— LEGAL / PRIVACY POLICY

Privacy Policy

What personal information ArcSync processes, why we process it, who we share it with, and the rights you have.

Effective 2026.05.02 Version 1.0-draft · Last edited 2026.05.02

The short version

ArcSync collects just enough data to authenticate you, charge you (if you pay), parse the repos you point us at, and improve the product. Your source code is cloned ephemerally and discarded — we keep parsed graph metadata, not your code. We never train ML models on your code or diagrams and we don't run advertising or retargeting pixels.

Draft for review. This document was generated from a codebase audit and is awaiting attorney review before publication. It is not legal advice. Several sections still contain [FILL IN] placeholders that depend on the operating entity's choices.

— Section 01

Introduction#

[Entity name] ("we," "us," "our") operates ArcSync at arcsync.dev. ArcSync generates interactive architecture diagrams from infrastructure-as-code. This policy explains what personal information we process, why we process it, who we share it with, and the rights you have.

— Section 02

Information We Process#

2.1 Information you provide

Account data — when you sign in via Auth0, we receive your email, name, profile picture, and the identifier of the social provider you used (e.g. Google, GitHub).
Repository identifiers — the repository URL, branch, and commit SHA you submit for diagram generation.
Diagram content — your saved graphs, layout overrides, custom labels, thumbnails, and visibility settings.
Billing information — when you subscribe, your payment method and billing details are collected by Stripe; we receive a Stripe customer and subscription identifier and the tier you selected. We do not store your card number.
Support communications — content of any messages you send via the Team-tier contact form (/contact/team).

2.2 Information collected automatically

Product analytics (PostHog) — events corresponding to product actions, associated to your Auth0 user identifier. We do not include email addresses, names, or content in event properties. Autocapture and pageview tracking are enabled.
Logs — server logs include IP address, user-agent, request path, and timing.
Approximate location — derived from IP address (city/country level). We do not collect precise geolocation.
Cookies and local storage — see the table below.

2.3 Information from third parties

From Auth0 — verified identity claims when you log in or link a secondary identity. A post-login Auth0 Action auto-links identities that share a verified email.
From GitHub (App installation) — when you install the ArcSync GitHub App, we receive the installation ID, GitHub account or organization login, and the list of repositories you've authorized us to read. Webhook events for installation, installation_repositories, and push are received and dispatched by our /github/webhook endpoint.
From Stripe — subscription and payment status events via webhook.

2.4 Cookies and similar technologies

Category	Purpose	Examples	Duration
Strictly necessary	Authentication and session	Auth0 SPA SDK persistence (`@@auth0spajs@@::*` in localStorage)	Session / refresh-token lifetime
Analytics	Product usage measurement	PostHog cookies and localStorage	`[Per PostHog default — FILL IN if customized]`
Preference	UI state, redirect-loop guards	`sessionStorage` keys (e.g. `__as_marketing_redirect_at__`)	Session

We do not use advertising or retargeting cookies. No third-party advertising or attribution pixels (Meta, LinkedIn, Google Ads, X, etc.) are present in our application.

— Section 03

Purposes and Legal Bases (GDPR Art. 6)#

Purpose	Data categories	Legal basis
Provide and operate the service	Auth0 identity, repo URL, parsed graph data, overrides	Contractual necessity (Art. 6(1)(b))
Bill you for paid plans	Account ID, Stripe customer/subscription IDs, tier	Contractual necessity (Art. 6(1)(b))
Auto-refresh diagrams on push (Pro)	GitHub App installation, push event metadata	Contractual necessity (Art. 6(1)(b))
Quota enforcement	Usage counters keyed to your account	Contractual necessity (Art. 6(1)(b))
Product analytics and improvement	Event telemetry tied to Auth0 sub	Legitimate interests (Art. 6(1)(f))
Security, fraud prevention, abuse	Logs, IPs, usage counters	Legitimate interests (Art. 6(1)(f))
Respond to support inquiries	Contact form contents, account ID	Legitimate interests (Art. 6(1)(f))
Comply with law	As required	Legal obligation (Art. 6(1)(c))

— Section 04

How We Share Information#

We share data only with the subprocessors below, each engaged under a Data Processing Agreement.

Subprocessor	Purpose	Region
Amazon Web Services	Hosting, compute, storage, CDN, DNS, transactional email (SES)	US (us-east-1) + CloudFront edge POPs globally
Auth0 (Okta)	Authentication and identity linking	`[FILL IN — Auth0 tenant region]`
Stripe	Payment processing and subscription management	US/EU per Stripe routing
PostHog	Product analytics	US (`us.i.posthog.com`)
GitHub (Microsoft)	Repository access via our GitHub App; identity from a GitHub social login is brokered by Auth0	US

We do not sell personal information.

California "Sharing" disclosure Our analytics integration (PostHog with autocapture enabled) may be considered "sharing" of personal information under California's CPRA. You may opt out at any time — see Section 8 — California Rights.

We may also disclose information when required by law, in response to valid legal process, or to protect the rights, property, or safety of our users or others.

— Section 05

Repository Content Handling#

When you submit a repository to ArcSync, we clone it into ephemeral Lambda storage, run our parser and (for AWS CDK projects) cdk synth in a per-language sandbox, extract architecture metadata, and discard the working copy when the function exits. We do not retain a copy of your source code. Only parsed graph metadata — node and edge data, not source files — is stored in our database so you can revisit and edit your diagrams.

For private repositories accessed via our GitHub App, we use installation tokens minted per parse and never persist the tokens. Diagrams generated from private repositories carry sourceVisibility: "private" and cannot be made public; this restriction is enforced server-side.

— Section 06

Real-Time Collaboration#

If you co-edit a diagram with another user, your browsers establish a peer-to-peer WebRTC mesh to exchange edit operations. Edit-operation data flows directly between participants and is not routed through our servers. Initial signaling — to discover and connect peers — passes through our WebSocket API. The user's name and profile picture (sourced from Auth0) are passed as WebSocket query parameters because JWT access tokens do not include profile claims; these values therefore appear in WebSocket access logs.

— Section 07

Data Retention#

Data category	Retention
Account data (Auth0 profile, ArcSync DynamoDB items)	Lifetime of account
Diagrams (`GRAPH#` items)	Lifetime of account, or until deletion. Soft-deleted diagrams are purged after 30 days via DynamoDB TTL.
Pro time-travel history (`HISTORY#` items)	Retained while the parent diagram exists and the owner is on a Pro tier; no TTL — unlimited retention while Pro.
Billing records	`[FILL IN — typically 7 years for tax]`
Product analytics (PostHog)	`[Per PostHog retention setting — FILL IN]`
Server logs (CloudWatch)	`[FILL IN — e.g. 30 days]`
Hourly and monthly usage counters	~25 hours and ~31 days, respectively, via DynamoDB TTL
GitHub installation records	Until you uninstall the App or delete your account

— Section 08

Your Rights — California (CCPA / CPRA)#

If you are a California resident, you have the rights to: know, delete, correct, opt out of "sale" or "sharing," limit use of sensitive personal information, and non-discrimination. To exercise any of these rights, email privacy@arcsync.dev.

To opt out of analytics-based "sharing," send a request to privacy@arcsync.dev. We do not sell personal information.

Categories collected in the past 12 months

Identifiers (Auth0 sub, email, IP address)
Customer records (billing details processed by Stripe; we receive only the customer/subscription IDs)
Commercial information (subscription tier, usage metrics)
Internet/network activity (event telemetry, server logs, autocaptured product interactions)
Geolocation (approximate, IP-derived)
Inferences (product engagement signals)

We do not collect protected classifications, biometric data, sensory data, professional or employment information, education information, or precise geolocation.

— Section 10

Children's Privacy#

ArcSync is a developer tool and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have, contact us at privacy@arcsync.dev and we will delete it.

— Section 11

International Transfers#

ArcSync is hosted in AWS us-east-1, with content delivery via CloudFront edge locations worldwide. Personal data is therefore processed primarily in the United States, with transit through CloudFront edges. Where data leaves the EEA, UK, or Switzerland, transfers are protected by Standard Contractual Clauses (or the UK IDTA) included in our subprocessor agreements.

— Section 12

Security#

TLS in transit (HTTPS-only via CloudFront)
AWS-managed encryption at rest for DynamoDB and S3
IAM-scoped Lambda execution roles
Secrets stored in AWS Secrets Manager and SSM Parameter Store
Webhook signature verification (HMAC-SHA256 for GitHub, Stripe-Signature for Stripe)
PKCE for browser auth flows (Auth0 SPA SDK v2)
GitHub App installation tokens minted per-parse, never persisted

No system can guarantee absolute security; report suspected vulnerabilities to security@arcsync.dev.

— Section 13

Changes to This Policy#

We will post material changes here with an updated "Last Updated" date and, where required, notify users by email or in-product notice.

— Section 14

Contact#

Privacy contact: privacy@arcsync.dev
Security contact: security@arcsync.dev
Mailing address: [FILL IN]
DPO: [FILL IN — only if appointed]