Privacy Policy

ARC Transport Alliance Global Privacy Policy

Effective Date: September 13, 2025
Last Updated: September 13, 2025

ARC Transport Alliance (“ARC,” “we,” “our,” or “us”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, transfer, secure, retain, and otherwise process information about you when you use our websites, mobile applications, AI systems (including Arcia and ArciaOS), transport and logistics services, medical transport services, and certain remote facilities that may operate under specialized local legal frameworks (together, the “Services”). By using the Services, you acknowledge this Policy. Where required by law, we request consent separately.

We design our program around data minimization and continuity of rights across all operating environments.

1. Introduction
Welcome to ARC Transport Alliance. Your privacy is important to us. This policy outlines how we collect, use, manage, and protect your information when you use our website and Services. By accessing our website, you consent to the data practices described here.

2. Data Collection
We collect information you provide and information generated by your use of the Services:

  • Personal Information: name, email, phone, payment details, login credentials, communications.

  • Technical Information: IP address, browser/OS, device info, log data.

  • Usage Data: pages visited, time on page, interactions, navigation, referral URLs.

  • Transaction Data: purchase history, reviews/feedback, billing details, fulfillment status.

  • Cookies/Tracking: cookies, beacons, and similar tools for functionality, analytics, and (if enabled) advertising.

We may also receive information from third-party sources (e.g., social platforms, ad networks, business partners) to improve our Services.

3. Data Management & Usage
We use data to: provide/operate/improve Services; process payments; authenticate access and maintain security; respond to support requests; send newsletters/promotions/service updates (if consented or permitted); analyze performance; prevent fraud; comply with legal obligations; and personalize content/ads to your preferences (ads only where permitted).

4. Cookies & Tracking
Cookies help us recognize your device, store sessions securely, improve performance, analyze traffic, and (if enabled) deliver personalized content/ads. You can manage cookies in your browser or via the site banner. Disabling some cookies may limit functionality.

5. Sharing & Security
We do not sell or rent personal information. We share it only to: comply with the law, protect rights and safety, operate with vetted service providers (under confidentiality), and complete corporate transactions (e.g., merger). We use industry-standard security; no Internet method is 100% secure.

6. Your Rights & Consent
You can access, update, delete, restrict/oppose processing, withdraw marketing consent, and receive a copy of your data. Contact arcsupport@arctransportalliance.org or see the Data Subject Request portal. We respond consistent with applicable law.

7. Changes
We may modify this policy; updates will appear here with a new effective date and, where significant, additional notice.

8. Contact
Questions or concerns? arcsupport@arctransportalliance.org · ARC Transport Alliance.

1) Scope & Roles

This Policy covers website visitors; account holders; passengers and customers; AI users; applicants and employees where stated; and individuals who enroll in programs administered at certain remote facilities that operate under specialized jurisdictional requirements. Some Services provide additional notices (e.g., a HIPAA Notice of Privacy Practices for covered medical services).

  • Controller/Processor. ARC acts as a Controller for consumer Services and governance programs; a Processor for certain B2B or medical-transport contexts (subject to a Data Processing Addendum “DPA” and, where applicable, a Business Associate Agreement “BAA”); and may act in a shared-oversight capacity with an independent authority for specific facilities.

2) Information We Collect

We collect information directly from you (e.g., account details, documents you upload, communications), automatically via our Services (e.g., device IDs, IP address, telemetry, crash logs, usage analytics, cookie/SDK data), and from third parties (e.g., payment processors, mapping providers, identity verification vendors, social/ad partners). Categories include:

  • Personal Information: name, email, phone, postal address, identity documents (where required), payment/billing details, login credentials, communications and support history.

  • Technical/Device Data: IP address, device identifiers, OS and browser type, app version, crash data, diagnostics, security telemetry.

  • Usage Data: pages/screens visited, time on page, clicks and navigation patterns, referral URLs, feature usage, service configuration.

  • Transaction Data: purchase/trip history, order status, product reviews/feedback, invoices and receipts.

  • Cookies & Tracking: cookies, SDKs, and pixels for functionality, analytics, and—if enabled—advertising measurement (see Section 4).

  • Special Category Data (only as necessary): medical/health information for medical transport (HIPAA applies when ARC is a Covered Entity), biometrics/voice for access control or TTS where enabled, and precise geolocation for routing and safety.

Data Minimization. We collect only what is necessary for the specific purpose, require teams to justify each field, and periodically reduce collection where feasible.

3) How We Use Information (Purposes & Legal Bases)

We use Personal Data to:

  • Provide, operate, and improve the Services; fulfill trips and requested features.

  • Process payments securely and detect, investigate, and prevent fraud and abuse.

  • Authenticate access and maintain safety, reliability, and security.

  • Respond to inquiries and provide customer support and service communications.

  • Send newsletters, promotions, and updates only where permitted (you can opt out at any time).

  • Analyze performance and usage to enhance user experience and product quality.

  • Comply with legal and regulatory obligations and defend legal claims.

  • Administer identity/residency records where specialized jurisdictional requirements apply.

  • Personalize content and (where permitted) advertising to align with user preferences.

  • Improve AI models only if you opt in to AI training (see Section 6).

Legal Bases (GDPR/UK GDPR). Consent (e.g., analytics where required, AI training); Contract (e.g., trip fulfillment); Legitimate Interests (e.g., security/diagnostics—balanced against your rights and freedoms); and Legal Obligation or Vital/Public Interests (e.g., safety, incidents, medical transport). We document Legitimate Interest Assessments.

Security & Fraud-Only Combination. We may combine data across ARC Services strictly to detect and prevent security incidents and fraud. We do not combine data for advertising without your consent.

4) Cookies, SDKs & Universal Opt-Out

We use cookies/SDKs for Strictly Necessary, Functional, Analytics, and (if enabled) Advertising purposes. Manage preferences via your browser or our site’s cookie banner. Disabling certain cookies may limit functionality. We do not respond to legacy Do Not Track (DNT) signals; we do honor Global Privacy Control (GPC) and recognized universal opt-out signals where applicable.

A continuously updated cookie/SDK inventory (vendor, purpose, retention) will be posted at /privacy/cookies by December 31, 2025.

5) Sharing & Disclosure

We do not sell or rent Personal Data. We share it with:

  • ARC personnel under least-privilege access.

  • Vetted service providers/subprocessors (cloud/AI infrastructure, payments, maps/geocoding, messaging, identity verification, medical partners) under binding confidentiality and data protection terms.

  • Emergency services where vital interests require it.

  • Governmental/regulatory authorities responding to lawful requests.

  • Other third parties with your consent or as permitted by law.

In a corporate transaction (e.g., merger, acquisition, or sale of assets), Personal Data may be transferred as part of the transaction, subject to this Policy and applicable law.

Subprocessor Transparency. We maintain a live, versioned Third-Party Privacy Center at /privacy/third-parties (publishes by December 31, 2025) listing vendors, purposes, regions, and links to their privacy policies. We provide at least 30 days’ notice of material changes for business customers; where consumer-impacting, we also post a site notice and, when appropriate, email affected users.

De-identified & Aggregated Data. We may use de-identified/aggregated data for analytics and research; we will not re-identify such data and require vendors to do the same.

6) AI Interactions, Training & Automated Decisions

  • Modes. Offline mode processes locally; online mode may transmit data securely to deliver requested features. Persistent memory is opt-in and can be disabled at any time.

  • Training & Revocation. AI improvement uses your data only if you opt in. If you withdraw consent, we delete your source data and exclude it from future training cycles. Because model parameters are statistical, prior influence cannot be reliably removed; however, we cease further use and retrain on refreshed corpora over time, using minimization/redaction and, where feasible, differential privacy.

  • Transparency & Review. We publish model cards and fairness/abuse-testing summaries at least twice per year and after major updates. If an automated decision could significantly affect you, you may request human review at privacy@arctransport.com (target resolution: 14 business days).

  • Consent Audit. View and change AI toggles under Settings → Privacy → AI Controls. “Export My Consents” provides a timestamped JSON log (retained 2 years).

7) International & Extra-Jurisdictional Transfers

We may transfer Personal Data across borders, including to facilities operating under specialized legal frameworks. For EU/UK data, we use Standard Contractual Clauses (SCCs) (appropriate modules) and the UK Addendum/IDTA, with supplementary measures (ARC-held KMS keys, TLS in transit, encryption at rest, admin MFA, least-privilege, and transfer-impact assessments for higher-risk flows).

8) Retention & Deletion

We retain Personal Data only as long as needed for the purposes described, to comply with law, resolve disputes, and enforce agreements. Illustrative timeframes:

  • Trip & invoicing records: 7 years

  • Web/app analytics: 24 months

  • Device/telemetry logs: 180 days

  • AI service logs: 90 days

  • AI training data (opt-in): 2 years or 30 days after revocation

  • Identity/residency records (where applicable): status duration + 5 years

  • CCTV standard: 30 days; CCTV flagged/legal hold: until resolution or up to 1 year (extendable while proceedings are active)

  • Medical transport PHI: ≥6 years or as required by law

Backups. Deletions propagate on restore/rollover within 35 days; we do not restore solely to delete. Restores re-run deletion jobs to honor prior requests.

9) Security

We implement administrative, technical, and physical safeguards proportionate to risk, including encryption at rest (e.g., AES-256), encryption in transit (TLS), ARC-held KMS/HSM key management, multi-factor authentication, role-based access control, continuous vulnerability management, annual penetration tests, and coordinated vulnerability disclosure (security@arctransport.com). No method of transmission or storage is 100% secure; please take appropriate measures to protect your information.

Post-Quantum Roadmap. We are adopting NIST-selected algorithms (ML-KEM/Kyber for key establishment; ML-DSA/Dilithium for signatures) with hybrid TLS during transition. Target: external endpoints hybrid by Q4 2025; service-to-service PQC defaults by 2026, subject to compatibility.

10) Your Choices & Rights

  • Cookie/Ad Preferences. Manage via the site’s cookie banner or your browser. We honor GPC/UOOM.

  • Marketing. Opt out via unsubscribe links or account settings.

  • AI Data. Disable memory in-app or request exclusion from AI interaction logging (including offline sessions) via privacy@arctransport.com.

  • California (CPRA). We do not sell Personal Information. We may “share” Personal Information for cross-context behavioral advertising only with opt-in where required. Use Do Not Sell/Share and Limit Use of Sensitive Personal Information. No data-based financial incentives.

  • Nevada (NRS 603A). We do not sell covered information; opt-out via the DSR form.

  • GDPR/UK GDPR. Rights to access, rectification, erasure, restriction, portability, and objection. Response time one month (extendable two months with notice for complexity).

  • HIPAA (Medical Transport). Where applicable, see our HIPAA Notice of Privacy Practices at /privacy/hipaa-npp (publishes by December 31, 2025).

11) How to Exercise Your Rights (DSR), Verification & Appeals

Submit a Data Subject Request (DSR) via:

  • Web form: /privacy/request

  • Email: privacy@arctransport.com

  • Mail: ARC Transport Alliance — Privacy, 123 ARC Alliance Blvd, Indianapolis, IN 46201, USA

Verification. We may require identity verification (e.g., signed-in session, code to verified email/phone, or government ID for sensitive requests). Authorized Agents may submit requests with notarized authorization or power of attorney; where required by law, we confirm directly with the consumer.

Timelines. U.S. states: 45 days (extendable once by 45 days with notice). EU/UK: one month (extendable two months with notice). Appeals are decided within 45 days; certain states permit escalation to the Attorney General; EU/UK residents may lodge complaints with their supervisory authority.

12) Children & Teens

We do not knowingly collect data from children under 13 without verifiable parental consent. Teens 13–16 are not subject to cross-context behavioral advertising without opt-in where required by law. We conduct quarterly audits of age-gating, ad-platform settings, and AI-training exclusions, and we segregate minor data with stricter access controls.

13) Breach Notifications

  • GDPR. We notify supervisory authorities within 72 hours of awareness where required, and affected individuals without undue delay.

  • Non-GDPR Jurisdictions. We notify affected individuals and, where applicable, regulators without unreasonable delay and no later than 30 days after confirmation, unless law enforcement requests a delay.

  • Conflicting Deadlines. Where multiple laws apply, we follow the strictest (shortest) deadline and document our decision process.

  • Limited-Connectivity Environments. If transmission is constrained, we post official notices locally and deliver formal notices during the next available window; we retain proof of posting.

14) Accessibility & Language Access

This Policy is screen-reader compatible. For assistance, call +1 (260) 209-4440 (TTY/TDD supported). We provide this Policy in English, Spanish, French, and Japanese. For other languages, request translation via the DSR form (“Policy Translation”) or info@arctransport.com. We acknowledge within 10 business days and aim to deliver within 30–45 days; complex scripts receive specialist review and back-translation for critical sections.

15) Changes to This Policy

We update this Policy periodically. Material changes will be announced by prominent notice within the Services and, where appropriate, by email. The “Last Updated” date at the top reflects the most recent changes.

16) Contact Us

ARC Transport Alliance
123 ARC Alliance Blvd, Indianapolis, IN 46201, USA
Email (privacy): info@arctransport.org
Email (support): arcsupport@arctransportalliance.org
Phone: +1 (260) 209-4440 (TTY/TDD supported)
Independent Privacy Ombud: ombud@arctransport.com · Portal: /ombud

Linked Notices

  • Third-Party Privacy Center: /privacy/third-parties (publishes by December 31, 2025)

  • Cookie/SDK Inventory: /privacy/cookies (publishes by December 31, 2025)

  • HIPAA Notice of Privacy Practices (if applicable): /privacy/hipaa-npp (publishes by December 31, 2025)

  • Data Processing Addendum (B2B): /legal/dpa (publishes by December 31, 2025)
