Privacy Policy
ARI – Your Augmented Reality
Last Updated: March 6, 2026
This Privacy Policy explains how SmartID Inc. ("SmartID," "we," "us," or "our") collects, uses, and protects information when you use the ARI mobile application and related services (the "Service"). Contact: ari@theariapp.com.
Privacy Guarantee (Plain-English Summary)
ARI is built to work like a privacy-first, real-world social tool: most sensitive data stays on your device, encrypted, under your control. Here is what we mean by that:
- Your profile data is private: Your profile information (including profile images, linked people, credentials, disguises, and related data) is stored on your device in encrypted storage. It is visible only to you, and shared only with people you explicitly link with through mutual, in-person confirmation.
- Your informal name label may be visible locally: When you use in-person discovery, the informal name label you choose may be visible to nearby devices participating in ARI local discovery. This label is user-chosen and does not include your legal name, email, phone number, or other contact info.
- No centralized tracking or public directory: ARI is designed so that people who are not linked to you cannot use ARI to identify, monitor, or track you through a public directory or feed.
- Biometrics never leave your device: Facial images, facial embeddings, and biometric templates remain on your device either in encrypted local storage or temporary cache. Biometrics generated during camera usage are cached only briefly (typically minutes) and then discarded. We do not upload biometric data to our servers, and we do not share your biometric data with other local devices in readable form.
- Cryptographic matching across devices: When ARI performs cross-device matching, it uses cryptographic protections designed so the other device does not receive your images or biometric data in whole or in part.
- Zero-knowledge backups: If you enable backup, your backup is encrypted with your passphrase before upload. We cannot decrypt or recover your backup or passphrase.
- No ads, no data sales: We do not sell your personal information and we do not run advertising based on your activity in ARI.
The rest of this Privacy Policy provides the detailed, legally operative terms that govern how data is handled.
1. Information We Collect
1.1 Information You Provide and That Is Stored Locally on Your Device
The Service is designed so that most sensitive information is stored locally on your device in encrypted storage, including:
- Informal display name/label and optional status text
- Profile images (encrypted local storage)
- Linked people data and credentials (e.g., Verifiable Credentials)
- On-device biometric templates for you and linked people (encrypted local storage)
- AI disguises and related preferences/history stored within the app
- Optional TOTP configuration and secrets stored on-device
1.2 Temporary On-Device Data During Use
During active camera use, the Service may generate biometric signals (e.g., face embeddings) for identity features. These signals may be cached briefly in memory for performance and are discarded within minutes after detection. This temporary data remains on your device.
1.3 Minimal Cloud Metadata
Our servers store a minimal set of metadata necessary to operate the Service, such as:
- Randomized account identifier (e.g., GUID)
- Account creation timestamp and last-access timestamp
- Encrypted backup blobs (if you enable backups)
We do not require or collect a legal name, email address, phone number, payment information, or government ID for the current core flow.
1.4 Network and Device Information
We and our infrastructure providers may process limited technical information such as device identifiers used for authentication, app version, and network information (including IP address as inherent in internet communications). We may also maintain server request logs for security, abuse prevention, and reliability.
1.5 Location Permission
On Android, the operating system may require location permission to perform Bluetooth scanning. ARI uses this permission to enable Bluetooth discovery. ARI does not use GPS location tracking for analytics or advertising and does not maintain location history.
2. Biometric Data and Facial Recognition
ARI uses on-device facial detection and facial embedding technology to enable identity features. All biometric processing occurs exclusively on your device.
- No biometric uploads: ARI does not upload or transmit your facial images, facial embeddings, or biometric templates to our servers for biometric purposes.
- Encrypted local storage: Profile images and biometrics of you and linked people may be stored locally on your device in encrypted storage.
- Temporary cache: Biometrics created during use may be cached briefly for performance and discarded within minutes.
- Cryptographic cross-device matching: Cross-device matching uses cryptographic protections designed so that the other device does not receive your images or biometric data in whole or in part.
Device-level biometric authentication (e.g., fingerprint/face unlock) is processed by your operating system and is not stored by ARI.
For details on how cross-device face identification works and how your data is protected, see Section 6 (SmartID Face Identification).
3. Photos and Image Data
The core functionality of ARI relies on your phone camera seeing you and other ARI members, and your phone knowing what you look like. This process is designed with strong privacy and personal data sovereignty. All camera-derived data is processed directly on your device, with only the explicit exceptions described below—each of which is designed so you can maintain full privacy.
3.1 Profile and Linked-People Photos
When you set a profile picture, it is stored in encrypted form on your device. A biometric representation of your profile photo is also generated and stored in encrypted form on your device. Your profile picture is not uploaded to SmartID servers or any other servers, and is not shared with other devices except in one case: when you link with another person on ARI (in-person, mutual confirmation—the equivalent of friending someone), your profile picture is sent to their device so they can identify you. This is akin to sending a friend your photo. On their device, your profile picture is stored in encrypted form in the same way their own profile picture is stored. Their device also generates and stores an encrypted biometric representation of your profile picture.
In other words, your face and your biometric data remain on your device in encrypted form, and on the devices of people you explicitly link with in encrypted form—never uploaded to our servers or any other servers.
The only other place that may hold your photos is your encrypted backup, which is stored on SmartID servers so you can sign out and sign in, or change devices. This backup is encrypted with a strong password that only you have. No one outside SmartID can access the backup at all without your randomized ARI account identifier and a rotating two-factor authentication code from an authenticator app. No one—including SmartID—can decrypt or access the contents of that backup without your password.
3.2 Camera Pictures and Photobooth
Camera pictures (non-photobooth). Pictures you capture with the ARI camera are stored on your device. All filter processing for these pictures happens directly on your device. You can share the resulting images in any way you choose. The pictures are stored in the same location where all other photos are stored on your device, so you have full control over how you use them. SmartID has no way to know whether you are taking pictures—there is no usage tracking built into the camera—and all sharing decisions and responsibility remain with you.
Photobooth—mannequin generation. When your mannequin is generated, we create one that resembles you. Your phone takes your profile picture and blurs the face beyond recognition, leaving only a rough face outline, face color, and hair. This blurred image is sent to SmartID servers. Our servers do not store this image; the only information we retain is that a request came from your account identifier—we do not have your name or any other identifying information. The image is then sent to our third-party AI image processing partner without any link to your ARI account. The partner receives only an unidentifiable image of a person with a blurred face. That image is used only to generate your mannequin and is deleted after processing is complete and your device receives the result. The image and the result are not stored on our servers or the third party’s servers, are used only to process your request, and are explicitly not used for training on your images.
Photobooth—capturing shots. When you capture images with the photobooth, we need to apply disguises directly to the faces in the images, so we cannot blur faces as we do for mannequin generation. You may or may not be in the photo, and there may be one or more people in the shot, so even if information could be linked to an upload, it cannot be tied to a specific person. To produce photobooth results, for each person in the photo we need to add a disguise (you or others linked to you). We crop the necessary portion of the image and send it to our SmartID server. The only information we can link to that cropped image is that it was uploaded by your account—we do not know whether it is you or someone else in the photo. This cropped image is sent to our third-party image processing partner without any link to your account; they only receive a picture of a person to which a disguise should be applied. The result is sent back to your phone and composited back into the shot. All of this image data is used only to process your request, is not stored on our servers, is deleted from the third party’s systems after your device receives the result, and is explicitly not used for training.
After all edits are made, you have full control over sharing the edited photobooth strips and shots. They are stored on your device in your Photos library (or the equivalent), so you have full ownership and responsibility for how you use them.
Summary. Images from your device that we process for photobooth (mannequin generation or capturing shots) are not retained after we have successfully processed and delivered your result; they are not used to train our or our partners’ AI image-editing models; and they are not sent to any third party other than the single processing partner required to fulfill your request.
3.3 Storage, Retention, and Your Control
Profile and linked-people photos, and their biometric representations, remain on your device and on the devices of people you have linked with, in encrypted form. Camera pictures and photobooth outputs are stored on your device in your normal photo storage; we do not retain copies. Photobooth and mannequin processing images are not stored on our servers or our third-party partner’s servers after your request is fulfilled. Your encrypted backup (if you use it) is the only copy we hold, and it is encrypted so we cannot decrypt or read its contents. You control your photos through your device, your sharing choices, and—if you use backup—your backup password; you can delete the app or your account at any time.
4. Connected Devices
ARI uses Bluetooth Low Energy (BLE) to discover and connect with nearby ARI devices, and WebRTC for encrypted peer-to-peer communication and fast data exchange between connected devices. We design these flows so your data is not exposed to observers or to devices you have not linked with.
4.1 Discovery and Connection
We use BLE for discovering and connecting with nearby ARI devices. We use WebRTC (encrypted peer-to-peer communication) for fast data exchange between devices once they are connected. Both are designed so that your data is not exposed to observers or to devices you have not linked with.
4.2 BLE Protocol and What Your Device Broadcasts
For BLE, we use a protocol that is similar to the underlying BLE pairing protocol and provides the same level of security, but without requiring you to enter a pairing code. In ARI, the equivalent of pairing is linking (friending) with another ARI user—something you do in person by mutual confirmation.
As with standard BLE pairing, we do not expose a static identifier for your Aura (your ARI profile; see Section 6) when your device broadcasts. What your device broadcasts is limited to: (1) a rotating randomized identifier that devices you have not linked with cannot associate with you or your identity; (2) your non-unique display name and member date—not a legal name, but something like a name you might give at a counter for an order: a label you can be referred to that does not identify you beyond what you would want a stranger to know, and that you can set to anything you choose; (3) encrypted data unique to this connection, as used in the SmartID face identification process (see Section 6); and (4) encryption keys unique to this connection. Because no static Aura identifier is broadcast, observers and unlinked devices cannot track or identify you over time from BLE alone.
4.3 Linking and What Unlinked Devices Can See
When you link (friend) with another ARI user, an exchange is made so that your device can recognize that friend's device and vice versa using the rotating randomized identifier—in a way that is very similar to how the underlying BLE paired-device protocol allows two paired devices to recognize each other. Until you link, no such association exists.
Linking is completely decentralized: the link is stored and known only on your device and the linked person's device. SmartID servers and any other third party are not aware of who you link with—there is no central friend graph.
An unlinked device gets no information about an Aura it sees that can link it to the same person over time—even if it sees the same device again later (e.g., an hour later). It might observe that a device has an Aura with a particular display name (e.g., "Alex"), but it cannot tell whether that is the same person or a different person who chose the same name. Unlinked devices therefore cannot track or re-identify you across encounters from BLE broadcasts alone.
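The rotating-identifier property described in Sections 4.2 and 4.3, as an added illustration that is not SmartID's protocol or code: it stands in for the BLE resolvable-address idea with an HMAC-SHA256 tag over a random nonce under a key shared at link time (the key exchange, nonce and tag lengths, and the use of HMAC are assumptions; the policy only says ARI's scheme is similar to BLE pairing).

```python
import hashlib
import hmac
import os

NONCE_LEN = 3  # random part of each broadcast id (assumed; BLE uses 24 bits)
TAG_LEN = 3    # keyed tag length (assumed; BLE's resolvable address uses 24 bits)


def new_broadcast_id(identity_key):
    """Fresh identifier for each broadcast window: random nonce + keyed tag.

    Only a device holding identity_key can check the tag, so the value
    changes every time and carries nothing an unlinked observer can reuse.
    """
    nonce = os.urandom(NONCE_LEN)
    tag = hmac.new(identity_key, nonce, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + tag


def resolve(broadcast_id, linked_keys):
    """Try every key received at link time; return the linked label or None.

    linked_keys maps a local label (e.g. "Alex") to the identity key that
    person shared during in-person linking. An unlinked device holds no
    matching key and therefore gets None for every broadcast it sees.
    """
    nonce, tag = broadcast_id[:NONCE_LEN], broadcast_id[NONCE_LEN:]
    for label, key in linked_keys.items():
        expected = hmac.new(key, nonce, hashlib.sha256).digest()[:TAG_LEN]
        if hmac.compare_digest(expected, tag):
            return label
    return None


def demo():
    """Constructed scenario: Alex broadcasts twice; Bob is linked, Carol is not."""
    alex_key = os.urandom(16)
    bob_table = {"Alex": alex_key}          # received when Bob linked with Alex
    carol_table = {"Dana": os.urandom(16)}  # Carol is linked with someone else only
    first, later = new_broadcast_id(alex_key), new_broadcast_id(alex_key)
    return {
        "ids_differ": first != later,               # nothing static to track
        "bob_sees": resolve(first, bob_table),      # "Alex"
        "bob_sees_later": resolve(later, bob_table),
        "carol_sees": resolve(first, carol_table),  # None
    }
```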
5. Trusted Third Parties
We do not currently have trusted third parties on the platform, but we will in the future. Trusted third parties are businesses you may choose to share some of your data with (e.g., a coffee shop, a retailer). You will have full control over what data you share and with whom—either in aggregate (e.g., all coffee shops in a category) or with a specific business (e.g., a specific coffee company).
5.1 How It Works
When your device connects to a trusted third party's device, it can identify that party by a SmartID certificate the third party holds, which identifies the exact business and the categories they match. You configure in advance what data your device may share with trusted third parties (and with which categories or specific businesses). When your device connects to a trusted third party's device, it may then share only the data you have pre-selected, along with the display name you use with everyone (the same non-unique name described in Section 4 (Connected Devices)).
5.2 Decentralized Discovery and Communication
As with linking between ARI users, discovery and communication between you and a trusted third party do not go through SmartID servers. Only your device knows that you interacted with or shared data with that trusted third party; the trusted third party only knows what you chose to share with them. SmartID does not receive or store a record of which trusted third parties you interact with or what you shared.
5.3 What the Trusted Third Party (and Others) Can Know
If you do not share any identifying information with the trusted third party—for example, you only share a preference like how you like your coffee, and you do not share your full name, an account number you have with them, your email, or similar—then they (and anyone else) have no way to tie that interaction to you personally.
If you do share identifying information with them (for example, an account number or other identifier you have with that trusted third party), they will be able to associate that interaction with you. No one else—including SmartID—will know about the interaction or what you shared; only your device and the trusted third party have that information.
6. SmartID Face Identification
SmartID face identification is the technology that allows ARI to recognize you and other ARI members in person across devices—so your in-person interactions can be augmented by the app—without any device sharing face images or biometric data with another device or with us. This section describes how it works and how your data is protected.
6.1 What SmartID Face Identification Is
In this process, two roles matter: the Portal device (the device running the camera and processing what it sees) and the Aura device (the device that holds an ARI user’s profile, including that user’s profile image and biometric data). The Portal device processes all camera data; that data does not leave the device, and none of what the camera sees is stored long term beyond the interaction. The Aura device keeps all image and biometric information for that ARI user, and that information does not leave the device.
The Portal device and the Aura device can be the same device in two cases: when the person being identified is the owner of the profile running the Portal (i.e., you are looking at your own device’s camera), or when the person is linked (friended) to the owner of the Portal device and the Portal already has that linked person’s profile picture as described in Section 3 (Photos and Image Data).
We do not use standard facial recognition in the sense of uploading faces or comparing them to a central database. Faces and biometric data are never uploaded anywhere and never leave the device that holds them. There is no database of faces to compare against.
6.2 How It Works (On-Device and Cryptographic Matching)
When a Portal device sees a face, matching happens in the following order, all designed so that face and biometric data stay on the devices that own them:
- Local match to the Portal owner. If the Portal device has a profile set up (the owner’s Aura), it compares the face it sees to that profile face locally on the device. No data leaves the device.
- Local match to linked people. If the Portal device has profile images for linked people (friends), it performs those comparisons locally as well. Again, no data leaves the device.
- Cryptographic match to nearby Aura devices. If the face did not match any known face locally but the Portal is connected to nearby devices that have an ARI Aura (as described in Section 4 (Connected Devices)), the devices run a cryptographic identification protocol so that the Portal can determine whether the face matches an Aura’s stored identity—without the Portal ever receiving the Aura’s face or biometric data, and without the Aura ever receiving the face the Portal saw.
That protocol works as follows. When an Aura device connects to the Portal, it sends the Portal a portion of an encrypted biometric vector. This data is not usable by anyone other than the Aura device that owns the underlying biometric data and holds the decryption key. It does not contain the face, it does not contain the full biometric data, and the portion of biometric data it does contain is encrypted with a homomorphic encryption (HE) scheme. Homomorphic encryption allows a third party (here, the Portal) to perform a comparison operation on encrypted data without learning anything about the underlying face or biometric data, without revealing the face it sees to the Aura or anyone else, and without learning the result of the comparison—only the Aura device can decrypt that result.
When the Portal sees a new face, it already has this encrypted data from Aura devices it is connected to. The Portal runs the comparison between the face it sees and each Aura’s encrypted data. In doing so, the Portal learns nothing about the Aura’s face, reveals nothing about the face it sees to the Aura or anyone else, and does not learn the result of the comparison—it only sends the encrypted result back to the Aura device. At the same time, the Portal applies the same kind of encryption to a portion of the biometric representation of the face it sees and sends that to the Aura, along with the encrypted result of the comparison it just performed, as part of the protocol.
The Aura device can decrypt the result of the first part of the comparison. If that part indicates a partial match, the Aura runs a similar step: it applies an operation to match the face the Portal saw (face B) to the Aura’s own stored data (face A) without learning anything about face B, without revealing anything about face A, and without learning the result of that partial comparison from its own side. If there is again a partial match, the Aura sends this encrypted result back to the Portal.
The Portal then decrypts the result. At that point it either knows that both devices agree it is a match (and sends a confirmation back to the Aura to complete the process) or concludes it is not a match and may try other connected devices.
At a high level, this is the protocol SmartID uses to provide face-based identification across two distinct devices without those devices sharing any face or biometric data. It is designed to provide strong privacy while enabling the in-person identification that lets ARI augment your real-world interactions.
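The two-sided exchange in 6.2, as an added toy model that is not SmartID's code: it uses textbook Paillier (additively homomorphic) encryption with toy-sized primes, quantized non-negative integer vectors split into two halves (one half compared in each direction), and a squared-distance threshold, all of which are assumptions standing in for the scheme, vector size and thresholds ARI actually uses. It shows that the party doing each comparison sees only ciphertext and that each partial result is readable only by the key holder.

```python
import math
import random

# Toy Paillier primes: far too small for real use, chosen so the math runs instantly.
TOY_P, TOY_Q = 65521, 65537
THRESHOLD = 40  # assumed squared-distance cutoff for a "partial match"


def keygen(p=TOY_P, q=TOY_Q):
    """Paillier key pair with g = n + 1: public (n, n^2), private adds lambda and mu."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return (n, n * n), (n, n * n, lam, pow(lam, -1, n))


def encrypt(pk, m):
    """Enc(m) = (1 + n)^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, n2 = pk
    r = random.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = random.randrange(1, n)
    return (1 + m * n) % n2 * pow(r, n, n2) % n2


def decrypt(sk, c):
    n, n2, lam, mu = sk
    return (pow(c, lam, n2) - 1) // n * mu % n


def enc_dist_partial(pk, enc_a, b):
    """From encrypted a and plaintext b, compute Enc(sum(b_i^2) - 2*sum(a_i*b_i)).

    Uses only ciphertext multiplication (= plaintext addition) and exponentiation
    (= plaintext scaling); the caller learns nothing about a or about the result.
    """
    n, n2 = pk
    acc = encrypt(pk, sum(bi * bi for bi in b))
    for ca, bi in zip(enc_a, b):
        acc = acc * pow(ca, (n - 2 * bi) % n, n2) % n2
    return acc


def finish_dist(sk, c, a):
    """Key holder decrypts and adds its own sum(a_i^2), yielding |a - b|^2."""
    return (decrypt(sk, c) + sum(ai * ai for ai in a)) % sk[0]


def run_protocol(aura_vec, portal_vec, threshold=THRESHOLD):
    """One identification attempt; returns (matched, partial distances seen)."""
    half = len(aura_vec) // 2  # assumption: each side contributes one half of the vector
    aura_pk, aura_sk = keygen()
    portal_pk, portal_sk = keygen()
    # 1. On connect, the Aura hands over an encrypted portion of its vector.
    enc_aura_part = [encrypt(aura_pk, v) for v in aura_vec[:half]]
    # 2. The Portal compares the face it sees (never sent) against that ciphertext
    #    and, in the same message, sends its own encrypted portion under its key.
    c1 = enc_dist_partial(aura_pk, enc_aura_part, portal_vec[:half])
    enc_portal_part = [encrypt(portal_pk, v) for v in portal_vec[half:]]
    # 3. Only the Aura can decrypt the first partial result.
    d1 = finish_dist(aura_sk, c1, aura_vec[:half])
    if d1 > threshold:
        return False, {"d1": d1}
    # 4. On a partial match the Aura runs the mirror step on the Portal's ciphertext.
    c2 = enc_dist_partial(portal_pk, enc_portal_part, aura_vec[half:])
    # 5. Only the Portal can decrypt that; a match needs both halves to agree.
    d2 = finish_dist(portal_sk, c2, portal_vec[half:])
    return d2 <= threshold, {"d1": d1, "d2": d2}
```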
6.3 What Data Is Used and Not Shared
In summary: (1) All camera data is processed on the Portal device and does not leave it; nothing the camera sees is stored long term beyond the interaction. (2) All profile images and biometric data for an ARI user stay on that user’s Aura device (or on devices that have received that user’s profile because they are linked); that information does not leave the device that holds it. (3) Faces and biometric features are never uploaded anywhere and never leave the device that owns them. (4) There is no central database of faces. (5) The cryptographic protocol allows the Portal and Aura to determine whether the face the Portal sees matches an Aura’s identity without either device learning the other’s face or biometric data, and without the comparison result being visible to anyone except the devices that need it to complete the match. SmartID face identification is how ARI can recognize you and others in person while keeping your face and biometric data on your device and under your control.
7. How We Use Information
We use information to:
- Provide core functionality (account access, identity features, linking, and backup/restore)
- Operate and secure the Service (authentication, fraud/abuse prevention, reliability)
- Provide AI-based disguise/photobooth processing when you request it
- Respond to support requests and communicate with you
We do not sell personal information. We do not run third-party behavioral advertising in ARI.
8. AI Processing and Third Parties
If you use AI features (e.g., disguises/photobooth), certain images and prompts may be processed through our backend infrastructure and AI processing partners to produce the output you request. We structure these flows to minimize data exposure and to prevent training/retention where feasible.
No training on your content: We do not use your content to train our models. We require service providers to process data only to provide requested functionality and to limit retention consistent with their policies and our agreements.
9. Cookies and Tracking
ARI is a native mobile app and does not use browser cookies. We do not use third-party advertising SDKs in the app for behavioral tracking. Server logs may include standard technical metadata (e.g., IP address) as part of normal internet operations.
10. Sharing and Disclosure
We may share limited information as follows:
- Service providers: Infrastructure and processing partners (e.g., hosting, storage, AI processing, TURN/STUN providers) acting on our behalf.
- Legal: If required by law, subpoena, or valid legal process, or to protect rights, safety, and security.
- With your direction: When you choose to save/export/share content from your device.
We do not sell personal information. We do not "share" personal information for cross-context behavioral advertising as that term is defined under California law.
11. Data Retention
We retain server-side metadata and logs as long as necessary to provide the Service, maintain security, prevent abuse, and comply with legal obligations. Encrypted backups remain stored until you delete them or delete your account. Most sensitive data (profile, linked people, biometrics) remains on your device and is governed by your use and deletion of the app/account.
12. Security
We implement technical and organizational measures designed to protect information, including encryption in transit (HTTPS), encrypted local storage for sensitive app data, and zero-knowledge encrypted backups. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
13. International Transfers
The Service is currently designed with U.S.-based infrastructure, but it may be accessed globally. If information is transferred internationally, we use appropriate safeguards where required, including Standard Contractual Clauses (SCCs) for EU/UK transfers when applicable.
14. Legal Bases for Processing (EEA/UK)
If you are located in the EEA/UK, we process information under the following legal bases:
- Contract: To provide the Service you request (e.g., account access, backup, AI outputs you initiate).
- Legitimate interests: To secure and maintain the Service, prevent fraud/abuse, and improve reliability.
- Consent: Where required for certain processing (including on-device biometric processing where applicable).
15. Your Privacy Rights
15.1 General Rights
Depending on your location, you may have rights to access, delete, correct, or port information, and to object to or restrict processing. Because much of your data is stored locally on your device, many requests can be satisfied by using in-app controls (e.g., deleting your account) or deleting the app.
15.2 California (CCPA/CPRA)
California residents may have the right to:
- Know what categories of personal information we collect and why
- Request deletion of personal information we hold
- Correct inaccurate personal information
- Access information about disclosures for business purposes
- Not be discriminated against for exercising privacy rights
No sale/sharing: We do not sell personal information and we do not share it for cross-context behavioral advertising.
To exercise rights, contact: ari@theariapp.com. We may need to verify your request consistent with applicable law.
16. Children's Privacy
The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has used the Service, contact us at ari@theariapp.com.
For our standards regarding child safety and the prevention of child sexual abuse and exploitation (CSAE/CSAM), and how to report concerns, see the Child safety section of our Terms of Service.
17. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the "Last Updated" date above and may provide additional notice in-app. Your continued use of the Service after changes become effective constitutes acceptance of the updated Policy.
18. Contact
SmartID Inc.
611 South DuPont Highway Suite 102
Dover, DE 19901
Email: ari@theariapp.com
Note: ARI's privacy posture relies on on-device encrypted storage and zero-knowledge backups. If you lose your backup passphrase, we cannot recover it.