Legal Document

Privacy Policy

We believe privacy is a right, not a feature. This policy explains exactly what data we collect, why we need it, and how we keep it safe.

Effective June 23, 2026·ArcaGate, Inc.

1Who We Are

ArcaGate, Inc. ("ArcaGate," "we," "our," or "us") operates the ArcaGate AI Agent Governance Platform at arcagate.io. We help enterprises discover, inventory, risk-score, and govern their AI agents.

For privacy questions: privacy@arcagate.io

2What We Collect

Account Information

When you create an account, we collect your name, work email address, company name, and authentication tokens from your identity provider (Google, Microsoft, Okta, Auth0). We never store your OAuth passwords.

AI Agent Metadata

To provide governance services, we read metadata about your AI agents from the integrations you authorize — including agent names, types, configurations, model providers, hashed API key identifiers, data access scopes, risk scores, and audit logs. We do not read, store, or process the content of your agents' conversations or outputs.

Integration Credentials

When you connect an integration, we store your API key or token encrypted using AES-256-GCM. The raw credential is never logged, never exposed in our UI, and accessible only to the background scanner process. We request read-only scopes wherever providers support them.

Usage & Log Data

We collect standard server logs including IP addresses (encrypted before storage), browser type, pages visited, timestamps, and feature usage patterns to operate and improve the service.

Billing Information

Payment is processed by Stripe, Inc. We never see or store your full card number, CVV, or bank details — only a tokenized customer reference and the last four digits for display.

3How We Use It

Provide the service

Scan connected integrations, generate risk scores, surface findings, maintain agent inventory.

Security & compliance

Detect unauthorized access, enforce MFA, maintain tamper-evident audit logs.

Billing

Process subscription payments and send invoices via Stripe.

Communications

Send transactional emails (alerts, scan completion, invoices). No marketing without opt-in.

Improvement

Analyze aggregate, anonymized usage patterns. We do not sell data or use it for advertising.

Legal obligations

Comply with law, respond to lawful authority requests, and enforce our Terms of Service.

4How We Protect It

AES-256-GCM encryption at restAll PII (names, emails, IP addresses, credentials) is encrypted before writing to the database. Raw disk access yields only ciphertext.
TLS 1.2+ in transitAll communications are encrypted in transit. We enforce HSTS with a two-year max-age.
Role-based access controlsTeam access is strictly limited by role (owner, admin, analyst, viewer). Privileged actions require elevated session checks.
HMAC-SHA256 for searchable fieldsEmail addresses are stored as secure hashes for lookup — never as plaintext in the DB layer.
Google Cloud Secret ManagerProduction secrets are injected at runtime and never committed to source code or logs.
Per-IP & per-user rate limitingAll API endpoints enforce rate limits to prevent brute-force and enumeration attacks.
Tamper-evident audit loggingEvery meaningful action is recorded with userId, timestamp, and before/after values.

5Sharing & Third Parties

We do not sell your data. Ever.

We share data only with these service providers, each bound by data processing agreements:

ProviderPurposeRegion
Google LLCAuth (OAuth), hosting (Firebase), infrastructureUSA
Neon, Inc.PostgreSQL databaseUSA (us-west-2)
Stripe, Inc.Payment processing (PCI-DSS L1)USA
Anthropic, PBCOptional AI features — anonymized metadata onlyUSA
Resend, Inc.Transactional email (optional)USA

6Data Retention

Active accountData retained while your account is active.
After cancellationAccount data retained for 30 days for recovery, then permanently deleted.
Encrypted backupsPurged within 90 days of account deletion.
Audit logs (legal)Retained up to 7 years where required by law.
Anonymized statsMay be retained indefinitely (cannot identify you).

Request earlier deletion at any time: privacy@arcagate.io

7Your Rights

Access your data
Correct inaccurate data
Delete your account
Export your data
Restrict processing
Withdraw consent

GDPR (EU/EEA)

You have all rights listed above. Legal basis for processing: contract performance and legitimate interests.

CCPA (California)

We do not sell personal information. You have the right to know what we collect and to request deletion.

To exercise any right, email privacy@arcagate.io. We respond within 30 days.

8Cookies

authjs.session-token
Strictly necessary

Maintains your authenticated session. HttpOnly, Secure, SameSite=Lax. Expires after 8 hours or on sign-out.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

9Children's Privacy

ArcaGate is a B2B platform for organizations and their employees. It is not directed at individuals under 18. We do not knowingly collect data from minors. Contact us immediately at privacy@arcagate.io if you believe we have.

10International Transfers

ArcaGate is based in the United States. For EU/EEA customers, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers of personal data outside the EEA.

11Changes to This Policy

We may update this policy as our service evolves. We will notify you of material changes by email and by updating the effective date. Continued use after the effective date constitutes acceptance.

12Contact Us

ArcaGate, Inc.

Privacy Team

Email us at privacy@arcagate.io