Privacy Policy

This Privacy Policy describes how ArcaneAPI ("we", "us", "our") collects, uses, stores, and protects your personal information when you use our website, API, dashboard, and related services (collectively, "the Service"). We are committed to protecting your privacy and processing your data transparently and lawfully.

1. Information We Collect

1.1 Account Information

When you register, we collect your name, email address, company name (optional), and a password. Your password is stored using bcrypt with a cost factor of 12 — we never store plaintext passwords. We also generate a unique unsubscribe token for email preference management.

1.2 API Usage Metadata

For each API request, we log operational metadata including: model identifier, input token count, output token count, response time (milliseconds), HTTP status code, timestamp, and computed cost. We do not store, log, inspect, or retain the content of your API request prompts or model responses. Request and response bodies are forwarded to the upstream provider and not persisted by ArcaneAPI.

1.3 Billing and Transaction Data

We maintain records of credit purchases, usage charges, and account balances for billing purposes.

1.4 Technical Data

We collect IP addresses, browser user-agent strings, and device information from web sessions for security monitoring, rate limiting, and fraud prevention. Server logs are retained for 30 days.

1.5 Newsletter Subscriptions

If you subscribe to our newsletter, we store your email address and subscription status. Newsletter subscription is entirely voluntary and independent of account registration.

1.6 Contact Form Submissions

If you submit a contact form, we collect the name, email, subject, and message content you provide.

2. How We Use Your Information

We use your information for the following purposes:

• Service operation: Authenticating requests, routing to model providers, computing usage, and maintaining your account
• Billing: Calculating charges, processing credit purchases, and maintaining transaction records
• Transactional emails: Sending account verification, password resets, and security alerts (required for service operation, not subject to opt-out)
• Optional notifications: Sending usage alerts, low balance warnings, and weekly reports (only with your explicit opt-in consent)
• Marketing communications: Sending product updates, model announcements, and newsletters (only with your explicit opt-in consent)
• Security: Detecting and preventing unauthorized access, abuse, and fraud
• Service improvement: Analyzing aggregate usage patterns to improve performance and reliability (no individual-level profiling)

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Contract performance: Processing necessary to provide the Service you registered for (account data, usage metadata, billing)
• Legitimate interests: Security monitoring, fraud prevention, and service improvement
• Consent: Marketing emails, newsletter subscriptions, and optional notifications (you may withdraw consent at any time)
• Legal obligation: Financial record-keeping as required by applicable tax and accounting regulations

4. Email Communications

We take email consent seriously. Our email practices:

• Marketing and notification emails are sent only to users who have explicitly opted in during registration or via account settings
• The opt-in checkbox is never pre-selected — it requires affirmative action
• Every non-transactional email contains a one-click unsubscribe link that works without requiring login
• You can manage email preferences at any time from your account Settings page
• We honor unsubscribe requests immediately
• We maintain suppression lists for bounced emails and complaint reports

We plan to use Amazon Simple Email Service (AWS SES) for email delivery. When operational, we will comply with all AWS SES sending policies, including bounce rate monitoring, complaint rate monitoring, and suppression list management. All emails include proper List-Unsubscribe headers as required by RFC 8058.

5. Data Sharing and Third Parties

We share your data only in the following limited circumstances:

• AI model providers: Your API request and response content passes through our gateway to the upstream provider (OpenAI, Anthropic, Google, etc.). These providers have their own privacy policies governing how they handle data.
• Infrastructure providers: We use Amazon Web Services (AWS) for hosting and email delivery. Data is processed according to the AWS Privacy Policy and applicable data processing agreements.
• Payment processors: Credit card processing is handled by third-party payment processors who are PCI-DSS compliant. We do not store full credit card numbers.
• Legal requirements: We may disclose data if required by law, court order, or government request, or to protect the rights, safety, or property of ArcaneAPI or others.

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We do not use your data for AI model training.

6. Data Retention

We retain your data for the minimum period necessary:

• Account data: Retained while your account is active and deleted within 30 days of account deletion
• API usage logs: 90 days for operational purposes
• Transaction records: 7 years as required by financial regulations
• Server access logs: 30 days
• Email event logs: 2 years (for suppression list maintenance and compliance)
• Newsletter subscriptions: Until you unsubscribe

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Rectification: Correct inaccurate or incomplete personal data
• Erasure: Request deletion of your personal data (available via the Settings page or by contacting us)
• Data portability: Request your data in a structured, machine-readable format
• Restriction: Request that we restrict processing of your data in certain circumstances
• Objection: Object to processing based on legitimate interests or for direct marketing
• Withdrawal of consent: Withdraw consent for marketing communications at any time without affecting the lawfulness of prior processing

To exercise these rights, contact us at privacy@arcaneapi.com. We will respond within 30 days. If you are in the EEA, you also have the right to lodge a complaint with your local data protection authority.

8. Security Measures

We implement appropriate technical and organizational measures to protect your data:

• All data in transit is encrypted using TLS 1.3
• Passwords are hashed with bcrypt (cost factor 12)
• API keys are stored as irreversible SHA-256 hashes — full keys are shown only once at creation
• Database access is restricted to application-level connections with parameterized queries to prevent SQL injection
• Session tokens are HTTP-only, secure-flagged cookies with SameSite protections
• Rate limiting is applied across all endpoints to prevent brute-force attacks
• Infrastructure is hosted on AWS with encryption at rest and in transit

9. Cookies and Tracking

We use session cookies to maintain your authenticated state. These are essential cookies required for the Service to function and do not require consent under GDPR. We do not use advertising cookies, tracking pixels, or third-party analytics that track individual users across sites.

10. International Data Transfers

Our Service is hosted in the United States on AWS infrastructure. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and other approved transfer mechanisms where required by GDPR or other applicable data protection laws.

11. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email (if opted in) or a notice on our website at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact

For privacy-related inquiries, data subject access requests, or complaints:

• Email: privacy@arcaneapi.com
• Contact form: arcaneapi.com/contact

We aim to respond to all privacy requests within 30 days.