← Back to Home

Privacy Policy

Last updated: May 1, 2026

1. Information We Collect

When you sign in with GitHub or Google, we receive your name, email address, and profile picture from your OAuth provider. We do not collect passwords.

We also store data you voluntarily create within the platform: projects, features, tasks, issues, notes, secrets, file uploads (up to 50 MB per file), comments, and activity logs. Files you upload are stored in our object storage; only the file content, filename, MIME type, and size are recorded.

2. How We Use Your Information

  • To authenticate your identity and maintain your session.
  • To provide, operate, and improve the Arcanova platform.
  • To send transactional emails (e.g., project collaboration invites) when applicable.

3. Data Storage & Security

All data is stored on infrastructure we control. Secrets stored in the vault are encrypted with AES-256-GCM with a per-secret random IV at rest; decryption only happens server-side on explicit reveal requests, and every reveal is logged with timestamp and IP. AI provider API keys you configure are encrypted with the same scheme.

All connections use HTTPS with HSTS preload. The application ships hardened HTTP security headers (Content-Security-Policy, Permissions-Policy, COOP/CORP) on every response, and uploaded files are served with Content-Disposition: attachment +X-Content-Type-Options: nosniff for any non-previewable type so a leaked URL still cannot execute at our origin.

4. Third-Party Services

We use the following third-party services:

  • GitHub & Google — for OAuth authentication.
  • PayMongo — for payment processing in the Philippines (if you subscribe to a paid plan or purchase a subscription card).
  • Stripe — for international payment processing where supported (if you subscribe to a paid plan).
  • AI providers you configure — when you use AI features (spec analyzer, autopilot), requests are sent directly to the provider you configured (Google Gemini, Anthropic Claude, OpenAI, xAI Grok, or Alibaba Qwen) using your API key. We never store the prompts or responses on our servers; the request body never leaves your AI provider's environment beyond what you've already agreed to with them.

We do not sell, rent, or share your personal data with any other third parties.

5. Data Retention & Deletion

Your data is retained as long as your account is active. You may request deletion of your account and all associated data by contacting us. Upon deletion, all personal data and project content will be permanently removed.

Activity log entries (records of who changed what on a project board) are automatically purged after 90 days on all tiers to limit the long-tail of audit data we retain. Backups are kept for 30 days.

6. Cookies

We use essential cookies only — an Auth.js session cookie (httpOnly, Secure, SameSite=Lax) for authentication, and a small number of OAuth handshake cookies (PKCE verifier, state, nonce) that exist for at most 15 minutes during sign-in. We do not use tracking cookies, advertising cookies, or third-party analytics.

7. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date.

8. Contact

If you have questions about this policy, contact us at support@arcanova.online.