Privacy Policy

1. Introduction

ArcSek FZ-LLC (hereinafter referred to as "Company", "we", "us", or "our") operates the ArcSek APIs, products, website, and customer dashboard (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service. We are committed to protecting your privacy and complying with the UAE Personal Data Protection Law (Federal Decree‑Law No. 45 of 2021) and, where applicable, the General Data Protection Regulation (GDPR).

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on personal data, such as collection, storage, use, transfer, or deletion.
"Data Controller" means you, the customer, who determines the purposes and means of processing the text you submit via the API.
"Data Processor" means us, the Company, who processes personal data on your behalf.

3. Personal Data We Collect

3.1 Account Information

When you register for our Service, we collect your full name, email address, company name (optional), VAT number (if applicable), and payment information (processed by Dodo Payments; we do not store full credit card numbers).

3.2 API Usage Data

For each request to our /check endpoint, we temporarily collect the text submitted, the API key used (hashed), the timestamp, the response status (SAFE or DANGER), the latency of the request, and the model that processed it. This data is pseudonymised (the text content is associated with an internal identifier, not directly with your name).

3.3 Usage Metadata

We collect aggregate metrics such as total requests per API key, blocked percentages, language distribution of attacks, and error rates. This metadata is anonymised and cannot be traced back to specific individuals.

3.4 Dashboard Access Logs

When you log into your dashboard, we record your IP address, browser user agent, login time, and actions taken (e.g., creating a new API key, viewing invoices).

3.5 Communications

If you contact us via email or support chat, we retain the correspondence indefinitely for customer service improvement.

4. Legal Basis for Processing

Under PDPL and GDPR, our legal bases are:

Consent: You give explicit consent by using our Service and accepting this Privacy Policy.
Contractual necessity: We need your personal data to provide the Service (e.g., authenticating your API key).
Legitimate interests: We use anonymised data to improve security algorithms and detect new attack patterns.
Legal obligation: We may retain data to comply with court orders or regulatory requests.

5. How We Use Your Personal Data

5.1 To authenticate you and validate your API key.
5.2 To process your requests to the AI model and return a response.
5.3 To generate usage reports and invoices.
5.4 To detect and prevent abuse, fraud, or unauthorised access (including rate limiting).
5.5 To improve our threat detection algorithms (only using aggregated, anonymised data).
5.6 To send you service notifications (e.g., rate limit warnings, security incidents, subscription renewals) via email.
5.7 To comply with applicable laws and regulations.

6. Cross‑Border Data Transfers

Our primary database is hosted in Seoul, South Korea. By using our Service, you expressly consent to these cross-border transfers.

6.1 Our primary database is hosted by Supabase on cloud infrastructure located in Seoul, South Korea (AWS region ap-northeast-2). This means your account information, API keys (hashed), usage logs, and the text content of your API requests may be transferred to and processed in South Korea.

6.2 Why Seoul? This region offers the best latency for our customers in the Middle East and Asia, while providing enterprise‑grade physical and network security. Supabase is GDPR‑compliant and adheres to the EU‑US Data Privacy Framework. For UAE customers, we rely on Standard Contractual Clauses (SCCs) approved by the UAE Data Office to legitimise the transfer.

6.3 Additionally, we use OpenRouter (AI gateway) which may route your requests to model providers located in the United States, the European Union, or other regions. Each such provider is contractually bound to process data only for the purpose of returning API responses and not for any other purpose.

6.4 Email alerts are sent via Resend, which may process your email address in the United States.

6.5 By using our Service, you expressly consent to these cross‑border transfers. If you do not agree, you must not use the Service.

7. Data Retention and Deletion

7.1 Text content (the user messages submitted to /check) is retained only for the period specified in your subscription plan:

Plan	Log Retention
Free	1 day
Scout	30 days
Guard	90 days
Fortress	365 days (1 year)

After the retention period expires, the content is permanently deleted from our primary databases and backups are purged within an additional 30 days.

7.2 API keys are stored as bcrypt hashes and are retained until you delete them or your account is terminated.

7.3 Usage metadata (aggregated stats) is retained indefinitely for historical reporting and algorithm training, but it is anonymised and cannot be linked back to any individual end user.

7.4 Upon termination of your account, we will delete all your personal data within 30 days, except where we are required to retain it by law (e.g., tax records for 7 years).

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data:

Encryption at rest (AES‑256) for all stored data.
TLS 1.3 encryption for data in transit.
Hashing of API keys using bcrypt (we do not store plaintext keys).
Access controls and role‑based permissions for our staff; only senior engineers have access to raw logs, and only for debugging.
Regular vulnerability scanning and penetration testing.
Incident response plan in the event of a data breach.

Despite these measures, no method of transmission over the Internet is 100% secure. You use the Service at your own risk.

9. Data Breach Notification

If we discover a breach of your personal data, we will notify you within 72 hours via email, describing the nature of the breach, the data affected, and the steps we have taken to remedy it. We will also notify the UAE Data Office as required by PDPL.

10. Your Rights

You have the following rights regarding your personal data:

Right to access: Request a copy of the personal data we hold about you.
Right to rectification: Correct inaccurate or incomplete data.
Right to erasure: Request deletion of your data, subject to legal retention periods.
Right to restriction: Limit how we use your data during a dispute.
Right to data portability: Receive your data in a structured, machine‑readable format.
Right to object: Object to processing based on legitimate interests (e.g., direct marketing).
Right to withdraw consent: Withdraw any previously given consent without affecting the lawfulness of prior processing.

To exercise these rights, email privacy@arcsek.com. We will respond within 30 days.

11. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have inadvertently done so, we will delete the data.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (using the address associated with your account) and by posting a prominent notice on our website. The updated version will become effective 14 days after such notice, unless a shorter period is required by law.

13. Contact Information

For questions or complaints regarding this Privacy Policy or our data practices, please contact our Data Protection Officer (DPO):

Name: E.N. Aman Cooray
Address: Sharjah Research Technology and Innovation Park, Sharjah, UAE