Privacy Policy

Last updated: 26 March 2026

Data Controller

The data controller responsible for your personal data is:

[Company Name]

[Registered Address]

[City, Country, Postal Code]

Data Protection Officer: privacy@arcbase.com

If you have any questions about how we process your personal data, or if you wish to exercise your data protection rights, please contact our Data Protection Officer at the email address above.

Personal Data We Collect

We collect and process the following categories of personal data:

Account Data

  • Full name and email address
  • Organisation name, industry, and size
  • Job title and role within the platform
  • Password (stored in hashed form only)

Usage Data

  • Pages visited, features used, and actions taken within the platform
  • AI interactions: queries submitted, suggestions received, and feedback provided
  • Audit logs: timestamps, IP addresses, and user actions for security and compliance
  • Performance metrics and error reports

Device and Technical Data

  • IP address and approximate geolocation (country/region level)
  • Browser type and version, operating system
  • Device identifiers and screen resolution
  • Referring URL and access timestamps

Organisational GRC Data

  • Risk assessments, compliance requirements, and control configurations
  • Policies, audit reports, and evidence documents uploaded by your organisation
  • Workflow data, task assignments, and approval records

Note: Organisational GRC data is processed on behalf of your organisation. Your organisation is the data controller for this data, and Arcbase acts as a data processor under a Data Processing Agreement (DPA).

AI-Specific Processing

Arcbase uses artificial intelligence to deliver core platform features. In accordance with the EU AI Act and GDPR Article 22, we provide the following transparency disclosures:

Types of AI Processing

  • Risk assessment and scoring: AI analyses your organisation's risk data to generate risk scores, identify patterns, and suggest mitigation strategies.
  • Compliance monitoring: AI continuously maps your controls and policies against regulatory frameworks (SOC 2, ISO 27001, HIPAA, GDPR, etc.) to identify gaps.
  • Control testing suggestions: AI recommends testing procedures and schedules based on control type and effectiveness history.
  • Audit report generation: AI assists in generating draft audit reports, evidence summaries, and compliance documentation.
  • Natural language processing: AI interprets regulatory texts and user queries to provide contextual guidance.

Human Oversight

All AI-generated outputs are advisory in nature. Arcbase does not make fully automated decisions that produce legal effects or similarly significantly affect you (GDPR Article 22). Every AI recommendation requires human review and approval before implementation. Users retain full control over all GRC decisions.

AI Training Data

Your organisational data is never used to train our AI models. AI model improvement relies solely on anonymised, aggregated, and de-identified data sets. Your proprietary compliance information, risk assessments, and audit evidence remain confidential and are not shared across organisations.

Right to Explanation

You have the right to request a meaningful explanation of any AI-driven assessment or recommendation. Contact privacy@arcbase.com to request an explanation of specific AI outputs.

AI Risk Classification

Under the EU AI Act, Arcbase classifies its AI systems as decision-support tools that assist human professionals. Our AI does not autonomously make decisions in high-risk domains as defined by Annex III of the AI Act. We continuously monitor regulatory developments to ensure our AI classification and safeguards remain appropriate.

Data Sharing and Sub-processors

We share your personal data only when necessary to provide our services, comply with legal obligations, or protect our legitimate interests. We do not sell your personal data.

Categories of Recipients

  • Cloud infrastructure providers: Hosting, storage, and compute services for running the platform.
  • AI service providers: Third-party AI APIs for processing natural language and generating recommendations (data is processed in transit only, not retained by providers).
  • Payment processors: For handling subscription payments and billing.
  • Email and communication services: For transactional and marketing emails.
  • Analytics providers: Only when you have consented to analytics cookies.

Sub-processor List

A current list of our sub-processors is available upon request. Contact privacy@arcbase.com for the full sub-processor register. We will notify you of any changes to our sub-processors in advance, giving you the opportunity to object.

Law Enforcement and Legal Requests

We may disclose personal data to law enforcement or regulatory authorities when required by applicable law, court order, or legal process. We will notify you of such requests unless prohibited by law.

International Data Transfers

Arcbase's infrastructure is hosted in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to the US for processing.

Safeguards for International Transfers

We protect your data during international transfers through the following mechanisms:

  • EU-US Data Privacy Framework (DPF): Where applicable, we rely on sub-processors that are certified under the EU-US DPF, providing an adequate level of data protection as recognised by the European Commission.
  • Standard Contractual Clauses (SCCs): For transfers not covered by the DPF, we execute the European Commission's Standard Contractual Clauses (2021/914) with all relevant sub-processors, supplemented by additional technical and organisational measures where required by transfer impact assessments.
  • Technical safeguards: All data in transit is encrypted using TLS 1.3, and data at rest is encrypted using AES-256 encryption.

You may request a copy of the safeguards we have put in place by contacting privacy@arcbase.com.

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

Data Category                         Retention Period                    Basis
Account data                          Duration of account + 30 days       Contract
Usage and audit logs                  2 years from creation               Legitimate interest / Legal obligation
GRC data (risks, controls, evidence)  Duration of subscription + 90 days  Contract
Billing and payment records           7 years from transaction            Legal obligation (tax/accounting)
Cookie consent records                1 year from consent                 Legal obligation (ePrivacy)
Marketing consent records             Duration of consent + 3 years       Legal obligation (GDPR accountability)

Upon expiration of the retention period, data is securely deleted or anonymised. You may request earlier deletion by exercising your right to erasure (see "Your Rights" below).

Your Rights Under GDPR

If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:

Right of Access (Art. 15)

Request a copy of the personal data we hold about you, along with information about how it is processed.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data.

Right to Erasure (Art. 17)

Request deletion of your personal data when it is no longer necessary, or when you withdraw consent.

Right to Restriction of Processing (Art. 18)

Request that we limit the processing of your data in certain circumstances.

Right to Data Portability (Art. 20)

Receive your personal data in a structured, commonly used, machine-readable format.

Right to Object (Art. 21)

Object to processing based on legitimate interests, including profiling. Object to direct marketing at any time.

Right to Withdraw Consent (Art. 7(3))

Withdraw consent at any time for processing activities based on consent (e.g., cookies, marketing).

Right to Lodge a Complaint (Art. 77)

Lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.

How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@arcbase.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request. If your request is complex or we receive a high volume of requests, we may extend the response period by an additional 60 days, and we will inform you of the extension and the reasons for it.

Cookies

Arcbase uses cookies and similar technologies to provide core functionality, remember your preferences, and improve our platform. We obtain your consent before setting any non-essential cookies in accordance with the ePrivacy Directive and GDPR.

For detailed information about the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

Children's Privacy

Arcbase is a business-to-business platform designed for professional use. Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.

If you believe that we have inadvertently collected data from a child under 16, please contact us at privacy@arcbase.com.

DSA Transparency

In accordance with the Digital Services Act (DSA), we provide the following information:

Content Moderation

Arcbase is a SaaS platform where organisations manage their own GRC data. We do not host user-generated content for public distribution. Content uploaded to Arcbase (policies, evidence, reports) is accessible only to authorised members of your organisation. We reserve the right to remove content that violates our Terms of Service or applicable law.

Complaint Mechanism

If you believe content on our platform violates applicable law or our Terms of Service, you may submit a complaint to privacy@arcbase.com. We will review complaints within 14 business days and provide a reasoned response.

Transparency Reporting

We will publish annual transparency reports on content moderation actions, as required by the DSA. These reports will be made available on this page.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you via email or an in-platform notification for significant changes
  • Where required by law, obtain your consent to the updated policy

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

Contact and Data Protection Officer

For any questions, concerns, or requests related to this Privacy Policy or your personal data:

Data Protection Officer

Email: privacy@arcbase.com

General Inquiries

Email: hello@arcbase.com

Postal Address

[Company Name]

[Registered Address]

[City, Country, Postal Code]

You also have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.