Privacy Policy
Last updated: April 25, 2026
Arcaveli is built on a single principle: the only secure data is data we cannot read. This policy describes what limited information we hold, what we cryptographically cannot hold, and the rights you have over both.
Plain-English summary. We store your account login, your RSA public key, and your conversations as opaque ciphertext that only your private key can decrypt. We never store your prompts or AI responses in readable form; plaintext exists only transiently in our server's memory while a request is relayed to Anthropic (see Section 2). We never sell or share your data.
1. What data we collect and store
Account data
- Your email address, used as a login identifier and for service-related notices.
- A scrypt hash of your password. The password itself is hashed on receipt and is never stored.
- Your RSA-2048 public key, which we use to encrypt every AI response we send back to you (using the RSA-OAEP / AES-256-GCM scheme described below).
- Your selected plan (Starter or Business).
- Account timestamps (created, last updated).
Encrypted conversation data
- AES-256-GCM ciphertext of your Anthropic API key, encrypted with our server master key. This is the only customer secret the server can decrypt at all, and it is decrypted only in memory, for the duration of a single API call.
- RSA-OAEP / AES-256-GCM ciphertext of every prompt and response in your conversations. These are encrypted to your public key: each message is encrypted under a fresh AES-256-GCM key, and that key is wrapped with RSA-OAEP to your RSA public key. We hold no copy of the matching private key and have no cryptographic ability to decrypt them.
Audit metadata
- SHA-256 hashes of request bodies. A hash is one-way, so the body cannot be reconstructed from it; it serves as proof that a specific request happened without retaining its content. (Anyone who already holds an exact copy of a body can confirm that it matches the hash.)
- Token counts (input/output) per request, model name, and timestamp.
What we explicitly do not store
- Plaintext prompts.
- Plaintext AI responses.
- Your private key (it is generated in your browser and never transmitted).
- Your unencrypted Anthropic API key.
- Tracking cookies, advertising identifiers, fingerprints, or analytics events.
2. Third-party processors
We use Anthropic, PBC as the AI inference provider. When you send a prompt, our server decrypts your Anthropic API key in memory and uses it to forward your message to Anthropic over TLS. The prompt and Anthropic's response pass through our server in plaintext, in memory, for the duration of that request only. We immediately encrypt the response to your public key and discard the plaintext from memory.
Anthropic's API tier (which we route through, using your own API key) provides the following commitments under their commercial terms: requests are deleted within 30 days, no training is performed on your inputs or outputs, and zero-day deletion is available on request. The window that matters for our purposes is the 7-day deletion window applied to content flagged under their abuse-monitoring policy. See Anthropic's Commercial Terms for the authoritative version.
We use Amazon Web Services (AWS, us-east-1) for compute and database hosting. AWS is a HIPAA-eligible provider and we maintain a BAA with them.
3. HIPAA Eligibility
Arcaveli is HIPAA eligible. If you are a Covered Entity or Business Associate under HIPAA and intend to send Protected Health Information (PHI) through Arcaveli, you may execute a Business Associate Agreement with us:
- Starter plan: BAA available on request at privacy@arcaveli.com.
- Business plan: BAA included by default.
Because Arcaveli stores only ciphertext that we cannot decrypt, we hold no readable PHI at rest. Plaintext PHI exists only transiently in our server's memory and in TLS-protected transit to Anthropic, and only for the duration of a single API request. This architectural property is the core control of our HIPAA compliance posture.
4. GDPR — Rights of EU/EEA data subjects
If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights regarding your personal data:
- Right of access. You may request a copy of all personal data we hold about you, exported in a machine-readable JSON format. This includes your account record and the ciphertext of all your conversations.
- Right to rectification. You may correct inaccurate personal data via the Settings page.
- Right to erasure ("right to be forgotten"). You may permanently delete your account and all associated data via Settings → Danger Zone → Delete my account. Deletion is irreversible and cascades to your encrypted conversations, your encrypted API key, and your audit log entries within 24 hours.
- Right to data portability. Export your encrypted conversation history as a JSON file via Settings (export tooling ships in our next release; until then, request a copy from privacy@arcaveli.com).
- Right to object to processing.
- Right to lodge a complaint with your national supervisory authority.
Our legal basis for processing your account data is performance of a contract (the service you signed up for). We do not process personal data for marketing or profiling.
5. Cookies and local storage
Arcaveli does not use tracking cookies, third-party analytics, or advertising identifiers.
We use your browser's localStorage for two purposes:
- cai_token: your authentication JWT, used to identify you to our API. Expires after 8 hours.
- cai_private_key: your RSA private key, stored locally so you can decrypt past conversations without re-uploading it on every visit. This value never leaves your device. If you clear your browser data, you will need to re-upload your private key from your saved backup.
6. Data retention
We retain your account data and encrypted conversations indefinitely while your account is active. When you delete your account, all associated data is permanently destroyed within 24 hours.
Anthropic may retain prompts and responses in their systems per their published retention policy, independent of any deletion you perform on Arcaveli.
7. Security
- All transport secured with TLS 1.3.
- Database encrypted at rest by AWS RDS (AES-256).
- Application-layer encryption layered on top: every conversation is RSA-OAEP / AES-256-GCM ciphertext keyed to your public key.
- SOC 2 Type I in progress (target Q4 2026); audit controls maintained via Vanta from day one.
8. International data transfers
Arcaveli operates from the United States. If you access the service from outside the US, your data will be transferred to and processed in the US. EU data residency is on our roadmap for enterprise customers.
9. Children
Arcaveli is not directed at children under 16 and we do not knowingly collect personal data from anyone under that age.
10. Changes to this policy
We will notify all account holders by email at least 30 days before any material change to this policy takes effect. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
Privacy questions, GDPR data subject requests, BAA requests, and security concerns: privacy@arcaveli.com.
Arcaveli, Inc. — Florida, United States.