Privacy Policy
Last updated: April 30, 2026
Arcaveli is built on a single principle: the only secure data is data we cannot read. This policy describes what limited information we hold, what we cryptographically cannot hold, and the rights you have over both.
Plain-English summary. We store your account login, your RSA public key, and your conversations and Canvas documents as opaque ciphertext that only your private key can decrypt. We never see your AI prompts, responses, or document content in readable form. The single exception is documents you explicitly send for external signature: those are stored in plaintext only for delivery to the signer, and purged the moment they sign or decline. We never sell or share your data.
1. What data we collect and store
Account data
- Your email address, used as a login identifier and for service-related notices.
- A scrypt hash of your password. We never see or store the password itself.
- Your RSA-2048 public key, which we use to encrypt every AI response we send back to you.
- Your selected plan (Starter or Business).
- Account timestamps (created, last updated).
Encrypted conversation data
- AES-256-GCM ciphertext of your Anthropic API key, encrypted with our server master key. This is the only customer secret the server can decrypt at all, and only in memory for the duration of a single API call.
- RSA-OAEP / AES-256-GCM ciphertext of every prompt and response in your conversations. These are encrypted to your public key. We hold no copy of the matching private key and have no cryptographic ability to decrypt them.
Audit metadata
- SHA-256 hashes of request bodies (proof a request happened, with no recoverable content).
- Token counts (input/output) per request, model name, and timestamp.
What we explicitly do not store
- Plaintext prompts.
- Plaintext AI responses.
- Your private key (it is generated in your browser and never transmitted).
- Your unencrypted Anthropic API key.
- Tracking cookies, advertising identifiers, fingerprints, or analytics events.
2. Third-party processors
We use Anthropic, PBC as the AI inference provider. When you send a prompt, an Anthropic API key is used to forward your message to Anthropic over TLS — on the Solo plan, this is your own key (encrypted at rest); on the Starter and Business plans, this is Arcaveli's managed account key. Anthropic processes the prompt and returns a response, both in plaintext, in transit. We immediately encrypt the response with your public key and discard the plaintext from memory.
Anthropic's API tier provides the following commitments per their commercial terms: requests are deleted within 30 days, no training is performed on your inputs or outputs, and zero-day deletion is available on request. The operative window for our purposes is the 7-day retention applied to flagged content under their abuse-monitoring policy. See Anthropic's Commercial Terms for the authoritative version.
We use Amazon Web Services (AWS, us-east-1) for compute and database hosting. AWS is a HIPAA-eligible provider and we maintain a BAA with them.
3. Cloud-storage integrations (Google Drive, OneDrive)
Arcaveli offers optional, read-only connections to Google Drive and Microsoft OneDrive so you can pull file content directly into a chat session. Both connections are user-initiated via OAuth 2.0 and can be revoked at any time from the Settings page or from your provider's account-security console. The disclosures below are made specifically for the Google API Services User Data Policy and the Microsoft Graph data-handling requirements.
Google Drive
Arcaveli accesses Google Drive solely to retrieve file content you select and inject into your encrypted chat session. We do not store, share, index, or retain your Google Drive data. Access tokens are encrypted at rest and used only to fulfill your explicit file selection requests.
Scopes requested: https://www.googleapis.com/auth/drive.readonly (to list and read the specific files you choose) and https://www.googleapis.com/auth/userinfo.email (to label the connection in your Settings page). We do not request write, delete, or share permissions on your Drive. Arcaveli's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer Google user data to third parties except as needed to provide or improve user-facing features that are prominent in the requesting application's user interface, and we do not use Google user data to train AI/ML models.
Microsoft OneDrive
Arcaveli accesses Microsoft OneDrive solely to retrieve file content you select and inject into your encrypted chat session. We do not store, share, or retain your OneDrive data. Access tokens are encrypted at rest.
Scopes requested via Microsoft Graph: Files.Read (to list and read the specific files you choose), User.Read (to label the connection in your Settings page), and offline_access (so we can refresh access tokens without re-prompting you to sign in). We do not request write, delete, or share permissions on your OneDrive.
Disconnecting
You can disconnect either integration at any time from your Settings page; doing so deletes the encrypted token records from our database immediately. You may additionally revoke Arcaveli's access from your provider directly: myaccount.google.com/permissions for Google, and account.live.com/consent/Manage for Microsoft.
4. Canvas documents and signature requests
Arcaveli's Canvas feature lets you create rich-text documents and request signatures from external recipients. The encryption model for Canvas is identical to chat: every document you create is stored as RSA-OAEP / AES-256-GCM ciphertext keyed to your public key. Once a recipient signs, their signature image is encrypted to your public key before it touches our database — the server cannot read either the document or any returned signature.
External signing — the one plaintext exception
When you send a signing request, the recipient is unauthenticated by design (no Arcaveli account, no key on their end). To render the document for them on their private signing link, we capture an HTML snapshot of the document at the moment the request is created and store it on the signature-request row. This snapshot is the only intentionally plaintext piece of Canvas content in our database. Documents shared for external signature are stored in plaintext solely for the purpose of delivery to the designated signer — all other Canvas content remains encrypted at rest.
- Scope. The plaintext snapshot exists only for the specific document you sent for signature, and only during the pending window. Other Canvas documents — including unrelated drafts and the signed Delta you keep in your account — remain encrypted to your public key.
- Automatic deletion. The snapshot is purged from the database the moment the request is signed or declined. After that point, only the encrypted version of the document (with the signed signature image embedded) remains, accessible solely to you.
- Consent. By clicking "Request signature" you are explicitly choosing to share that document with the named recipient. The plaintext snapshot is the unavoidable mechanism for delivery; without it the signer cannot read what they are signing.
- Recommendation. Do not send a document through the signature flow if the content must remain zero-knowledge end-to-end. Any document not sent for signature retains the full encrypt-at-rest property.
5. HIPAA Eligibility
Arcaveli is HIPAA eligible. If you are a Covered Entity or Business Associate under HIPAA and intend to send Protected Health Information (PHI) through Arcaveli, you may execute a Business Associate Agreement with us:
- Starter plan: BAA available on request at privacy@arcaveli.com.
- Business plan: BAA included by default.
Because Arcaveli stores only ciphertext that we cannot decrypt, we hold no readable PHI at rest. Plaintext PHI exists only in transit between our servers and Anthropic, and only for the duration of a single API request. This architectural property is the core control of our HIPAA compliance posture.
6. GDPR — Rights of EU/EEA data subjects
If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights regarding your personal data:
- Right of access. You may request a copy of all personal data we hold about you, exported in a machine-readable JSON format. This includes your account record and the ciphertext of all your conversations.
- Right to rectification. You may correct inaccurate personal data via the Settings page.
- Right to erasure ("right to be forgotten"). You may permanently delete your account and all associated data via Settings → Danger Zone → Delete my account. Deletion is irreversible and cascades to your encrypted conversations, your encrypted API key, and your audit log entries within 24 hours.
- Right to data portability. Export your encrypted conversation history as a JSON file via Settings (export tooling ships in our next release; until then, request a copy from privacy@arcaveli.com).
- Right to object to processing.
- Right to lodge a complaint with your national supervisory authority.
Our legal basis for processing your account data is performance of a contract (the service you signed up for). We do not process personal data for marketing or profiling.
7. Developer API (zero-knowledge, separate keypair)
If you generate a developer API key from your dashboard, the same zero-knowledge encryption model applies — but with a separate keypair from your web account. When you call POST /api/v1/onboard, our server generates a fresh RSA-2048 keypair, returns the private key to you once in the response, and persists only the public key on your account record. We do not log or store the private key. If you lose it, the encrypted history tied to your API key is permanently unrecoverable.
Web chats and API calls maintain independent encrypted histories on the same account: web messages are encrypted with the keypair your browser holds, API messages are encrypted with the keypair on your developer machine. A breach of our database still yields ciphertext only — for both surfaces, neither key sits with us.
8. Cookies and local storage
Arcaveli does not use tracking cookies, third-party analytics, or advertising identifiers. Only essential storage is used, and only for authentication and your encryption key. Specifically:
- cai_token (localStorage): your authentication JWT, used to identify you to our API. Expires after 8 hours.
- cai_private_key (localStorage): your RSA private key, stored locally so you can decrypt past conversations without re-uploading it on every visit. This value never leaves your device.
- cookie_consent (localStorage): remembers that you dismissed the cookie banner so it doesn't reappear.
- cai_canvas_filter (localStorage): remembers your last Documents-tab filter (Pending / Signed / All).
We do not set any HTTP cookies for tracking, advertising, or behavioral analytics. Clear your browser's site data for arcaveli.com to remove all of the above. If you clear cai_private_key without a saved backup, you'll lose the ability to decrypt past conversations — encryption is genuine zero-knowledge, so we cannot recover it for you.
9. Data retention
We retain your account data and encrypted conversations indefinitely while your account is active. When you delete your account, all associated data is permanently destroyed within 24 hours.
Anthropic may retain prompts and responses in their systems per their published retention policy, independent of any deletion you perform on Arcaveli.
10. Security
- All transport secured with TLS 1.3.
- Database encrypted at rest by AWS RDS (AES-256).
- Application-layer encryption layered on top: every conversation is RSA-OAEP / AES-256-GCM ciphertext keyed to your public key.
- SOC 2 Type I in progress (target Q4 2026); audit controls maintained via Vanta from day one.
11. International data transfers
Arcaveli operates from the United States. If you access the service from outside the US, your data will be transferred to and processed in the US. EU data residency is on our roadmap for enterprise customers.
12. Children
Arcaveli is not directed at children under 16 and we do not knowingly collect personal data from anyone under that age.
13. Changes to this policy
We will notify all account holders by email at least 30 days before any material change to this policy takes effect. The "Last updated" date at the top of this page reflects the most recent revision.
14. Contact
Privacy questions, GDPR data subject requests, BAA requests, and security concerns: privacy@arcaveli.com.
Arcaveli, Inc. — Florida, United States.