Arky is now inopen beta

PRIVACY POLICY

Effective Date: May 1, 2026

Arky Labs, Inc. (“Arky,” “we,” or “us”), a company incorporated in the State of Delaware, United States, values your privacy. This Privacy Policy explains what information we collect when you use our websites, applications, and related services (collectively, the “Services”), and how we use, retain, protect, and share that information. By using the Services, you agree to this Policy.

Your use of the Services is also subject to our Terms of Use, which incorporate this Policy.

1. Data Controller

Arky Labs, Inc. is the data controller responsible for your personal data processed in connection with the Services. For contact information, see Section 17 below.

2. Changes to This Policy

We may update this Policy to reflect changes to our Services or legal requirements. For material changes, we will provide at least 7 days’ notice via our website, email, or other reasonable means. Your continued use of the Services after the effective date means you accept the updated Policy.

3. Scope

This Policy applies to personal data we process in connection with the Services. It does not cover the practices of third parties that we do not own or control.

4. Personal Data We Collect

We may collect:

  • Profile and contact details: name, email address, username.
  • Device and technical data: IP address, device identifiers, browser/OS information, timestamps.
  • Usage data: pages visited, feature usage, edit history, clickstream.
  • User-provided content: documents and text you create, feedback, support inquiries.
  • AI inputs/outputs: prompts you submit and AI-generated results returned to you.
  • Payment data: billing details and transaction history processed by our payment provider. We do not store full credit card numbers.

5. Legal Bases for Processing (EU/EEA Users)

If you are in the EU/EEA, we process your personal data under the following legal bases pursuant to the General Data Protection Regulation (GDPR):

  • Contract performance (Art. 6(1)(b)): account creation, service provision, customer support, payment processing.
  • Legitimate interests (Art. 6(1)(f)): service usage measurement, security monitoring, service improvement, fraud prevention.
  • Consent (Art. 6(1)(a)): marketing communications where required by applicable law.
  • Legal obligation (Art. 6(1)(c)): compliance with applicable laws, tax, and regulatory requirements.

You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

6. How We Use Personal Data

We use personal data to:

  • Create and manage accounts and provide the Services.
  • Respond to inquiries and provide support.
  • Personalize features and improve usability and performance.
  • Analyze usage, detect errors, and maintain security.
  • Improve AI features using de-identified and aggregated data.
  • Send service notices and, if you have consented, marketing communications.
  • Process payments and manage subscriptions.
  • Comply with applicable laws and respond to lawful requests.

7. How We Collect Personal Data

We collect data when you:

  • Register for or use the Services and enter information directly.
  • Communicate with us by email or other channels.
  • Use the Services, which automatically generate logs and technical data.
  • Use OAuth sign-in (e.g., Google, GitHub), which provides us limited account information per your settings.

8. How We Share Personal Data

We do not sell personal data. We may share limited data:

  • With service providers that operate on our behalf, including:
    • Cloud infrastructure and hosting providers
    • Authentication and identity verification services
    • Payment processing services
    • AI model providers (de-identified inputs only)
    • Analytics and error monitoring services
  • For legal reasons when required by law, regulation, or lawful request.
  • In a business transfer (e.g., merger or acquisition), after notice is provided.

A current list of our subprocessors is available upon request at help@arky.so.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your own, including the United States and the Republic of Korea. When we transfer personal data outside your jurisdiction, we rely on:

  • EU adequacy decisions (including the EU–Republic of Korea adequacy decision)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Your explicit consent, where applicable

We ensure that any transfer is subject to appropriate safeguards in compliance with applicable data protection law.

10. Cookies and Similar Technologies

We use cookies and similar technologies only where needed to operate the Services, maintain security, and remember your preferences:

  • Essential cookies: required for the Services to function and remain secure (e.g., authentication, infrastructure security, network reliability). Cannot be disabled.
  • Functional storage: remembers your preferences and settings (e.g., language, theme) in your browser.

We do not use advertising cookies, cross-site advertising trackers, or non-essential analytics cookies on the Services. You can control or clear browser storage through your browser settings, though disabling certain storage may limit language, theme, or sign-in related features.

11. Children’s Privacy

The Services are not directed to children. In the United States, we do not knowingly collect personal data from children under 13 (per COPPA). In the EU/EEA, parental consent is required for users under 16 (or the lower age set by your member state, minimum 13). In the Republic of Korea, parental consent is required for users under 14. If we learn we have collected data from a child without required consent, we will delete it promptly.

12. Data Security

We apply appropriate technical and organizational safeguards to protect personal data, including encrypted storage and transmission, access controls, security logging, regular backups, and anomaly detection. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

13. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy or as required by law. Typical retention periods:

  • Account data: duration of account plus 60 days after deletion
  • Usage and log data: up to 12 months
  • Payment records: as required by applicable tax and financial regulations
  • Support communications: up to 24 months after resolution

When retention ends, we delete or irreversibly anonymize the data.

14. Your Rights

Depending on your jurisdiction, you may exercise the following rights regarding your personal data:

  • Access and review your personal data
  • Correction / rectification of inaccurate data
  • Deletion (erasure) of your data
  • Restriction (suspension) of processing
  • Data portability (receive your data in a structured, machine-readable format)
  • Object to processing based on legitimate interests

Submit requests via email at help@arky.so or through in-product settings. We will respond within the timeframe required by applicable law.

15. Additional Rights for EU/EEA Residents (GDPR)

In addition to the rights listed above, EU/EEA residents may:

  • Withdraw consent at any time (Art. 7(3) GDPR)
  • Lodge a complaint with your local data protection supervisory authority (Art. 77 GDPR). A list of EU/EEA supervisory authorities is available at edpb.europa.eu
  • Not be subject to decisions based solely on automated processing, including profiling, that produces legal or similarly significant effects (Art. 22 GDPR)

We do not currently engage in solely automated individual decision-making as described in Art. 22 GDPR.

16. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You may request the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive personal information, it is used only for purposes permitted under CCPA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise these rights, contact us at help@arky.so. We will verify your identity before processing your request.

17. Data Protection Officer and Contact

  • Data Protection Officer: Jaeho Lee (CTO & DPO)
  • Primary contact: help@arky.so
  • DPO contact: jaeho@arky.so
  • Hours: Mon–Fri 10:00–18:00 (KST)

18. Incident Response and Notifications

Upon detecting a personal data incident, we will promptly contain and investigate the issue, determine scope and impact, implement remediation, and provide notices to affected users and relevant authorities as required by applicable law, including within 72 hours to the relevant supervisory authority where required under GDPR.