Privacy Policy | Arterial

This Privacy Policy describes how Arterial, Inc. ("Arterial," "we," "us," or "our") collects, uses, discloses, and protects information when providing our Services, including our website, hardware (for example, ARTIE camera systems), software, analytics dashboard, APIs, and data products.

By accessing or using the Services, you ("Customer," "you," or "your") agree to the collection and use of information in accordance with this policy.

Version 2.0. Effective April 20, 2026.

Our Role: Controller and Processor

Arterial plays two distinct roles depending on the data involved:

Website visitors and prospects. When you visit arterial.us, request a demo, or otherwise interact with us directly, Arterial is the controller of your personal information and processes it as described in this policy.
Customer Data.When Arterial processes data collected from a Customer's jurisdiction through our hardware, software, or APIs ("Customer Data" as defined in our Terms of Service), Arterial acts as a service provider and processor on behalf of the Customer. Arterial processes Customer Data only in accordance with the Customer's instructions, the Agreement, and applicable law. Constituents of public-agency Customers should direct privacy requests to the relevant Customer agency in the first instance; Arterial will support the Customer in responding.

Website Privacy Controls

Essential cookies only by default. Optional analytics tags do not load until you opt in. If you allow them, advertising and cross-site data stay off, and you can withdraw consent later.

Optional analytics stay off unless you opt in.
Global Privacy Control is treated as an opt-out request where the browser supports it.
Your choice can be updated at any time from the site footer or this page.
Optional analytics providers currently include Google Analytics, Microsoft Clarity, and Vercel Web Analytics.
If you opt in, Microsoft Clarity may use behavioral metrics, heatmaps, and session replay to help us understand how people use and navigate the site.
Your privacy choice is stored in a first-party cookie that does not leave arterial.us.

Use the privacy controls below to review optional analytics and keep the site on essential cookies only if you prefer.

For more information about how Microsoft collects and uses data in connection with Clarity, see the Microsoft Privacy Statement.

Privacy Controls

Manage optional analytics

Essential cookies stay on so the site works. Optional analytics from Google Analytics, Microsoft Clarity, and Vercel Web Analytics only load if you opt in, and you can switch back to essential-only at any time. When enabled, Microsoft Clarity may use behavioral metrics, heatmaps, and session replay to help us understand site usability.

Current setting: Essential cookies only

U.S. State Privacy Choices

Do Not Sell, Share, or Use My Personal Information for Targeted Advertising

Arterial does not sell personal information, share it for cross-context behavioral advertising, or use it for targeted advertising as those terms are defined under California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other comprehensive U.S. state privacy laws. Arterial does not engage in profiling that produces legal or similarly significant effects on individuals.

If you want to manage optional analytics or submit a privacy request, use the privacy controls above or contact privacy@arterial.us. We honor Global Privacy Control (GPC) signals as an opt-out request where applicable.

Full Text

Arterial Privacy Policy

Effective Date: April 20, 2026

Arterial, Inc. ("Arterial," "we," "us," or "our") respects your privacy. This Privacy Policy describes how we collect, use, disclose, and protect information when providing our Services, including our website, hardware (for example, ARTIE camera systems), software, analytics dashboard, APIs, and data products (collectively, the "Services").

By accessing or using the Services, you ("Customer," "you," or "your") agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Customer-Provided Data

Information you share when you sign up, request a demo, contact us, or otherwise interact with us (for example, name, email, phone number, organization).
Billing and payment information (if applicable).

1.2 Data Collected via Hardware & Services

When our hardware (for example, ARTIE camera) is deployed as part of the Services, we collect:

Imagery, video, and sensor data (for example, from cameras, GPS, inertial sensors).
Metadata such as timestamp, GPS coordinates, and vehicle-related data.
Derived data and analysis outputs (hazard detections, pavement condition scores, field inventory, and similar outputs).

1.3 Sensitive Categories of Information

In the course of operating ARTIE in the public right-of-way, the Services may incidentally capture information that is treated as sensitive under federal or state law, including:

Vehicle identifiers and license plates,which may be subject to the federal Driver's Privacy Protection Act and equivalent state statutes.
Images of faces and bodies of pedestrians and motorists. Arterial does not perform facial recognition or biometric identification by default and does not use these images to identify individuals.
Precise geolocation tied to vehicle paths, which several states classify as sensitive personal information.

Arterial applies heightened controls to these categories. By default, faces and license plates are blurred or hashed before delivery to Customer dashboards or third parties, raw imagery is encrypted at rest and segregated from analytics outputs, and access is restricted to personnel with a documented operational need. Arterial does not contribute to driver scoring, insurance, employment, or housing decisions and is not a consumer reporting agency.

1.4 Automatically Collected Information

When you use our website or dashboard, we may automatically collect:

Log data (IP address, browser type, pages visited, access times).
Usage data (how you interact with the dashboard, APIs, and other tools).
An essential first-party cookie that stores your privacy preference.
Subject to your privacy choices, optional analytics data collected through cookies or similar technologies to understand site performance and usability.
Where you opt in, interaction data such as page views, clicks, scroll depth, navigation patterns, and similar behavioral metrics. Microsoft Clarity may also generate heatmaps and session replays for website improvement and debugging.

2. How We Use the Information

We use the information we collect for the following purposes:

To provide, operate, and maintain the Services.
To develop, improve, and optimize our analytics, machine learning models, and platform, subject to the limits in Section 10 (AI and Machine Learning).
To measure website performance and usability, only when you have opted in to non-essential analytics.
To analyze navigation patterns, clicks, scrolling, heatmaps, and session replays from opted-in visitors so we can identify usability issues, improve content, and debug site behavior.
To generate reports and insights for Customers (for example, hazard maps, road-condition assessments).
To support data-as-a-service offerings using aggregated, de-identified data.
For research, quality assurance, and internal testing.
For billing, account management, and customer support.
For marketing and promotional purposes, where you have given consent or where permitted by law. Every marketing email contains an unsubscribe link; withdrawal of consent does not affect transactional or service messages.
To comply with legal obligations and enforce our Terms of Service.

2.1 Legal Basis for Processing (GDPR)

Where applicable, we process personal data under the following legal bases:

Consent — where you have provided explicit permission (for example, optional analytics, marketing).
Contract — where processing is necessary to provide our Services.
Legitimate Interests — to improve, secure, and operate our platform, provided such interests are not overridden by your rights.
Legal Obligations — where required to comply with applicable laws.

You may withdraw consent at any time through our privacy controls.

3. Disclosure of Information

We may share information with the following categories of third parties:

Cloud infrastructure and storage providers used to operate the Services.
Analytics providers, only where consent is provided, including Google Analytics, Microsoft Clarity, and Vercel Web Analytics.
Service providers supporting platform operations, customer support, and internal business functions.
Professional advisors (legal, accounting, audit) under confidentiality obligations.
Government authorities or other parties where required by law (see Section 15).

All third parties are contractually obligated to protect data, use it only for the specified purposes, and meet security standards consistent with this policy. Arterial does not sell personal information.

When optional analytics is enabled, those analytics providers may receive device, browser, page view, referrer, and interaction data needed to provide analytics features to us. In Microsoft Clarity's case, this can include behavioral metrics, heatmaps, and session replay data for opted-in sessions.

4. Sub-processors

Arterial maintains a current list of sub-processors that may process Customer Data on our behalf, including the cloud host(s), database and storage providers, email and customer-support tooling, optional analytics providers, and any model providers used to deliver the Services.

Customers can request the current sub-processor list by contacting privacy@arterial.us. Arterial commits to provide Customers with at least thirty (30) days' advance written notice before adding a new sub-processor that would process Customer Data, and to grant Customers a reasonable right to object on documented data-protection grounds.

5. Security

Arterial maintains administrative, technical, and physical safeguards designed to protect data from unauthorized access, disclosure, alteration, or destruction. Current safeguards include:

Encryption of Customer Data in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent.
Single sign-on with multi-factor authentication for all production access by Arterial personnel.
Role-based access control with least-privilege defaults, periodic access reviews, and full audit logging.
Production secrets stored in a managed secrets vault and rotated on a defined schedule.
A formal vulnerability management program, regular dependency and infrastructure scanning, and code review prior to production deployment.
Personnel security training upon hire and annually thereafter.
A documented business continuity and disaster recovery program with regular testing.

Arterial is pursuing SOC 2 attestation and aligns its security program with widely accepted control frameworks. Customers may request a copy of Arterial's most recent security report under non-disclosure terms.

However, no system is 100% secure, and we cannot guarantee absolute protection of your data.

6. Security Incident Notification

Arterial maintains a documented incident response program covering detection, triage, containment, eradication, recovery, and post-incident review.

If Arterial confirms a security incident that has resulted in, or is reasonably likely to have resulted in, unauthorized access to or disclosure of Customer Data or personal information, Arterial will:

Notify affected Customers without undue delay, and in any event no later than seventy-two (72) hours after confirmation, by email and through the dashboard.
Provide a description of the incident, the categories and approximate volume of data involved, the steps Arterial is taking to mitigate harm, and a point of contact.
Provide periodic updates as the investigation progresses and a written post-incident summary within thirty (30) days of resolution.
Cooperate with the Customer's breach-notification obligations to its constituents and regulators.

7. Privacy in Public Spaces

Our hardware operates in public rights-of-way, where there is generally no reasonable expectation of privacy for passersby in many jurisdictions. We pair this operating context with the following commitments:

We do not perform facial recognition, biometric identification, or persistent tracking of identifiable individuals as a default service. Any deviation requires a documented contractual basis with the Customer.
We are committed to privacy by design and data minimization, limiting collection to what is needed to deliver the Services.
Where local law, agency policy, or contract requires anonymization, blurring, or other privacy-preserving treatment of imagery, we will implement appropriate measures and document them.
See Section 1.3 for additional commitments regarding sensitive categories.
See Section 11 for our children's privacy commitments.

8. Data Retention

Arterial retains personal information and Customer Data only as long as necessary for the purposes described in this policy and the applicable Agreement. Default retention periods are:

Raw imagery, video, and sensor recordings: deleted or returned to the Customer within ninety (90) days following the end of the engagement, unless a longer period is requested in writing.
Derived analytics and reports tied to a specific Customer's jurisdiction: retained for the duration of the Agreement plus one (1) year, or per Customer instruction.
Aggregated, de-identified Arterial Data: retained indefinitely, in accordance with our Terms of Service.
Account, contact, and billing records: retained for the duration of the relationship plus seven (7) years to satisfy tax and audit obligations.
Website server logs: retained for ninety (90) days unless required for security investigation.
Privacy preference cookie: retained for twelve (12) months, after which the visitor is re-prompted.

Specific Customer Agreements may set shorter or longer retention periods, in which case the Agreement controls. Where required by law to retain information for longer, we will do so and continue to apply this policy.

9. Your Privacy Rights

Depending on your jurisdiction, you may have rights with respect to your personal information, including the right to:

Access, confirm, or obtain a copy of the personal information we hold about you.
Request correction of inaccurate personal information.
Request deletion of your personal information.
Object to or request restriction of certain processing.
Request data portability.
Opt out of the sale or sharing of personal information, targeted advertising, and profiling that produces legal or similarly significant effects.
Withdraw previously given consent at any time, without affecting prior lawful processing.
Be free from discrimination for exercising any of these rights.

To exercise these rights, contact privacy@arterial.us. We will acknowledge your request within ten (10) business days and respond within forty-five (45) days, with one extension of up to forty-five (45) additional days where reasonably necessary and permitted by law. We may take reasonable steps to verify your identity before fulfilling a request. You may use an authorized agent where applicable law permits.

Automated decision-making.Arterial's analytics outputs describe infrastructure conditions, not individuals. Arterial does not make automated decisions that produce legal or similarly significant effects on identifiable individuals using personal information. If this changes for any product or feature, we will update this policy and provide notice.

If you are a constituent of a public-agency Customer,Arterial typically processes your information as a service provider on the Customer's behalf. We will route your request to the Customer where appropriate or, with the Customer's authorization, respond directly.

Residents of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have these rights to the extent provided by their state's law. If we deny a request, we will inform you of your right to appeal where applicable. We honor Global Privacy Control (GPC) signals as opt-out requests where required.

10. Children's and Minors' Privacy

Our Services are not directed to children, and we do not knowingly collect personal information directly from anyone under 18. We recognize that ARTIE may incidentally capture imagery of minors in the public right-of-way. Such imagery is subject to the sensitive-category controls in Section 1.3 and is not used to identify, profile, or track minors. If you believe we hold information about a minor that should be removed, please contact privacy@arterial.us.

11. AI and Machine Learning

Arterial develops and operates machine learning models for infrastructure analytics. Our commitments are:

Customer Data containing personal information is not used to train cross-customer or commercially licensable models without the Customer's express written authorization. Arterial may use aggregated, de-identified data derived from any source to improve detection algorithms, analytics, and service quality, consistent with our Terms of Service.
De-identification is performed using methods consistent with NIST SP 800-188 guidance, including removal or hashing of direct identifiers (such as license plates and faces) and statistical safeguards against re-identification. Recipients of aggregated data are contractually prohibited from attempting re-identification.
Arterial does not perform facial recognition or persistent tracking of identifiable individuals as part of its core Services and does not train models for those purposes.
Where third-party AI or model providers are used in delivery of the Services, Arterial selects providers that contractually commit to zero-day data retention and to not training their models on Customer Data. The current list of such providers, if any, is available on request as part of the sub-processor list (Section 4).
Consequential analytics outputs are designed for human review by trained Customer personnel before any action is taken. Arterial supports Customer governance of AI-assisted decisions and aligns its program with the NIST AI Risk Management Framework.
Arterial monitors model performance for accuracy and disparate-impact concerns and updates models when material issues are identified.

Customers may contact us to request additional limitations on data use, including opting out of inclusion in aggregated training datasets, where applicable.

12. Cookies and Tracking Technologies

We use cookies and similar technologies in the following categories:

Strictly necessary. Required for the website and dashboard to function (for example, session management). These cannot be disabled.
Privacy preference. A first-party cookie that stores your consent choice for twelve (12) months. This cookie does not leave arterial.us.
Optional analytics. Disabled by default. Activated only on opt-in. Currently includes Google Analytics, Microsoft Clarity, and Vercel Web Analytics. These tools may collect pages viewed, referrer, device and browser information, approximate geographic region, clicks, scrolling, and navigation behavior. Microsoft Clarity may additionally use behavioral metrics, heatmaps, and session replay for opted-in visits.
Marketing. Arterial does not currently use marketing cookies, third-party advertising tags, or cross-site trackers. If this changes, we will update this policy and require fresh consent before activation.

For more information about Microsoft's data practices, see the Microsoft Privacy Statement. You may manage your preferences at any time through our privacy controls or browser settings.

13. Data Residency and International Transfers

Arterial's Services are operated in the United States, and Customer Data is stored and processed in U.S. cloud regions. Access to production systems by Arterial personnel located outside the United States is disabled by default for government Customers and may be enabled only with the Customer's written approval. Region-specific pinning (for example, U.S. East or U.S. West only) is available on request.

If you access our Services from outside the United States, the personal information you provide may be transferred to and processed in the United States. Where required by applicable law, Arterial implements appropriate safeguards for international data transfers, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful mechanisms. A copy of the relevant transfer mechanism is available on request.

14. Third-Party Links

Our Services may include links to third-party services. We are not responsible for their privacy practices or policies. We recommend that you review the privacy policies of any linked websites.

15. Compliance & Legal Requests

If we receive a subpoena, court order, or other legal request for data, we will, where legally permitted, provide notice to the affected Customer and cooperate as appropriate. Arterial will not voluntarily disclose Customer Data to third parties absent legal compulsion.
For public-agency Customers, Arterial will reasonably assist with responses to lawful open-records or freedom-of-information requests, consistent with our Terms of Service.

16. Changes to this Privacy Policy

We may update this policy from time to time. When we make material changes, we will:

Notify you (for example, via your dashboard, email, or website).
Increment the policy version and update the Effective Date.
Maintain prior versions on request for reference.

Your continued use of the Services after we post changes constitutes your acceptance of the revised policy.

17. Contact Us

If you have any questions about this Privacy Policy or your data, contact our Privacy Officer at privacy@arterial.us.

Privacy Officer
Arterial, Inc.
Attn: Privacy Officer
[Postal address — insert before publishing]