ARCANAI

Privacy Policy

Last updated: 29 May 2026 · GDPR compliant

The short version — what we do NOT store

1. Data Controller

The data controller for the ARCANAI Service is:

Arthur von der Heyden

Email: dpo@arcanai.app

Country: France

2. What Data We Collect

| Category | Data collected | Purpose | Retention |
| --- | --- | --- | --- |
| Account | Name, email address, bcrypt password hash, plan, role | Authentication and service delivery | Until account deletion |
| Analysis results | AI-generated result text, analysis type, language, anonymised filename | Your personal history and re-access | Until you delete them or close account |
| Credits | Credit balance and transaction log (type, amount, description) | Billing and usage tracking | Until account deletion |
| Sessions | JWT access token (hashed), creation and expiry timestamps | Authenticated access | 7 days (access) / 30 days (refresh) |
| API keys | Encrypted ciphertext + IV only — never the plaintext key | Zero-knowledge key vault | Until you delete the key or close account |
| Logs | Hashed user ID, analysis type, request duration | Abuse detection and performance monitoring | 30 days |
| Payments | Transaction ID, amount, status (via Stripe — we do not store card data) | Billing and fraud prevention | 5 years (legal obligation) |

3. Document and Chat Content — Zero Storage Policy

ARCANAI does not store your documents. Here is exactly what happens:

  1. Your text is anonymized in your browser (PII replaced with tokens like [NAME_1]).
  2. The anonymized text is AES-256-GCM encrypted in your browser with an ephemeral key.
  3. The encrypted payload is sent to our server. The server decrypts it briefly, calls the AI, re-encrypts the result, and discards the plaintext immediately.
  4. Only the AI-generated result is saved to your history — never the source text.
  5. For chat messages, we store only the message length (e.g. "[142 chars]") for quota tracking — never the content.

Important limitation: Our server does briefly process your anonymized text in memory. This is not true zero-knowledge. We never persist it, but during the processing window it is technically accessible to us. See our How it works page for a full technical explanation.

4. Legal Basis for Processing (GDPR Article 6)

  • Contract (Art. 6(1)(b)): Processing your account data, sessions, and analysis results to provide the Service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): Security logging, abuse prevention, and service improvement analytics (aggregated, non-personal).
  • Legal obligation (Art. 6(1)(c)): Retaining payment records for the legally required 5-year period.
  • Consent (Art. 6(1)(a)): Any optional analytics or marketing communications, which you can withdraw at any time.

5. Sharing with Third Parties

We share data only as follows:

  • Anthropic, OpenAI, Google (AI providers): We send anonymized text to generate AI responses. These providers receive anonymized text, not your identity or IP. They operate under their own privacy policies and, for API usage, do not train on your data.
  • Stripe (payments): Processes payment information. We share your email for receipts. Stripe is PCI-DSS compliant and GDPR-covered under a Data Processing Agreement.
  • Infrastructure (hosting): Our servers may be hosted on a European or US cloud provider. Any US transfers are covered by Standard Contractual Clauses.

We do not sell your data. We do not share it with advertisers.

6. Data Retention

We retain personal data only for as long as necessary for the purposes described. Specifically:

  • Account data: retained until you request account deletion.
  • Analysis history: retained until you delete individual entries or close your account.
  • Server logs: automatically purged after 30 days.
  • Session tokens: expire after 7 days (access) or 30 days (refresh).
  • Payment records: retained for 5 years to comply with French accounting law.

After account deletion, we will erase your personal data within 30 days, except where we are required by law to retain it longer.

7. Your Rights Under GDPR

If you are in the EU/EEA or UK, you have the following rights:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your account and associated data.
  • Right to restriction (Art. 18): Ask us to pause processing while a dispute is resolved.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email our DPO at dpo@arcanai.app. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (in France: CNIL).

8. Cookies and Tracking

ARCANAI does not use third-party advertising cookies, tracking pixels, or analytics services that profile you.

We store authentication tokens in localStorage on your device. These are strictly necessary for the Service to function and do not require consent under the ePrivacy Directive.

We may set a session cookie for CSRF protection. This cookie expires when you close your browser.

9. Security Measures

We implement the following security controls:

  • AES-256-GCM encryption for documents in transit.
  • RSA-2048 (OAEP) key wrapping for the session AES key.
  • PBKDF2 (100,000 iterations, SHA-256) key derivation for API key encryption.
  • bcrypt (12 rounds) password hashing.
  • HTTPS with HSTS, X-Frame-Options, CSP, and Referrer-Policy headers.
  • Rate limiting and brute-force protection on all authentication endpoints.
  • Log sanitization that strips API keys and PII from server logs.

10. Children's Privacy

ARCANAI is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at dpo@arcanai.app.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 14 days before they take effect. The date at the top of this page indicates the most recent revision.

12. Contact and DPO

Data Protection Officer

Arthur von der Heyden

Email: dpo@arcanai.app

Response time: within 30 days
