Privacy Policy Ares Agent Governance Platform

1 Scope and Applicability

This Policy applies to:

• All personal information collected from or about individuals who interact with the Platform, including employees and agents of enterprise customers ("Customer Personnel");
• Information collected through the Azure Marketplace listing, our website, and related documentation portals;
• Information processed on behalf of enterprise customers in our capacity as a data processor or service provider.

This Policy does not apply to information processed solely within a customer's own Azure tenant environment where Ares Networks acts solely as a subprocessor with no independent data access.

2 Definitions

Agentic AI System

An autonomous or semi-autonomous AI system that perceives inputs, makes decisions, executes multi-step workflows, and interacts with external tools or APIs with limited human intervention per action.

Audit Log Data

Structured records generated by the Platform documenting agent decisions, invoked tools, data accessed, and actions taken, used for governance and compliance purposes.

Customer

The enterprise or organization that has subscribed to the Platform through Azure Marketplace and accepted our Terms of Service.

Customer Personnel

Employees, contractors, and authorized users of a Customer whose personal information may be processed in connection with the Platform.

Personal Information

Any information about an identifiable individual as defined under PIPEDA, or "personal data," "personal information," or equivalent terms under applicable US state privacy laws.

Platform

The Ares Agent Governance Platform, including all associated APIs, SDKs, dashboards, audit infrastructure, policy enforcement layers, and compliance tooling.

3 Information We Collect

3.1 Account and Subscription Information

When a Customer subscribes to the Platform through Azure Marketplace, we collect:

• Organization name, billing address, and Azure subscription identifiers;
• Contact information for authorized administrators (name, business email, phone number);
• Payment and billing information, processed through Microsoft's Azure billing infrastructure.

3.2 Platform Operational Data

During Platform operation, we may collect or process:

• Audit Log Data: Agent decision records, tool invocation logs, policy evaluation outcomes, access events, and workflow traces generated by deployed AI agents;
• Configuration Data: Governance policies, role assignments, permission structures, and compliance rules configured by Customer administrators;
• Credential and Identity Metadata: User and service identifiers, role memberships, and authentication events (not passwords or secret tokens);
• Usage Telemetry: Feature usage metrics, API call volumes, error rates, and performance diagnostics in aggregated or pseudonymized form.

3.3 Support and Communications Data

When Customers or Customer Personnel contact us for support or communicate with us, we collect:

• Contact details and correspondence content;
• Diagnostic data and logs voluntarily submitted with support requests;
• Survey responses and feedback.

3.4 Information We Do Not Collect

4 Purposes of Collection and Legal Basis

Under PIPEDA, we rely on knowledge and consent as the primary legal basis, supplemented by implied consent for data processing necessary to fulfill our contractual obligations to Customers.

5 Disclosure of Personal Information

5.1 Service Providers and Subprocessors

We engage third-party service providers who may process personal information on our behalf, including:

• Microsoft Azure: Cloud infrastructure, hosting, and identity services;
• Analytics and monitoring vendors: Application performance and security monitoring;
• Customer relationship management platforms: Sales and support workflows.

All subprocessors are contractually bound to process personal information only as directed, maintain appropriate security measures, and comply with applicable privacy laws.

5.2 Disclosure to Customers

Audit Log Data and governance reports generated by the Platform are disclosed to the Customer that controls the relevant deployment. We do not cross-disclose Customer data between unrelated enterprise accounts.

5.3 Legal and Regulatory Disclosures

We may disclose personal information without consent where required or permitted by law, including in response to:

• A court order, subpoena, or other lawful process issued by a Canadian or US court or regulatory authority;
• A request by a law enforcement or national security agency with lawful authority;
• Circumstances where disclosure is necessary to prevent fraud, protect the safety of individuals, or protect our legal rights.

Where legally permissible, we will notify the affected Customer before disclosing their information to government authorities.

5.4 Business Transfers

In the event of a merger, acquisition, financing, or sale of all or a portion of our assets, personal information may be transferred to the successor entity, subject to equivalent privacy protections.

5.5 No Sale of Personal Information

6 Cross-Border Transfers of Personal Information

As a Canadian company serving US-based customers, personal information is routinely transferred between Canada and the United States. Canada and the US maintain differing legal frameworks for privacy protection.

• Transfers of personal information to the United States are made pursuant to contractual protections that obligate US-based subprocessors to maintain appropriate privacy and security standards;
• Where required, we execute Data Processing Agreements that incorporate standard contractual clauses or equivalent transfer mechanisms;
• We disclose to individuals at the time of collection that their information may be transferred to and processed in the United States, where it may be subject to access by US law enforcement or national security agencies.

Customers may request a copy of our standard Data Processing Agreement by contacting our Privacy Officer (see Section 13).

7 Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

• Account and billing data: Retained for the duration of the subscription and for seven (7) years thereafter, as required for tax and accounting purposes;
• Audit Log Data: Retention periods are configurable by the Customer in accordance with their compliance requirements. Default retention is ninety (90) days unless extended by Customer configuration;
• Usage telemetry: Retained in aggregated, de-identified form indefinitely for product analytics;
• Support communications: Retained for three (3) years from the date of last interaction.

Upon termination or expiry of a Customer subscription, we will delete or anonymize Customer Personal Data within sixty (60) days, unless a longer retention period is required by law or agreed in writing.

8 Security Safeguards

Ares Networks implements physical, administrative, and technical safeguards appropriate to the sensitivity of personal information, including:

• Encryption of personal information in transit (TLS 1.2 or higher) and at rest;
• Role-based access controls and least-privilege principles for all Platform components;
• Continuous monitoring, anomaly detection, and audit logging of access to personal information;
• Penetration testing and vulnerability management programs;
• Employee privacy and security training;
• Incident response procedures with defined notification timelines.

In the event of a breach of security safeguards involving personal information that creates a real risk of significant harm, we will notify affected individuals and, where required, the Office of the Privacy Commissioner of Canada (OPC) and applicable US state regulators, in accordance with applicable law.

9 Individual Rights

9.1 Rights Under PIPEDA (Canadian Residents)

Individuals whose personal information we control (not process on behalf of Customers) have the right to:

• Access their personal information held by us;
• Challenge the accuracy and completeness of their information and request correction;
• Withdraw consent to collection, use, or disclosure, subject to legal and contractual limitations;
• Lodge a complaint with the Office of the Privacy Commissioner of Canada.

9.2 Rights Under US State Privacy Laws

Residents of California and other US states with applicable privacy legislation may have the following rights with respect to personal information we control:

• The right to know what personal information has been collected, used, and disclosed;
• The right to request deletion of personal information, subject to applicable exceptions;
• The right to correct inaccurate personal information;
• The right to opt out of the sale or sharing of personal information (we do not sell personal information);
• The right to non-discrimination for exercising privacy rights;
• The right to appeal a denial of a rights request.

9.3 Exercising Rights Relating to Customer-Controlled Data

9.4 Submitting Requests

To submit a privacy rights request, contact our Privacy Officer at privacy@ares-networks.com. We will acknowledge your request within ten (10) business days and respond within thirty (30) days, or as otherwise required by applicable law. We may request verification of your identity before processing your request.

10 Cookies and Tracking Technologies

Our public-facing website and documentation portal may use cookies and similar tracking technologies for:

• Essential session management and authentication;
• Usage analytics (aggregated and anonymized where possible);
• Preference and configuration storage.

The Platform itself, as deployed within a Customer's Azure tenant, does not independently deploy web cookies against Customer end users. Cookie use within Customer-controlled web interfaces is governed by the Customer's own privacy disclosures.

You may manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our public website.

11 Children's Privacy

The Platform is an enterprise software product not directed at individuals under the age of eighteen (18). We do not knowingly collect personal information from minors. If we become aware that personal information of a minor has been submitted without appropriate authorization, we will delete such information promptly.

12 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform's capabilities, or applicable law. We will notify Customers of material changes by:

• Posting an updated version to the Azure Marketplace listing and our website;
• Sending notice to the primary administrator contact on file, at least thirty (30) days before the change takes effect for material changes;
• Updating the "Last Updated" date at the top of this document.

Continued use of the Platform after the effective date of a revised Policy constitutes acceptance of the updated terms, to the extent permitted by law.

13 Contact Information

For privacy inquiries, rights requests, or to reach our designated Privacy Officer, please use the following contact information:

US customers may also contact the appropriate state privacy regulator in their jurisdiction if they believe their rights have not been adequately addressed.

14 Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of Canada, including PIPEDA, and the laws of the applicable province of Ares Networks' principal place of business. Where applicable US state privacy laws (including but not limited to the California Consumer Privacy Act as amended by CPRA, and analogous statutes in Virginia, Colorado, Connecticut, Texas, and other states) impose obligations on Ares Networks in respect of US residents, we comply with those obligations to the extent required.

Nothing in this Policy limits the rights of individuals under applicable mandatory law.