Privacy Policy
What Arketo collects and why: account and billing data, the architecture you create, and a single sign-in cookie. No data sold, no trackers, and no AI key held on your behalf.
- Effective
- 22 June 2026
- Jurisdiction
- Denmark / EU
- Contact
- privacy@arketo.app
Overview
This policy explains what personal data Arketo collects, why, and what rights you have. Arketo ("we", "us") is the data controller for the data described here. You can reach us about privacy at privacy@arketo.app.
We have kept it readable. If anything is unclear, ask us.
What we collect
We keep the data we need to run a private, paid canvas, and nothing we do not:
- Account data: your email address and a securely hashed password. We never store your password in readable form.
- Billing data: your subscription status and a customer reference held by Stripe. Stripe handles your card details; we do not see or store your full card number.
- Your content: the architecture you create, including components, connections, findings, reports, and the workspace they live in.
- Technical data: a single sign-in cookie, and basic server logs such as IP address and request metadata, which we use to operate and secure the service.
We do not collect or hold any AI provider API key. Your assistant connects with its own credentials, not ours.
What we do not do
- We do not sell or rent your personal data.
- We do not run advertising or third-party analytics trackers, and we set no advertising cookies.
- We do not use your private architecture content to train models, and we do not send it to any AI provider ourselves.
How we use your data
We use your data only for these purposes, on these legal bases under the GDPR:
- To provide the service: create your account, host your workspace, and serve the canvas and reports (performance of our contract with you).
- To take payment: run the subscription through Stripe (performance of our contract).
- To keep the service secure and working: prevent abuse, debug, and protect against fraud (our legitimate interests).
- To meet legal duties: keep records such as invoices where the law requires (legal obligation).
Your assistant and MCP
Arketo is controlled by your own AI assistant over MCP. When you connect it, the assistant reads and writes your workspace through a URL tied to your account. That assistant is operated by you or your AI provider under its own terms and privacy policy, not ours. We move your content to and from your assistant as you direct, and we do not send it to any model provider on our own initiative.
Who we share data with
We share data with a small set of service providers (processors) that help us run Arketo, under contracts that require them to protect it:
- Stripe, for payments and subscription management.
- Our hosting and database providers, which store the account and workspace data that runs the service.
You can also create read-only share links. If you generate one, anyone with that link can view the diagram you shared until you turn the link off. You control whether a link exists.
Where your data is held
We aim to host your data in the EU / EEA. If a provider processes data outside the EEA, we rely on appropriate safeguards such as the European Commission's standard contractual clauses. Ask us if you would like detail on a specific provider.
How long we keep it
We keep your account and content for as long as your account is active. If you close your account or delete a workspace, we delete the associated content within a reasonable period, except where we must keep certain records, such as billing and tax records, for longer to meet legal duties. Backups are rotated on a regular cycle.
How we protect it
We protect your data with measures including passwords stored only as salted, industry-standard slow hashes (scrypt), encrypted connections (TLS) for traffic to the site and to our database, HTTP-only session cookies, and workspace isolation so one account cannot see another's data. No system is perfectly secure, but we work to keep these protections current.
Your rights
Under the GDPR you have the right to access your data, correct it, delete it, export it, restrict or object to certain processing, and withdraw consent where we rely on it. To exercise any of these, email privacy@arketo.app and we will respond within the time the law allows. You also have the right to complain to a supervisory authority, in Denmark Datatilsynet (the Danish Data Protection Agency).
Children
Arketo is for professional use and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has given us data, contact us and we will delete it.
Changes to this policy
We may update this policy as the service changes or the law requires. When we make a material change, we will update the effective date above and, where appropriate, tell you in the product. Continuing to use Arketo after a change means you accept the updated policy.
Contact
Questions, requests, or complaints about privacy? Email privacy@arketo.app. For the terms that govern use of the service, see the Terms and Conditions.
