Privacy Policy

Effective date: February 23, 2026

1. Introduction

This Privacy Policy explains how Arceus, operated by Sait Burak Yücekaya ("we", "us", "our"), collects, uses, and protects your personal information when you use our Service. We are committed to protecting your privacy and handling your data transparently.

2. Information We Collect

2.1 Account Information

  • Email address — collected during registration or OAuth sign-in (Google, GitHub).
  • Authentication data — managed by Firebase Authentication (Google Firebase). We do not store your password directly; Firebase handles credential storage and verification.

2.2 Usage Data

  • API usage statistics — request counts, token counts, and time-based usage for enforcing subscription limits.
  • Model usage breakdown — which models are used and how frequently, for analytics and service improvement.
  • Device identifiers — a randomly generated browser-based device ID for managing WebSocket bridge connections.

2.3 Payment Information

All payment information (credit card numbers, billing addresses, etc.) is collected and processed exclusively by Paddle, our Merchant of Record. We do not store, process, or have access to your payment card details. We only receive subscription status information (active, cancelled, etc.) from Paddle via webhooks.

3. Information We Do NOT Collect

  • Your code — when using local models (Ollama, llama.cpp), inference runs entirely on your machine. Your prompts and code are sent directly from your browser to your local model server and are never transmitted to our servers.
  • Prompt content — we do not log, store, or inspect the content of your prompts or model responses. Only metadata (token counts, request timestamps) is recorded for usage tracking.
  • Payment card details — handled entirely by Paddle.

4. How We Use Your Information

  • Service operation — to authenticate your account, enforce usage limits, and route requests.
  • Subscription management — to manage your plan, process upgrades/downgrades, and coordinate with Paddle for billing.
  • Service improvement — aggregate, anonymized usage statistics help us improve performance and reliability.
  • Communication — to send essential service notifications (e.g., email verification, subscription changes). We do not send marketing emails without your consent.

5. Data Storage and Security

  • Account and usage data is stored in Google Cloud Firestore, secured with Firebase security rules and encrypted at rest.
  • Authentication is handled by Firebase Authentication with industry-standard security practices.
  • API keys are generated server-side and transmitted over encrypted (HTTPS/WSS) connections.
  • We implement rate limiting, input validation, and other security measures to protect against abuse.

6. Third-Party Services

We use the following third-party services that may process your data:

  • Firebase (Google) — authentication and database. Subject to Firebase Terms.
  • Paddle — payment processing (Merchant of Record). Subject to Paddle Privacy Policy.
  • Cloud model providers (Anthropic, OpenAI, Google) — only when you use cloud models. Prompts sent to cloud models are subject to each provider's privacy policy.

7. Data Retention

  • Account data is retained for as long as your account is active.
  • Usage statistics are retained for up to 12 months for analytics purposes, then aggregated or deleted.
  • Upon account deletion, your personal data will be removed within 30 days. Some anonymized, aggregate data may be retained.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Object to or restrict processing of your data.
  • Export your data in a portable format.

To exercise any of these rights, contact us at support@arceus.app.

9. Cookies and Local Storage

  • We use a single session cookie (arceus-logged-in) to track your authentication state. It expires after 24 hours.
  • We store a randomly generated device ID in your browser's local storage for WebSocket bridge connection management.
  • We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at support@arceus.app and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Your continued use of the Service constitutes acceptance of the revised policy.

12. Contact

If you have any questions about this Privacy Policy or our data practices, please contact us at support@arceus.app.