Privacy Policy

Arcellite Inc. ("Arcellite", "we", "our") operates the website at arcellite.com and the billing and licensing infrastructure that supports it. This Privacy Policy describes how we handle personal information in connection with that website and infrastructure.

Arcellite is a self-hosted software product. When you deploy Arcellite on your own hardware, that deployment is entirely under your control. We have no access to it, no visibility into it, and no obligation to process the data stored within it — that responsibility belongs to you as the data controller for your deployment.

This policy applies only to data processed by Arcellite Inc. through arcellite.com and its associated cloud services (billing, licensing, the Inside Out AI proxy).

Because you own the hardware and control the network, you are the data controller for everything inside your deployment. Arcellite acts only as the software vendor that provides the application code.

If you choose to expose your Arcellite server to the internet, configure reverse proxies, or share access with team members, you are responsible for those decisions and their privacy implications for the people whose data you store.

We strongly recommend reading the Security & Trust page and the Shared Responsibility Model before deploying in a multi-user environment.

When you visit arcellite.com we may collect standard web server logs, which include your IP address, browser type, referring URL, and the pages you visit. These logs are used solely for security monitoring and diagnosing infrastructure issues.

We do not use third-party behavioural tracking scripts, ad networks, or cross-site fingerprinting. If we add any analytics tooling in the future, this policy will be updated and the tooling will be disclosed here before it is activated.

When you register for Founder Access or purchase a plan, we collect:

• Your name and email address — used to issue your license and communicate order status.
• Your license token — a randomly-generated string tied to your plan, stored in Firebase Firestore.
• Your plan tier (startup, growth, enterprise) and purchase date.

This data is stored in Google Firebase Firestore, hosted in the United States. It is protected by Firebase's security rules which restrict access to Arcellite's backend services only.

Your license token is the credential your self-hosted server uses to authenticate with Arcellite's cloud services (e.g. the Inside Out AI proxy). Treat it like a password — do not commit it to public repositories.

All payment processing is handled by Stripe. Arcellite never receives, stores, or has access to your full card number, CVV, or bank details. Stripe is a PCI DSS Level 1 certified payment processor.

When you complete a purchase, Stripe provides us with a non-sensitive summary: your email address, the amount charged, the plan purchased, and a Stripe customer ID. We use this to activate your license.

For refunds, billing disputes, or payment receipts, contact us at the address below and we will work with Stripe on your behalf.

If your self-hosted Arcellite server uses the Inside Out AI proxy (POST /api/ai/proxy), the following data is processed by Arcellite's cloud infrastructure:

• Your license token — validated on every request to confirm your plan and quota.
• Token usage counts — the number of tokens consumed per request is aggregated per license token per calendar month.
• Provider and model name — logged for debugging and capacity planning.

AI provider API keys are stored as server-side environment variables and are never exposed in responses. They are injected into upstream requests at runtime and do not appear in logs.

Token usage data is retained for 13 months to support billing, quota enforcement, and plan upgrade recommendations, then automatically deleted.

We send transactional emails to the address you provided at purchase. These include:

• License activation and purchase confirmation
• Important product updates (security patches, major version releases)
• Renewal reminders

We do not send marketing newsletters unless you explicitly opt in. Transactional emails cannot be opted out of while your license is active, as they may contain critical security information.

To update your email address or request removal from future non-essential communications, contact us at the address in the Contact section below.

We do not sell, rent, or trade your personal information. We share data only with the following categories of service providers, and only to the extent necessary to operate Arcellite:

We may disclose personal information if required to do so by law, court order, or governmental authority. We will notify you where legally permitted to do so.

We retain your data for as long as your license is active. Specific retention periods:

• License and account data — retained while your license is active and for 12 months after expiry (for dispute resolution), then deleted.
• Token usage records — 13 months rolling window, then deleted automatically.
• Server access logs — 90 days, then purged.
• Payment records — retained by Stripe per their legal obligations; we retain a non-sensitive summary for 7 years for tax and accounting purposes.

To request early deletion of your account data, contact us. We will process the request within 30 days, subject to any legal retention obligations.

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

To exercise any of these rights, contact us at the address below. We will respond within 30 days. We do not charge a fee for reasonable requests.

If you have questions, requests, or concerns about this Privacy Policy or how we handle your data, please contact us:

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, for material changes, notify active license holders by email.