Privacy Policy

1. SCOPE

This Privacy Policy applies to personal information collected, stored, used, disclosed and processed by Arist Holdings, Inc., together with our affiliate companies (collectively “Arist,” “we,” “us,” and “our”) in the course of our business, including our website located at http://arist.com/ (the “Site”) and our platform accessible via our Site that allows organizations or administrative users (“Admin Users”) to create online content (“Content”), which will be completed through text messages or such other messaging features offered by the Services, with individual users that enroll in such Content (“Learner Users”), as well as our related offerings. To make this Privacy Policy easier to read, the Site and our platform, services and related offerings are collectively called the “Services.”

Your privacy is important to us, and we are strongly committed to making our practices regarding your personal information transparent and fair. Please read this Privacy Policy carefully and make sure that you fully understand and agree to it. If you do not wish to provide us with such personal information, or to have it processed by us or any of our affiliates or service providers, please do not access or use the Services. You may also choose not to provide us with certain “optional” personal information, but please keep in mind that without it, we may not be able to provide you with the full range of our Services or with the best user experience when using our Services.

Capitalized terms not defined in this Privacy Policy have the meaning set forth in our Terms of Service Agreement at https://arist.com/legal/terms-of-service or any successor URL (“Agreement”). Please review that Agreement, as it governs your access and use of the Services.

2. PERSONAL INFORMATION WE COLLECT

The categories of personal information we collect depend on how you interact with our Services.

a. Information You Provide to Us

Learner User Account. When you register to be a Learner User, as part of the Account setup process, we collect personal information from you including without limitation your name, email address and phone number. We also collect information about your interests.

Admin User Account. When you are registered as an Admin User by your organization, we collect personal information such as name, email address, phone number and role or skill set information relevant to content creation.

Your Communications with Us. When you request information about our Services, sign up for marketing from us, register for our newsletter, request a demo or otherwise communicate with us directly, we collect personal information such as your email address, phone number or mailing address. By providing this information in these contexts, you consent to receiving informational and marketing communications from us. You agree that any notices, agreements, disclosures or other communications that we send electronically will satisfy any legal communication requirements, including that those communications be in writing. For more information about marketing communications, including how to opt out, please see Section 5 or contact us at privacy@arist.com. This Section does not apply to Learner Users receiving content through their organization; content delivery communications are governed by the following subsection (“Content Delivery Communications”) and Section 15.

Content Delivery Communications. Learner Users may be enrolled directly (such as by texting a keyword) or by their organization. Content is delivered through messaging channels selected during enrollment, which may include SMS, email and other messaging platforms.

If content is delivered via SMS, we obtain your consent to receive automated text messages at the mobile phone number provided during enrollment, and you may opt out at any time by replying “STOP” to a text message you have received from us or by otherwise contacting us. If content is delivered via email, such messages are intended to be transactional, relationship or educational content-delivery communications rather than Arist marketing emails; however, you may opt out of content delivery at any time by following the instructions in the message or contacting your organization.

These communications are delivered on behalf of the organization that enrolled you and are separate from any marketing communications from Arist. See Section 15 for additional details on our text messaging program, including how to opt out.

Surveys. We may contact you to participate in surveys. If you decide to participate, you may be asked to provide certain information, which may include personal information.

Interactive Features. We may offer interactive features such as the Content Library, messaging and chat features, collaboration and commenting functionalities, blogs and social media pages. We and others who use our Services may collect the information you submit or make available through these interactive features. Any content you provide on the public sections of these features will be considered “public” and is not subject to the privacy protections referenced herein.

Conferences, Trade Shows, and Other Events. We may attend conferences, trade shows, and other events where we collect personal information from individuals who interact with or express an interest in Arist and/or the Services. If you provide us with any information at one of these events, we will use it for the purposes for which it was collected.

Business Development and Job Applications. We may collect personal information from individuals and third parties to assess and pursue potential business opportunities. In addition, from time to time we may post job openings and opportunities on the Services. If you reply to one of these postings by submitting your application, CV and/or cover letter to us, we will collect and process the information contained therein to assess your suitability, aptitude, skills and qualifications for employment with Arist.

Demo Requests and Sales Inquiries. When you request a Services demonstration, consultation or contact our sales team, we collect your name and job title, business email address and phone number, company name and size, information about your interest in our Services, and any additional information you provide in the demo request form or during our communications. We use this information to respond to your inquiry and schedule demonstrations, provide information about our Services, send you marketing communications about our products (you may opt out at any time), and improve our sales and marketing processes. This information may be shared with our sales and customer success teams and with service providers who assist with CRM, email marketing, and sales operations. A current list of our sub-processors is maintained at https://arist.com/legal/sub-processors. We retain demo request information as described in Section 6, or until you request that we delete it, whichever comes first.

Sensitive Personal Information. We do not knowingly collect sensitive personal information as defined by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”) and similar state laws. This includes precise geolocation data, Social Security numbers, driver's license numbers, financial account information, health information, biometric information, or information concerning an individual’s sex life or sexual orientation. If you believe we have inadvertently collected such information, please contact us immediately at privacy@arist.com.

b. Information Collected Automatically

Automatic Data Collection. We may collect certain information automatically when you use the Services. This information may include your Internet protocol (IP) address, user settings, MAC address, cookie identifiers, mobile advertising and other unique identifiers, details about your browser, operating system or device, location information (including inferred location based on your IP address), Internet service provider, mobile carrier, the Content you enroll in and details about your interactions with such Content, pages that you visit before, during and after using the Services, information about the links you click, information about how you interact with the Services, including the frequency and duration of your activities, and other information about how you use the Services. If you access our Services through a mobile application, we may also collect device model, operating system version, mobile carrier information, push notification tokens, app usage analytics and crash or performance data. We do not collect precise geolocation information.

Cookies, Pixel Tags/Web Beacons, and Analytics Information. We, as well as third parties that provide content, advertising, or other functionality on the Services, may use cookies, pixel tags, local storage, and other technologies (“Technologies”) to automatically collect information through the Services. Technologies are essentially small data files placed on your device that allow us and our partners to record certain pieces of information whenever you visit or interact with our Services.

● Cookies. Cookies are small text files placed in device browsers to store their preferences. Most browsers allow you to block and delete cookies. However, if you do that, the Services may not work properly.
● Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in the Services that collects information about engagement on the Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may also include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.
● Mobile SDKs and Analytics Libraries. Our mobile applications may include third-party software development kits (SDKs) and analytics libraries that collect usage data, performance metrics and crash reports. These function similarly to cookies and pixel tags in web-based services. A current list of our third-party service providers, including mobile analytics providers, is maintained at https://arist.com/legal/sub-processors.

Our uses of these Technologies fall into the following general categories:

● Operationally Necessary. This includes Technologies that allow you access to our Services, applications, and tools that are required to identify irregular behavior, prevent fraudulent activity and improve security or that allow you to make use of our functionality;
● Performance Related. We may use Technologies to assess the performance of our Services, including as part of our analytic practices to help us understand how our users and visitors access or use the Services;
● Functionality Related. We may use Technologies that allow us to offer you enhanced functionality when accessing or using our Services. This may include identifying you when you sign into our Services or keeping track of your specified preferences, interests, or past items viewed;
● Content Personalization. We may use first-party or service-provider technologies to personalize educational content and improve content delivery based on activity on our Services. We do not use personal information collected through the Services for cross-context behavioral advertising or targeted advertising, and we do not track Learner Users across third-party websites or services for advertising purposes;
● Analytics. We use third-party analytics services to collect and process analytics information on our Services, including session replay and usage analytics. A current list of our analytics providers is maintained at https://arist.com/legal/sub-processors. You may be able to opt out of certain analytics processing by using opt-out mechanisms provided by the applicable service provider or by adjusting your browser settings.

Content Engagement Tracking. When you interact with content delivered through our Services, we collect engagement metrics on behalf of the organization that enrolled you, including:

• Message delivery status;
• Message open/read status and timestamps;
• Time spent viewing Content;
• Response content, response rates and completion metrics; and
• Device and platform information associated with Content interactions.

We use this information to measure content effectiveness, improve delivery and analyze responses to identify areas where additional explanation may be needed, and to provide engagement analytics to Admin Users and organizational administrators.

c. Information from Other Sources

We may obtain information about you from other sources, including from third-party services and organizations. For example, if you authenticate to our Services using a third-party identity provider (such as Google or your organization's single sign-on provider), we may receive profile information such as your name and email address from that provider. If your organization uses a third-party integration to enroll Learner Users or synchronize user data with our Services, we may receive personal information through that integration. The categories of information we receive depend on the identity provider or integration and your organization's configuration.

3. HOW WE USE YOUR INFORMATION

We use your personal information for a variety of business purposes, including:

a. To Provide the Services or Information Requested, such as:

● Fulfilling our Agreement with you;
● Recommending Content to you based on your interests;
● To send you informational text messages related to the content you’re enrolled in;
● Responding to questions, comments and other requests;
● Allowing you to register for events;
● Providing access to certain areas, functionalities and features of our Services; and
● Answering requests for customer or technical support.

b. Administrative Purposes, such as:

● Pursuing legitimate interests, such as direct marketing to website visitors and business contacts (we will never use your phone number for marketing purposes), research and development, network and information security, and fraud prevention;
● Measuring interest and engagement in our Services;
● Improving or troubleshooting the Services;
● Developing new products and services;
● Ensuring internal quality control and safety;
● Authenticating and verifying individual identities;
● Carrying out audits;
● Communicating with you about your account, activities on our Services and Privacy Policy changes;
● Preventing and prosecuting potentially prohibited or illegal activities;
● Enforcing our agreements; and
● Complying with our legal obligations.

c. Marketing Our Products and Services. We may use personal information collected from website visitors, demo requesters and business contacts (excluding phone numbers) to send marketing communications about our products and Services. We may use first-party and service-provider tools to measure and improve our marketing communications and website performance. We do not use Learner User personal information collected through the Services for cross-context behavioral advertising or targeted advertising purposes. If you have any questions about our marketing practices or would like to opt out, you may contact us at any time at privacy@arist.com.

d. B2B Marketing and Sales Communications. If you submit a demo request or sales inquiry, we may use your business contact information to send you marketing communications about our Services, including updates and new feature announcements, educational content and resources, event invitations and promotional offers. You may opt out of marketing communications at any time by clicking "unsubscribe" in any email or by contacting privacy@arist.com. Please note that you will continue to receive transactional communications related to any active service relationship.

e. Consent. We may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information or with your consent.

f. Use De-identified and Aggregated Information. We may use personal information and other data about you to create de-identified and aggregated information, such as de-identified demographic information, de-identified location information, information about the device from which you access our Services or other analyses we create. De-identified and aggregated information is not personal information, and we may use and disclose such information in a number of ways, including research, internal analysis, analytics and any other legally permissible purposes.

g. Share Content with Friends or Colleagues. Our Services may offer various tools and functionalities. For example, we may allow you to provide information about your friends through our referral services. Our referral services may allow you to forward or share certain content with a friend or colleague, such as an email inviting your friend to use our Services.

h. Automated Processing and AI-Assisted Delivery.

Content Delivery. We use automated systems, including artificial intelligence, to support the delivery and effectiveness of content on behalf of Admin Users and organizational administrators. These automated processes are used exclusively for educational content delivery and service improvement and are not used for marketing, advertising profiling or decisions that produce legal or similarly significant effects. Specifically, we may use engagement data and AI-driven systems to:
• Trigger reminder messages if content has not been viewed within a specified period;
• Adjust the timing and sequencing of content delivery based on engagement patterns;
• Analyze learner responses to identify areas where a learner may need additional explanation, and deliver follow-up content or clarifying messages based on that analysis;
• Generate completion notifications based on participation thresholds; and
• Optimize message delivery windows to improve content completion rates.

These automated processes operate within the scope of content delivery as directed by the Admin User or organization. They do not evaluate your fitness for employment, creditworthiness or eligibility for any benefit or service.

Marketing and Business Operations. We may use automated tools to manage our own marketing communications, such as optimizing email send times or segmenting our prospect communications. These activities do not involve profiling that produces legal or similarly significant effects and apply only to individuals who have interacted with our website or sales team, not to Learner Users receiving content.

You may contact us at privacy@arist.com with questions about our automated processing practices.

4. DISCLOSING YOUR INFORMATION TO THIRD PARTIES

We may share your personal information with the following categories of third parties:

a. Your Organization and Admin Users. Learner Users are enrolled through an organization that has subscribed to our Services. As part of providing the Services, we share your personal information, including enrollment status, engagement data and completion records, with Admin Users and organizational administrators authorized by your organization. This sharing is part of our service delivery on behalf of your organization and is governed by our agreement with them.

b. Learner User Engagement Data. If you are enrolled in Content by your employer or organization, we share engagement analytics with them, including individual-level metrics such as message open rates, completion rates, response times, and participation levels. This allows the organization to assess training effectiveness and individual progress. This data is processed on behalf of your organization in accordance with our Data Processing Addendum.

c. Third-Party Messaging Platforms. If you interact with Content via a third-party SNS platform (e.g., Meta/Facebook Messenger or WhatsApp), the third-party messaging platform can collect and use any information you provide via that channel in accordance with its terms of service and privacy policy. We do not control third-party messaging platforms and we are not responsible for their privacy or security practices. You provide information to third-party messaging platforms at your own risk.

d. Service Providers. We may share any personal information that we collect about you with our third-party service providers. The categories of service providers to whom we entrust personal information include service providers for: (i) the provision of the Services; (ii) the provision of information, products, and other services you have requested; (iii) marketing and advertising (no phone number data will be shared); (iv) payment and transaction processing; (v) customer service activities; and (vi) the provision of IT and related services. A current list of our data sub-processors is maintained at https://arist.com/legal/sub-processors.

e. Business Partners. We may provide personal information to business partners to provide you with a product or service you have requested. We may also provide personal information to business partners with whom we jointly offer products or services.

f. Affiliates. We may share personal information with Arist’s affiliated entities.

g. APIs and Software Development Kits. We may use third party APIs and software development kits (“SDKs”) as part of the functionality of our Services. For more information about our use of APIs and SDKs, please contact us as set forth below.

h. Disclosures to Protect Us or Others. We may access, preserve, and disclose to external parties any information we store in association with you if we, in good faith, believe that doing so is required or appropriate to: (i) comply with law enforcement or national security requests and legal process, such as a court order or subpoena; (ii) protect your, our, or others’ rights, property or safety; (iii) enforce our policies or contracts; (iv) collect amounts owed to us; or (v) assist with an investigation and prosecution of suspected or actual illegal activity.

i. Disclosure in the Event of Merger, Sale, or Other Asset Transfer. If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, then your information may be sold or transferred as part of such a transaction, as permitted by law and/or contract.

j. SMS/Text Messaging Data – No Third-Party Sharing. Notwithstanding anything to the contrary herein, personal information collected in connection with your enrollment or participation in our SMS/text messaging program, including your mobile phone number, opt-in consent and any related messaging data, will not be sold, rented, shared or otherwise disclosed to any third party for their own marketing or other independent purposes. All other categories of personal information described in this Section 4 similarly exclude text messaging originator opt-in data and consent; such information will not be shared with any third parties, except as necessary to facilitate message delivery through our carriers, aggregators and messaging service providers who act solely on our behalf.

5. YOUR CHOICES

You may be able to opt out of certain uses of your personal information.

a. Email Communications. If you receive an unwanted marketing email from us, you may use the unsubscribe link found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transactional communications regarding the Services. We may also send you certain non-promotional communications regarding us and our Services, and you will not be able to opt out of those communications (e.g., communications regarding the Services or updates to our Terms of Service or this Privacy Policy). Educational content delivered via email on behalf of your organization is not a marketing communication; to opt out of content delivery, contact your organization or follow the instructions provided in the content itself.

b. Text Messages. You may opt out of receiving text messages by replying "STOP" to a text message you have received from us or by otherwise contacting us.

c. “Do Not Track” (“DNT”) and “Global Privacy Control” (“GPC”). DNT is a privacy preference that users can set in certain web browsers. We recognize and honor GPC signals as valid requests to opt out of the sale or sharing of personal information where required by applicable state law. We do not currently respond to browser-based DNT signals.

d. Cookies and Similar Technologies. You may stop or restrict the placement of Technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, please note that blocking certain Technologies may impact your experience on our Services. We do not use personal information collected through the Services for interest-based advertising, targeted advertising or cross-context behavioral advertising. For information about how we use cookies and similar Technologies, see Section 2b above.

e. Mobile Applications. If you access our Services through a mobile application, you can manage push notifications and app permissions through your device settings. Disabling certain permissions may limit the functionality of the mobile application.

6. DATA RETENTION

We (and our authorized service providers) store the personal information we receive as described in this Privacy Policy for as long as you use our Services or as reasonably necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes (i.e., as required by laws applicable to log-keeping, records and bookkeeping, and in order to have proof and evidence concerning our relationship, should any legal issues arise following discontinuance of use), establish legal defenses, pursue legitimate business purposes, enforce our agreements and comply with applicable laws.

Retention periods vary depending on your relationship with us and the type of information:

• Content and Learner Data. Learner Users are enrolled through an organization that has subscribed to our Services. We retain Learner User personal information, including enrollment records, engagement data, responses and completion records, for the duration of the organization's agreement with us. Following termination of that agreement, we will delete or return this data in accordance with our Data Processing Addendum, typically within 30 days of the organization's request. We may retain de-identified or aggregated data derived from content interactions beyond this period.
• Demo Request and Sales Inquiry Data. For 2 years from the date of your inquiry, or until you request deletion, whichever comes first.
• Customer Support Communications. For 5 years after resolution.
• Payment Information. For 7 years to comply with tax and financial regulations.
• Marketing Communications Data. Until you opt out of marketing communications. After opt-out, we retain your contact information on a suppression list for up to 2 years to ensure we honor your opt-out preference.
• Account Information. For the duration of your account plus 7 years after account closure, to support audit, legal, and compliance requirements.
• Legal and Compliance Records. As required by applicable law, typically 7–10 years.

Please note that except as required by applicable law or our specific agreements with you, we will not be obligated to retain personal information for any particular period, and we are free to securely delete it or restrict access to it for any reason and at any time, with or without notice to you. If you have any questions about our data retention policy, or if you wish to request that we stop processing or delete your Personal Data (see GDPR section below), please contact us by e-mail at privacy@arist.com.

7. SECURITY OF YOUR INFORMATION

We use industry-standard physical, procedural and technical security measures, including encryption as appropriate, to ensure that your information is treated securely and in accordance with this Privacy Policy. However, please be aware that regardless of any security measures used, we cannot and do not ensure, guarantee or warrant the absolute security of any information you provide to us or to any third parties as described herein. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized disclosure.

By using the Services or providing personal information to us, you agree that we may communicate with you electronically regarding security, privacy and administrative issues relating to your access to and use of the Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on the Services, by mail or by sending an email to you.

8. THIRD PARTY WEBSITES/APPLICATIONS

The Services may contain links to other websites/applications, and other websites/applications may reference or link to our Services. These third-party services are not controlled by us. We encourage our users to carefully read the privacy policies and other applicable terms and policies of each third-party website and application with which they interact. Subject to the terms herein, we do not endorse, screen or approve, and we are not responsible for, the privacy practices or content of such other websites or applications. You provide personal information to third party websites or applications at your own risk.

9. CHILDREN’S INFORMATION

The Services are not directed to individuals under the age of 18 (or under 16 in certain jurisdictions such as the European Economic Area (“EEA”) and United Kingdom (“UK”), and we do not knowingly collect personal information from children under the applicable age threshold. If you learn that your child has provided personal information to us without your consent, you may contact us by e-mail at privacy@arist.com or as otherwise set forth below. If we learn that we have collected a child’s personal information in violation of applicable law, we will promptly take steps to delete such information and terminate the child’s account.

10. INTERNATIONAL DATA TRANSFERS

All information processed by us may be transferred, processed, and stored anywhere in the world, including but not limited to, the United States or other countries, which may have data protection laws that are different from the laws where you live. As explained in further detail herein, we endeavor to safeguard your information consistent with the requirements of applicable laws.

For transfers from the EU/EEA, UK and Switzerland to the United States and other jurisdictions, we rely on the following legal mechanisms:

• Standard Contractual Clauses (“SCCs”): We use the European Commission-approved Standard Contractual Clauses for transfers to countries not deemed adequate by the European Commission.
• Adequacy Decisions: Where the European Commission or UK authorities have determined a country provides adequate protection, we may transfer data on that basis.

11. GDPR

Arist's role under the EU’s General Data Protection Regulation (“GDPR”) and UK GDPR depends on your relationship with us. Arist is the "controller" of Personal Data that we collect directly from website visitors, demo requesters, and marketing contacts, and that Arist uses for the purposes of our business. For Learner Users and other Users of the Services, all of whom access the Services through an organization that has subscribed to our Services, Arist acts as the data "processor" and processes Personal Data on behalf of that organization, as governed by our Data Processing Addendum. Where Arist acts as a data processor, requests to exercise your rights under this section should be directed to your organization.

Under GDPR, the main legal bases that we rely on to process Personal Data collected by the Services include the following:

● Necessary for entering into, or performing, an agreement: to perform obligations that Arist undertakes in providing Services to you, or to take steps at your request to enter into an agreement with Arist, it will be necessary for us to process your Personal Data;
● Necessary for compliance with a legal obligation: Arist is subject to certain legal requirements which may require processing of your Personal Data. Arist may also be obligated to disclose your Personal Data to a regulatory body or law enforcement agency;
● Necessary for the purposes of legitimate interests: either Arist, or a third party, will need to process your Personal Data for the purposes of Arist’s (or a third party’s) legitimate interests, provided that Arist has established that those interests are not overridden by your rights and freedoms, including your right to have your Personal Data protected. Arist’s legitimate interests include responding to requests and enquiries from you or a third party, optimizing our Site, platforms and client experience, informing you about our products and Services and ensuring that our operations are conducted appropriately and efficiently; and
● Consent: in some circumstances, Arist may ask for your consent to process your Personal Data in a specific way.

Where Arist acts as a data processor, the legal basis for processing is established by the organization (the data controller), not by Arist. Arist processes Personal Data solely in accordance with our Data Processing Addendum and the documented instructions of the organization.

As noted herein, Arist will share your Personal Data with trusted third parties where we have retained them to provide services that you or our clients have requested, and to perform maintenance or respond to technical issues involving the Services (“sub-processors”). A current list of our sub-processors, describing the services they provide and where they are located, is maintained at https://arist.com/legal/sub-processors. Where Arist discloses Personal Data to third parties, we require minimum standards of confidentiality and data protection. To the extent that your Personal Data is transferred outside of the EEA or UK or accessed from outside the EEA or UK, we will ensure that approved safeguards are in place to comply with GDPR and UK GDPR, such as the SCCs or adequacy decisions. In limited circumstances, transfers of Personal Data may be based on context-specific derogations which permit transfers in the absence of safeguards, such as where a transfer is necessary for the establishment, exercise or defense of legal claims.

As also noted herein, Arist will retain your Personal Data for the time necessary to provide the Services or to achieve other purposes set forth in this Privacy Policy. To request that Arist stop processing or delete your Personal Data, please contact us by e-mail at privacy@arist.com.

You have the following rights in relation to the Personal Data that Arist holds about you, which rights you may exercise by emailing us at privacy@arist.com. Arist will require evidence of your identity before being able to act upon your request. We will respond to your request within one (1) month, though we may extend this period by two (2) additional months where necessary, taking into account the complexity and number of requests.

● You have the right to request confirmation of whether we are processing your Personal Data.
● You have the right to ask for a copy of your Personal Data. With good reason, and if the GDPR permits, we can refuse your request in whole or in part. If we do refuse, we will provide our reasons for the refusal.
● In certain situations, with respect to Personal Data you have previously provided to us, and that we process by automated means, you have the right to receive an electronic copy in a structured, commonly used and machine-readable format. You may request that we transmit this information to you or to another company (i.e., the right of data portability).
● In certain situations, you have the right to object to or restrict our uses of your Personal Data (for example, if we are processing your Personal Data on the basis of our legitimate interests and there are no compelling legitimate grounds for our processing which override your rights and interests, or if you object to use of your Personal Data for purposes of direct marketing). You may also be entitled to restrict our use of your Personal Data (for example, where you have challenged the accuracy of the Personal Data and while we are verifying its accuracy). To request that Arist stop processing or delete your Personal Data, please contact us by e-mail at privacy@arist.com.
● You have the right to seek correction or amendment of Personal Data that is inaccurate, untrue, outdated or incomplete.
● In certain situations, you have the right to request erasure of your Personal Data (for example, if the Personal Data is no longer necessary for the purposes for which it was collected or processed, or if our processing is based on your consent and there is no other legal basis for us to process the Personal Data).

You have the right to withdraw consent at any time where we are relying on consent to process your Personal Data. This will not affect the lawfulness of any processing carried out before you withdraw your consent.

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the processing is necessary for entering into or performing a contract, is authorized by law, or is based on your explicit consent. As described in Section 3h, Arist uses automated systems to support content delivery and engagement optimization; these processes do not produce legal or similarly significant effects.

If you are located in the EEA or the UK, you have the right to lodge a complaint with a supervisory authority. You can find the contact information for your relevant data protection authority on the European Data Protection Supervisor's website at https://www.edps.europa.eu/data-protection or for the UK, the Information Commissioner’s Office at https://ico.org.uk.

12. CALIFORNIA RESIDENTS

This section applies only to our processing of personal information that is subject to the CCPA.

Categories of Personal Information We Collect:

In the preceding 12 months, we have collected the following categories of personal information:

Arist does not sell or share personal information for cross-context behavioral advertising. Where a Learner User is enrolled in Content by or through an employer, customer or other sponsoring organization, Arist may disclose relevant personal information to that organization in connection with providing and administering the Content.

Sensitive Personal Information: We do not collect, use or disclose sensitive personal information.

Your CCPA Rights: The CCPA provides California residents with specific rights regarding their personal information. These rights include:

● The Right to Know: You have the right to request that we disclose the following information covering the 12 months preceding your request:

• The categories and specific items of personal information we collected about you
• The categories of sources from which we collected the personal information
• The business or commercial purpose for collecting, selling or sharing personal information
• The categories of third parties to whom we disclosed personal information
• The categories of personal information we sold or shared, and the categories of third parties to whom we sold or shared it
• The categories of personal information that we disclosed for a business purpose

Our purposes for collecting and using this information are described in Section 3 above.

● The Right to Deletion: You have the right to request the deletion of your personal information, subject to certain exceptions permitted by law.
● The Right to Correction: You have the right to request that we correct inaccurate personal information that we maintain about you.
● The Right to Non-Discrimination: You have the right not to be discriminated against for exercising your CCPA rights.
● The Right Regarding Sale or Sharing of Information: You have the right to opt out of the "sale" or "sharing" of your personal information. Under the CCPA’s broad definition, Arist does not "sell" or “share” personal information as defined by the CCPA.
● The Right to Limit Use of Sensitive Personal Information: Arist does not collect sensitive personal information (e.g., biometric, precise geolocation, health data).
● The Right to Opt-Out of Automated Decision-Making: Arist uses automated systems to support content delivery timing and engagement as described in Section 3h. These automated processes do not produce legal or similarly significant effects and are limited to educational content delivery. To the extent required by applicable law, you may contact privacy@arist.com to learn more about or opt out of specific automated processing activities.
● Retention: We retain personal information as described in Section 6 above.

How to Exercise Your Rights: To exercise your right to know, right to deletion, right to correction or other rights described above, you or your authorized agent may submit a verifiable request by emailing us at privacy@arist.com, by calling our toll-free number at (855) 901-0697, or by submitting a request through our webform at arist.link/privacy-portal.

Verification Process: To verify your identity, we may require you to: (1) provide your email address and phone number associated with your account, (2) confirm recent account activity and/or (3) provide additional information depending on the sensitivity of the personal information requested.

For requests for specific pieces of personal information, we may require you to provide a declaration, signed under penalty of perjury, that you are the consumer whose personal information is the subject of the request.

Authorized Agents: You may designate an authorized agent to make a CCPA request on your behalf by: (1) providing that authorized agent written permission signed by you, (2) verifying your identity directly with us, or (3) providing proof that the agent is authorized to act on your behalf (such as a power of attorney).

Response Timing: We will respond to verified requests within 45 days after we receive the request. If we require more time (up to an additional 45 days), we will inform you in writing of the reason and the extension period.

Financial Incentives: We do not offer financial incentives or price or service differences for the collection, retention, sale or sharing of personal information.

Data Broker Registration: We are not registered as a data broker with the California Attorney General.

13. OTHER U.S. STATE PRIVACY RIGHTS

Applicability: This section applies to residents of Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, Virginia and other U.S. states with comprehensive consumer privacy laws (collectively, "State Privacy Laws").

Your Rights: If you reside in a state with applicable State Privacy Laws, you have the following rights regarding your personal information:

• Right to Confirm: You have the right to confirm whether we are processing your personal information.
• Right to Access: You have the right to access your personal information that we have collected.
• Right to Correct: You have the right to correct inaccuracies in your personal information, taking into account the nature of the personal information and the purposes of processing.
• Right to Delete: You have the right to request deletion of your personal information that we have collected, subject to certain exceptions.
• Right to Data Portability: You have the right to obtain a copy of your personal information in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance.
• Right to Opt-Out: You have the right to opt out of (1) the processing of personal information for purposes of targeted advertising, (2) the sale of personal information, (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How We Use Personal Information:

• Targeted Advertising: We do not process personal information for targeted advertising purposes.
• Sale of Personal Information: We do not sell personal information in the ordinary sense of exchanging it for money. We also do not sell personal information as defined under applicable State Privacy Laws.
• Profiling: We use automated systems to support educational content delivery as described in Section 3h; these processes do not evaluate personal aspects such as economic situation, health, preferences, or behavior for purposes unrelated to content delivery. We do not use profiling in furtherance of decisions that produce legal or similarly significant effects, such as decisions about eligibility for employment, housing, education, lending, insurance, healthcare or essential goods or services.

Sensitive Personal Information: We do not collect sensitive personal information as defined under applicable State Privacy Laws.

How to Exercise Your Rights: To exercise your right to know, right to deletion, right to correction, or other rights described above, you or your authorized agent may submit a verifiable request by emailing us at privacy@arist.com, by calling our toll-free number at (855) 901-0697, or by submitting a request through our webform at arist.link/privacy-portal.

We will respond to your request within 45 days after we receive it. If we require more time (up to an additional 45 days), we will inform you in writing of the reason and the extension period.

Verification: To verify your identity, we may require you to: (1) provide your email address and phone number associated with your account, (2) confirm recent account activity and/or (3) provide additional information depending on the sensitivity of the personal information requested.

Authorized Agents: You may designate an authorized agent to make a CCPA request on your behalf by: (1) providing that authorized agent written permission signed by you, (2) verifying your identity directly with us, or (3) providing proof that the agent is authorized to act on your behalf (such as a power of attorney).

Appeals: If we decline to take action regarding your request, you have the right to appeal our decision. To appeal, please email privacy@arist.com with "Privacy Rights Appeal" in the email subject line. We will respond to your appeal within 60 days. If we deny your appeal, we will provide you with information about how to contact your state attorney general to submit a complaint.

Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights, including by: (1) denying you goods or services, (2) charging you (or suggesting you will receive) different prices or rates for goods or services, or (3) providing you (or suggesting you will receive) a different level or quality of goods or services.

14. CHANGES TO OUR PRIVACY POLICY

We may update and amend this Privacy Policy from time to time in our sole discretion. If there are any material changes to this Privacy Policy, we will notify you as required by applicable law by: (1) posting a notice on our Site, (2) sending an email to the address associated with your account, and/or (3) providing notice via the Services.

You can review the most current version of this Privacy Policy at any time by visiting https://arist.com/legal/privacy-policy. We will indicate at the top of the Privacy Policy the date it was last updated. You understand and agree that you will be deemed to have accepted the updated Privacy Policy if you continue to use the Services after the new Privacy Policy takes effect.

Material Changes: For material changes, we will provide at least 30 days' notice before the new Privacy Policy becomes effective. Material changes include changes to: (1) the categories of personal information we collect, (2) the purposes for which we use personal information, (3) the categories of third parties with whom we share personal information and/or (4) your rights regarding your personal information.

15. OUR TEXT MESSAGING PROGRAM POLICY

Consent and Enrollment: By enrolling in Content, you expressly consent under the TCPA to receive automated text (short message service or “SMS”) messages from Arist related to that Content. This consent is not a condition of purchase or enrollment; but it is necessary to receive content via SMS messages. After enrolling in Content, you can expect to receive SMS messages each day for the duration of the Content delivery period. Each message will be educational in nature and will be no longer than 1,200 characters in length.

Message Frequency and Cost: Message frequency varies by Content but typically ranges from 2 to 10 messages per day during active delivery periods. Message and data rates may apply depending on your mobile carrier plan. For questions about charges, contact your wireless service provider.

Opting Out: You may cancel the SMS service at any time. Just text "STOP" in reply to a text message you have received from us or by otherwise contacting us. After you send the SMS message "STOP" to us, we will send you an SMS message to confirm that you have been unsubscribed. After this, you will no longer receive SMS messages from us. If you want to join again, just sign up as you did the first time and we will start sending SMS messages to you again.

Support: If you are experiencing issues with the messaging program, you may reply to a text with the keyword HELP for more assistance, or you may contact us directly for help at support@arist.com or privacy@arist.com.

Supported Carriers: Compatible carriers include major U.S. carriers, such as AT&T, Verizon, T-Mobile and Sprint, and may also include certain regional, prepaid and international carriers. Carrier support may vary by message type, destination and delivery method. Carriers are not liable for delayed or undelivered messages.

Privacy: Your mobile phone number and SMS message content are governed by this Privacy Policy. We will not share your mobile phone number with third parties for their marketing purposes without your express consent.

Terms: By participating in our text messaging program, you also agree to our Terms of Service at https://arist.com/legal/terms-of-service.

16. CONTACT US

If you have any questions about our privacy practices or this Privacy Policy, or if you wish to submit a request to exercise your rights as detailed in this Privacy Policy, please contact us at:

Arist Holdings, Inc.
2261 Market Street, #4320
San Francisco, CA 94114
Email: privacy@arist.com
Toll-Free Phone: (855) 901-0697
Web: https://arist.com/

Data Protection Officer:
Scott Willson, privacy@arist.com

APPENDIX A: CHANGE LOG

Current Version – May 29th, 2026

• Clarified data controller/processor roles under GDPR based on user relationship

• Added AI-assisted content delivery and automated processing disclosure (Section 3h)

• Updated data retention schedule to align with Data Processing Addendum

• Added framing paragraph distinguishing marketing and product processing contexts

• Removed advertising partner provisions and interest-based advertising opt-outs

• Updated terminology from "Author" to "Admin User" and "Course" to "Content"

• Added explicit SMS/text messaging no-third-party-sharing provision (Section 4j)

• Added toll-free number and webform for privacy rights requests

• Clarified content delivery communications are educational, not marketing

• Added mobile application data collection and permissions disclosures

• Updated CCPA section to reflect CPRA amendments

• Added comprehensive state privacy rights section for Colorado, Connecticut, Utah, Virginia and other states

• Enhanced GDPR-compliance provisions

• Added GPC signal recognition

• Expanded data retention schedule, with specific timeframes

• Added sensitive personal information disclosures

• Enhanced automated decision-making transparency

• Updated international transfer mechanisms

• Added correction and portability rights

• Further clarified consent provisions for text (SMS) messaging

• Added table (categories of personal information) for California residents

• Updated third-party disclosure categories

• Clarified verification procedures

• Added appeals process

• Clarified sale/sharing definitions and opt-out mechanisms

Prior Version – September 6, 2022

https://arist.com/legal/privacy-policy-09-06-22

• Added cookie categories

• Clarified data retention practices

• Updated security practices

• Added international data transfer disclosures

• Added GDPR-compliance provisions

• Clarified text (SMS) messaging program policy

Initial Version – September 27, 2020