Privacy Policy
1. Introduction
Archilas (“we”, “us”, or “our”) operates the Archilas platform available at archilas.com and related services (collectively, the “Service”). This Privacy Policy explains how we collect, use, store, and share personal information when you use the Service, visit our website, or otherwise interact with us.
We are committed to protecting your privacy and handling your data in line with applicable laws, including the UK and EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and recognised international privacy standards.
By using the Service, you acknowledge that you have read this policy. If you do not agree, please do not use the Service.
2. Information We Collect
We may collect the following categories of information, depending on how you use the Service:
- Account and contact data: email address, full name, and similar identifiers you provide when you register or update your profile.
- Project and deployment data: uploaded project files, repository URLs or identifiers, build logs, configuration you supply, deployment metadata (such as stack detection results, environment variables you choose to set, deployment status, and live URLs).
- Usage data: how you interact with the platform (e.g. features used, timestamps, approximate frequency of actions), diagnostic and performance information, and error reports where you choose to send them.
- Technical and device data: IP address, browser type and version, device type, operating system, language preferences, and similar data sent automatically when you access our services over the internet.
- Cookies and similar technologies: as described in the Cookies section below.
- Payment-related data: where you purchase paid plans, payment processing is handled by our payment provider; we do not store full payment card numbers on our servers. We may receive limited billing metadata (e.g. transaction status, last four digits where applicable, subscription identifiers).
- Communications: content of emails or support messages you send to us.
We do not require you to provide more information than is reasonably necessary to operate the Service. Some fields are optional.
3. How We Use Your Information
We use personal information for the following purposes, as permitted by law and, where required, on the basis described in applicable privacy laws:
- To provide and operate the Service, including authenticating you, deploying and hosting your projects, generating live URLs, and delivering features you request.
- To process payments and manage subscriptions or credits, through our payment processor.
- To send transactional and service-related communications (e.g. account notices, security alerts, deployment status, billing receipts). Where the law requires consent for marketing emails, we will obtain it separately.
- To improve and develop the platform, including analytics in aggregate or de-identified form where possible, troubleshooting, and product planning.
- To detect, prevent, and address fraud, abuse, and security incidents, and to enforce our Terms of Service.
- To comply with legal obligations, respond to lawful requests from public authorities, and establish or defend legal claims.
4. Data Storage and Security
We store and process data using Supabase, with data hosted in the EU (London — eu-west-2) region unless we notify you otherwise for a specific component. We implement appropriate technical and organisational measures designed to protect personal data, including encryption in transit (e.g. TLS) and, where supported by our infrastructure providers, encryption at rest.
Access to personal data is limited to personnel and subprocessors who need it to operate the Service, subject to confidentiality and access controls. We do not sell your personal information as that term is commonly understood under the CCPA, and we do not sell personal data for monetary consideration under the GDPR.
No method of transmission or storage is completely secure. While we strive to use commercially reasonable safeguards, we cannot guarantee absolute security.
5. Third Party Services
We rely on trusted service providers (“subprocessors”) to run the Service. They process data only as instructed by us and in line with their own policies and our agreements with them. Below is a summary of key providers, the categories of data they may receive, and links to their privacy policies.
| Provider | Purpose | Typical data shared | Privacy policy |
|---|---|---|---|
| Railway | Compute and hosting infrastructure for deployments | Deployment configuration, build artefacts, environment variables you set, logs, domain names you connect, technical metadata | railway.app/legal/privacy |
| GitHub | Importing code from repositories when you connect GitHub or supply repository URLs | Repository identifiers, OAuth tokens or credentials you authorise, code and metadata accessible via your authorisation | GitHub Privacy Statement |
| Anthropic | AI-assisted features (e.g. assistant or automation) where enabled | Prompts, code snippets, or context you submit to the AI feature; session metadata as required to provide the feature | anthropic.com/legal/privacy |
| Porkbun | Domain registration and related services where you purchase or manage domains through us | Registrant contact details, domain names, payment-related identifiers as processed by Porkbun | porkbun.com/legal/privacy |
| Vercel | Hosting for our web application and API endpoints | HTTP request data (including IP, headers), application logs, deployment configuration for our own site | vercel.com/legal/privacy-policy |
| Supabase | Database, authentication, and related backend services | Account credentials (hashed passwords or OAuth identifiers), profile fields, project records, application data you store via the Service | supabase.com/privacy |
| Stripe | Payment processing for subscriptions and purchases | Billing name, email, payment method details (processed by Stripe), transaction history metadata | stripe.com/privacy |
This list may evolve as we add or replace providers. We encourage you to review each provider’s policy for full detail.
6. Cookies
We use essential cookies and similar technologies that are strictly necessary to operate the Service — for example, to keep you signed in, maintain session security, and protect against cross-site request forgery where applicable.
Under the UK Privacy and Electronic Communications Regulations (PECR), we rely on the exemption for cookies that are strictly necessary to provide a service you have requested. We do not use non-essential cookies (such as analytics or advertising cookies) without your consent where UK or EU law requires consent. If we introduce non-essential cookies, we will explain them clearly and, where required, ask for your consent before they are set.
We do not use advertising cookies, behavioural tracking cookies, or third-party marketing pixels for profiling visitors across unrelated sites. If we ever introduce optional analytics or marketing cookies that are not strictly necessary, we will update this policy and, where required by law, obtain your consent before activating them.
7. Data Retention
- Account data: retained while your account is active and for a short period afterwards as needed for backup, audit, or legal compliance.
- Deletion after account closure: following a verified account deletion request, we aim to delete or anonymise personal data associated with your account within 30 days, except where a longer period is required by law or to resolve disputes.
- Project and deployment files: after you delete a project, associated deployment files and related artefacts may be retained for up to 90 days before permanent deletion, unless a shorter period is technically feasible or a longer period is required by law.
Retention periods may be extended if necessary to comply with legal obligations, enforce our agreements, or resolve claims.
8. Your Rights
Depending on where you live, you may have rights regarding your personal data. We will respond to verifiable requests in line with applicable law.
General rights (where applicable): you may have the right to access the personal data we hold about you, to correct inaccurate data, to delete your data (subject to exceptions), to export or receive a copy in a portable format where technically feasible, to object to certain processing, to restrict processing, and to withdraw consent where processing is based on consent.
GDPR (UK / EEA): if you are in the UK or European Economic Area, you may exercise the rights above under the GDPR and (where applicable) the UK GDPR. Our processing is typically based on one or more of the following lawful bases: performance of a contract with you; legitimate interests (for example, securing the Service, preventing abuse, and improving the product, balanced against your rights); legal obligation; or consent where we ask for it. Where consent is the basis, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
You may lodge a complaint with a supervisory authority. In the United Kingdom, the supervisory authority is the Information Commissioner’s Office (ICO) (ico.org.uk). In the EEA, you may contact the supervisory authority in your country of residence or work.
Data protection contact: for questions about how we process personal data or to exercise GDPR-related rights, contact privacy@archilas.com. We will respond within the timeframes required by applicable law.
CCPA / CPRA (California): California residents have the right to know what personal information we collect, use, disclose, and sell (we do not sell personal information as defined by the CCPA/CPRA), the right to request deletion of personal information subject to exceptions, the right to correct inaccurate personal information, the right to opt out of the sale or sharing of personal information (not applicable while we do not sell or share for cross-context behavioural advertising in a way that triggers opt-out), and the right to limit use of sensitive personal information where applicable. We will not discriminate against you for exercising any of these rights (for example by denying goods or services, charging different prices, or providing a different level of service), except as permitted by law. You may designate an authorised agent where permitted by law.
How to exercise your rights: email us at privacy@archilas.com with your request and enough information for us to verify your identity. We will respond within the timeframe required by applicable law.
9. Children’s Privacy
The Service is not directed at children under 13 years of age (U.S. Children’s Online Privacy Protection Act — COPPA). We do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe we have collected information from a child under 13, please contact privacy@archilas.com and we will take steps to delete it promptly.
For users in the European Economic Area and United Kingdom, the Service is not intended for individuals under 16 years of age, and we do not knowingly collect personal information from children under 16 in those regions without appropriate consent where required by law. If you believe we have collected such information, contact us at privacy@archilas.com.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and/or by a prominent notice on the Service, and we will update the “Last updated” date at the top of this page. We encourage you to review this policy periodically.
11. International Transfers, Controllers, and Further GDPR / UK GDPR Disclosures
Controller: for the purposes of the GDPR and UK GDPR, Archilas acts as a controller of personal data described in this policy when we determine the purposes and means of processing (for example account and billing data). Processing of your projects and content may involve us acting on your instructions as part of providing the Service.
International transfers: where we transfer personal data from the UK or EEA to countries that have not been recognised as providing an adequate level of data protection, we will use appropriate safeguards as required by applicable law (such as standard contractual clauses approved by the European Commission or UK government, or other lawful transfer mechanisms).
UK GDPR: if you are in the UK, the UK GDPR and Data Protection Act 2018 apply. You have the same broad categories of rights as under the EU GDPR, including the right to lodge a complaint with the ICO (see section 8).
Automated decision-making: we do not use solely automated decision-making, including profiling, which produces legal or similarly significant effects concerning you, unless we notify you separately and provide a lawful basis.
12. Contact Us
For privacy-related questions, requests, or complaints:
Email: privacy@archilas.com
Website: archilas.com