Privacy Policy
Last updated: [DATE]
This Privacy Policy explains how Arcyto ("Arcyto", "we", "us", "our") collects, uses, and shares personal data when you use the Arcyto website at arcyto.com, the Arcyto web app at app.arcyto.com, and our related services (together, the "Service"). The Service provides a personalised daily financial brief, a stock watchlist, and a macro/economic calendar.
We are based in Germany and established in the European Union, so this policy is written to comply with the EU General Data Protection Regulation (GDPR). If you are a California resident, please also read the dedicated California Privacy Rights section below.
Note on financial content. The briefs, headlines, audio, chat answers, prices, and calendar entries shown in the Service are for information only and are not financial, investment, or tax advice. This Privacy Policy concerns only how we handle your personal data.
1. Who is responsible for your data (Controller)
The controller responsible for processing your personal data under the GDPR is:
Mo Sharifi (operating as a sole trader, trading as "Arcyto") [POSTAL ADDRESS] Berlin, Germany
Privacy contact: hello@arcyto.com
Publication note (remove before publishing): The controller's full legal name and postal address above are legally mandatory under GDPR Art. 13(1)(a) — they are not optional drafting placeholders. An unidentifiable controller is itself a transparency breach. The legal name is filled in; replace
[POSTAL ADDRESS]with the operator's full Berlin postal address (a ladungsfähige Anschrift — street + number, no PO box) before this policy goes live. The same address placeholder appears in Section 14 and must be filled there too.
We have not appointed a Data Protection Officer, as we are not legally required to do so. You can direct all privacy questions and rights requests to the contact address above.
For our full legal-disclosure details (Impressum), see our Imprint.
2. A note on our anonymous-first design (important)
Arcyto is designed to let you start using the Service before you create an account or provide an email address. When you first open the web app, our authentication provider (Supabase) issues an anonymous identity — a randomly generated user ID stored against your browser session — so that your onboarding choices (such as your watchlist, experience level, and topic preferences) can be saved as you go.
If you later choose to create a permanent account, this same anonymous user ID is kept and upgraded into your account. This means that personalisation data you provided while anonymous becomes associated with your account once you sign in.
We rely on this design to deliver the core onboarding experience you have requested. We explain each specific data category and its legal basis in Section 4.
Notice at the point of collection. Because the web app begins collecting data (for example, your watchlist and onboarding preferences) during this anonymous-first onboarding, this Privacy Policy also serves as our notice at or before the point of collection. The categories of data we collect and the purposes for which we use them are set out in Sections 4 and 11, and the onboarding screens link to this policy before your onboarding data is captured.
3. Where personal data comes from
We collect personal data from three sources:
- Directly from you — for example, the email address and (where applicable) password you provide when creating an account, your watchlist selections, your onboarding preferences, questions you type into the "Ask Arcyto" chat, and your details if you join the waitlist.
- Automatically — for example, anonymous/session identifiers, device and connection data, and limited diagnostic data, generated as you use the Service.
- From third parties — if you sign in with a third-party provider (such as Google or Apple), we receive certain profile information from that provider (see Section 4.A). [VERIFY before publication: third-party sign-in is referenced in our code but appears marked "coming soon" in places. Confirm which providers (Google, Apple) are live in production. If a provider is not yet enabled, remove its references from Sections 3, 4.A, 6, and 11 so we do not disclose processing that is not actually occurring.]
4. What personal data we process, why, and on what legal basis
The tables below describe every category of personal data we process, grouped by purpose. "Legal basis" refers to GDPR Article 6.
A. Account identity
| Data | Email address; password (stored only in hashed form by our authentication provider); your Arcyto user ID (a UUID); and, if you sign in with a third-party provider, the profile information that provider returns (email, name, profile picture, and the provider's account identifier). |
| Purpose | To create and secure your account, authenticate you, keep you signed in, and send you account/authentication emails. |
| Legal basis | Performance of a contract (Art. 6(1)(b)) — we need this to provide you with an account and the Service. |
| Notes | Account credentials are managed by our authentication provider, Supabase. Our backend never stores your email or password; it only reads your user ID from your sign-in token. [VERIFY before publication: confirm which third-party sign-in providers (Google, Apple) are live in production before stating them here.] |
B. Anonymous and session identifiers
| Data | An anonymous Supabase user ID (see Section 2); session/authentication cookies; and small browser-storage values that remember your theme preference and whether you dismissed the "Add to home screen" prompt. |
| Purpose | To keep you signed in, to carry your onboarding choices before sign-up, and to remember basic interface preferences. |
| Storage / device access (TDDDG §25) | Placing and reading the session/authentication cookies and the theme / "install dismissed" browser-storage values on your device is strictly necessary to provide a service you have explicitly requested, so it is exempt from prior consent under §25(2) of the German Telecommunications-Digital-Services Data Protection Act (TDDDG, formerly TTDSG). This "strictly necessary" exemption concerns the storage on your device; the legal basis for processing the data itself is set out in the next row. |
| Legal basis (Art. 6 GDPR) | Performance of a contract (Art. 6(1)(b)) for authentication, session continuity, and remembering preferences for features you requested. The linking of pre-sign-up onboarding data to your permanent account is likewise performance of a contract (Art. 6(1)(b)). |
C. Your watchlist and personalisation preferences
| Data | The display name you give us; your self-described experience level (e.g. new / some / pro); topics and news categories you select; your notification opt-in setting and preferred delivery time; onboarding progress; and the assets on your watchlist (and their display order). Your theme preference is stored in your browser. |
| Purpose | To personalise your home feed, daily brief, watchlist, and news selection, and to schedule notifications you have opted into. |
| Legal basis | Performance of a contract (Art. 6(1)(b)) for personalisation. Your notification opt-in is recorded as your consent (Art. 6(1)(a)) for that feature, which you may withdraw at any time. |
| Storage | Stored in our database (Supabase Postgres), protected by row-level security so that only your account can access your own records. |
D. AI-generated brief and chat ("Ask Arcyto")
| Data sent to the AI provider | Your watchlist symbols, asset names, and prices; and, for the chat feature, the free-text questions you type. |
| Purpose | To generate your personalised daily editorial brief and audio brief, and to answer your follow-up questions. |
| Legal basis | Performance of a contract (Art. 6(1)(b)) — these are core features of the Service. |
| AI provider | We use Google's Gemini models to generate this content (see Section 6 — sub-processors). Your typed chat questions are sent to Google to produce an answer. |
| Storage | Generated briefs and their input context are cached temporarily in our database, keyed by a hash of your watchlist plus the date, with an automatic expiry. The chat is stateless — we do not keep a server-side history of your chat conversations. |
| Notes | We do not routinely send your name or email to the AI provider. [VERIFY before publication: our code currently passes a fixed placeholder first name to the model rather than your stored name. Confirm production behaviour before stating this definitively; if the real name is wired in, update this row to disclose that the name is sent.] |
E. Authentication and transactional email
| Data | Your email address and the contents of account/authentication messages (e.g. confirmation links, magic links, password-reset, email-change, and re-authentication messages). |
| Purpose | To verify your email and operate the account lifecycle. |
| Legal basis | Performance of a contract (Art. 6(1)(b)). |
| How it is sent | Authentication emails are sent by Supabase Auth and delivered via Resend (an email provider). Inbound replies to our support address are received via Apple iCloud's custom email domain service. (See Section 6.) |
F. Waitlist (landing page)
| Data | Your email address; the platform you selected (iOS / Android); a one-way SHA-256 hash of your IP address (we never store your raw IP for this purpose); and your browser's User-Agent string (truncated). |
| Purpose | To notify you when we launch, and to prevent abuse/spam of the sign-up form. |
| Legal basis | Consent (Art. 6(1)(a)) for the launch-notification email. The hashed-IP and User-Agent rate-limiting relies on our legitimate interest (Art. 6(1)(f)) in keeping the waitlist secure and preventing fraudulent, automated, or abusive sign-ups. We have weighed this interest against your rights and consider it not to be overridden, because we store only a one-way hash of your IP (never the raw IP), use it solely to throttle abuse, and retain it for a limited period (see Section 8). You can object to this processing under Art. 21 (see Section 10). |
| Storage | Stored in a dedicated, access-restricted table. |
G. Push notifications (if you opt in)
| Data | Your Web Push subscription details (a delivery endpoint URL and the cryptographic keys your browser generates) and your browser's User-Agent. |
| Purpose | To deliver daily-brief notifications you have enabled. |
| Legal basis | Consent (Art. 6(1)(a)) — recorded via your notification opt-in; withdraw any time by disabling notifications. |
| Notes | [VERIFY before publication: push delivery is described in our code as a future capability. Confirm whether notifications are actively being sent in production; if push is not yet live, remove or clearly mark this section as a planned feature rather than active processing.] |
H. Technical, diagnostic, and security data
| Data | IP address and User-Agent at the network/server layer (standard request logs); a request-correlation ID we attach to logs to trace issues; error reports and stack traces. |
| Purpose | To operate, secure, debug, and maintain the reliability of the Service. |
| Legal basis | Legitimate interest (Art. 6(1)(f)) in keeping the Service secure, available, and reliable — specifically in detecting and diagnosing errors, investigating and preventing security incidents and misuse, and maintaining the integrity of our systems. We have weighed this interest against your rights and consider it not to be overridden, because we minimise the data used for these purposes (see Section 9), do not use it to build profiles or target you, and retain it only as long as needed (see Section 8). You can object to this processing under Art. 21 (see Section 10). |
| Error tracking | We use Sentry for error monitoring. We have configured Sentry to not send default personal data, with session replay and tracing disabled. Despite this, an IP address or other request data may still be captured by the error-tracking system. [VERIFY before publication: confirm whether client-IP scrubbing is enabled at the Sentry organisation/project level, and confirm Sentry's data-residency region (see Section 7).] |
| Server logs | Our backend runs on Google Cloud Run; operational logs may contain IP addresses, User-Agents, and user IDs. [VERIFY before publication: confirm the Cloud Logging retention period and state it in Section 8. Google Cloud Logging's default for the relevant log bucket is approximately 30 days unless configured otherwise.] |
I. Analytics
| Data | Aggregated, cookieless web-analytics data collected by Vercel Web Analytics on both arcyto.com and app.arcyto.com: page/route views, Web Vitals performance metrics, a custom "feed load timing" event, coarse (country-level) location, and device/browser type. Vercel processes an IP-and-User-Agent-derived value transiently to count unique visitors; it does not store cookies or other identifiers on your device for this. |
| Purpose | To understand usage and performance and to improve the Service. |
| Legal basis | Legitimate interest (Art. 6(1)(f)) in measuring how the Service is used and performing so that we can improve it. We have weighed this interest against your rights and consider it not to be overridden, because this analytics is cookieless, aggregated, processes only an IP/User-Agent-derived value that is discarded after a short period, and is not used to identify or profile you individually. You have the right to object to this processing at any time under Art. 21 — see Section 10. |
| Your right to object | Because this analytics relies on legitimate interest, you may object to it at any time (Section 10). |
| Regulatory note (for counsel — remove before publication): | Cookieless analytics is a defensible but not risk-free legal basis for a German-established controller. German DPAs and EU supervisory authorities are not uniform on whether such analytics may rely on legitimate interest or requires consent under the TDDDG / ePrivacy regime. Counsel should confirm the no-consent-banner position (Section 5) and decide whether to gate this analytics behind opt-in. |
5. Cookies and local storage
We use only strictly necessary cookies and browser storage. We do not use advertising cookies, third-party tracking cookies, or cross-site tracking.
| What | Type | Purpose |
|---|---|---|
Supabase authentication cookies (sb-…-auth-token) | Strictly necessary | Keep you signed in and carry your session, including the anonymous-first identity. |
arcyto-theme (local storage) | Functional | Remembers your light/dark/system theme choice. |
arcyto.install.dismissed (local storage) | Functional | Remembers that you dismissed the "Add to home screen" prompt. |
| Service-worker and offline caches | Functional | Cache your own brief/feed content and app assets so the app works offline (Progressive Web App feature). |
| Push subscription (if enabled) | Functional | Stores your notification subscription in your browser. |
Because our on-device storage is limited to what is strictly necessary or functional for features you request, we do not display a cookie consent banner. Our analytics (Section 4.I) is cookieless and stores nothing on your device.
For counsel (remove before publication): The no-banner position rests on the analytics being treated as consent-exempt under its cookieless design. As flagged in Section 4.I, this is defensible but not settled for a German-established controller; please confirm before publication.
Google Fonts
The web app loads one icon font (Material Symbols) from Google's Fonts CDN (fonts.googleapis.com). When your browser loads that font, your IP address is transmitted to Google (a recipient in the United States). We rely on our legitimate interest (Art. 6(1)(f)) in rendering the interface correctly; this is an international transfer covered by Section 7 (Google as recipient).
Action before publication (preferred fix): Self-host the Material Symbols font so no request is made to Google's CDN. German courts have treated dynamic Google Fonts embedding as a GDPR violation. If the font is self-hosted before launch, delete this "Google Fonts" subsection and remove Google Fonts as a recipient from Sections 6 and 7. If it is retained, keep this disclosure live.
6. Sub-processors and recipients of your data
We use the following service providers ("sub-processors") to operate the Service. We do not sell your personal data. We put in place data-processing agreements with our processors where required, so that they process your data only on our instructions.
Action before publication: Confirm that a signed data-processing agreement (and, for US recipients, the relevant transfer mechanism in Section 7) is actually in place for each processor listed below before stating it as fact.
| Provider | Role | Data involved |
|---|---|---|
| Supabase | Authentication and primary database (hosting region to be confirmed — see Section 7) | Account identity, user IDs, watchlists, preferences, cached briefs, IP at sign-in. |
| Google Cloud — Cloud Run | Backend hosting (region us-east1, USA) | Data in transit for all authenticated requests. |
| Google Cloud — Cloud Logging & Cloud Monitoring | Operational logging and monitoring (region us-east1, USA) | Logs that may contain IP addresses, User-Agents, and user IDs. |
Google Cloud — Cloud Storage (bucket gs://arcyto-briefs) | File storage for generated audio briefs (bucket region to be confirmed — see Section 7) | Generated podcast audio, named by a hash of your watchlist plus the date (no direct identifiers); deleted on a 7-day lifecycle. |
| Google — Gemini (AI generation) | Generating the editorial brief and audio brief | Watchlist-derived content (symbols, names, prices) and your chat questions. |
| Google / Apple (Sign-in / OAuth) | Federated login, if you choose a third-party sign-in | Your provider email, name, profile picture, and account ID. [VERIFY: confirm which providers are live before listing them — see Section 3.] |
| Resend | Delivery of authentication/transactional email | Your email address and the contents of those messages. |
| Apple (iCloud Custom Email Domain) | Receiving inbound mail to our support address | Any personal data you include in an email to us. |
| Vercel | Hosting of the website and web app, plus Vercel Web Analytics | Request data, IP addresses, session cookies; cookieless analytics metrics. |
| Sentry | Error and crash monitoring | Error reports, diagnostic context (default personal data disabled). |
| Google Fonts | Serving one icon font to the web app (see Section 5) | Your IP address, transmitted on font load. [Remove if the font is self-hosted before launch.] |
DNS provider (not a recipient of your personal data): Our domain's DNS is managed by Cloudflare in a DNS-only configuration (no proxying of application traffic). Cloudflare resolves DNS queries but does not process the application data described in this policy, so it is not listed as a sub-processor.
Market-data sources (not recipients of your personal data): We obtain prices and company news from third-party market-data providers (currently Finnhub and CoinGecko). We send these providers only public ticker/coin identifiers — not your identity or your personal watchlist linked to you. [VERIFY before publication: confirm the exact set of live market-data providers (e.g. whether a Yahoo-based EU provider is also in use) and list them all.]
This list may change as our Service evolves; we will keep this section up to date.
7. International data transfers
Several of our sub-processors are located in, or transfer data to, the United States (see Section 6). When we transfer personal data outside the European Economic Area, we rely on appropriate safeguards under the GDPR — the EU–US Data Privacy Framework (DPF) where a provider is certified, and/or the European Commission's Standard Contractual Clauses (SCCs) with supplementary measures where appropriate.
The intended mechanism per recipient is set out below.
| Recipient | Location | Intended transfer mechanism |
|---|---|---|
| Supabase | Region to be confirmed — Supabase offers an EU (Frankfurt) region. If the project is EU-hosted, no transfer occurs and Supabase should be removed from this table. If US-hosted: SCCs (and DPF if certified). | To verify |
| Google Cloud — Cloud Run / Cloud Logging / Cloud Monitoring | us-east1, USA | EU–US DPF (Google LLC is DPF-certified) and/or SCCs |
Google Cloud — Cloud Storage (gs://arcyto-briefs) | Bucket region to be confirmed (likely US) | EU–US DPF and/or SCCs |
| Google — Gemini | USA (Google global) | EU–US DPF and/or SCCs |
| Google / Apple (Sign-in / OAuth) | USA (provider global) | EU–US DPF and/or SCCs |
| Google Fonts | USA (Google global) | EU–US DPF and/or SCCs (remove if font is self-hosted) |
| Resend | USA | SCCs (and DPF if certified) |
| Apple (iCloud Custom Email Domain) | USA (Apple global) | SCCs (and DPF if certified) |
| Vercel (hosting + Web Analytics) | USA | SCCs (and DPF if certified) |
| Sentry | Region to be confirmed — Sentry offers an EU data-residency option. If EU-hosted, no transfer occurs. If US-hosted: SCCs (and DPF if certified). | To verify |
You can request more information about these safeguards using the contact details in Section 1.
Regions to verify before publication (each changes the transfer position): (1) Supabase project region — this is our primary datastore and an EU region is available, so confirming it is the single most important item here; (2) Sentry organisation region; (3) Google Cloud Storage bucket region for the generated audio. After verification, map each remaining US recipient to its actual mechanism (DPF-certified vs SCCs) and remove any recipient confirmed to be EU-hosted from this table and from Section 6.
8. How long we keep your data
| Data | Retention |
|---|---|
| Account identity and profile/watchlist data | Kept for as long as your account exists, and then deleted. We will also delete or anonymise account data after a prolonged period of account inactivity (criterion to be finalised, e.g. after 24 months of no sign-in, with prior notice where required). We do not currently offer self-service deletion; until then, deletion is handled manually on request (see Section 10). |
| Cached briefs and brief context | Automatically expire after a short period (set by an expiry timestamp in our database). |
| Generated audio briefs | Automatically deleted on a 7-day lifecycle. |
| Chat questions | Not stored server-side after answering. |
| Waitlist entries | Kept until we launch (after which entries are deleted) or until you ask us to remove them. [VERIFY before publication: no automatic purge is currently configured — implement a purge and state a concrete maximum period here, e.g. delete within [X] months of launch.] |
| Server/operational logs (Google Cloud Logging) | Retained for approximately 30 days (Google Cloud Logging default), unless we configure a different period. [VERIFY before publication: confirm the configured retention and state the exact period.] |
| Error-tracking data (Sentry) | Retained according to Sentry's default retention (typically up to 90 days for error events). [VERIFY before publication: confirm the project's configured retention and state the exact period.] |
When data is no longer needed, we delete or anonymise it.
Action before publication: The TODO/VERIFY items above are not optional drafting notes — Art. 13(2)(a) requires a stated retention period or the criteria used to determine it, and Art. 5(1)(e) (storage limitation) does not permit indefinite retention by default. Resolve each item with a concrete period or determination criterion.
9. How we protect your data
We apply technical and organisational measures appropriate to the risk, including:
- Encryption in transit (HTTPS/TLS) across the website, app, and backend.
- Row-level security in our database, so that user records are accessible only to the owning account; internal/system tables are restricted to service-level access.
- Stateless, token-based access control — our backend authorises every request against your signed identity token.
- Minimised diagnostics — error tracking is configured to exclude default personal data, and IP addresses for waitlist abuse-prevention are stored only as one-way hashes.
No method of transmission or storage is completely secure, but we work to protect your data and to address vulnerabilities responsibly. If a personal-data breach occurs that is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay, as required by GDPR Art. 34, and will notify the competent supervisory authority where Art. 33 applies.
10. Your rights under the GDPR
Subject to the conditions in the GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15);
- Rectify inaccurate or incomplete data (Art. 16);
- Erase your data ("right to be forgotten") (Art. 17);
- Restrict processing in certain circumstances (Art. 18);
- Data portability — receive your data in a structured, machine-readable format (Art. 20);
- Object to processing based on legitimate interests (Art. 21) — this includes our waitlist abuse-prevention (Section 4.F), our technical/diagnostic and security processing (Section 4.H), and our cookieless analytics (Section 4.I);
- Withdraw consent at any time where we rely on consent (e.g. notifications, waitlist email) — this does not affect processing carried out before withdrawal.
How to exercise your rights. Please email hello@arcyto.com. We will respond within one month, as required by Art. 12(3) (extendable by two further months for complex or numerous requests, with notice to you).
Please note: We do not yet offer a self-service account-deletion or data-export feature inside the Service. Until that is available, we handle access, deletion, and export requests manually when you contact us at the address above.
Internal action (remove before publication): This is a product gap, not just a drafting note. The GDPR requires that these rights are actually deliverable, not merely promised, and the one-month Art. 12(3) deadline must be met. Implement in-product data export and erasure to fully satisfy Arts. 15, 17, and 20; until then, maintain an operational runbook so manual requests can be fulfilled within the deadline at the volumes expected.
Right to complain. If you believe we have mishandled your data, you may lodge a complaint with a supervisory authority. Our lead supervisory authority is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information) Alt-Moabit 59–61, 10555 Berlin, Germany https://www.datenschutz-berlin.de
You may also complain to the supervisory authority in your own EU country of residence.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act, as amended by the CPRA. This section, read together with Sections 4 and 6, also serves as our notice at collection under Cal. Civ. Code § 1798.100(b): we disclose below the categories of personal information we collect and the purposes for which we use them at or before the point we collect that information, and our onboarding screens link to this policy before collecting onboarding data.
Categories of personal information we collect
We collect the following statutory categories of personal information (described in more detail in Section 4):
| Statutory category (CCPA) | Examples we collect |
|---|---|
| Identifiers | Email address; your Arcyto user/device UUID (including the anonymous-first identity); IP address and a one-way hashed IP (waitlist); third-party account identifier (if you use Google or Apple sign-in). |
| Customer records (Cal. Civ. Code § 1798.80(e)) | The display name you provide. |
| Commercial information | Your watchlist, topic/news selections, notification and delivery preferences. |
| Internet or other electronic network activity | Usage data, request logs, diagnostic/error data, Web Vitals and analytics events. |
| Geolocation data | Coarse, country-level location derived by our analytics provider. |
| Audio / electronic information | Generated audio briefs associated with your watchlist. |
| Professional or employment-related information | Your self-described investing experience level (new / some / pro). (Note: this is self-described and not verified employment data.) |
| Sensitive personal information | Account log-in credentials (password, held only in hashed form by our authentication provider). See the SPI statement below. |
| Inferences | We do not create inferential profiles about you; we use the data above only to personalise the Service. |
| Contents of communications | The free-text questions you type into "Ask Arcyto"; the contents of any support email you send us. |
Categories of sources. We collect this information (a) directly from you (account details, watchlist, onboarding preferences, chat questions, waitlist details); (b) automatically from your device and use of the Service (identifiers, network activity, diagnostic data, analytics); and (c) from a third-party sign-in provider (Google or Apple), if you choose to use one (profile information).
Business and commercial purposes. We collect and use this information for the purposes described throughout this policy — providing and securing your account, personalising your brief/watchlist, generating AI content, sending transactional email, operating the waitlist, ensuring security and reliability, and measuring and improving the Service.
Categories of third parties to whom we disclose personal information for a business purpose. We disclose personal information to our service providers as described in Section 6: Supabase (auth/database), Google Cloud / Gemini (hosting, logging, storage, AI generation), Resend (email delivery), Apple (inbound support email), Vercel (hosting and analytics), and Sentry (error monitoring). In the preceding 12 months we disclosed the categories of personal information listed above to these service providers for the business purposes described in this policy.
We do not sell or share your personal information
We do not sell your personal information, and we do not "share" it for cross-context behavioural advertising, as those terms are defined under the CPRA. We have not done so in the preceding 12 months.
Sensitive personal information (SPI)
We collect limited sensitive personal information — your account log-in credentials, held only in hashed form by our authentication provider. We use SPI solely to authenticate you and provide the Service; we do not use it to infer characteristics about you and we do not use or disclose it beyond the purposes permitted under the CPRA. Because of this, the CPRA right to limit the use of sensitive personal information does not apply.
Your California rights
Subject to the law, you have the right to:
- Know / access the personal information we have collected about you, including the categories of sources, the business/commercial purposes for collecting it, and the categories of third parties to whom we disclose it;
- Delete personal information we hold about you;
- Correct inaccurate personal information;
- Opt out of the sale or sharing of personal information — not applicable, because we do not sell or share it; and
- Non-discrimination — we will not discriminate against you for exercising your CCPA rights. We will not deny you the Service, charge you a different price, or provide you a different level or quality of service for exercising your rights. We do not offer financial incentives in exchange for the collection, sale, or sharing of personal information.
How to exercise your California rights
To exercise any of these rights, email hello@arcyto.com. We will acknowledge your request within 10 business days and respond within 45 calendar days, extendable by a further 45 days where reasonably necessary, with notice to you.
Verification. We will verify your request using a method reasonable and proportionate to the sensitivity of the data. For account holders, we verify by reference to information associated with your account. For non-account holders (for example, waitlist subscribers, whose data we hold without an account), we verify by reference to the email address on file. For deletion requests, we may ask you to confirm the request before we act on it.
Authorised agents. You may use an authorised agent to submit a request on your behalf. We may require the agent to provide proof of written authorisation signed by you, and we may require you to verify your own identity directly with us or to confirm that you authorised the agent.
California minors
The Service requires a minimum age of 18 (see Section 12), so we do not knowingly collect personal information from minors. In any event, because we do not sell or share personal information, the CCPA opt-in requirement for consumers under 16 (Cal. Civ. Code § 1798.120(c)) is not triggered. If we ever begin to sell or share personal information, we will obtain the affirmative opt-in consent required by law before doing so.
12. Children
The Service is not directed to children. You must be at least 18 years old to use the Service (see the Terms of Service). We apply this single minimum age of 18 to all users worldwide. We do not knowingly collect personal data from anyone below this age. If you believe someone under 18 has provided us personal data, contact hello@arcyto.com and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify you through the Service. Your continued use of the Service after an update means you accept the revised policy.
14. How to contact us
For any privacy question or to exercise your rights:
Email: hello@arcyto.com Post: Mo Sharifi, [POSTAL ADDRESS], Berlin, Germany
Publication note (remove before publishing): Fill in
[POSTAL ADDRESS]here with the same legally mandatory controller address required in Section 1.
See also our Imprint and Terms of Service.