Privacy policy
Last updated: April 2026
This policy explains what personal data Arch collects, how we use it, and what rights you have under the General Data Protection Regulation (GDPR) and French data protection law.
1. Data controller
The data controller is RART Digital (operating in beta; registration and registered office details will be published upon public release of the service).
For any privacy-related question or to exercise your rights, contact us at management@rart-digital.com.
2. What data we collect
Account data
- Email address and authentication credentials
- Display name (if provided)
- Subscription plan and billing status
Content you provide
- Audio files, reference images, lyrics, and creative direction you upload for rendering
- Video projects you create and their metadata (titles, duration, settings)
Technical data
- IP address, browser type, device information
- Logs of API calls and render activity (for debugging and abuse prevention)
- Usage analytics (anonymized: pages viewed, features used)
Payment data
Payment information (card details, billing address) is processed directly by our payment provider, Stripe. We never see or store your full card number. We only receive a transaction reference and the last four digits.
API keys
Your Google Gemini API key is encrypted at rest using AES-256-GCM. It is decrypted only at the moment of a render request and is never logged or transmitted to third parties other than Google.
3. Why we use your data
| Purpose | Legal basis |
|---|---|
| Provide the service (account, rendering, support) | Contract performance |
| Process payments and manage subscriptions | Contract performance |
| Prevent abuse and ensure security | Legitimate interest |
| Improve the service (anonymized analytics) | Legitimate interest |
| Send service-related emails (renewals, important changes) | Contract performance |
| Comply with legal obligations (tax, accounting) | Legal obligation |
4. Who we share data with
We share data only with trusted service providers strictly necessary to operate Arch:
- Supabase — database and authentication (EU region)
- Stripe — payment processing (EU/US, GDPR-compliant)
- Google (Gemini API) — AI generation, called via your own API key
- Vercel — hosting and content delivery (multi-region)
- Render compute providers — for video generation infrastructure
We do not sell your data. We do not share it with advertisers or data brokers.
5. International data transfers
Some of our providers may process data outside the European Economic Area (notably the United States). When this happens, we ensure adequate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, in line with GDPR Article 46.
6. How long we keep your data
- Account data: kept for as long as your account exists, plus 3 years after deletion (for legal and accounting purposes).
- Content (uploads, generated videos): kept for the duration of your subscription or until you delete the project. Deleted projects are removed within 30 days.
- Billing and tax records: kept for 10 years as required by French law.
- Server logs: kept for up to 90 days for security and debugging.
7. Your rights under GDPR
You have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate or outdated information
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — limit how we process your data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — at any time where processing is based on consent
To exercise any of these rights, email us at management@rart-digital.com. We respond within 30 days.
You also have the right to lodge a complaint with the French data protection authority (CNIL) at cnil.fr or with the data protection authority of your country of residence.
8. Cookies and tracking
Arch uses only essential cookies required to operate the service: authentication, session management, and security. We do not use advertising cookies or third-party tracking.
9. Security
We protect your data with industry-standard measures: encrypted connections (TLS), encrypted storage at rest, role-based access controls, and regular security audits. API keys are encrypted with AES-256-GCM. Payment data is handled exclusively by PCI-compliant providers.
In the event of a data breach affecting your personal data, we will notify you and the CNIL within 72 hours, as required by GDPR.
10. Children
Arch is not intended for users under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, contact us and we will remove the account and associated data.
11. Changes to this policy
We may update this policy from time to time. Substantial changes will be announced by email and on this page at least 30 days before they take effect.