Privacy Policy
Last updated: 2026-05-23
This policy describes how Arc OS (arc-os.co) collects, uses, and
protects information about you during the closed beta. It will be
revised before general availability.
What we collect
| Category | Examples | Purpose |
|---|---|---|
| Account identity | Email address, OAuth profile (name + avatar from Google/GitHub), hashed password | Auth + account recovery |
| Project data | Prompts you send, AI responses, files you upload, code you generate | Operating your workspace |
| Usage logs | Activity log entries (issue updates, deploys, exports), timestamps, IPs, user agents | Multi-tenancy audit + security forensics |
| Telemetry | Onboarding funnel events, feature usage counters (no content) | Product improvement |
| Trial credit usage | Token counts per AI call (no prompt content) | Quota enforcement |
What we do NOT collect
- No cross-tenant data leakage. Every API call is gated by `canAccessProject(...)`. Other users' projects are unreachable.
- No model training on your content. We do not feed your code, prompts, or responses into any training pipeline — neither ours nor third-party.
- No advertising trackers, no analytics SDKs. No Google Analytics, no Mixpanel, no Sentry. Server-side logs only.
- No third-party social trackers. OAuth providers see only the login flow; they do not get embedded scripts on the app.
How we store it
- In transit: TLS 1.3 via Cloudflare → origin nginx → backend. Authenticated Origin Pulls (mTLS) prepared (Phase 53.17.5).
- At rest: SQLite database. Sensitive fields are AES-256-GCM encrypted with keys derived from your password (Phase 45 E2EE).
- Vault: API keys and bot tokens live in `config/vault.json` — AES-256-GCM encrypted, never written to `.env` or committed to git.
- PII redaction: Email addresses, API keys, JWTs, card numbers are sanitized from server logs at write-time (`shared/pii-sanitizer.ts`).
Who can see your data
| Role | Access |
|---|---|
| You | Full read/write of your projects |
| Other users | Nothing — multi-tenancy enforced server-side |
| Platform operator (CEO) | Operational metadata only (project names, last-active timestamps); chat content is encrypted at rest |
| AI providers (Anthropic) | Whatever prompts you submit to them, per their terms |
Third-party processors
We use the minimum set of third parties needed to operate the service:
- Cloudflare — DNS, CDN, DDoS protection, WAF.
- Anthropic — Claude AI inference (when you call any worker).
- OAuth providers (Google, GitHub) — sign-in only; we receive only the bare profile (id, email, name, avatar URL).
- Email provider — outbound transactional email (verification + password reset + magic link). No newsletter, no marketing.
We do not use:
- Ad networks
- Analytics SDKs (no GA, no Mixpanel)
- CRM tools to track you
- Tracking pixels in transactional email
Your rights
You may at any time:
- Download your data (GDPR Art. 20 — Data Portability): Go to Settings → Security → Download my data in the CRM dashboard. This generates a JSON export of all your account data (projects, chat history, issues, wiki, skills, activity logs). Also available via `GET /api/auth/export` (rate-limited to 3 requests per 24 hours).
- Delete your account (GDPR Art. 17 — Right to Erasure): Go to Settings → Security → Delete account in the CRM dashboard. This triggers immediate, permanent cascade erasure across all your data (15+ tables). Also available via `DELETE /api/auth/account`. Anonymized audit log entries may be retained for up to 12 months for fraud prevention.
- Export project context via Project Settings → AI Interop → Export project context (Phase 56). The export passes through a 3-tier secret scanner before download.
- Object to processing by closing your account.
EU residents have the additional rights granted under GDPR (Articles
15–22). Ukrainian residents have rights under the Law on Personal Data
Protection (ZUOPD). To exercise any of these, use the self-service
options above or write to [email protected].
Cookies + local storage
Arc OS uses localStorage to keep:
- `crm-token` — your JWT session token (24h TTL)
- `crm-last-project` — last opened project (UX convenience)
- `crm-locale` — your selected language
- `cookie-consent` — records your cookie consent choice
We use sessionStorage (browser-only, cleared on tab close) to keep:
- Your E2EE master key — derived client-side from your password, never sent to the server.
No cookies at all. Arc OS does not set any HTTP cookies. All session
state is stored in localStorage / sessionStorage only. There are no
third-party tracking cookies, no advertising cookies, no analytics SDKs
embedded in the page. The browser Permissions-Policy header is set to
disable camera, microphone, geolocation, payment, and USB access.
Data retention
Automated retention cron runs daily and purges data that exceeds these limits:
| Data | Retention |
|---|---|
| Active project content | While account is active |
| Chat messages | 180 days |
| Auth events (login/logout/etc.) | 90 days |
| Activity log entries | 365 days |
| Token usage records | 730 days (2 years) |
| Data export records | 365 days |
| Deleted account | Purged immediately (cascade) |
| Audit logs (anonymized) | 12 months for fraud detection |
| Email verification tokens | 24 hours TTL |
| Password reset tokens | 30 minutes TTL |
| Magic-link tokens | 10 minutes TTL |
Children
The service is not intended for users under 16. If you become aware
that a child has signed up, please email [email protected] so we can
remove the account.
Security incidents
If we become aware of a breach affecting your data, we will notify you via email within 72 hours of confirmed compromise, per GDPR Article 33.
To report a security issue: [email protected].
Changes to this policy
We may revise this policy. Material changes will be announced via:
- The `@arcos_beta_feedback` Telegram channel, and
- A banner in the application for at least 7 days.
Contact
- Operator: Sergii Marchenko (Ukraine)
- Privacy contact: [email protected]
- Security contact: [email protected]