# Privacy Policy

**Last Updated:** May 9, 2026

**Version:** 2.0.0

**Effective Date:** May 9, 2026

---

## 1. Introduction & Data Controller

Arc Pilot ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Arc Pilot OS, in line with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and the California Consumer Privacy Act ("CCPA/CPRA") where applicable.

DATA CONTROLLER:
Arc Pilot is the data controller of personal data processed about you in connection with your Arc Pilot account. For EU/EEA users, our EU Representative under Art. 27 GDPR may be reached at privacy@arc-pilot.com.

DATA PROTECTION OFFICER (DPO):
Our DPO can be contacted at dpo@arc-pilot.com for any matter relating to the processing of your personal data or the exercise of your rights.

By using the Service, you acknowledge the data practices described in this policy. Where consent is the lawful basis (e.g., non-essential cookies, marketing communications), processing only occurs after you have given consent and you may withdraw it at any time without affecting prior processing.

## 2. Information We Collect

We collect the following types of information:

ACCOUNT INFORMATION:
• Email address (required for registration)
• Name/display name
• Password (stored as a secure hash)
• Profile preferences and settings

USAGE DATA:
• Workspace and feature usage patterns
• Conversation history with AI agents
• Files and documents you upload
• Generated content and outputs
• Container execution logs and command history
• Organization membership and collaboration data

TECHNICAL DATA:
• IP address and device information
• Browser type and version
• Operating system
• Session data and cookies

PAYMENT DATA:
• Transaction records (processed by Paddle)
• Purchase history
• Coin balance and usage

We do NOT collect complete payment card numbers; these are handled by our payment processor.

## 3. How We Use Your Information & Lawful Basis (GDPR Art. 6)

We use collected information for the following purposes, each with a corresponding lawful basis under GDPR Art. 6(1):

SERVICE DELIVERY — Lawful basis: Performance of a contract (Art. 6(1)(b))
• Provide and maintain the Service
• Process transactions and manage your account
• Store your files, conversations, and preferences
• Provide AI-powered features and responses

SERVICE IMPROVEMENT — Lawful basis: Legitimate interests (Art. 6(1)(f)) or consent (Art. 6(1)(a)) where required
• Analyze usage patterns to improve features (with consent for non-essential analytics)
• Fix bugs and optimize performance
• Develop new features and workspaces
• Personalize user experience

COMMUNICATION — Lawful basis: Performance of a contract / legitimate interests / consent (for marketing)
• Send important service announcements (transactional)
• Respond to support requests
• Provide feature updates and marketing (only with your consent — you can opt out at any time)

SECURITY & COMPLIANCE — Lawful basis: Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f))
• Detect and prevent fraud or abuse
• Enforce our Terms of Service
• Comply with legal obligations (tax, accounting, law-enforcement requests)

We do NOT engage in automated decision-making with legal or similarly significant effect under Art. 22 GDPR. AI outputs are advisory; humans (you) make the final decisions.

## 4. AI Data Processing

When you use AI features:

• Your inputs are sent to AI providers (Anthropic) for processing
• AI providers may process data according to their policies
• We do not use your conversations to train our own AI models
• AI-generated outputs are stored in your account
• You can delete your conversation history at any time

Please review Anthropic's privacy policy for their data practices: https://www.anthropic.com/privacy

## 5. Data Sharing

We may share your information with:

SERVICE PROVIDERS:
• Cloud infrastructure providers (hosting, storage)
• Payment processors (Paddle)
• AI providers (Anthropic)
• Analytics services (with anonymization)

These providers are contractually bound to protect your data and use it only for specified purposes.

LEGAL REQUIREMENTS:
We may disclose information if required by law, court order, or to protect our rights, safety, or property.

BUSINESS TRANSFERS:
In the event of a merger, acquisition, or sale, user data may be transferred to the new entity.

WE DO NOT:
• Sell your personal data to third parties
• Share your data for third-party advertising
• Provide access to your private content without consent

## 6. Data Security

We implement security measures including:

• Encryption of data in transit (TLS/SSL)
• Encryption of sensitive data at rest
• Secure password hashing (bcrypt)
• JWT-based authentication
• Regular security assessments
• Access controls and audit logging

However, no system is 100% secure. You are responsible for maintaining the security of your account credentials.

## 7. Data Retention

We retain your data as follows:

ACTIVE ACCOUNTS:
• Account data: Until account deletion
• Conversations: Until you delete them or close your account
• Files: Until you delete them or close your account
• Usage logs: 90 days (then anonymized)

DELETED ACCOUNTS:
• Data is deleted within 30 days of account closure
• Backup retention: Up to 90 days
• Anonymized analytics may be retained indefinitely

LEGAL HOLDS:
We may retain data longer if required for legal proceedings or compliance.

## 8. Your Rights (GDPR / UK GDPR / CCPA)

If you are in the EU, EEA, UK or other jurisdictions providing equivalent rights, you have the following rights regarding your personal data:

• ACCESS (Art. 15 GDPR): Obtain confirmation of, and a copy of, the personal data we hold about you.
• RECTIFICATION (Art. 16 GDPR): Have inaccurate or incomplete data corrected.
• ERASURE / "RIGHT TO BE FORGOTTEN" (Art. 17 GDPR): Request deletion of your data where one of the legal grounds applies.
• RESTRICTION OF PROCESSING (Art. 18 GDPR): Request that we limit how we process your data.
• DATA PORTABILITY (Art. 20 GDPR): Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
• OBJECTION (Art. 21 GDPR): Object to processing based on legitimate interests, including profiling and direct marketing (which we will stop without exception).
• WITHDRAW CONSENT (Art. 7(3) GDPR): Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
• NOT TO BE SUBJECT TO AUTOMATED DECISIONS (Art. 22 GDPR): We do not subject you to decisions based solely on automated processing with legal or similarly significant effects.

CCPA/CPRA RIGHTS (California residents): Right to know, delete, correct, opt out of "sale"/"sharing", limit use of sensitive personal information, and non-discrimination. We do NOT sell or share personal information for cross-context behavioral advertising.

EXERCISING YOUR RIGHTS:
• Use Settings > Privacy in the app to export or delete data
• Email privacy@arc-pilot.com (subject line "GDPR" or "CCPA")
• We respond within one (1) month per Art. 12(3) GDPR; this may be extended by two (2) months for complex requests with notice to you

RIGHT TO LODGE A COMPLAINT (Art. 77 GDPR):
You have the right to complain to a supervisory authority, typically the Data Protection Authority of your EU/EEA member state of residence, or the UK Information Commissioner's Office (ICO) at https://ico.org.uk. We would, however, appreciate the chance to address your concern first; please contact dpo@arc-pilot.com.

## 9. Cookies & Tracking

We use cookies and similar technologies in line with the EU ePrivacy Directive ("cookie law") and GDPR. Non-essential cookies are only set after you give explicit, informed consent through our Cookie Consent banner. You can change or withdraw consent at any time via the "Cookie Preferences" link in the footer or in Settings > Privacy.

CATEGORIES OF COOKIES WE USE:

1. STRICTLY NECESSARY (always on, no consent required):
   • Authentication / session management (e.g., access tokens, CSRF tokens)
   • Security features (rate-limit, fraud detection)
   • Load balancing and basic functionality
   Lawful basis: legitimate interests; ePrivacy Art. 5(3) exemption.

2. PREFERENCES (consent required):
   • Language, theme, accessibility settings, layout preferences

3. ANALYTICS / PERFORMANCE (consent required):
   • Aggregated usage statistics (PostHog, Vercel Analytics, Vercel Speed Insights)
   • Error tracking and bug reports

4. MARKETING / ADVERTISING (consent required):
   • We do not currently use third-party advertising cookies. If this changes, we will obtain prior opt-in consent and update this Policy.

For each category we publish: cookie name, provider, purpose, duration, and whether it is first- or third-party. The full table is available at /legal/cookies.md and inside the consent banner's "Customize" panel.

Cookies can be managed at any time via Settings > Privacy > Cookie Preferences. Refusing non-essential cookies will not affect access to the core Service.

## 10. International Data Transfers (GDPR Chapter V)

Some of our service providers (e.g., AI providers, cloud infrastructure, analytics) are located outside the EU/EEA, including in the United States. Where we transfer personal data outside the EU/EEA or the UK, we rely on one of the following GDPR-compliant transfer mechanisms (Art. 44–49 GDPR):

• EU Commission ADEQUACY DECISIONS (e.g., EU–US Data Privacy Framework where the recipient is certified)
• STANDARD CONTRACTUAL CLAUSES ("SCCs", 2021/914) plus supplementary measures (encryption in transit and at rest, access controls)
• UK INTERNATIONAL DATA TRANSFER ADDENDUM ("UK IDTA") for UK transfers
• BINDING CORPORATE RULES where applicable
• YOUR EXPLICIT CONSENT (Art. 49(1)(a)) where no other safeguard applies, after you have been informed of the risks

You can request a copy of the SCCs or other safeguards in place for any specific transfer by contacting privacy@arc-pilot.com.

## 11. Children's Privacy

The Service is not intended for children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect data from children under this age.

If you believe a child has provided us with personal data, please contact us immediately at support@arc-pilot.com.

## 12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via:

• Email notification
• In-app announcement
• Updated "Last Updated" date

Your continued use after changes constitutes acceptance of the updated policy.

## 13. Contact Us

For privacy-related questions or concerns:

Privacy / Data Protection: privacy@arc-pilot.com
Data Protection Officer (DPO): dpo@arc-pilot.com
General Legal: legal@arc-pilot.com
Support: support@arc-pilot.com

For GDPR data-subject requests, please include "GDPR" in your subject line. For CCPA requests, include "CCPA". We will respond within one (1) month for GDPR and 45 days for CCPA, unless an extension applies.

---

_Contact: privacy@arc-pilot.com_
