Privacy Policy
Last updated: April 17, 2026
This policy explains what information Arca collects, why we collect it, how we use it, and the rights you have over it. We wrote it in plain English on purpose. If anything is unclear, email privacy@runarca.xyz and a real person will answer.
1. Who we are
Arca is a managed operations platform for freelancers, solo operators, and small service businesses. Arca is operated by Unbanked ("Unbanked", "we", "us", "our"), a privately held company. Our website is runarca.xyz.
For the purposes of GDPR, Unbanked is the data controller of personal information collected through Arca. For the purposes of Canadian PIPEDA, we are the organization accountable for that information.
2. What we collect
We only collect information that we actually need. Specifically:
Information you give us directly
- Waitlist and contact information:your email address (and optionally your name and business type) when you join our waitlist or contact us.
- Account information:when Arca launches as a paid product: your name, email, business name, and authentication credentials.
- Payment information:billing name, address, and the last four digits of your card. Full card numbers are handled by our payment processor (Stripe) and never touch our servers.
- Content you send through Arca:messages, tasks, client records, documents, and any other information you or your clients provide through the platform (including via Telegram, email, or web).
- Support correspondence:whatever you send us when you email or DM for help.
Information we collect automatically
- Log data:IP address, browser type, device type, pages visited, referring page, and timestamps. This comes from Cloudflare and standard web server logs.
- Cookies and similar technologies:we use a small number of strictly necessary cookies (for session management and security). We do not use advertising or cross-site tracking cookies. See Section 9.
Information we do not collect
- We do not sell personal information. Ever.
- We do not use third-party advertising trackers on this website.
- We do not use your content or your clients' content to train public AI models.
3. How we use your information
We use the information we collect to:
- Provide, operate, and improve Arca.
- Run the automations, workflows, and AI features you configure. This includes sending your content to the AI providers listed in Section 5 so the platform can do what you asked it to do.
- Communicate with you about your account, billing, product updates, and occasional announcements you can unsubscribe from at any time.
- Protect Arca, our users, and the public from fraud, abuse, and security threats.
- Comply with legal obligations.
We do not use your business data or your clients' data for any purpose you didn't ask for.
4. Legal bases for processing (GDPR)
If you're in the UK, EEA, or Switzerland, our legal bases are:
- Contract:to deliver the Arca service you signed up for.
- Legitimate interests:to keep Arca secure, prevent abuse, and improve the product, where those interests don't override your rights.
- Consent:for optional marketing emails and any non-essential cookies. You can withdraw consent at any time.
- Legal obligation:where we're required to retain or disclose information by law.
5. Who we share information with
Arca runs on a small number of trusted third parties ("subprocessors") that help us operate the platform. We only share what's necessary for them to do their job, and each one is contractually required to protect your information.
| Subprocessor | Purpose | Location |
|---|---|---|
| Cloudflare | Hosting, CDN, DDoS protection, edge logs | Global |
| Neon | Managed Postgres database | US / EU |
| Stripe | Payment processing (when billing goes live) | US |
| Anthropic, OpenAI, OpenRouter, xAI, Groq, SiliconFlow | AI model inference for workflows you configure | US |
| Telegram | Chat-first interface (when you connect a Telegram channel) | Global |
| Twilio | SMS and voice messaging (optional feature) | US |
| Gmail / Zoho Mail | Transactional and support email | US / EU |
| GitHub | Source control and deployments | US |
| Google Workspace (Gmail, Calendar, Drive, Sheets, Slides) | Email, calendar, and file integration (when you connect your Google account) | US |
Google Workspace integration
When you connect your Google account to Arca, you grant us access to specific Google Workspace scopes (Gmail, Calendar, Drive, Sheets, and Slides). This access:
- Is used solely to provide the Arca features you enabled — reading emails, managing calendar events, and accessing files you designate.
- Is governed by Google's Privacy Policy as well as this one. Google is a data controller for your Google account data; Arca is a data processor for the data we access through the integration.
- Can be revoked at any time by disconnecting your Google account in the Arca integrations settings, or by visiting your Google account permissions page.
- Access tokens are stored encrypted at rest and automatically refreshed. We never share your Google credentials with third parties.
We may also disclose information if required by law, to protect Arca or our users from fraud or abuse, or as part of a business transfer (e.g., acquisition). In that case the acquiring entity will be bound by this policy or give you notice of any material change.
6. International data transfers
Arca is operated from Canada, and several of our subprocessors are located in the United States and other jurisdictions. When we transfer personal information out of your country, we rely on lawful transfer mechanisms like Standard Contractual Clauses and the EU–US Data Privacy Framework where applicable, so your information receives substantially similar protection wherever it travels.
7. How long we keep information
We keep personal information only as long as we need it for the purpose we collected it, or as long as we're required to by law. Specifically:
- Waitlist data:until you unsubscribe or the waitlist closes.
- Account data:for the life of your account plus up to 90 days after you delete it, so we can restore it if you change your mind and clean up backups.
- Billing records:for 7 years, to meet Canadian tax and accounting requirements.
- Support correspondence:for up to 2 years.
- Logs:typically 30–90 days.
8. Your rights
Depending on where you live, you have the right to:
- Access the personal information we hold about you.
- Correct information that's inaccurate or incomplete.
- Delete your information (subject to legal retention rules).
- Port your information to another service in a machine-readable format.
- Object to or restrict certain processing.
- Withdraw consent where we rely on it.
- Opt out of the sale or sharing of your personal information (CCPA). We don't sell your information, but you can still submit this request.
- Complain to a supervisory authority (the Office of the Privacy Commissioner of Canada, your local EU data protection authority, the UK ICO, or the California Attorney General).
To exercise any of these rights, email privacy@runarca.xyz. We'll respond within 30 days and may need to verify your identity before acting on the request.
9. Cookies
We use a minimal set of cookies and similar technologies:
- Strictly necessary:for session management, security, and remembering your preferences. These are always on.
- Analytics:we may use Google Analytics 4 to understand aggregate site usage, content performance, and lead-form behavior. We use this data to improve the website and do not sell it.
You can block cookies in your browser settings. Blocking strictly necessary cookies may break parts of the site.
10. Security
We take reasonable technical and organizational measures to protect your information: encryption in transit (TLS 1.2+), encryption at rest for sensitive fields, access controls, audit logs, and regular security reviews. No system is perfectly secure, but we treat your data like it's our own. In most cases, ours is on the same systems.
If we ever learn of a breach that affects your personal information, we'll notify you and the relevant authorities as required by law.
11. Children
Arca is not intended for anyone under 16, and we do not knowingly collect information from children. If you believe a child has given us their information, email privacy@runarca.xyz and we'll delete it.
12. Changes to this policy
When we make material changes to this policy, we'll update the "Last updated" date at the top and, for significant changes, email account holders or post a notice on the site. The current version always lives at runarca.xyz/privacy.
13. Contact us
Questions, requests, or complaints? Email privacy@runarca.xyz. We read everything that comes in.