1. Data Controller
The data controller responsible for processing your personal data is:
ArcaScience SAS
8 rue Jean-Antoine de Baif, 75013 Paris, France
Website: arcascience.ai
Email: privacy@arcascience.ai
ArcaScience is registered in France and operates as an EU data controller under the General Data Protection Regulation (GDPR). Our US office is located at 440 N Wolfe Rd, Sunnyvale, CA 94085, USA.
2. Data We Collect
We collect and process the following categories of personal data:
Usage Analytics
When you visit our website, we automatically collect technical data including your IP address (anonymized), browser type and version, operating system, referring URL, pages visited, time spent on pages, and interaction events. This data is collected through cookies and similar tracking technologies.
Form Submissions
When you submit a contact form, request a demo, or subscribe to our communications, we collect the information you provide, including your name, business email address, company name, job title, phone number, and the content of your message or inquiry.
Platform Usage Data
For clients accessing the ArcaScience platform, we collect authentication credentials, user activity logs, feature usage metrics, and session data. This data is governed separately by individual Data Processing Agreements (DPAs) with each client.
Cookies and Tracking Technologies
We use strictly necessary, analytics, functional, and marketing cookies. For detailed information on the cookies we use, please refer to our Cookie Policy.
3. Processing Purposes
We process your personal data for the following purposes:
Service delivery: To provide, maintain, and improve the ArcaScience platform and website.
Communication: To respond to inquiries, send service-related notifications, and provide customer support.
Marketing: To send relevant industry communications, product updates, and event invitations (with your consent).
Analytics: To understand website usage patterns, optimize content, and improve user experience.
Security: To detect, prevent, and respond to security incidents, fraud, and abuse.
Legal compliance: To comply with applicable laws, regulations, and legal processes.
4. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation, we rely on the following legal bases for processing your personal data:
Contractual Necessity (Art. 6(1)(b))
Processing necessary for the performance of our service agreements, including platform access, account management, and customer support.
Legitimate Interest (Art. 6(1)(f))
Processing necessary for our legitimate business interests, including website analytics, security monitoring, and service improvement, balanced against your fundamental rights and freedoms.
Consent (Art. 6(1)(a))
Processing based on your freely given consent, including marketing communications and non-essential cookies. You may withdraw consent at any time.
Legal Obligation (Art. 6(1)(c))
Processing necessary to comply with applicable legal and regulatory requirements, including tax obligations and responding to lawful data requests.
5. Third-Party Processors
We share personal data with the following categories of third-party processors, each bound by Data Processing Agreements:
| Processor | Purpose | Location |
|---|---|---|
| Google Analytics 4 | Website analytics | EU/US |
| HubSpot | CRM, marketing automation | US (DPF certified) |
| Webflow | Website hosting | US (DPF certified) |
| Amazon Web Services | Cloud infrastructure (platform) | EU (Frankfurt) |
| Intercom | Customer support | US (DPF certified) |
| SendGrid | Transactional email | US (DPF certified) |
DPF = EU-US Data Privacy Framework
6. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy:
Website analytics data: 14 months from collection, then aggregated and anonymized.
Contact form submissions: 24 months from submission, unless a business relationship is established.
Client platform data: Duration of the service agreement plus 12 months, unless otherwise specified in the DPA.
Marketing consent records: Duration of consent plus 3 years for compliance documentation.
Legal and regulatory records: As required by applicable law (typically 5–10 years).
7. International Data Transfers
ArcaScience is headquartered in France (EU) and operates an office in Sunnyvale, California (US). Personal data may be transferred between these locations and to third-party processors located outside the European Economic Area (EEA).
For transfers to the United States, we rely on the following safeguards:
EU-US Data Privacy Framework (DPF): Where third-party processors are DPF certified, transfers are made under this adequacy framework.
Standard Contractual Clauses (SCCs): For transfers not covered by the DPF, we implement the European Commission's Standard Contractual Clauses, supplemented by transfer impact assessments.
Intra-group transfer agreement: Transfers between our Paris headquarters and Sunnyvale office are governed by an intra-group data transfer agreement incorporating SCCs.
8. Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data:
Right of Access
Obtain confirmation of whether we process your personal data and request a copy of that data.
Right to Rectification
Request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure
Request deletion of your personal data when it is no longer necessary for processing purposes.
Right to Restriction
Request that we limit the processing of your personal data in certain circumstances.
Right to Data Portability
Receive your personal data in a structured, commonly used, machine-readable format.
Right to Object
Object to processing based on legitimate interest or for direct marketing purposes.
To exercise any of these rights, please contact our Data Protection Officer at dpo@arcascience.ai. We will respond within 30 days. You also have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés), the French supervisory authority, or your local data protection authority.
9. CCPA Disclosures (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information.
Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories: identifiers (name, email, IP address), internet activity (browsing history, interactions with our website), and professional information (company name, job title).
Your CCPA Rights
Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
Right to Delete: Request deletion of personal information we have collected from you.
Right to Opt-Out: We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA.
Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To submit a CCPA request, email privacy@arcascience.ai with the subject line "CCPA Request."
11. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
Encryption of data in transit (TLS 1.3) and at rest (AES-256).
SOC 2 Type II certified infrastructure and operational controls.
ISO 27001 certified information security management system.
Role-based access controls with multi-factor authentication.
Regular penetration testing and vulnerability assessments.
Incident response plan with 72-hour breach notification capability (per GDPR Art. 33).
12. Data Protection Officer
ArcaScience has appointed a Data Protection Officer (DPO) to oversee compliance with data protection regulations. For any questions or requests regarding this privacy policy or your personal data, please contact:
Data Protection Officer
ArcaScience SAS
8 rue Jean-Antoine de Baif, 75013 Paris, France
Email: dpo@arcascience.ai
13. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on this page with a revised "Last updated" date.
We encourage you to review this policy periodically. Your continued use of our website and services after any changes constitutes acceptance of the updated policy.