This Privacy Policy ("Policy") describes how Joswin P Satheesh, sole proprietor, operating under the laws of the Republic of India ("Arc," "we," "us," or "our"), collects, uses, shares, and protects personal information about users ("you," "your") of the Arc mobile application and related services (collectively, the "Service").
By using Arc, you acknowledge that you have read and understood this Policy. If you do not agree with any part of this Policy, do not use the Service.
Grievance contact (DPDP Act 2023): Joswin P Satheesh, Grievance Officer · Email: arc.app.contact@gmail.com · Postal: Kottayam, Kerala, India (full address available on written request). We acknowledge grievances within 7 days and respond substantively within 30 days.
1. Scope and Applicability
This Policy applies to all users of Arc globally. Additional jurisdiction-specific provisions appear in Section 15 (Regional Privacy Rights). If you are located in India, the European Union, United Kingdom, California, Brazil, or Canada, please review those provisions in addition to the rest of this Policy.
2. Information We Collect
2.1 Information You Provide During Onboarding
- Your chosen identity (e.g., "a disciplined person who keeps their word") — the identity you want to become, used to personalise daily actions
- Your stated obstacle — what you said is blocking you, used to inform AI-generated content
- Self-assessed starting points — your numeric ratings for consistency, motivation, and clarity
- Preferred notification time — morning, midday, or evening
- Your "why now" answer — free-text response describing why you opened Arc today
2.2 Information You Generate Through Use
- Daily action completions — which AI-generated actions you completed, when, and whether you skipped or completed each day
- Energy check-ins — your post-action energy rating (1–5) and any optional reflection note you choose to add
- Streak data — current streak, best streak, total completed days, freeze usage
- Focus session metadata — duration, completion status, and your self-rated focus level
- Challenge progress — which 30-day challenge you started, days completed, missed days, day-15 mid-challenge report viewed status
- Achievement and rank progression — which achievements you've earned, when, your current rank
- Weekly report engagement — whether you viewed or shared each weekly identity report
- Mirror views — which Mirror milestones (Day 30, 60, 90, 180, 365) you have viewed, the AI-generated reflection text associated with each, viewed timestamps, and whether you shared each
- Compass snapshots — daily identity-radar values (your evolving consistency, motivation, clarity, energy) calculated from your actions, used to visualise progress over time
- Time capsule letters — text content you write to your future self, the milestone trigger you wrote it under, sealed timestamp, and scheduled delivery date. Stored encrypted in transit and accessible only to you.
2.3 Information Collected Automatically
- Anonymous user identifier — a pseudonymous UUID we generate via Supabase Auth to recognise your device across sessions. By default, this is not linked to your name, email, or any other personal identifier.
- Push notification token — an Expo Push token (which Expo's servers route to Firebase Cloud Messaging for Android delivery), used solely to deliver notifications you've consented to. Stored in our database alongside your anonymous user ID.
- Timezone — captured from your device on first launch (e.g., "Asia/Kolkata"). Used to schedule notifications at your local time.
- Notification log — type, send timestamp, delivery status, and whether you opened each notification. Used for delivery audit and to prevent duplicate sends.
- Subscription status — whether you are a paying subscriber, your plan (monthly/yearly), and renewal status. Received from Google Play Billing.
- App version and device information — sent automatically by Expo / Google Play to diagnose crashes and serve updates via EAS Updates.
2.4 Information Collected If You Choose to Sign In (Optional)
Arc is anonymous by default. If you choose to sign in — an optional step that lets your data follow you to a new device or reinstall — we collect the following from your authentication provider:
- Email address — collected if you sign in with Google (taken from your Google account) or with email magic-link (you provide it directly). Linked to your existing anonymous user identifier so the same data continues to be yours after sign-in.
- Display name — collected if you sign in with Google (taken from your Google profile). We store this but do not currently display it inside the app.
- Authentication metadata — a Google account identifier (Google's sub) or email-link verification token, both managed by Supabase Auth. Used only to recognise you on subsequent sign-ins.
You can use Arc fully without ever signing in. Signing in is offered only as a means to back up your identity, streak, and history across devices, and to recover your account if you reinstall the app.
2.5 Information We Do NOT Collect
- We do not collect your real name unless you voluntarily type it into a free-text field, or unless your Google account provides it during optional sign-in (see Section 2.4)
- We do not collect your email address by default. We collect it only if you choose to sign in (see Section 2.4) — this is optional and not required to use Arc.
- We do not collect your phone number, physical address, or government-issued IDs
- We do not collect biometric data
- We do not access your contacts, photos, microphone, camera, calendar, files, or other apps on your device
- We do not track your precise location (we only store the timezone you're in)
- We do not collect payment card details — those are handled exclusively by Google Play Billing
- We do not use analytics SDKs (no PostHog, Sentry, Mixpanel, Amplitude, etc. at present)
- We do not use advertising or marketing trackers
3. How We Use Information
We process the information above only for the following purposes:
- To provide the core Service: generating your daily AI micro-action, tracking your streak and alignment score, awarding achievements and ranks, producing your weekly identity report, running focus sessions and 30-day challenges
- To deliver notifications you've consented to: daily reminder at your chosen time (with the day's action body), streak-defense alerts in the evening when you're at risk of breaking a streak, and weekly identity report ready notifications on Mondays
- To process payments: verifying subscription status via Google Play Billing and unlocking premium access
- To improve the Service: reviewing crash and delivery logs to fix bugs (no third-party analytics)
- To provide customer support: responding to your inquiries
- To detect fraud and abuse: preventing payment fraud and enforcing our Terms of Service
- To comply with legal obligations: responding to lawful requests from authorities, complying with tax laws applicable to us
4. Legal Bases for Processing (GDPR / UK GDPR)
If you are in the European Economic Area, United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contractual necessity (Art. 6(1)(b)): to provide the subscription Service, including AI-generated daily actions, progress tracking, and payment processing
- Legitimate interests (Art. 6(1)(f)): to improve the Service, prevent fraud, ensure security, and detect abuse. You may object to processing on this basis.
- Consent (Art. 6(1)(a)): for push notifications. You may withdraw consent at any time by disabling each notification type in Profile or revoking the OS-level permission.
- Legal obligation (Art. 6(1)(c)): for tax records and responses to lawful authority requests
5. Artificial Intelligence Processing
Arc uses one third-party AI service to generate personalised content. You should know how this works.
5.1 What AI service we use
We currently use Google Gemini (model: gemini-2.5-flash-lite) via Google's Generative Language API. All AI calls are proxied through our Supabase Edge Functions; the AI provider never sees your IP, device ID, or any identifier we don't explicitly send.
5.2 What we send to the AI provider
When generating content, we send only the following minimal context:
- Daily action: your chosen identity label, stated obstacle, preferred time-of-day, and up to 5 recent action texts (so the AI avoids repetition)
- Onboarding sentence: your chosen identity label and your "why now" answer
- Streak milestone message: your chosen identity label, current streak day number, and current alignment score
- Mid-challenge report (day 15): the challenge template, your day-by-day completion pattern, and identity context
- Weekly identity report: the past week's completion pattern, energy ratings, and identity context
- Mirror reflection (Day 30 / 60 / 90 / 180 / 365): your identity, stated obstacle, your "why now" answer, completed-day count, missed-day count, and your average energy pattern over the period leading up to that milestone
5.3 What we never send
We do not send your anonymous user ID, your email address, your IP address, your push token, your timezone, your device information, your subscription status, your name, or any payment data to the AI provider.
5.4 AI provider's data practices
Google contractually agrees, under its Generative Language API terms, that data sent via the API is not used to train Google's foundation models. See Google Gemini API Additional Terms.
5.5 Storing AI output
AI-generated content (your daily action texts, milestone messages, weekly insights) is stored in our database alongside the rest of your data so you can revisit it. It is deleted when your account is deleted.
6. How We Share Information
6.1 Service Providers (Data Processors)
We share personal data with the following third-party processors solely to operate the Service. Each is contractually bound to use your data only for the purposes we authorise:
- Supabase, Inc. (database, authentication — both anonymous and optional Google sign-in / email magic-link, file storage, Edge Functions, scheduled jobs) — United States / European Union
- Google LLC — Sign in with Google (OAuth 2.0 identity provider, used only if you opt to sign in with Google. We receive your Google email address and display name from this provider via Supabase Auth.) — United States
- Google LLC — Gemini API (AI content generation as described in Section 5) — United States
- Google LLC — Firebase Cloud Messaging (FCM) (Android push notification delivery, transparent to you, routed via Expo Push Service) — United States
- Google LLC — Play Billing (subscription processing) — United States
- RevenueCat, Inc. (subscription entitlement management abstracting Google Play Billing; receives your pseudonymous user ID and subscription transaction details from Play Billing to determine whether you have an active Pro entitlement) — United States
- Expo, Inc. (Expo Push Service relay, EAS Build and EAS Update infrastructure) — United States
- Vercel Inc. (hosting for this Privacy Policy, Terms of Service, and the auth verification landing page at arcapp.online/auth/confirm) — United States
- Resend, Inc. (custom SMTP relay used to send Arc's authentication emails — verification links, sign-in magic-links, and email-change confirmation links sent from noreply@arcapp.online; receives your email address only when you initiate optional sign-in or account-linking, together with the link content needed to deliver the email) — United States, with mail routed via AWS Simple Email Service infrastructure in the European Union
6.2 Legal and Regulatory Disclosures
We may disclose personal data when we believe disclosure is necessary to:
- Comply with applicable laws, regulations, court orders, or government requests (including the DPDP Act 2023 and Indian law enforcement requests)
- Enforce our Terms of Service
- Protect the rights, property, or safety of Arc, our users, or others
- Detect, prevent, or address fraud, security, or technical issues
6.3 Business Transfers
If Arc is acquired, merged with another entity, or its assets are transferred, your personal data may transfer to the new owner. We will notify you via in-app notice at least 30 days before your data becomes subject to a different privacy policy.
6.4 What We Never Do
- We do not sell personal data to anyone, ever, under any definition of "sale"
- We do not share personal data with advertisers or advertising networks
- We do not allow third parties to track you across other apps or websites via Arc
- We do not use your data for purposes outside providing the Service
7. International Data Transfers
Arc's primary infrastructure is hosted by Supabase in the European Union, with Edge Functions running in the same region. AI calls to Google Gemini and push notifications via Expo Push / FCM are processed in the United States. If you access the Service from outside these regions, your data is transferred to and stored in them.
For users in the EEA, UK, and Switzerland: we rely on Standard Contractual Clauses (Module 2 — Controller-to-Processor) approved by the European Commission for transfers to processors outside the EEA. A copy of these safeguards is available on request at arc.app.contact@gmail.com.
8. Your Rights
Subject to applicable law, you have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you
- Rectification: correct inaccurate or incomplete data
- Erasure: request deletion of your personal data, subject to legal exceptions
- Portability: receive your data in a structured, machine-readable format (JSON export)
- Restriction: request that we limit how we process your data
- Objection: object to processing based on legitimate interests
- Withdraw consent: withdraw consent for notifications at any time by disabling them in Profile or revoking the OS-level permission
- Right not to be subject to automated decision-making: Arc does not make decisions producing legal or similarly significant effects based solely on automated processing. AI suggestions are advisory only.
- Lodge a complaint: with your local data protection authority
How to exercise these rights: Email us at arc.app.contact@gmail.com with the subject "Privacy Rights Request." We will respond within 30 days (extendable to 60 days for complex requests).
You can also reset all your data inside the app: Profile → Become someone else. This wipes your identity, streak, action history, and all check-ins. Because the Service is anonymous by default, this effectively deletes your personal data from your perspective; the anonymous user record on the server is purged within 30 days unless retention is required by law.
9. Data Retention
We retain personal data only as long as necessary for the purposes set out in this Policy:
- Active accounts: retained for the duration of your use
- Cancelled subscriptions: retained for 90 days after cancellation in case of reactivation, then deleted unless you request immediate deletion
- Inactive anonymous accounts: deleted after 180 days of no activity
- Reset accounts (via "Become someone else"): data removed within 30 days; aggregated and anonymised data may be retained indefinitely
- Tax and financial records: retained for 7 years as required by Indian tax law (Income Tax Act, 1961)
- Notification delivery logs: retained for 90 days then purged
- Crash and diagnostic data: retained for 90 days then purged
- Database backups: may persist up to 35 days after deletion due to disaster-recovery rotation, then overwritten
10. Children's Privacy
Arc is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13.
If we become aware that we have inadvertently collected data from a child under 13, we will delete the data immediately. If you believe a child has provided us with personal information, please contact us at arc.app.contact@gmail.com.
For users between 13 and the age of legal majority in their jurisdiction (typically 18), the Service should only be used with parental or guardian consent and supervision. Where required by applicable law (e.g. GDPR-K in some EU member states which sets the digital age of consent above 13), parental consent is required before processing personal data.
11. Security
We implement reasonable technical and organisational safeguards to protect your personal data:
- Encryption in transit: all API communications use TLS 1.2 or higher
- Encryption at rest: Supabase database storage encrypted via AES-256
- Row-level security: Postgres RLS policies prevent users from accessing each other's data
- Secret storage: AI provider API keys and push credentials stored in Supabase Vault, never in the application code or in version control
- Authentication: via Supabase anonymous authentication; no passwords are stored
- Access controls: production database access limited to the sole operator (Joswin P Satheesh)
- Security updates: we apply security patches to dependencies promptly via Expo SDK and Supabase upgrades
No security measures are perfect. If we become aware of a data breach affecting your personal information, we will notify you and the relevant authorities within 72 hours (or as required by applicable law).
12. Cookies and Local Storage
The Arc mobile application does not use cookies. We use the following local storage technologies on your device:
- Anonymous session token: stored locally via Expo SecureStore to keep you signed in across launches
- App preferences: your onboarding state, notification time choice, identity, and progress cached locally via AsyncStorage and synced to our servers
- Push notification token: stored locally and transmitted to our servers to enable notifications
You can clear all of this by uninstalling the app or by clearing app data in your device settings.
13. Third-Party Services and Links
The Service may link to third-party websites — including AI provider terms (Google), Supabase, Expo, and Google Play. We are not responsible for the privacy practices of those websites. Please review their privacy policies separately.
14. Changes to This Policy
We may update this Policy from time to time. When we do:
- We will update the "Last updated" date at the top
- For material changes affecting your rights or how we use your data, we will provide at least 30 days' advance notice via in-app notification
- For changes requiring renewed consent under applicable law, we will request your consent before they take effect
- Continued use of the Service after the effective date constitutes acceptance of the updated Policy
Previous versions are available upon request.
15. Regional Privacy Rights
15.1 India (DPDP Act 2023)
If you are in India, your personal data is processed in accordance with the Digital Personal Data Protection Act 2023. You have the right to:
- Access information about personal data we process about you
- Correct, complete, or update your personal data
- Erase your personal data, subject to legal retention requirements
- Nominate another person to exercise your rights in case of death or incapacity
- Grievance redressal through our Grievance Officer (contact details at the top of this Policy)
Grievance Officer: Joswin P Satheesh. We acknowledge grievances within 7 days and substantively respond within 30 days. If your grievance is not resolved, you may approach the Data Protection Board of India under Section 27 of the DPDP Act 2023.
15.2 European Economic Area, United Kingdom, and Switzerland
In addition to the rights described in Section 8, you have the right to lodge a complaint with your local supervisory authority. For EU residents, see the EDPB member directory. For UK residents, see the Information Commissioner's Office.
EU/UK Representative: Arc currently does not have an appointed EU/UK Representative under GDPR Article 27. If you are an EU or UK resident and require a local point of contact, please email arc.app.contact@gmail.com. We will appoint a representative if our user base in those jurisdictions makes it legally required.
15.3 California (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to Know: request disclosure of categories and specific pieces of personal information collected
- Right to Delete: request deletion of personal information
- Right to Correct: request correction of inaccurate personal information
- Right to Opt-Out of Sale or Sharing: we do not sell or share personal information for cross-context behavioural advertising
- Right to Limit Use of Sensitive Personal Information: we do not collect sensitive personal information beyond what is described in Section 2
- Right to Non-Discrimination: we will not discriminate against you for exercising any of these rights
Categories of personal information collected in the past 12 months (per CCPA definitions): identifiers (anonymous user ID, push token), internet activity (action completion patterns), inferences (energy averages, completion rates), commercial information (subscription status). We do not collect categories listed in subdivisions (a)(9) or (10) of CCPA (biometric, sensitive personal information).
To exercise these rights: email arc.app.contact@gmail.com with subject "California Privacy Rights Request."
15.4 Brazil (LGPD)
If you are a Brazilian resident, you have rights under Lei Geral de Proteção de Dados including the rights described in Section 8. You may file complaints with the Autoridade Nacional de Proteção de Dados (ANPD).
15.5 Canada (PIPEDA)
If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act, including access to your personal information and the ability to challenge its accuracy. Complaints may be filed with the Office of the Privacy Commissioner of Canada.
15.6 Australia (Privacy Act 1988)
If you are an Australian resident, you have rights under the Australian Privacy Principles. Complaints may be made to the Office of the Australian Information Commissioner.
15.7 South Africa (POPIA)
If you are a South African resident, you have rights under the Protection of Personal Information Act 4 of 2013, including the right to lodge a complaint with the Information Regulator.
15.8 Other Jurisdictions
Users in jurisdictions not listed retain the rights described in Section 8 and any additional rights granted by local law.
16. Do Not Track Signals
Arc is a mobile application and does not engage in cross-site tracking. Mobile platforms (Android) provide their own privacy controls (App permissions, OS-level notification controls) which Arc respects.
17. Contact Information
For privacy-related questions, complaints, or to exercise your rights:
- Email: arc.app.contact@gmail.com
- Postal mail: Joswin P Satheesh, Kottayam, Kerala, India (full address available on written request)
- Grievance Officer (DPDP Act 2023): Joswin P Satheesh, same contact details as above
We aim to respond to all privacy inquiries within 7 business days, and formal rights requests within the timeframes specified in applicable law.