I don't know if we have one. The amount of personal information collected is pretty minimal, given that it is a geolocation tool. Your email is associated with your account, but your account name can be anything. The big thing is that ARIS asks you for a headshot when first logging in (though you don't have to do it - take a shot of the floor).
I do not know if the server is set up so that your email and geolocation data are commingled.
If you use any of the notebook features, you may be sharing more personal information that is geolocated.
The tool was designed with research use in mind, but not only specific users and use cases are research participants. I would guess that an IRB protocol (or something similar if other types of research) would need to be on file (and the game/experience have some means of asking permission of players) before such data would be made available.
I'm not the closest to it, but these are the relevant parts I can think of. Assuming that we don't have anything truly specific yet, and that the overall intent is not to be creepy and mine or share data unnecessarily, what would such a policy need for various use cases. I'm a bit familiar with GDPR and IRB, but not an expert.