Weft
Sign in Start free trial

Privacy policy

Last updated: · Operator: Arlualo LLC, 30 North Gould Street, Sheridan WY 82801, USA · Contact: [email protected]

Plain-English working draft. This document is the v1 working text used by Arlualo LLC to operate Weft. It is intentionally plain-English so customers can read it. A formal review by counsel is in progress; substantive changes will be versioned with a new "Last updated" date.

1. Who we are

The data controller for the Weft service is Arlualo LLC, a Wyoming limited liability company with its principal place of business at 30 North Gould Street, Sheridan, WY 82801, USA. You can reach our privacy team at [email protected].

2. Two kinds of data

This policy distinguishes between two types of personal data:

  • Account data — personal data of the individuals who sign up for and use Weft (typically your team and any agents you invite). For this data, Arlualo LLC is the controller.
  • Customer data — personal data contained in the emails, Slack messages, and Shopify orders that flow through Weft as part of providing your after-sales workflow (i.e., the personal data of your customers). For this data, Arlualo LLC is a processor acting on your instructions; the terms are set out in our DPA.

3. Account data we collect

  • What you give us: name, business email, password (hashed with Argon2id), organisation name, billing details (collected by Stripe; we never see card numbers).
  • Logged automatically: IP address, browser user-agent, pages visited, clicks on links, error reports (via Sentry).
  • Cookies: two strictly-necessary cookies, no third-party tracking. Detail in section 11.

3.1 Customer data we process on your behalf

The categories below are processed only because you connect Weft to a mailbox / Shopify store / Slack workspace. We act as a processor here — full terms in the DPA.

  • Mailbox content (always): sender, recipient, CC/BCC, subject, body (plain + HTML), attachments, IMAP UIDs, timestamps.
  • Shopify order data (when you connect a store): order numbers, totals, currency, customer first/last name, customer email and phone, shipping/billing addresses, line items, tracking numbers, fulfilment + financial status. Used to ground AI replies in real order facts.
  • Slack workspace data (when you install the Weft Slack app): workspace + channel IDs, message text from connected channels, sender Slack user IDs and display names, emoji reactions, file metadata.
  • AI-pipeline metadata: per-shop AI context that you configure, draft revisions, classification labels, audit-log entries (actor, action, target, timestamp).
  • Auto-translation: if you enable it on a mailbox, the inbound body is sent to the AI provider for translation into your team's working language and the result is cached on the email row.

4. Why we use account data

  • To operate the service — authenticate you, route you to the correct Org, enforce plan limits, render the inbox UI. (Lawful basis: performance of contract.)
  • To bill you — pass billing details to Stripe so it can charge your card and issue invoices. (Lawful basis: performance of contract.)
  • To keep the service safe and reliable — detect abuse, debug errors, monitor performance, prevent fraud. (Lawful basis: legitimate interest.)
  • To communicate with you — send transactional emails (sign-up, password reset, billing receipts), occasional product updates. You can opt out of product updates at any time. (Lawful basis: performance of contract / legitimate interest.)
  • To comply with the law — respond to lawful requests, enforce our terms. (Lawful basis: legal obligation / legitimate interest.)

5. How long we keep account data

  • Account profile data: as long as your account is active, then 30 days after deletion (soft-delete grace period), unless we must keep it longer for legal reasons (e.g., billing records: 7 years for US tax compliance).
  • Login and security logs: 90 days.
  • Backups (Postgres dumps): 30 days, encrypted, off-site.

6. Customer data — your customers' personal data inside Weft

When you connect a mailbox or Shopify store, Weft processes the personal data of your customers (their email addresses, names, message bodies, order details, attachments). Because that data is yours, not ours, we act as a processor under the GDPR, and our use of that data is limited to providing the service. The full terms are in the data processing addendum, which forms part of these terms automatically when you sign up.

We do not sell customer data. We do not use it to train AI models. We do not show it to anyone outside our limited team without your instructions or a lawful order.

7. Sub-processors

The maintained list of third-party services we engage on your behalf — including each one's location, the data category it touches, and the legal transfer mechanism — is at /legal/subprocessors. The list is split between sub-processors that are always engaged (Hetzner, Stripe, the AI providers, Cloudflare, Sentry, Backblaze, Plausible) and only engaged when you opt in (Slack, Shopify, Google sign-in, your IMAP provider).

Material changes — adding or removing a sub-processor — are announced at least 30 days in advance via in-app banner, an email to organisation owners, and the page above. You may object on reasonable grounds; if we cannot agree on a remedy within 30 days, you may terminate and we will refund the unused prepaid period.

8. International transfers

Our primary servers are in Helsinki (EU). Some sub-processors are based in the United States, Canada, or China. When personal data is transferred outside the EEA we rely on the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) of 4 June 2021. For US-based sub-processors that are self-certified under the EU-US Data Privacy Framework — currently Anthropic, Stripe, Cloudflare, Slack and Google — we additionally rely on the DPF as a transfer mechanism alongside the SCCs. For UK transfers, the UK International Data Transfer Addendum to the EU SCCs is deemed entered into.

Supplementary technical measures (TLS 1.2+ in transit; AES-256 at rest; mailbox credentials encrypted with NaCl secretbox; off-site backups end-to-end encrypted before upload) are applied consistent with the EDPB recommendations following the Schrems II judgment.

9. Your rights

If you are in the EU, the UK, or another jurisdiction with similar laws, you have the right to:

  • access the personal data we hold about you;
  • have inaccurate personal data corrected;
  • have your personal data deleted, subject to exceptions (e.g., billing records);
  • object to processing based on legitimate interest;
  • port your data to another provider in a structured, machine-readable format;
  • withdraw consent where processing is based on consent (this does not affect prior processing);
  • lodge a complaint with a supervisory authority — for EU users, your local data protection authority.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

10. Security

  • HTTPS-only with TLS 1.2+; HSTS in place.
  • Passwords stored as Argon2id hashes with per-password salts; never in plaintext.
  • Multi-factor auth available via TOTP.
  • API tokens stored as hashes; never returned after creation.
  • Per-tenant access scoping enforced at the database query level (SQLAlchemy before_compile hook); cross-tenant isolation tested in CI.
  • Backups encrypted in transit and at rest; off-site retention 30 days.
  • Sub-processors required to apply equivalent measures.

11. Cookies

Weft uses two cookies, both strictly necessary, plus a privacy-respecting analytics tag on the marketing site. We do not use third-party advertising, retargeting, or cross-site-tracking cookies.

Cookie Purpose Lifetime Set by
weft_session Authenticates your sign-in session 30 days, sliding app.weftforge.com
weft_lang Remembers your UI language preference 1 year app.weftforge.com
(none — cookieless) Marketing-site page-view counts via Plausible N/A weftforge.com

12. Children

The service is not intended for individuals under 16. We do not knowingly collect personal data from anyone under 16.

13. Updates to this policy

We may update this policy from time to time. Material changes will be announced by email or in-app at least 30 days before they take effect.

14. Contact

For privacy enquiries, write to:
Arlualo LLC — Privacy
30 North Gould Street
Sheridan, WY 82801, USA
[email protected]