1Who We Are
ArcaGate, Inc. ("ArcaGate," "we," "our," or "us") operates the ArcaGate AI Agent Governance Platform at arcagate.io. We help enterprises discover, inventory, risk-score, and govern their AI agents.
For privacy questions: privacy@arcagate.io
2What We Collect
Account Information
When you create an account, we collect your name, work email address, company name, and authentication tokens from your identity provider (Google, Microsoft, Okta, Auth0). We never store your OAuth passwords.
AI Agent Metadata
To provide governance services, we read metadata about your AI agents from the integrations you authorize — including agent names, types, configurations, model providers, hashed API key identifiers, data access scopes, risk scores, and audit logs. We do not read, store, or process the content of your agents' conversations or outputs.
Integration Credentials
When you connect an integration, we store your API key or token encrypted using AES-256-GCM. The raw credential is never logged, never exposed in our UI, and accessible only to the background scanner process. We request read-only scopes wherever providers support them.
Usage & Log Data
We collect standard server logs including IP addresses (encrypted before storage), browser type, pages visited, timestamps, and feature usage patterns to operate and improve the service.
Billing Information
Payment is processed by Stripe, Inc. We never see or store your full card number, CVV, or bank details — only a tokenized customer reference and the last four digits for display.
3How We Use It
Provide the service
Scan connected integrations, generate risk scores, surface findings, maintain agent inventory.
Security & compliance
Detect unauthorized access, enforce MFA, maintain tamper-evident audit logs.
Billing
Process subscription payments and send invoices via Stripe.
Communications
Send transactional emails (alerts, scan completion, invoices). No marketing without opt-in.
Improvement
Analyze aggregate, anonymized usage patterns. We do not sell data or use it for advertising.
Legal obligations
Comply with law, respond to lawful authority requests, and enforce our Terms of Service.
4How We Protect It
6Data Retention
Request earlier deletion at any time: privacy@arcagate.io
7Your Rights
GDPR (EU/EEA)
You have all rights listed above. Legal basis for processing: contract performance and legitimate interests.
CCPA (California)
We do not sell personal information. You have the right to know what we collect and to request deletion.
To exercise any right, email privacy@arcagate.io. We respond within 30 days.
9Children's Privacy
ArcaGate is a B2B platform for organizations and their employees. It is not directed at individuals under 18. We do not knowingly collect data from minors. Contact us immediately at privacy@arcagate.io if you believe we have.
10International Transfers
ArcaGate is based in the United States. For EU/EEA customers, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers of personal data outside the EEA.
11Changes to This Policy
We may update this policy as our service evolves. We will notify you of material changes by email and by updating the effective date. Continued use after the effective date constitutes acceptance.
12Contact Us
ArcaGate, Inc.
Privacy Team