This Privacy Policy explains what data ArqZero (“Service”) collects, why, and what your rights are. ArqZero is operated by [OPERATOR_LEGAL_NAME] (“we”, “us”) located in [OPERATOR_JURISDICTION]. Questions: privacy@arqzero.dev.
1. The BYOK architecture
ArqZero is bring-your-own-key: you supply your API key for the LLM provider of your choice (OpenAI, Anthropic, Fireworks, OpenRouter, Ollama, etc.). When you run the CLI:
- Your prompts and the LLM's responses flow directly between your machine and your chosen LLM provider. They do not pass through our servers.
- Code you operate on and files you read or edit stay on your machine.
- Our backend only sees account, license, and usage-counter data — never your code or prompt content, unless you explicitly enable a server-side feature.
2. Data we collect
2.1 Account data
- Email address — for device-flow authentication and product communication.
- Hashed verification tokens and refresh tokens — for authentication. Plain values are never stored.
- Subscription tier and status — to enforce feature access.
- License keys — issued per device.
2.2 Usage data
- Daily request counters — number of CLI sessions/dispatches per day, for tier-limit enforcement. We do not log prompt content, file paths, or code.
2.3 Team Memory (opt-in, Team tier only)
If you enable Team Memory, key-value entries you write are stored on our servers and shared with your team. You control what is written. Maximum 64 KB per value.
2.4 Payment data
Stripe processes payments and stores card details. We receive only a customer identifier and subscription status — never full card numbers. See Stripe's privacy notice at stripe.com/privacy.
2.5 Email delivery
Resend delivers transactional emails (verification codes, team invites). Resend receives recipient address, subject, and message body. See resend.com/legal/privacy-policy.
2.6 Error reporting
The backend reports unhandled errors to Sentry to aid debugging. Sentry receives stack traces and contextual metadata. The CLI may also report errors, but only if you explicitly opt in by setting ARQZERO_TELEMETRY=1 — telemetry is off by default. Telemetry payloads contain crash signatures, version string, and OS string only. They do not include command arguments, file paths, or content of your work.
2.7 Website analytics
The website arqzero.dev uses Plausible Analytics, a privacy-preserving service that does not use cookies, does not collect personal data, and does not track users across sites. Aggregate page views and referrer counts are stored.
2.8 Web fonts
The website loads fonts from Google Fonts (fonts.googleapis.com / fonts.gstatic.com). When you load a page, your browser sends a request to Google's servers, which includes your IP address and basic browser data. We do not pass any personal data to Google ourselves, but this network request constitutes a transfer for purposes of GDPR. We are evaluating self-hosting the font to eliminate this transfer; in the meantime see Google's privacy notice at policies.google.com/privacy.
2.9 Server logs
Standard server logs (IP address, request path, timestamp, response code) are retained for up to [LOG_RETENTION_DAYS] days for security and operational debugging.
3. Legal basis for processing (EU/UK users)
- Contract (GDPR Art. 6(1)(b)) — account, licensing, payment.
- Legitimate interests (Art. 6(1)(f)) — security logging, anti-abuse, fraud detection.
- Consent (Art. 6(1)(a)) — opt-in CLI telemetry, marketing emails (if you subscribe).
- Legal obligation (Art. 6(1)(c)) — tax records and any required regulatory reporting.
4. Data sharing and sub-processors
We do not sell personal data. We share data only with these sub-processors, each bound by a written data processing agreement:
- Supabase (database, US) — account, license, usage, team data.
- Fly.io (compute, US) — backend hosting.
- Cloudflare (CDN, DNS, WAF) — website + API edge.
- Upstash (rate-limit Redis) — counter keys, no personal content.
- Resend (email delivery) — transactional emails.
- Stripe (payments) — billing.
- Sentry (errors) — stack traces and crash metadata.
- Plausible (analytics) — aggregate website metrics.
A current list of sub-processors is maintained at /legal/dpa#subprocessors. We will notify customers of material changes with at least 30 days' notice.
5. International data transfers
Some sub-processors operate in the United States. Where you are in the EU/UK, cross-border transfers occur under Standard Contractual Clauses or equivalent safeguards as available from each sub-processor.
6. Retention
- Account data: retained while your account is active; deleted within 30 days of account deletion (or sooner where required by law).
- Daily usage counters: 90 days, then aggregated or deleted.
- Verification tokens: deleted on use or expiration.
- Server logs: [LOG_RETENTION_DAYS] days.
- Payment records: as required by tax law (typically 7 years).
7. Your rights
Depending on your jurisdiction, you have rights to:
- Access the personal data we hold about you — request via GET /account/data-export in the CLI (Pro/Team tier) or email privacy@arqzero.dev.
- Correct inaccurate data.
- Delete your account and data — initiated via DELETE /account or by emailing us. We confirm by email and honor the deletion within 30 days, subject to legal retention requirements.
- Restrict or object to certain processing.
- Portability — receive your data in a machine-readable format.
- Withdraw consent for opt-in processing at any time.
- Lodge a complaint with a data protection authority. EU users may complain to their national DPA; UK users to the ICO; California residents to the California Attorney General.
8. Security
We use reasonable technical and organizational measures to protect personal data, including: TLS in transit, encrypted database connections, hashed authentication tokens, row-level security policies, rate limiting, JWT-based session management with short access-token lifetimes, secret rotation procedures, and continuous secret-scanning of source control. No system is perfectly secure; in the event of a breach involving personal data we will notify affected users without undue delay where required by law.
9. Automated decision-making
We do not make decisions that produce legal effects on you, or significantly affect you, solely on the basis of automated processing (including profiling), within the meaning of GDPR Article 22. AI features within the Service generate suggestions the user reviews and applies; the user is the decision-maker.
10. Children
The Service is not directed at children under the relevant age of digital consent:
- EU/EEA: 16 years (some member states have set this between 13 and 16 — we apply 16 as the conservative floor).
- United Kingdom: 13 years.
- United States (COPPA): 13 years.
- California (CCPA): For users aged 13–15, the “sale” or “sharing” of personal information requires affirmative opt-in (we do neither, but state this for completeness).
We do not knowingly collect personal data from users below the applicable threshold. If we learn we have, we will delete the data and any associated account promptly. Parents or guardians who believe their child has used the Service should contact privacy@arqzero.dev.
11. California residents (CCPA / CPRA)
11.1 Notice at Collection
This Privacy Policy serves as the Notice at Collection required by Cal. Civ. Code §1798.100(b):
- Categories of personal information collected: identifiers (email), commercial information (subscription tier), internet activity (request logs, opt-in error reports), inferences (usage counters).
- Purposes: as described in Sections 2 and 3 above — providing the Service, billing, security, support.
- Sources: directly from you.
- Retention: as described in Section 6 above.
- Sensitive personal information: we do not collect, use, retain, or share sensitive personal information beyond what is necessary to provide the Service.
11.2 Your CCPA/CPRA rights
California residents have the right to:
- Know what categories and specific pieces of personal information we collect.
- Delete personal information.
- Correct inaccurate information.
- Opt out of “sale” or “sharing” of personal information. We do not sell or share personal information for cross-context behavioral advertising.
- Limit use of sensitive personal information.
- Non-discrimination for exercising these rights.
Exercise rights at privacy@arqzero.dev.
11.3 Do Not Track signals
Some browsers transmit “Do Not Track” (DNT) or Global Privacy Control (GPC) signals. We treat a GPC signal as a valid opt-out request from any “sale” or “sharing” under CCPA. Because we do not sell or share personal information for behavioral advertising, no change is required to our processing on receipt of such a signal. We do not currently respond differently to a generic DNT header.
12. How we verify data subject requests
Requests made via authenticated CLI/API endpoints (/account/data-export, DELETE /account) are verified by your existing JWT session.
Requests made via email to privacy@arqzero.dev are verified by: (a) confirming the request is sent from the email address on file for the account; or, (b) where that is not possible, asking you to authenticate via the CLI and trigger the request from there. We may ask follow-up questions based on data we hold to verify identity. We will not disclose personal data in response to an unverified email request.
13. Changes to this policy
We may update this Privacy Policy. Material changes will be announced by email to account holders and via a notice on this page at least 14 days before they take effect.
14. Contact
Data Protection contact: privacy@arqzero.dev
Operator: [OPERATOR_LEGAL_NAME], [OPERATOR_ADDRESS]