Privacy Policy

Last updated: April 9, 2026

This policy covers personal data we collect when you use ArchGenie (the "Service"), as defined in our Terms of Service. If we make material changes to this policy, we'll notify you by email at least 30 days before they take effect and post the updated policy here with a new "last updated" date.

1. What we collect

When you use ArchGenie, we collect:

  • Account information — your email, name, and profile picture from Google, GitHub, or Microsoft when you sign in. We don't see or store your OAuth password. If you sign in with a Google Workspace account, we record the domain name (e.g. "acme.com") to help us understand enterprise adoption patterns.
  • Content you submit — the prompts, descriptions, and screenshots you send us, plus the diagrams, infrastructure code, documentation, and estimates we generate in response. This is stored in your account so you can come back to past sessions.
  • Integration data — if you connect GitHub, GitLab, Bitbucket, or Jira, we store encrypted authentication credentials and metadata about the repositories or workspaces you select. We don't read your repositories beyond what's needed for an export you initiate.
  • Usage data — device type, browser, approximate location (city / country from IP), pages viewed, and feature interactions. We load analytics only after you consent via our cookie banner. You can change your choice at any time.
  • Activity data — we track aggregate counts of your actions (e.g. diagrams generated, infrastructure code created, exports performed) server-side under legitimate interest to detect abuse, improve the Service, and understand usage patterns. This is separate from consent-gated analytics. We also record your country code (derived from your IP address) at signup for abuse prevention. Your IP address is cryptographically hashed and retained for up to 24 hours for rate limiting; we do not store raw IP addresses.
  • Billing information — held by Paddle, our payment processor, not by us. We only see a transaction identifier, plan name, and renewal status.

We do not collect sensitive personal information such as Social Security numbers, precise geolocation, racial or ethnic origin, or biometric data.

2. How we use it

We use this data to:

  • run the Service — authenticate you, process prompts, generate outputs, save your work;
  • handle payments and credit purchases via Paddle;
  • perform Git and Jira exports when you ask us to;
  • improve the Service based on how people actually use it;
  • detect abuse, prevent fraud, and fix bugs;
  • communicate with you about changes, issues, and support.

We do not use your content to train AI models, and we contractually require the same of our third-party providers.

Your content belongs to you. We do not combine your content with other customers' data for any purpose.

Diagrams, infrastructure code, documentation, security findings, and cost estimates are generated by AI models. These outputs are suggestions — they require your review before use. No automated decisions about you or your account are made solely by AI.

Legal bases for processing

Under the GDPR, we rely on:

  • Contract performance (Art. 6(1)(b)) — to run the Service: authentication, prompt processing, output generation, storage, exports, and billing;
  • Legitimate interest (Art. 6(1)(f)) — to improve the Service, detect abuse, prevent fraud, and fix bugs. Our interest does not override your rights because we process only what's needed to operate and improve a tool you chose to use;
  • Legal obligation (Art. 6(1)(c)) — to retain records where required by tax or other law;
  • Consent (Art. 6(1)(a)) — for analytics tracking via Firebase Analytics. You can withdraw consent at any time via the cookie banner or by emailing us.

3. Who we share it with

We share data only with the service providers we need to run ArchGenie:

Provider                               What they do
Google Cloud                           Hosting, database, file storage, authentication, analytics, and AI model inference
Paddle                                 Payment processing (merchant of record)
GitHub, GitLab, Bitbucket, Atlassian   OAuth integrations you initiate

We have data processing agreements in place with each provider listed above, as required by GDPR Article 28. We select providers that maintain appropriate security standards.

This list reflects our current providers. If a change materially affects how your data is processed, we'll update this policy and notify you as described above.

When you submit a prompt, your content is sent to our AI infrastructure provider for processing. Our providers process your content solely as data processors under our agreements and are contractually prohibited from using it for their own purposes, including model training.

We may also disclose data if required by law, court order, or valid legal process, or if needed to protect the safety or rights of our users or the public. We never sell your personal data.

Do Not Sell or Share

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising as defined by the California Privacy Rights Act. We respect browser-based opt-out signals, including Global Privacy Control (GPC).

International data transfers

ArchGenie is operated from Belgium. Your data may be processed on infrastructure located outside the European Economic Area, including in the United States. For transfers from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses as incorporated into our agreements with our sub-processors.

4. How long we keep it

We keep your account data and stored content for as long as your account is active. You can delete individual chats, projects, or your entire account at any time from Settings. After you delete your account, we will delete your personal data within 30 days, except where we are required to retain it by law (for example, tax records held by Paddle may be retained for up to 7 years).

If your account is suspended for abuse, we may retain your account data for up to 90 days for investigation purposes before permanent deletion. You may request earlier erasure by contacting us.

Analytics data collected is retained for 14 months, after which it is automatically deleted. Server logs are retained only as long as needed for security, debugging, and product improvement. IP rate-limiting records are automatically deleted after 24 hours.

5. How we protect your data

We use industry-standard measures to protect your data, including:

  • encryption in transit and at rest;
  • third-party authentication — we never see or store your password;
  • integration credentials encrypted at rest;
  • access controls limiting internal access to personal data.

If we become aware of a data breach that is likely to affect your rights, we will notify you and the relevant supervisory authority in accordance with applicable law.

No system is perfectly secure. If you discover a vulnerability, please report it to security@archgenie.io.

6. Your rights

Depending on where you live, you have rights over your personal data. If you're in the EEA, UK, or Switzerland (under GDPR) or in California, Virginia, Colorado, or a similar US state, you can ask us to:

  • give you a copy of your personal data;
  • correct something that's wrong;
  • delete your data;
  • restrict or object to how we use it;
  • export your data in a portable format;
  • withdraw consent where we rely on it.

We don't sell your personal data. To exercise any of these rights, email privacy@archgenie.io. We'll respond within the time your local law requires. If we decline a request, we'll explain why. Virginia residents may appeal by emailing privacy@archgenie.io with "Appeal" in the subject line. California residents may designate an authorized agent to submit requests on their behalf.

We don't knowingly collect data from anyone under 18. If you think we have, please email us and we'll delete it.

7. Data controller and contact

Your data is controlled by ArchGenie, a sole proprietorship registered in Belgium. You can reach us at:
