Privacy policy
Last updated: 2026-04-29
This policy describes what personal data ArcSentinel processes, why, on what
legal basis, and how you can exercise your rights under the EU General Data
Protection Regulation (GDPR) and equivalent national privacy laws.
ArcSentinel ("we", "us") operates the workspace at the domain you
sign in to. The Controller for the data described below is ArcNode —
contact: info@arcsentinel.app for privacy matters and
hello@arcsentinel.app for general inquiries.
1. Personal data we process
We collect only what we need to operate the service.
| Category | Examples | Source |
|---|---|---|
| Account identity | email, display name, optional handle, optional avatar URL | Provided by you at sign-up or via GitHub sign-in |
| Authentication | passphrase hash (Argon2-strength bcrypt, never the plaintext), session metadata | Generated when you sign in |
| Workspace content | targets you declare, cases, scan configurations, intel notes, tags, sealed vault entries | Generated by you using the app |
| Operational telemetry | activity log entries (action kind, timestamp, hashed IP, truncated user-agent), incident IDs | Generated automatically as you use the app |
| Diagnostic submissions | data the optional ArcSentinel agent uploads when you run it on your own infrastructure | Sent by the agent you authorise |
We do not collect:
- Browsing history outside the app
- Advertising or marketing identifiers
- Biometric data
- Special categories of data (health, religion, political opinion, etc.)
2. Why we process it (purposes & legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the workspace you are signed into | Contract — Art. 6(1)(b) |
| Authenticate you and protect the account | Contract + Legitimate interest — Art. 6(1)(b) and (f) |
| Detect abuse, throttle attackers, log security events | Legitimate interest — Art. 6(1)(f) |
| Comply with legal requests, retain audit trail for forensics | Legal obligation — Art. 6(1)(c) |
| Operate the optional GitHub OAuth sign-in if you choose it | Consent — Art. 6(1)(a) (you initiate the OAuth flow) |
We do not perform automated decision-making with legal or significant
effects on you (GDPR Art. 22 does not apply).
3. Where data is stored
| Data | Hosting region |
|---|---|
| Postgres database | EU/US, depending on which managed Postgres provider you choose at deploy time |
| Web application | Edge nodes operated by our CDN provider (Vercel) |
| Optional rate-limit cache | Upstash Redis, region selected at deploy time |
| Optional error reports | Sentry, region selected at deploy time |
Transfers outside the EEA, where they occur, rely on the **EU Standard
Contractual Clauses** signed by the upstream processors and on additional
technical safeguards (TLS 1.2+, encryption at rest).
4. Retention
| Data | Retention |
|---|---|
| Account record | Until you delete it. Deletion via Settings → Security → Delete account is immediate and cascades. |
| Workspace content (cases, scans, intel, vault, targets) | Until you delete the parent record or the account |
| Activity log | 24 months from creation, then automatic purge |
| Authentication failures (login_failed, csrf_failed) | 12 months, then automatic purge |
| Backups | 30 days rolling, encrypted, then overwritten |
Full table in Data retention policy.
5. Your rights
Under the GDPR (Art. 15–22) and equivalent laws you have the right to:
- Access the personal data we hold about you. Export from
Settings → Security → Export data. Returns a single JSON file with
every record we hold.
- Rectify inaccurate data. Edit in
Settings → Profile.
- Erase the account and the data behind it.
`Settings → Security → Delete account` performs an immediate, cascading hard delete.
- Restrict or object to processing.
- Data portability — the export above is in machine-readable JSON.
- Withdraw consent at any time, where consent is the legal basis (e.g.
by disconnecting GitHub).
- Lodge a complaint with your local supervisory authority.
To exercise any right that is not self-serve in the app, write to
info@arcsentinel.app. We respond within 30 days
(GDPR Art. 12(3)).
6. Security
Security measures we apply:
- TLS in transit; HSTS preload; modern cipher suites only
- Argon2-strength passphrase hashing
- API keys hashed at rest with Argon2id; the raw value is shown to you
exactly once
- Vault entries are encrypted in your browser with AES-256-GCM and a
PBKDF2-SHA512 derived key. The server only ever stores ciphertext.
- Strict Content-Security-Policy, frame-ancestors none on app routes,
per-request nonce
- SSRF guard refusing private and link-local addresses on outbound calls
- Rate limiting on authentication, registration, and sensitive
state-mutating endpoints
- Triple-gated consent on every scan: the UI, the API, and the worker
each verify the consent record
- Append-only structured audit log with secret redaction
- Automatic 15-minute idle session expiry
7. Cookies
We use strictly necessary cookies only — see the Cookie policy.
8. Children
ArcSentinel is not directed at children under 16. We do not knowingly
process data from children. If you believe a child has signed up, contact
info@arcsentinel.app and we will erase the account.
9. Breach notification
In the event of a personal data breach likely to result in a risk to your
rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of
becoming aware of the breach (GDPR Art. 33).
- Notify affected users without undue delay if the risk is high
(GDPR Art. 34).
10. Changes to this policy
We will post material changes to this page and update the date at the top.
For substantive changes affecting your rights, we will notify you in-app
on next sign-in.
Contact
- Privacy / data subject requests: info@arcsentinel.app
- General: hello@arcsentinel.app