Legal
ArvoFin Privacy Policy
For RIA Firms · Effective Date: June 17, 2026
ArvoFin, Inc. (“ArvoFin,” “we,” “our,” or “us”) provides software that helps registered investment advisory firms generate, deliver, and track client investment proposals. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices available to you.
Our role.ArvoFin is a service provider to advisory firms. For the financial and personal information that firms and their clients submit to the platform, the advisory firm is the data controller and ArvoFin processes that data on the firm’s behalf and under its instructions, as set out in our customer agreement and Data Processing Addendum. As a provider of services to financial institutions, ArvoFin handles nonpublic personal information consistent with applicable financial-privacy laws, including the Gramm-Leach-Bliley Act (GLBA), where applicable.
1. Information we collect
- Firm information — business name, address, contact details, AUM, CRM details, and custodian details.
- User information — names, titles, email addresses, and login credentials for advisor and admin users.
- Client financial information — financial statements and documents uploaded to the platform, and the structured data extracted from them (for example, account balances, holdings, and transaction data).
- Proposal and engagement data — generated proposals and proposal-view analytics, including which sections a recipient viewed and time spent (collected via engagement.arvofin.com).
- Platform usage data — IP address, browser type, device and log information, timestamps, and activity logs.
- Third-party integration data — data from tools your firm authorizes us to connect to, such as planning, aggregation, CRM, and custodial platforms.
2. How we use information
We use the information above to:
- Provide, maintain, secure, and improve proposal generation, portfolio analysis, analytics, and engagement workflows.
- Authenticate users and manage role-based access across your firm.
- Generate proposal content, portfolio analysis, and related platform outputs.
- Monitor usage, investigate issues, and protect the platform against misuse or security threats.
- Meet our contractual, legal, regulatory, and compliance obligations.
Automated processing / AI.ArvoFin uses AI-assisted processing to extract data from uploaded financial documents and to help generate proposal content. This processing is performed using a third-party AI sub-processor (see Section 4) that does not use ArvoFin’s submitted content to train its models. AI-assisted outputs may contain errors and are provided for review by the advisory firm; firms are responsible for reviewing and verifying outputs before use.
3. How we share information
We do not sell firm or client data. We disclose information only as needed to operate the platform or comply with law:
- To service providers and sub-processors operating under confidentiality and data-protection obligations who help us host, support, secure, or maintain the platform (see Section 4).
- To custodians, CRMs, data aggregators, or other tools your firm authorizes us to connect to.
- When required by law, subpoena, court order, or other legal or regulatory process.
- In connection with a merger, acquisition, financing, or other corporate transaction, subject to the protections of this policy.
4. Sub-processors
ArvoFin uses a limited set of sub-processors that may process customer data on our behalf. All are bound by data processing agreements and are assessed for security posture at least annually. Current sub-processors:
| Vendor | Service | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting, database, and object storage | United States (us-east-2, Ohio) |
| Anthropic, PBC | AI-assisted financial document parsing and proposal generation; does not train on submitted content | United States |
| Vanta, Inc. | Security compliance automation; may process evidence artifacts containing production data | United States |
A current list is maintained at /legal/subprocessors and updated when material changes occur. (A read-only market-data feed, EODHD, supplies market data and does not receive customer data.)
5. Data security
We protect data in transit and at rest using industry-standard controls, including TLS 1.3 encryption in transit, AES-256 encryption at rest, role-based access control, multi-factor authentication for internal systems, and continuous monitoring. See our Security page for detail.
6. Data residency
ArvoFin stores and processes customer data in the United States. We do not replicate customer data to regions outside the United States. The platform is intended for use in the United States; if you access it from another jurisdiction, you do so at your own risk and are responsible for compliance with local law.
7. Data retention and deletion
We retain firm and user data while your account is active and as needed to meet legal and regulatory obligations. Following account termination or a verified deletion request, customer data in production systems is deleted within 30 days and backup copies are purged within 60 days, except for records we are required to retain by law (for example, certain financial and audit logs retained for 7 years under FINRA Rule 4511 / SEC Rule 17a-4) or that are subject to a legal hold. Full detail is in our Data Deletion Policy.
8. Your rights and choices
Your firm may request access to, correction of, deletion of, export of, or portability of firm and user data, subject to legal and operational constraints. Because ArvoFin processes client financial data on behalf of advisory firms, requests from a firm’s end clients should be directed to the advisory firm; we support our firm customers in responding to such requests. To make a request, contact privacy@arvofin.com.
9. Changes to this policy
We may update this policy from time to time. Material changes will be reflected by an updated effective date and, where appropriate, additional notice to account administrators.
10. Contact
Questions about this policy or our data practices: privacy@arvofin.com.
Data Protection Officer: [name and title — to confirm]. ArvoFin, Inc., [registered business address — to confirm].