← arvane.ai

Privacy Policy

Last updated: 1 April 2026

1. Who we are

Arvane is operated by [COMPANY_NAME], a company registered in [COUNTRY](“we”, “us”, “our”). We are the data controller for information collected through the Arvane admin dashboard and browser extension.

Contact: privacy@arvane.ai

2. What we collect — and what we never collect

What we collect:

  • Account data — your email address and password hash (bcrypt) when you create an admin account.
  • Organisation data — your organisation’s domain name, policy configuration, and install code.
  • Detection metadata — when the extension detects sensitive data, we log: the AI platform domain, the category of data detected (e.g. “IBAN”, “EMAIL”), the action taken (WARN or BLOCK), and a timestamp. We use a hashed anonymous user ID — no name or email is linked unless the admin invited the user by email.
  • Platform visit metadata — which AI platforms employees visit and how often, for shadow AI discovery. No page content is recorded.
  • Policy acknowledgement — whether an employee has acknowledged the organisation’s AI policy, and when.
  • Billing data — handled entirely by Paddle (our payment processor). We store only a subscription ID and customer ID reference.

What we never collect:

  • The content of any prompts, messages, or text entered into AI tools.
  • The actual sensitive data (e.g. the IBAN number, the email address, the password) — only its category is recorded.
  • Browser history outside of the monitored AI platforms.
  • Keystroke data, clipboard content outside of active detection, or screenshots.

3. Legal basis (GDPR)

We process personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)) — processing necessary to provide the Arvane service to admin account holders.
  • Legitimate interests (Art. 6(1)(f)) — detection metadata and platform visit data are processed to provide the organisation with the compliance and security features they have configured. Employees’ legitimate interests are balanced by the fact that no content is stored and data is presented only in aggregate or anonymised form.
  • Consent — where required for cookies or non-essential tracking, we obtain consent.

4. How we use your data

  • To provide and maintain the Arvane service.
  • To send transactional emails (invite emails, billing receipts) via Resend.
  • To generate compliance reports for the organisation administrator.
  • To improve the service (aggregated, non-personal analytics only).

We do not sell personal data. We do not use personal data for advertising.

5. Data sharing and third parties

We use the following sub-processors:

  • Railway (railway.app) — cloud hosting, EU region. The database containing your data is hosted on Railway infrastructure.
  • Resend (resend.com) — transactional email. Your email address is shared with Resend only when sending invite or billing emails.
  • Paddle (paddle.com) — payment processing. Billing and payment data is processed by Paddle under their own privacy policy.

We do not share data with any other third parties except where required by law.

6. Data retention

  • Account data — retained for the lifetime of the account, deleted within 30 days of account closure.
  • Detection events — retained for 12 months by default. Organisations on Business plan can configure a custom retention period.
  • Platform visits — retained for 12 months.
  • Billing records — retained for 7 years as required by EU tax law.

7. Your rights under GDPR

If you are in the European Economic Area, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data (“right to be forgotten”).
  • Restriction — ask us to restrict processing while a dispute is resolved.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email us at privacy@arvane.ai. We will respond within 30 days.

You also have the right to lodge a complaint with your national data protection authority.

8. Data security

We use industry-standard security measures including HTTPS encryption in transit, bcrypt password hashing, JWT token authentication with server-side session management, and regular security updates. The database is hosted on Railway infrastructure with access controls in place.

9. Cookies

The Arvane admin dashboard uses a session token stored in localStorage — not a cookie — for authentication. We do not use tracking or advertising cookies. If we introduce analytics tools in future, we will update this policy and seek consent where required.

10. International transfers

Your data is stored and processed within the EU (Railway EU region). If any sub-processor processes data outside the EU, appropriate safeguards (Standard Contractual Clauses) are in place.

11. Children

Arvane is a business product not intended for use by children under 16. We do not knowingly collect personal data from children.

12. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify admin account holders by email and update the “Last updated” date above. Continued use of the service after changes constitutes acceptance.

13. Contact

For any privacy questions or to exercise your rights:
[COMPANY_NAME]
[REGISTERED ADDRESS]
privacy@arvane.ai