Privacy Policy
Last updated: May 2026
Arodus Inc. ("Arodus," "we," "our," or "us") operates arodus.com and the Arodus vendor intelligence platform (the "Service"). This Privacy Policy explains what information we collect, how we use, share, and protect it, and the rights you have. By using the Service you agree to the practices described here.
Our roles
For data you bring to the Service, such as your ERP records and your inputs, Arodus acts as a processor acting on your instructions, and you are the controller. For your account data, our website data, and the aggregate intelligence and network signals we derive across customers, Arodus acts as a controller.
Information we collect
We collect account information you provide when registering: your name, work email, company name, and job title. We process third-party information about vendors from public and licensed sources, including news feeds, regulatory and court filings, securities filings, company databases, and prediction-market data; some of this may identify individuals such as named executives in the context of reputational or compliance signals. We collect the ratings, reviews, and verified spend you submit about vendors you pay. And we collect usage and device data, including pages visited, features used, session timestamps, and standard server logs such as IP address and browser type, for security and product improvement.
ERP data
When you connect an accounting or ERP system, we access two object types only: vendor records (name, legal name, category, email domain, account number) and bill and payment records (vendor reference, invoice date, payment date, and amount). We connect through OAuth with read-only permission, so we can never write to, change, or delete anything in your books, and you can revoke access at any time from your ERP or your Arodus account. We do not access payroll, income statements, balance sheets, bank account details, or employee records. We currently support QuickBooks Online and NetSuite and may add other systems under the same read-only scope. We do not currently ingest line-item or SKU-level detail; if that changes, we will update this policy and keep the same read-only, purpose-limited scope.
Individuals and sole traders
Some vendors in a customer's ledger are individuals rather than companies, such as freelancers or sole traders. We do not score these vendors, include them in the cross-customer intelligence network, or enrich them with external data, and we do not retain them as vendor records in our systems. They remain visible only within the customer's own account, unscored, and are never used for any networked or aggregated purpose. Separately, a named individual may appear in third-party risk signals about a company, for example a news report naming an executive; in that case the information relates to the company vendor, is drawn from public sources, is minimized, and is not compiled into a profile of that individual.
How we use your information
We use account data to operate your account and communicate with you. We use ERP data to identify your vendors and generate risk scores and intelligence within your dashboard. We use third-party and review inputs to build and weight vendor risk and rating signals. We use usage data to secure and improve the Service. We do not sell your data and do not use your ERP data for advertising.
The intelligence network
A core part of the Service is a network in which signals from many customers improve risk and rating intelligence for all. When you submit a review of a vendor, it may be shown to other customers of that vendor in anonymized but attributed form: your name and company are not shown, but your organizational role and a verified annual spend band (a range, not a figure) are shown so others can judge relevance, and reviews are weighted by verified spend. Your raw ERP records, your identity, and your specific spend figures never enter the network. Once a review has been incorporated into a vendor's aggregate signal, that anonymized contribution may persist in non-identifiable form even after you stop using the Service, because it can no longer be tied back to you.
How we share your information
We do not sell personal data. We share data only with service providers and sub-processors that process data on our behalf, such as cloud hosting and database infrastructure, under confidentiality and data-protection terms; within the intelligence network as described above; in connection with a business transfer such as a merger or acquisition, subject to this policy; and where required by law or to protect rights and safety. A current list of sub-processors is available on request at privacy@arodus.com.
Automated processing
The Service uses automated processing to generate vendor risk scores and signals from the data described above.
Data retention
Account data is retained for the duration of your subscription and deleted within 30 days of cancellation. ERP data is retained only while your connection is active and purged within 30 days of revocation or cancellation. Usage logs are retained for up to 12 months. Anonymized network contributions may persist as described above. You may request deletion at any time by emailing privacy@arodus.com.
Security
All data in transit is encrypted using TLS 1.2 or higher, and all data at rest using AES-256. ERP credentials are held in encrypted secrets management and never logged in plaintext. Access to production systems is restricted on a need-to-know basis, and we conduct regular security reviews and testing. Our SOC 2 Type II examination is in progress. In the event of a breach affecting your data, we will notify you without undue delay and, where applicable, within 72 hours of becoming aware.
Cookies and analytics
We use essential cookies required for the site to function and first-party analytics to understand aggregate usage patterns. We do not use third-party advertising cookies or sell browsing data. You can disable non-essential cookies in your browser settings without affecting the core platform.
Your privacy rights
Depending on your location, you may have rights to access, correct, delete, export, or restrict or object to processing of your personal data. California residents have rights under the CCPA and CPRA, and EEA and UK residents have rights under the GDPR and UK GDPR. Our legal bases are contract performance for account and ERP processing, and legitimate interests for security, product improvement, and operating the intelligence network. To exercise a right, email privacy@arodus.com and we respond within 30 days. A Data Processing Addendum is available for business customers on request.
International data transfers
Arodus is based in the United States, and your data may be processed in the US. For transfers of personal data from the EEA or UK, we rely on Standard Contractual Clauses, and the UK Addendum, as the transfer mechanism.
Children's privacy
The Service is a business-to-business platform not directed at individuals under 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected data from a minor, contact privacy@arodus.com and we will delete it promptly.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we update the date at the top of this page and notify active users by email at least 14 days before changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
Contact
Privacy questions? Email privacy@arodus.com. For formal written notices: Arodus Inc., Attn: Privacy, Delaware, United States.