Skip to main content
Arc

Privacy Policy

Effective date: March 13, 2026. Last updated: March 13, 2026.

1. Who We Are

Arc ("we", "us", "our") is a documentary story development tool operated by Arc (storyarc.co). We act as the data controller for personal data processed through our service. For questions about this policy, contact us at privacy@arccompanion.com.

2. Data We Collect

Account information

When you create an account, we collect your email address, a securely hashed password, and optionally your name. If you sign in with Google, we receive your Google account ID, name, email, and profile picture.

Creative content

We store the content you create within Arc: documentary project details, chat conversations with the AI story coach, uploaded video files and their transcripts, photos, documents, and notes. This content is yours. We process it to deliver the service and never use it to train AI models.

Usage and technical data

We collect technical information needed to operate the service: your last login time and IP address (for security), error logs, and with your consent, analytics about how you use Arc's features.

Beta agreement records

When you accept the Beta Program Agreement, we record your acceptance including the agreement version, timestamp, and IP address. We keep this record for 7 years to comply with our legal obligations.

3. AI Disclosure

Arc uses third-party AI services to power the story coaching experience:

  • Anthropic (Claude) and Google (Gemini) — process your chat messages to generate coaching responses. These providers do not retain your data beyond the immediate API request per their API terms.
  • AssemblyAI — transcribes videos you upload. Files are deleted from AssemblyAI's systems after transcription.

Your creative content is not used to train any AI model. Embeddings (numerical representations used for search) are stored in Pinecone and deleted when you delete your projects or account.

4. Sub-Processors

We share data with the following third-party companies ("sub-processors") solely to deliver the Arc service:

ServicePurposeCountry
AnthropicAI story coaching (Claude)USA
GoogleAI story coaching (Gemini) + OAuth sign-inUSA
AssemblyAIVideo transcriptionUSA
PineconeVector search for story contextUSA
Amazon Web ServicesFile and video storageUSA
PostHogProduct analytics (consent required)USA
SentryError monitoringUSA
Mem0Long-term coaching memoryUSA
RenderCloud hostingUSA

All transfers to US-based processors are covered by Standard Contractual Clauses (SCCs) under GDPR Chapter V. For the full list, see our sub-processor list.

5. Legal Basis for Processing

We process your data under the following legal bases (GDPR Article 6):

  • Contract — Account management, AI coaching, video transcription, and project storage are necessary to deliver the service you signed up for.
  • Legal obligation — We retain your Beta Agreement acceptance record to comply with applicable law.
  • Legitimate interest — Security logging (login IP) and error monitoring (Sentry) are necessary for system integrity and safety.
  • Consent — Analytics (PostHog) are only activated after you accept cookies via the consent banner. You can withdraw consent at any time in Settings.

6. Data Retention

We keep your data for as long as your account is active. When you delete your account, we delete all your projects, chat history, videos, assets, and profile information within 30 days. The only exception is your Beta Agreement acceptance record, which we retain for 7 years as required by law.

Analytics data in PostHog is retained for 1 year. Error traces in Sentry are retained for 90 days. Application logs are retained for 30 days.

7. Your Rights

If you are located in the European Economic Area, UK, or California, you have the following rights:

  • Access — Request a copy of all data we hold about you (Settings > Export My Data).
  • Erasure — Delete your account and all associated data (Settings > Delete Account).
  • Portability — Download your data as a structured ZIP file (Settings > Export My Data).
  • Rectification — Update your profile information at any time in Settings.
  • Object to analytics — Decline or revoke analytics consent via the cookie consent banner or Settings.
  • Restriction — Contact us to restrict processing in specific circumstances.

To exercise rights not available in the product, email privacy@arccompanion.com. We respond within 30 days.

8. Security

We use HTTPS for all data in transit. Passwords are hashed with bcrypt. TOTP secrets and Google OAuth tokens are encrypted with AES-256 at the application layer before storage. JWT access tokens expire after 24 hours.

9. Cookies

Arc uses the following cookies:

  • Authentication cookies (strictly necessary) — HttpOnly, Secure session cookies for login state. No consent required.
  • Analytics cookies (PostHog) — Set only after you accept the cookie consent banner.

10. Children

Arc is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

11. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify you by email or by displaying a notice in the app. The effective date at the top of this page reflects when the policy was last updated.

12. Contact

For privacy questions or to exercise your rights:

Arc Privacy
privacy@arccompanion.com

If you are in the EEA and believe we have not adequately addressed your privacy concern, you have the right to lodge a complaint with your local data protection authority.

Back to Arc