Transparency at Arthium
How data moves through Arthium
A plain-language explanation of local storage, optional cloud sync, connected services and the responsibilities of Arthium and each business.
Effective: July 17, 2026
Who is responsible for what
Data controller
Chooses what customer, vendor, staff, invoice, inventory, payment and delivery data is entered; manages permissions; sets retention; and responds to requests from its own customers and staff.
Service provider / processor
Processes account and workspace data to provide the features selected by authorised users, operate security controls, maintain the service and provide support.
Sub-processors
Provide limited hosting, authentication, storage, payment or distribution functions when the related Arthium service is enabled.
Data-processing map
| Data | Why it is processed | Where it goes | Typical retention |
|---|---|---|---|
| Account identity | Sign-in, tenant membership, roles, devices and session security. | Device and Firebase Authentication / tenant directory when cloud access is used. | While the account is active, then deleted or anonymised subject to security and legal needs. |
| Business profile and staff | Configure businesses, permissions, stores, documents and operational access. | Local device; tenant-scoped cloud workspace when sync is enabled. | Until an administrator deletes it or the workspace is deleted. |
| Customers, vendors and contacts | Create documents, manage balances, deliveries and business relationships. | Local device; authorised tenant workspace when sync is enabled. | Set by the business, including statutory record-keeping needs. |
| Sales, purchases, stock and payments | Billing, accounting, inventory, reporting, audit history and reconciliation. | Local device; authorised tenant workspace when sync is enabled. | Set by the business and applicable tax/accounting law. |
| Delivery and POD evidence | Dispatch tracking, proof of delivery and dispute handling. | Local device; Firebase Storage/tenant records when cloud evidence is uploaded. | Until removed by the business or the workspace is deleted, subject to disputes or law. |
| Device and diagnostics metadata | Security, reliability, troubleshooting and abuse prevention. | Device; limited operational services when a connected diagnostic or support action is used. | Only as long as needed for support, security and service reliability. |
| Subscription and payment references | Activate plans, reconcile billing and prevent payment abuse. | Arthium backend and Razorpay when subscription billing is enabled. | As required for billing, tax, fraud prevention and disputes. |
| Support communications | Investigate requests and maintain a support history. | Email provider and authorised Arthium support personnel. | For the request lifecycle and a reasonable follow-up or legal period. |
Connected providers
A provider receives only the information needed for the selected function and processes it under its own applicable terms and privacy commitments. Availability depends on which Arthium features the customer enables.
Security controls
- Authenticated access and role checks for protected cloud operations.
- Tenant-scoped database and storage rules.
- Encrypted network transport for connected services.
- Recent-authentication checks for destructive operations.
- Sanitised diagnostics designed to exclude secrets and raw business records.
Your choices and rights
- Keep the app local-only or enable optional cloud synchronization.
- Manage Android permissions through device settings.
- Request access to or correction of account information.
- Ask the business controller about records it entered into Arthium.
- Request eligible cloud account deletion through the deletion page.
Retention, deletion and transfers
Local records remain on each device until an authorised user removes, resets or restores them. Cloud records remain while the tenant workspace is active or as directed by the business controller. Verified deletion requests are handled under the published account deletion process. Limited records may remain where tax, accounting, security, fraud prevention, payment disputes or law require retention.
Infrastructure providers may process data in regions determined by their service configuration and contracts. Businesses should not enable cloud sync where their own legal or contractual requirements prohibit that processing.
Questions or data requests: email labsarthium@gmail.com. Do not include passwords, OTPs, card details or confidential business records in the first message.