Privacy Policy
Last updated: 2 May 2026
Aren is committed to protecting your personal data. This policy explains what we collect, why, how long we keep it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Aren is an AI-powered law career preparation platform. Aren is the data controller for the personal data described in this policy. You can contact us at hello@aren.bot with any privacy or data protection questions.
2. What data we collect
| Category | Data | Purpose |
|---|---|---|
| Account | Email address, password, name | Authentication, personalisation |
| Phone | Phone number (verified at signup) | Account security, trial abuse prevention |
| Chat | Conversation messages with Aren | Providing AI advice, building your dossier |
| Exercises | SJT, Watson Glaser, Written Exercise, Group Exercise, and Interview scores, answers, and transcripts | Scoring, feedback, readiness tracking, adaptive difficulty |
| Dossier | AI-generated profile of your strengths, weaknesses, and preferences | Personalising advice and exercise difficulty |
| Tracker | Firm names, application statuses, deadlines, notes | Application management |
| Voice | Audio recordings during AI Partner and Group Exercise voice modes | Transcription for scoring; optionally retained for 30 days so you can listen back in the debrief (opt-out from Account → Data & privacy → Save voice sessions for replay) |
| Payment | Processed by a third-party payment provider | Subscription management (we never see or store card details) |
| Technical | IP address, browser type, access timestamps | Security, rate limiting, abuse prevention |
3. Legal basis for processing
- Contractual necessity (Art. 6(1)(b)) — to provide the service you signed up for: chat, exercises, tracking, and feedback.
- Legitimate interests (Art. 6(1)(f)) — security, abuse prevention, service improvement. We balance these against your rights and only process the minimum data necessary.
- Legal obligation (Art. 6(1)(c)) — financial record-keeping required by HMRC.
- Consent (Art. 6(1)(a)) — where we send optional marketing communications. You can withdraw consent at any time.
4. How we use AI
Aren uses AI to generate chat responses, exercise content, and feedback. Your messages and exercise data are sent to third-party AI providers for processing. These providers do not use your data to train their models. Voice audio is transcribed and not retained after processing.
Aren builds a profile of your strengths, weaknesses, and preferences to personalise your experience. You can view and reset this profile at any time from Account settings.
5. Profiling and automated decision-making
Under Article 22 of the UK GDPR, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Aren uses profiling in the following ways:
- Readiness score — your practice results are automatically combined into a weighted score reflecting your assessment readiness for a target firm. This score is advisory only and has no legal or contractual effect.
- Dossier — an AI-generated profile of your strengths, weaknesses, tone preferences, and practice history, used to personalise chat advice and exercise difficulty.
- Adaptive exercises — exercise content is adjusted based on your past scores to target areas where you are weakest.
None of these produce legal effects or significantly affect you — they are used solely to improve your preparation experience. You can reset your dossier, delete your practice history, or delete your account at any time from Account settings. If you have concerns about automated processing, contact hello@aren.bot.
6. Third-party processors
Aren uses the following sub-processors to operate the service. Each processes data only on our instructions under appropriate contractual safeguards (UK Standard Contractual Clauses or equivalent where data leaves the UK).
| Processor | Purpose | Location |
|---|---|---|
| Cloudflare | Hosting, CDN, database (D1), storage (R2, KV), bot protection (Turnstile) | UK / Global edge |
| Anthropic | AI chat, exercise generation, feedback | USA |
| OpenAI | Voice transcription (Whisper) | USA |
| ElevenLabs | Text-to-speech for voice modes | USA |
| Stripe | Subscription payments | USA / Ireland |
| Twilio | SMS phone verification (international, processed via Twilio's US and EU infrastructure) | USA / Ireland |
| Resend | Transactional email (login codes, receipts, password resets) | USA |
None of these providers use your data to train their models. We will update this list when sub-processors change.
7. Cookies
We use a single essential session cookie to keep you logged in. We do not use advertising, analytics, or tracking cookies.
8. Data retention
| Data | Retention period |
|---|---|
| Account data, chat history, practice results, dossier | Until you delete your account |
| Voice audio recordings | By default, kept for 30 days so you can listen back in the debrief, then auto-deleted. Each recording can also be deleted manually from the debrief screen, or you can disable recording entirely from Account → Data & privacy. |
| Payment records | 7 years (UK tax law) |
| Signup attempt IP addresses | 30 days, then auto-deleted (used to detect signup abuse) |
| Technical logs | 30 days |
| Deleted account data | Permanently removed within 30 days of deletion request |
9. Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct any inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — restrict processing in certain circumstances
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent
To exercise any right, email hello@aren.bot. We will respond within 30 days. You can also delete your account and all associated data directly from Account > Data & Privacy > Delete account.
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. Data security
We implement appropriate technical and organisational measures to protect your personal data. All data is transmitted over encrypted connections and passwords are never stored in plain text.
11. Children
Aren is designed for university students and is not intended for children under 18. We do not knowingly collect data from anyone under 18. If you believe a child has created an account, please contact us and we will delete it promptly.
12. Changes to this policy
We may update this policy to reflect changes to the service or legal requirements. Material changes will be communicated by updating the date above and, where appropriate, by email notification. Continued use of the service after changes constitutes acceptance of the updated policy.
Questions? Contact us at hello@aren.bot