Privacy Policy

Privacy Policy — Areti Core

Last updated: 2026-04-15
Version: 1.0

This Privacy Policy informs you in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR) about the nature, scope, and purposes of the processing of personal data in connection with Areti Core, the customer relationship and sales platform operated by ARETI GmbH.

1. Data controller

The controller responsible for the processing of personal data on this website and in Areti Core within the meaning of Art. 4 no. 7 GDPR is:

ARETI GmbH
Saarstraße 7, 80797 München
Germany

Managing Director: Philippe Sünram
Commercial register: Amtsgericht München, HRB 248858
VAT ID: DE323997805

Phone: +49 89 215 368 590
Email: datenschutz@areti.de
Website: https://reticor.io

Areti Core is available under the canonical base domain reticor.io. Each customer workspace is served from a tenant subdomain in the form {workspace-slug}.reticor.io (for example acme.reticor.io). Customers may additionally configure their own custom domain that points to their workspace (for example app.areti.de, which is the custom domain used by ARETI GmbH for its own internal workspace). Regardless of which URL is used to access the application, the underlying hosting, processing, and storage described below applies identically.

2. Data protection officer

A data protection officer is currently not mandatorily appointed for ARETI GmbH. For data protection inquiries please contact us directly at datenschutz@areti.de.

3. Scope of this Privacy Policy

This Privacy Policy applies to:

  • the use of the Areti Core web application at https://reticor.io, all tenant subdomains ({slug}.reticor.io), and any per-tenant custom domain configured by the customer
  • the use of the Areti Core integration with the Zoom App Marketplace
  • all APIs, edge functions, webhooks, and support channels operated by ARETI GmbH
  • contacting ARETI GmbH by email or phone

Third-party services accessible inside or outside of Areti Core (e.g. Zoom, ClickUp, email providers) are not covered by this Privacy Policy. The respective privacy policies of those providers apply.

4. General information on data processing

4.1 Scope of processing

We process personal data of our users only to the extent necessary to provide a functional website and our product and to fulfil our contractual obligations. Processing takes place either with consent or on the basis of a statutory authorisation.

4.2 Legal bases

Where we obtain consent for processing activities, Art. 6(1)(a) GDPR serves as the legal basis.

For processing necessary for the performance of a contract to which you are party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to pre-contractual measures.

Where processing is required to comply with a legal obligation (e.g. tax retention obligations), Art. 6(1)(c) GDPR is the legal basis.

Where processing is necessary to safeguard a legitimate interest of ARETI GmbH or a third party and the interests, fundamental rights, and freedoms of the data subject do not override the former, Art. 6(1)(f) GDPR serves as the legal basis.

4.3 Erasure and storage duration

Personal data of the data subject is erased or blocked as soon as the purpose of storage ceases to apply. Storage may continue beyond this point if provided for by European or national legislation. Data is also blocked or erased when a statutory retention period expires, unless there is a continued need for the data for the conclusion or performance of a contract.

5. Hosting and infrastructure

Areti Core runs entirely within the European Union. We use the following infrastructure providers as processors within the meaning of Art. 28 GDPR:

5.1 Vercel (web application hosting)

The web application (available at reticor.io, all {slug}.reticor.io tenant subdomains, and any configured custom domains) is operated by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA, in its Frankfurt edge region (fra1). Vercel is certified under the EU-U.S. Data Privacy Framework (DPF). In addition, we have entered into a Data Processing Addendum with Vercel based on the EU Standard Contractual Clauses.

  • Data categories: IP address, user agent, HTTP request metadata, static assets
  • Purpose: delivery of the web application, CDN, DDoS protection, deployment management
  • Storage location: EU data centers (Frankfurt)
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and efficient delivery of the application)
  • Privacy policy: https://vercel.com/legal/privacy-policy

5.2 Supabase (database, authentication, storage, edge functions)

Core data storage, user authentication, file storage, and server-side logic for Areti Core are provided by Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992, on Amazon Web Services infrastructure in the eu-west-1 region (Ireland). We have entered into a Data Processing Agreement with Supabase based on the EU Standard Contractual Clauses.

  • Data categories: all data you enter in Areti Core, including contact data, leads, customers, appointments, offers, invoices, activities, documents, authentication data, and OAuth tokens for connected integrations
  • Purpose: provision of the core functionality of Areti Core
  • Storage location: data centers in Ireland (eu-west-1)
  • Encryption: data is encrypted at rest with AES-256 and in transit with TLS 1.2 or higher
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
  • Privacy policy: https://supabase.com/privacy

5.3 Amazon Web Services (underlying infrastructure)

The physical infrastructure on which Supabase runs is provided by Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg, in the eu-west-1 region (Ireland). The contractual relationship is between us and Supabase; AWS is our sub-processor. AWS provides contractual assurances based on the EU Standard Contractual Clauses in case technical access from third countries (in particular the United States) becomes necessary.

6. Data processing when visiting the website

6.1 Server log files

When you access reticor.io, any tenant subdomain ({slug}.reticor.io), or a configured custom domain, our hosting provider Vercel automatically collects data and information that your browser transmits. The following data is collected:

  • IP address (truncated and anonymised after a few days)
  • Date and time of the request
  • Requested URL
  • HTTP status code
  • Amount of data transferred
  • Referrer URL
  • Browser used (user agent)
  • Operating system and interface

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the technical delivery of the website, ensuring system security, and error analysis. The data is stored separately from other personal data and automatically deleted after 30 days.

6.2 Cookies and local storage

Areti Core uses only strictly necessary cookies and browser storage (localStorage, sessionStorage, IndexedDB) required for the operation of the web application. These include:

  • session cookies for authentication
  • local storage for user preferences and offline caching of CRM data (IndexedDB)
  • temporary storage values for application state

This processing takes place on the basis of § 25(2)(2) TTDSG in conjunction with Art. 6(1)(f) GDPR and does not require consent, as it is strictly necessary to provide the telemedia service explicitly requested by the user.

No tracking cookies, advertising cookies, or analytics cookies that would require consent are used.

6.3 External resources (CDN)

To deliver the application efficiently, we include static scripts and fonts from the following content delivery networks. These are necessary for the application to function. No tracking or profiling data is collected, but IP addresses are transmitted to the providers.

| Service | Provider | Purpose |
|---|---|---|
| jsDelivr | jsDelivr / Prospect One, Poland | Supabase JS Client |
| cdnjs | Cloudflare, Inc., USA | jsPDF, html2canvas, PDF.js |
| SheetJS CDN | SheetJS LLC, USA | Excel export library |
| Google Fonts | Google Ireland Ltd., Ireland | Fonts (self-hosted, no tracking) |
| DuckDuckGo Icons | DuckDuckGo Inc., USA | Favicon lookup for lead sources |
| OpenStreetMap Nominatim | OpenStreetMap Foundation, UK | Address geocoding for leads |

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient, fast loading of the application and avoiding duplicate hosting costs).

6.4 TLS encryption

For security reasons and to protect the transmission of personal data, the website uses end-to-end TLS encryption (Transport Layer Security, version 1.2 or higher). You recognise an encrypted connection by the "https://" string and the lock icon in your browser bar.

7. Data processing when using Areti Core

7.1 Registration and user accounts

To use Areti Core we create a user account. We process the following data for this purpose:

  • First and last name
  • Email address
  • Role within the workspace (e.g. administrator, sales representative)
  • Password (stored exclusively as a bcrypt/argon2 hash, never in plain text)
  • Optional: profile picture, phone number, signature image
  • Timestamp of registration, last login, and password change

Legal basis: Art. 6(1)(b) GDPR (performance of pre-contractual measures and contract performance).

7.2 Customer relationship data (processing on behalf)

As a CRM platform, Areti Core processes personal data of the leads, contacts, and customers of customer companies on their behalf. In this respect ARETI GmbH acts as a processor under Art. 28 GDPR for the respective customer company.

The basis for this processing on behalf is a Data Processing Agreement (DPA) concluded between ARETI GmbH and the customer company. The customer as controller is responsible for the lawfulness of collecting and using this data.

A template of our DPA is available on request at datenschutz@areti.de.

7.3 Zoom integration

When the administrator of an Areti workspace enables the Zoom integration, we process the following personal data of the connecting Zoom user:

Categories of processed data:

  • OAuth access token and refresh token (issued by Zoom)
  • Zoom user ID
  • Zoom email address
  • Display name
  • Timestamp of the connection
  • Token expiry timestamp
  • Connection settings chosen by the user (e.g. auto recording, join before host, use PMI)

Purpose: automatic creation, updating, and deletion of Zoom meetings on behalf of the connected user when appointments are booked, rescheduled, or deleted inside Areti Core.

Additionally processed meeting metadata (per created meeting):

  • Meeting ID
  • Join URL
  • Start URL
  • Meeting password

This meeting metadata is stored together with the associated appointment record in Areti Core and remains there until the appointment or the parent lead is deleted.

Data not processed: we explicitly do not process meeting content, audio or video recordings, transcripts, participant lists, chat messages, or any other content created during or after a Zoom meeting.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and, where the consent of individual Zoom users is required, Art. 6(1)(a) GDPR (users give their consent during the Zoom OAuth consent flow).

Retention: Zoom OAuth tokens and identity data are deleted as soon as

  • an administrator disconnects Zoom in Areti Core, or
  • the user uninstalls the Areti Core app in their Zoom settings (Zoom then sends a deauthorization notification to our edge function zoom-oauth/deauthorize, which removes the tokens without delay).

International data transfers: Zoom Video Communications, Inc. is headquartered in the United States. Personal data is transferred to Zoom on the basis of Art. 46(2)(c) GDPR (EU Standard Contractual Clauses) in conjunction with the EU-U.S. Data Privacy Framework, under which Zoom holds a valid certification.

Details of the Zoom scopes requested and the technical operation of the integration are available in our Zoom integration documentation.

7.4 ClickUp integration

Some customer companies that use Areti Core have historically stored their CRM data in ClickUp (Mango Technologies, Inc., 350 Tenth Avenue, Suite 1400, San Diego, CA 92101, USA). These customers can continue to use ClickUp as a data source; Areti Core acts as middleware between the frontend and the ClickUp API in this case.

Data categories: leads, contacts, appointments, activities, attachments, and all other data stored in the customer's ClickUp workspace and displayed or edited through Areti Core.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

International data transfers: ClickUp data is stored on infrastructure in the United States. Transfers take place on the basis of the EU Standard Contractual Clauses. Customer companies that require exclusively EU-based processing can migrate their workspace database backend to Supabase (EU); we support migrations on request.

Retention: stored in ClickUp for the entire contract duration and in accordance with the deletion policies of the customer workspace.

ClickUp Privacy Policy: https://clickup.com/terms/privacy-policy

7.5 Make.com (workflow automation)

For certain workflows — in particular sending transactional emails (appointment confirmations, offer delivery, reminders), electronic signature of documents, and intake webhooks for incoming leads — we use Make.com (Celonis Operations GmbH), Theresienhöhe 11a, 80339 München, Germany, as a processor.

Data categories: recipient email address, recipient name, email content (including personalised template variables), attachments (e.g. offer PDFs), webhook payloads from incoming lead sources.

Legal basis: Art. 6(1)(b) GDPR.

Storage location: EU data centers of Make.com (Celonis).

Privacy policy: https://www.make.com/en/privacy-notice

7.6 Unipile (email and calendar integration)

For the optional integration of personal email mailboxes and calendars of sales representatives with Areti Core we use Unipile SAS, 22 rue Claude Tillier, 75012 Paris, France. Unipile provides a unified API for email and calendar providers (Google, Microsoft, iCloud, IMAP).

Data categories: OAuth tokens for email accounts and calendars, metadata of incoming and outgoing emails, calendar entries with title, time, participants, and description.

Legal basis: Art. 6(1)(a) GDPR (consent when connecting the respective account) and Art. 6(1)(b) GDPR (performance of a contract).

Storage location: EU data centers.

Privacy policy: https://www.unipile.com/privacy-policy/

7.7 OpenAI (lead enrichment)

For the optional "data enrichment" feature (enrichment of lead data through web crawling and AI-assisted analysis) we transmit the company URL provided by the user and extracted text content of the company website to OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, Ireland.

Data categories: company URL, text content of publicly accessible web pages. No personal data from the Areti database (lead names, email addresses, etc.) is transmitted to OpenAI.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient lead qualification).

Storage location: EU — Ireland. OpenAI Ireland Ltd. is the contract partner for all EU customers. OpenAI does not use data transmitted via the API to train its models (zero-data-retention mode).

Privacy policy: https://openai.com/policies/privacy-policy/

7.8 E-signature services

For the electronic signing of offers and contracts Areti Core offers an integration with an external e-signature provider. The specific provider is configured per customer company. Typical providers are DocuSign, yousign, or comparable services.

Data categories: documents (PDF) with their content, recipient names and email addresses, signature metadata (IP address, timestamp of the signature).

Legal basis: Art. 6(1)(b) GDPR (performance or initiation of a contract).

The specific privacy policy of the configured e-signature provider is made available to the customer company on request.

7.9 Supabase Storage (file attachments)

Files you upload to Areti Core — such as attachments to leads, profile pictures, signature images, logos, or images in offers and email templates — are stored in Supabase Storage on the same EU infrastructure as the database (see section 5.2).

Retention: for as long as the associated record exists. When a record is deleted (e.g. an offer or an appointment), the associated files are automatically removed as part of garbage collection.

8. Contacting us

When contacting us by email, phone, or a contact form, the voluntarily provided information is stored for the purpose of processing the request. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries) or Art. 6(1)(b) GDPR if the request is aimed at concluding a contract.

Your data is deleted after your request has been conclusively processed, provided that no statutory retention obligations oppose deletion.

9. Your rights as a data subject

If personal data is processed about you, you are a data subject within the meaning of the GDPR and have the following rights towards ARETI GmbH:

9.1 Right of access (Art. 15 GDPR)

You can ask us to confirm whether personal data concerning you is being processed. If such processing is taking place, you can request the information specified in Art. 15(1) GDPR, in particular the purposes of processing, categories of data processed, recipients, the planned retention period, and the existence of a right to lodge a complaint.

9.2 Right to rectification (Art. 16 GDPR)

You have the right to request rectification and/or completion if the processed personal data concerning you is inaccurate or incomplete.

9.3 Right to erasure (Art. 17 GDPR)

You can request the immediate erasure of the personal data concerning you if one of the grounds listed in Art. 17(1) GDPR applies and no statutory retention obligation opposes it.

9.4 Right to restriction of processing (Art. 18 GDPR)

Under certain conditions you can request the restriction of the processing of personal data concerning you.

9.5 Right to data portability (Art. 20 GDPR)

You have the right to receive personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format.

9.6 Right to object (Art. 21 GDPR)

You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you that takes place on the basis of Art. 6(1)(e) or (f) GDPR.

Objection to direct marketing: if your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing. If you object to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

9.7 Right to withdraw consent (Art. 7(3) GDPR)

You have the right to withdraw your consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of the consent up to the point of withdrawal.

9.8 Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you violates the GDPR.

The competent supervisory authority for ARETI GmbH is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany

Phone: +49 981 180093-0
Email: poststelle@lda.bayern.de
Website: https://www.lda.bayern.de

9.9 Exercising your rights

To exercise any of the above rights, please contact:

ARETI GmbH
datenschutz@areti.de
Saarstraße 7, 80797 München

We will review your request upon receipt and provide you with information on the measures taken in accordance with Art. 12(3) GDPR without undue delay and at the latest within one month of receipt. This period may be extended by a further two months if necessary, taking into account the complexity and number of requests.

10. Automated decision-making

Automated decision-making within the meaning of Art. 22 GDPR does not take place. Areti Core does not use algorithms that have legal effects on data subjects or similarly significantly affect them.

11. Data security

We use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction, or unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

Specific measures include, among others:

  • TLS 1.2 or higher for all data transmissions
  • AES-256 encryption for data at rest
  • Row-level security in the database for strict tenant isolation
  • OAuth tokens stored exclusively server-side, never in the browser
  • HMAC-SHA256-signed state parameters to protect OAuth flows against CSRF
  • Regular security reviews and updating of all dependencies
  • Access to production systems restricted to authorised personnel
  • Incident response process with notification obligations under Art. 33 GDPR

12. International data transfers

A transfer of personal data to countries outside the EU/EEA does not take place in regular operation, with the exception of the cases listed in section 7 (Zoom, ClickUp, and OpenAI where the US API is used). In these cases transfers take place exclusively on the basis of the mechanisms provided for in Art. 44 et seq. GDPR, in particular the European Commission's Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework.

13. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy from time to time so that it always complies with current legal requirements or reflects changes to our services, e.g. when new services are introduced. The new Privacy Policy then applies to your next visit.

Material changes will be communicated to customer company administrators by email at least 30 days before they take effect.

14. Contact

For questions about data protection, to exercise your rights, or to request a copy of our Data Processing Agreement please contact:

ARETI GmbH
Saarstraße 7, 80797 München
Germany

Email: datenschutz@areti.de
Phone: +49 89 215 368 590