Privacy Policy

Privacy Policy for Arena

1. Introduction

Welcome to Arena, operated by Arena CRM LLC (“we,” “us,” or “our”). We prioritize the protection of your information. This Privacy Policy details how we collect, use, disclose, and secure your information when you use Arena. We are compliant with HIPAA and other applicable privacy laws.

Please read carefully. If you do not agree with this policy, do not use the application.

2. Information We Collect

We collect different types of information based on your use of the app:

●     Personal Data: Name, phone number, email address, and demographic details that you provide when registering.

●     Protected Health Information (PHI): Sensitive data about leads’ health conditions, entered by our users (healthcare providers) solely to qualify leads and schedule appointments.

●     Derivative Data: Automatically collected info like IP address, browser type, operating system, access times, and navigation within the app.

●     Google Calendar Data: We only access time slots, names, email addresses, and phone numbers associated with booking events to ensure accurate scheduling.

3. Use of Your Information

Your information helps us deliver Arena’s features:

●     Enable SMS communication between users and leads for qualification and appointment setup.

●     Manage booking events via Google Calendar using only permissible data.

●     Administer user accounts and enhance app functionality.

●     Analyze trends to improve the application.

●     Prevent fraud, theft, and criminal misuse.

●     Respond efficiently to support requests.

AI Use Notice: We will not use any data—PHI included—to train AI models or for purposes beyond the services we provide. All AI model development is based on data unrelated to Google Workspace user information.

Google API Data Limited Use Policy Compliance: Arena CRM's use of information received, and data obtained, from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We use Google Workspace data only to provide or improve user-facing features described in our Privacy Policy and do not transfer this data except as necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets.

4. Disclosure of Your Information

We may share your information in these situations:

●     Legal & Safety Reasons: To respond to legal demands, investigate policy violations, or secure rights and safety.

●     Third-Party Providers: With partners like SMS gateway services or data storage vendors under strict confidentiality.

●     With Your Authorization: Only when you expressly consent.

We never sell, rent, or trade your personal information or PHI for marketing purposes. All third parties receiving Google user data from us are required to comply fully with Google's Limited Use policy and applicable U.S. privacy laws.

5. Security of Your Information

We use enterprise-grade security measures via Supabase’s Enterprise plan, including:

●     SOC 2 Type II and HIPAA compliance, with signed BAAs.

●     AES‑256 encryption of data at rest and TLS/SSL encryption in transit.

●     Application‑level encryption for sensitive tokens and keys.

●     Multi-factor authentication, role-based access control, IP whitelisting, and PrivateLink for private networking.

●     Daily backups, point-in-time recovery, DDoS protections, and vulnerability scanning.

●     Regular security audits and penetration testing by third-party experts.

While we take extensive precautions, no system is infallible; we continuously update and monitor our defenses.

6. HIPAA Compliance

We comply fully with HIPAA Privacy and Security Rules, and will sign BAAs with covered entities. Our safeguards uphold the confidentiality, integrity, and availability of PHI.

7. PHI Rights & SMS Opt-Out for Leads

Our users (e.g., healthcare providers), not the leads themselves, control SMS marketing to leads, and leads can opt out via the reply function within the Arena app. In this policy, PHI refers to the leads' health information, not to users' own account data; it is managed solely to support communication and appointment scheduling.

8. Compliance with Google API Services

Arena adheres strictly to Google’s API Services User Data Policy:

●     We use only allowed Google Calendar fields (time slots, names, emails, phone numbers) for bookings.

●     Google Calendar data is not used for ads or shared externally, except when legally required or during business transitions.

●     Human review of this data only occurs if users explicitly authorize it, or for security or legal compliance, and always in anonymized and aggregated form.

●     We comply fully with Google's Limited Use Requirements, restricting the use of data obtained from Google Workspace APIs exclusively to authorized purposes.

●     We do not use Google Workspace user data for advertising, selling, or any unauthorized purposes.

●     We implement robust security and privacy controls to prevent unauthorized access to or disclosure of Google user data.

●     We retain Google user data only as long as necessary to provide our services or as required by law.

9. Data Retention

We keep personal data and PHI only as long as necessary for service delivery, compliance with legal obligations, dispute resolution, and policy enforcement.

10. Children

Arena is for users aged 18+. We do not knowingly collect data from minors and will delete any such data if discovered.

11. International Transfers

Personal data and PHI may be processed abroad. We ensure proper safeguards for these international transfers under applicable law.

12. Policy Updates

We may update this policy occasionally. The “Effective Date” will reflect such changes and we recommend reviewing it periodically.

13. Contact Us

For inquiries, please contact:

support@arenacrm.com