AVG / GDPR compliance statement
Arcnode Network is operated from Netherlands and is subject to the AVG / General Data Protection Regulation (Regulation (EU) 2016/679). If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in section 8. We process personal data only where a lawful basis under Article 6 GDPR exists, as set out in section 4.
01 Who we are
Arcnode Network is a software studio established in Netherlands. It builds and operates a family of applications, websites, APIs, and services under the Arcnode brand, reachable at arcnode.dev.
For all matters relating to personal data, Arcnode Network acts as the data controller within the meaning of Article 4(7) GDPR. You can reach our privacy and compliance contact at legal@arcnode.dev.
02 Scope of this policy
This policy is a network-wide framework. It applies to every service operated under the Arcnode Network brand, including:
- The arcnode.dev website and all associated subdomains, including visit analytics, the contact form, and update sign-ups.
- All current and future Arcnode Network applications, web tools, desktop applications, APIs, and SaaS products that adopt this framework.
This policy does not cover third-party websites or services linked from our products. Review their own privacy policies independently.
03 What data we collect and why
3.1 Website visit analytics
When a page on arcnode.dev is loaded, our infrastructure may record technical request data to understand how the website is used and to keep it secure and reliable. Where this data can identify a visitor, it is treated as personal data.
| Data Point | Value / Format | Purpose |
|---|---|---|
| IP address | IPv4 or IPv6 | Personal data under the GDPR. Used to distinguish visitors, derive approximate location, and protect against abuse. |
| Location | Country and city | Derived from the IP address by our hosting infrastructure. |
| Page path | e.g. "/projects" | Which page was visited. |
| Referrer | Referring URL, if present | The page you navigated from, if any. |
| Device data | User agent, browser, OS, device type | Parsed to understand the platforms our visitors use. |
| Timestamp | Date and time | When the visit occurred. |
An IP address is personal data
Under Article 4(1) GDPR, an IP address constitutes personal data because it can be used, in combination with other information, to identify a natural person. We rely on the legitimate-interests basis (Article 6(1)(f) GDPR) for visit analytics, as described in section 4, and we do not sell this data to third parties.
3.2 Update sign-ups (voluntary)
If you submit your email address to receive product updates, we store the address you provide together with limited metadata recorded at sign-up time (such as the IP address and derived location) for administrative record-keeping. Email delivery is handled by Resend (see section 5). You may withdraw consent and unsubscribe at any time by contacting legal@arcnode.dev.
3.3 Contact form submissions (voluntary)
When you use a contact form, your name, email address, and message are transmitted via Resend as an email to our team so we can respond. We retain that correspondence only for as long as needed to handle your enquiry, then delete it.
3.4 Account and application data
When you create an account or use an application that stores data on our servers, we process the data you submit to provide that service. This may include:
- Content you create within a Service.
- Preferences and settings.
- Account credentials. Passwords are stored only as a salted hash and are never stored in plain text.
All data is transmitted over HTTPS. We do not use your content for any purpose other than operating the Service for you.
3.5 Client portal data
The Arcnode Client Portal is a private, authenticated environment accessible only to invited clients and their team members. The following categories of personal data are processed within the portal:
| Data Point | Value / Format | Purpose |
|---|---|---|
| Account data | Name, email address, bcrypt password hash, account creation and last-update timestamps, mustResetPassword flag | Passwords are stored exclusively as a bcrypt hash and are never stored or transmitted in plain text. |
| Team membership | Team membership record, role (Owner, Admin, Member, or Viewer), join timestamp | Used to enforce role-based access control within a team. |
| Team invitations | Email address of the invitee, assigned role, invitation token | Collected when a team member invites a colleague. The token is deleted immediately after it is accepted or after 7 days if unused. See the note on third-party data below. |
| File uploads | Filename, file type, file size, description, Cloudflare R2 object key, upload timestamp, uploader identity | File content is stored in Cloudflare R2 object storage in the EU (EEUR region). Arcnode application servers never handle file content directly; uploads are performed via pre-signed URLs direct from the client browser to R2. |
| Form answers | Free-text responses (up to 10,000 characters) or file references linked to admin-defined questions | Stored for the duration of the associated project. |
| Password reset tokens | One-time cryptographic token with a 1-hour expiry | Deleted immediately after use. Expired unused tokens are deleted when a new reset is requested or on account deletion. |
| Security events | Login event type (success or failure), submitted email address, anonymized IP address (IPv4 /24, IPv6 /48), User-Agent string, timestamp | Logged for fraud and abuse prevention. Raw IP addresses are not stored; only the anonymized subnet prefix is retained. |
Team invitations and third-party data
When a team member invites a colleague who does not yet have an account, their email address is collected and stored as a TeamInvite record. The recipient is contacted at first opportunity via the invitation email. The legal basis is legitimate interests (Art. 6(1)(f)). Unused invitation records are deleted after 7 days.
Email address changes
The Client Portal does not provide a self-service email address change facility. To update the email address associated with your account, contact legal@arcnode.dev.
04 Legal bases for processing (Art. 6)
Article 6 GDPR requires a lawful basis for every processing activity that involves personal data. The following bases apply across the network:
| Processing activity | Lawful basis |
|---|---|
| Website visit analytics, including IP address | Legitimate interests (Art. 6(1)(f)), to understand and maintain the website. We have assessed that this interest is not overridden by visitors’ fundamental rights, given the limited, non-commercial purpose. |
| Update sign-up email collection | Consent (Art. 6(1)(a)). You actively submit your email address. You may withdraw consent at any time. |
| Contact form processing | Legitimate interests (Art. 6(1)(f)), to respond to your enquiry. |
| Account and application data | Performance of a contract (Art. 6(1)(b)), as processing is necessary to provide the Service you signed up for. |
| Security, fraud prevention, and legal compliance | Legitimate interests (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) where applicable. |
| Client portal account creation and authentication | Performance of a contract (Art. 6(1)(b)). |
| Password reset token generation and delivery | Performance of a contract (Art. 6(1)(b)). |
| Team invitation email collection (non-users) | Legitimate interests (Art. 6(1)(f)) - facilitating access to the portal for invited colleagues. |
| File upload storage in Cloudflare R2 | Performance of a contract (Art. 6(1)(b)). |
| Form answer storage | Performance of a contract (Art. 6(1)(b)). |
| Security event logging for fraud and abuse prevention | Legitimate interests (Art. 6(1)(f)). |
Right to object to legitimate-interests processing
Where we rely on legitimate interests, you have the right under Article 21 GDPR to object at any time. If you object, we will stop that processing unless we can demonstrate compelling legitimate grounds that override your interests and rights. Contact legal@arcnode.dev to exercise this right.
05 Third-party processors
We use the following processors, each of which handles personal data on our behalf under an Article 28 GDPR data-processing arrangement. We do not sell personal data to any of them.
| Processor | Purpose and location |
|---|---|
| Resend | Transactional and notification email delivery. (United States / EU) |
| Vercel | Application hosting, analytics, and performance monitoring. (EU / United States) |
| Railway | PostgreSQL database hosting. (EU / United States) |
| Upstash Redis | Rate limiting and session-level request throttling. IP addresses (anonymized) are processed as rate-limit keys. (European Union / Global edge) |
| Sentry | Error monitoring and application logging. (European Union) |
| Cloudflare R2 | Object storage for client portal file uploads (images, videos, documents, and other project files submitted by clients). (European Union (EEUR region)) |
06 International transfers
Some of our processors operate infrastructure outside the European Economic Area, in particular in the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V of the GDPR, such as the European Commission Standard Contractual Clauses and, where applicable, an adequacy decision.
File uploads are stored in Cloudflare R2 object storage in the EU (EEUR region). No international transfer of stored file objects occurs. Cloudflare's DPA and Standard Contractual Clauses govern any residual management-plane processing.
You may request information about the safeguards that apply to a specific transfer by contacting legal@arcnode.dev.
07 Data retention
Under Article 5(1)(e) GDPR, personal data must not be kept longer than necessary. The following retention periods apply:
| Data type | Retention period |
|---|---|
| Website visit records, including IP addresses | Up to 12 months from the date of the visit. Individual records can be deleted earlier on request. |
| Update subscriber records | Until you unsubscribe or withdraw consent, then deleted on request. |
| Contact form correspondence | Retained only as long as needed to manage the communication, then deleted. Not stored in our application database. |
| Account and application data | For the duration of your account. Permanently deleted within a reasonable time after an account deletion request. |
| ClientUser account data | Retained for the duration of the account. Deleted immediately on account deletion, including all associated R2 file uploads. |
| PasswordResetToken | Deleted immediately after use. Expired unused tokens are deleted when a new reset is requested or on account deletion. |
| TeamInvite | Active invites expire after 7 days. Expired unused invites are deleted by automated purge. |
| File uploads (R2 objects) | Deleted when the associated project or account is deleted. |
| Form answers | Retained for the duration of the associated project. Deleted with the project or account. |
| SecurityEvent logs | 90 days. |
| AuditLog records | 12 months. |
08 Your rights
If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights:
- Right of access (Art. 15): to confirm whether we process personal data about you and to receive a copy.
- Right to rectification (Art. 16): to correct inaccurate or incomplete data.
- Right to erasure (Art. 17): to request deletion of your personal data, subject to any legal retention obligation.
- Right to restriction (Art. 18): to limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): to receive a copy of the data you provided in a structured, machine-readable format where processing is based on consent or contract.
- Right to object (Art. 21): to object to processing based on legitimate interests at any time. See section 4.
- Right to withdraw consent (Art. 7(3)): where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint (Art. 77): with a supervisory authority. See section 13.
To exercise any of these rights, contact legal@arcnode.dev. We will respond within one month as required by Article 12(3) GDPR. We may verify your identity before acting on a request.
09 Account deletion, export, and correction
You can ask us to export, correct, or permanently delete your account and associated personal data at any time. Send your request to legal@arcnode.dev from the email address linked to your account, or include enough information for us to verify your identity.
On a verified deletion request, we permanently remove your account and the personal data we hold about you within a reasonable time, except where we are legally required to retain specific records.
Client portal users may delete their account directly from Settings → Danger zone within the portal. Account deletion immediately deletes all associated personal data and R2 file uploads. Team membership records are also deleted; team projects and their content remain accessible to other team members.
10 Cookies and analytics
We use only strictly necessary and privacy-respecting analytics cookies by default. The categories we use, their purposes, their retention periods, and how to manage your consent are described in full in our Cookie Policy. Analytics are processed in aggregated form and are not used to build advertising profiles.
11 Security measures
We apply technical and organisational measures including:
- HTTPS encryption for all data in transit between your device and our servers.
- Passwords stored only as salted hashes, never in plain text.
- Token-based authentication protecting privileged access.
- Access to data restricted to authorised infrastructure components.
- Client portal sessions use an httpOnly, Secure, SameSite=Lax cookie with a 30-day expiry. The session token is an HS256 JWT signed with a secret enforced at a minimum length of 32 characters in production.
- Rate limiting on sensitive authentication endpoints: login (5 attempts per 15 minutes), password reset (3 per 15 minutes), and account deletion (1 per hour).
- Security event logging for all authentication events in the client portal, including both successful and failed login attempts.
- Pre-signed upload URLs: file content transfers directly from the client's browser to Cloudflare R2. Arcnode's application servers never handle file content.
No system is perfectly secure. In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay as required by Article 34 GDPR.
12 Children's privacy
Our products are not directed at children under the age of 16 within the EEA (Article 8 GDPR), or under 13 elsewhere. We do not knowingly collect personal data from children below these ages.
If you are a parent or guardian and believe your child has provided personal data to us, contact legal@arcnode.dev and we will delete it promptly.
13 Complaints
You have the right to lodge a complaint with a supervisory authority. In Netherlands, this is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), reachable at autoriteitpersoonsgegevens.nl. You may also contact the supervisory authority in your country of residence. We would appreciate the chance to address your concern first, so please consider contacting legal@arcnode.dev before lodging a complaint.
14 Changes to this policy
We may update this policy when our practices change or when required by law. The effective date at the top reflects the most recent version. For material changes, we will provide notice on the website or within the relevant application.
Continued use of our website or applications after the effective date of a revised policy constitutes your acknowledgement of the changes.
15 Contact
For any privacy-related question, request, or complaint:
Arcnode Network, Netherlands
legal@arcnode.dev