Privacy Policy
Last updated June 15, 2026 · Version 1
Privacy Policy
Effective date: June 15, 2026 Last updated: June 15, 2026
Arcflux, Inc., a Delaware corporation ("Arcflux," "we," "us," or "our"), provides a platform for building and running agentic workflows. This Privacy Policy explains how we collect, use, share, and protect personal information when you visit arcflux.ai, join our waitlist, or use the Arcflux platform and related services (together, the "Services").
By using the Services, you agree to the practices described here. If you do not agree, please do not use the Services.
1. Two different roles, two different sets of rules
Arcflux handles personal information in two distinct capacities, and it is important to understand which one applies:
- As a controller — for information about you as a website visitor, waitlist subscriber, account holder, or billing contact, and for the operation of our business. This Privacy Policy governs that information.
- As a processor — for the data that your workflows ingest, process, and act on ("Customer Data"), including content drawn from connected integrations and the payloads of real-time device or message streams. When you run workflows, you (or your organization) decide what data enters them and why, so you act as the controller and Arcflux processes that data on your behalf. Our handling of Customer Data is governed by the Data Processing Agreement (DPA) and your customer agreement, not by this Privacy Policy. If any term conflicts, the DPA controls for Customer Data.
2. Information we collect
Information you provide to us
- Waitlist and contact details — your email address, and any name or company information you submit when joining the waitlist or contacting us.
- Account information — name, email, password credentials, organization name, role, and team membership when you create or join an account.
- Billing information — your plan, billing contact, billing address, and transaction history. Card details are collected and processed directly by our payment processor; we do not store full card numbers.
- Workflow and configuration data — the workflows, prompts, policies, and settings you create in Arcflux Studio. (Note: the content your workflows process at runtime is Customer Data under Section 1.)
- Channel and connection settings — when you connect a real-time channel (MQTT, NATS, or AMQP) or an integration, we collect the configuration needed to operate it, such as broker or endpoint addresses, topic and subscription settings, access-control rules, and the connection credentials or certificates you supply. The device telemetry and messages that then flow through those channels are Customer Data, governed by the DPA.
- Knowledge base content — files and material you upload to power knowledge lookups, to the extent it contains personal information about you or your contacts.
- Community and support interactions — the contents of messages, requests, and feedback you send us by email or through our support channels, and content you share when you interact with us on community or social platforms (for example, GitHub or LinkedIn).
Information we collect automatically
- Usage data — actions you take in the Services, features used, workflow run metadata, timestamps, and similar diagnostic information.
- Device and connection data — IP address, browser type, operating system, device identifiers, and referring or exit pages.
- Approximate location — we may infer your approximate location (for example, city or region) from your IP address, to operate, secure, and localize the Services.
- Cookies and similar technologies — see Section 10.
- Logs and audit records — system, security, and run-level logs we keep to operate, secure, and debug the Services.
Information we receive from third parties
- Connected integrations — when you authorize an integration or MCP server (for example, a project tracker, chat tool, or database), we receive data from that service as needed to run your workflows, at your direction and scoped to the relevant workflow.
- Authentication providers — if you sign in via SSO/SAML or a third-party login, we receive basic profile and authentication details from that provider.
- Payment processor — confirmation and limited transaction details needed to manage billing.
We may combine information from these sources with information we collect directly, to operate, secure, and improve the Services.
3. How we use information
We use personal information to:
- provide, maintain, and operate the Services, including building, running, and governing workflows;
- create and manage accounts, authenticate users, and enable team access;
- process payments, manage subscriptions, and track credit usage;
- respond to support requests and communicate with you about the Services;
- monitor, secure, debug, and improve the Services, and detect and prevent fraud, abuse, and security incidents;
- send administrative and transactional messages, and — where permitted — product or marketing communications you can opt out of; and
- comply with legal obligations and enforce our terms.
Where required by law, we rely on a lawful basis for each use — typically performance of our contract with you, our legitimate interests in operating and securing the Services, your consent (for example, certain marketing or cookies), or compliance with a legal obligation.
We may also de-identify or aggregate personal information so that it no longer identifies you, and use or share that de-identified or aggregated information for purposes such as analytics, research, and improving the Services.
4. AI processing and model providers
The Services route data to third-party large language model (LLM) providers — including OpenAI, Anthropic, Google, xAI, and Groq — so that the model steps in your workflows can run. You choose which model runs at each step.
- Data sent to a model provider is processed under that provider's terms in order to return a result to your workflow.
- We do not use your prompts, Customer Data, or outputs to train our own models, and we contract with model providers on terms intended to prevent the use of your data to train their models. Provider practices can change, so review the current Subprocessors list and the providers' own policies.
- Workflows run with per-workflow scoping, and risky steps can be gated behind human approval, giving you control over what data is processed and what actions are taken.
AI outputs may be inaccurate or incomplete. You are responsible for reviewing outputs and any actions your workflows take. This section describes data handling only; your rights and our liability regarding outputs are addressed in the Terms of Service.
5. How we share information
We share personal information only as described here:
- Service providers and subprocessors — vendors that host our infrastructure, process payments, provide analytics and error monitoring, deliver email, and supply the model providers in Section 4. They may access information only to perform services for us and under appropriate confidentiality and data-protection obligations. See Section 6.
- Integrations you connect — when your workflow sends data to a service you have connected, that data is shared with the third party at your direction and is then governed by that third party's terms and privacy policy.
- Within your organization — account and usage information may be visible to administrators and other members of your team or organization.
- Legal and safety — where we believe disclosure is reasonably necessary to comply with law, respond to lawful requests, enforce our terms, or protect the rights, safety, and security of Arcflux, our users, or the public.
- Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to the protections in this policy.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
6. Subprocessors
We use third-party subprocessors to provide the Services, including infrastructure hosting, the LLM providers listed in Section 4, our payment processor, and operational tools. A current list of subprocessors is available at Subprocessors. Where required, we provide a mechanism for customers to receive notice of changes to that list under the DPA.
7. International data transfers
We and our service providers may process information in countries other than where you live, including the United States and [OTHER COUNTRIES WHERE YOU OR YOUR PROVIDERS OPERATE]. These countries may have data-protection laws that differ from those in your jurisdiction. Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been recognized as providing adequate protection, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum). You can contact us for more information about these safeguards.
8. Data retention
We retain personal information for as long as needed to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Retention periods depend on the type of data and the purpose for which it was collected — for example, [account data for the life of the account plus DELETION/GRACE PERIOD], [billing records for STATUTORY PERIOD], and [logs for LOG RETENTION PERIOD]. When information is no longer needed, we delete or de-identify it; where deletion is not immediately possible (for example, in backups), we isolate the information until deletion can occur. Retention and deletion of Customer Data are governed by the DPA.
9. Security
We use technical and organizational measures designed to protect personal information, including encryption in transit, per-workflow scoping, access controls, and run-level auditing. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. [SSO/SAML and dedicated data isolation are available on enterprise plans / on our enterprise roadmap — confirm current status before publishing.]
10. Cookies and tracking
We and our providers use cookies and similar technologies to operate the site, remember your preferences, and understand usage. You can control non-essential cookies through our cookie banner and your browser settings. Because there is no common industry standard for interpreting browser "Do Not Track" signals, the Services do not currently respond to them; you can still use the controls described here and in our Cookie Policy. For details on the specific cookies we use and your choices, see our Cookie Policy.
11. Your privacy rights
Depending on where you live, you may have some or all of the following rights regarding your personal information: to access it, correct it, delete it, receive a portable copy, restrict or object to certain processing, and withdraw consent where processing is based on consent. You also have the right not to be discriminated against for exercising these rights.
You can opt out of marketing emails at any time using the unsubscribe link or your account settings; you will still receive non-promotional, transactional messages about the Services.
To make a request, contact us at info@arcflux.ai [or via our data-request portal at LINK]. We will verify your request and respond within the timeframe required by applicable law. You may use an authorized agent where the law permits. If we process your information as a processor on behalf of one of our customers, we will direct your request to that customer.
EEA and UK
If you are in the EEA, UK, or Switzerland, Arcflux is the controller of the information described in this policy and processes it on the following lawful bases:
- Performance of a contract — to create and operate your account, deliver the Services, and process payments.
- Legitimate interests — to secure, monitor, debug, and improve the Services, prevent fraud and abuse, and communicate with you about your account and enquiries.
- Consent — for optional marketing and non-essential cookies (which you can withdraw at any time).
- Legal obligation — to meet our financial, tax, and other legal requirements.
The categories of recipients with whom we share this information are described in Section 5 and itemized in our Subprocessors list. You have the right to lodge a complaint with your local supervisory authority. [Identify and name your EU/UK representative, and provide their contact details, if you are required to appoint one.]
California
If you are a California resident, you have rights under the CCPA/CPRA, including the right to know, delete, and correct personal information, and to opt out of sale or sharing — though, as stated in Section 5, we do not sell or share personal information for cross-context behavioral advertising. We do not knowingly process the sensitive personal information of California residents for purposes that would trigger a right to limit its use beyond what is described here.
Other regions
Residents of other jurisdictions — including New Zealand (Privacy Act 2020), Australia, and Canada — may have rights under local law. [Confirm Arcflux's place of establishment and appoint a privacy officer / nominate a contact where required, e.g., under the NZ Privacy Act.] Contact us at info@arcflux.ai to exercise any rights available to you.
12. Children's privacy
The Services are intended for businesses and are not directed to children. We do not knowingly collect personal information from anyone under 18 [confirm or adjust this age]. If you believe a child has provided us personal information, contact us and we will take appropriate steps to delete it.
13. Third-party links and services
The Services may link to or integrate with third-party websites and services we do not control. This policy does not apply to those third parties, and we are not responsible for their practices. Review their privacy policies before providing them information.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, provide additional notice. Your continued use of the Services after a change takes effect means you accept the revised policy.
15. How to contact us
If you have questions about this Privacy Policy or our privacy practices, contact us at:
Arcflux, Inc. 2261 Market Street, STE 65143 San Francisco, CA 94114, United States Email: info@arcflux.ai