Privacy Policy
Last updated: 18 May 2026
This Privacy Policy explains how REQARCHITECT LTD ("Archiet", "we", "our", "us") collects, uses, and protects your personal data on the Archiet platform at archiet.com. We are the data controller for the personal data you give us when you create an account, generate code, or contact us. We comply with the UK GDPR, EU GDPR (Regulation 2016/679), and the California Consumer Privacy Act (CCPA) where applicable.
1. What we collect
- Account data: email address, hashed password (we never store passwords in plaintext), workspace name, billing details (handled by Stripe, Flutterwave, or Paystack — we do not store full card numbers).
- Content you upload: PRDs, requirements documents, architectural genome YAML/JSON, and any text you enter into the generation wizard. We use this content to generate code for you and to improve our extraction models. We do not sell or share this content with third parties.
- Usage data: pages visited, generations triggered, ZIP downloads, error logs, IP address, browser user-agent. We use this to operate the service, detect abuse, and improve quality.
- Cookies: see our Cookie Policy for the full list. The most sensitive cookie is the access_token_cookie (httpOnly, Secure, SameSite=Lax), which authenticates your session.
2. Why we collect it (lawful basis)
- Contractual necessity (UK GDPR Article 6(1)(b)) — to provide the code-generation service you signed up for.
- Legitimate interests (Article 6(1)(f)) — to operate and improve the service, detect fraud, monitor security. You can object via privacy@archiet.com.
- Consent (Article 6(1)(a)) — for non-essential cookies and optional marketing emails. You can withdraw consent at any time from your account settings.
3. Who we share data with
- Sub-processors: Stripe (payments), Flutterwave (payments), Paystack (payments), Azure (hosting), OpenRouter (LLM inference), Anthropic / OpenAI / Google / DeepSeek (LLM providers, only when you opt into their tier), E2B (sandbox execution for code preview + tests), PostHog (product analytics, anonymised). Each operates under a Data Processing Agreement.
- Legal compliance: we will disclose data if compelled by a valid court order or subpoena and will notify you unless legally prohibited.
- We do not sell personal data.
4. How long we keep it
- Account data: until you delete your account, then 30 days for backup retention.
- Generated artifacts: 12 months after the last access, then archived. You can delete at any time.
- Logs: 90 days.
- Billing records: 7 years (legal retention requirement).
5. Your rights
Under UK GDPR, EU GDPR, and CCPA you have the right to:
- Access your personal data (we provide a JSON export from account settings).
- Rectify inaccurate data (edit from account settings).
- Erase ("right to be forgotten") — delete your account from settings or email privacy@archiet.com. We respond within 30 days.
- Restrict processing in some circumstances.
- Object to processing based on legitimate interests.
- Data portability — receive your data in a machine-readable format.
- Opt-out of sale (CCPA) — we do not sell data, so this is automatically honoured.
6. International transfers
Our servers are in the EU (Azure East US 2). Some sub-processors (Stripe, OpenRouter, Anthropic) are in the United States. Transfers are protected by Standard Contractual Clauses (SCCs) where required and adequacy decisions where available.
7. Security
We encrypt data in transit (TLS 1.3) and at rest (AES-256 for customer-supplied credentials). Passwords are hashed with bcrypt. JWT tokens are stored in httpOnly cookies (not localStorage) to mitigate XSS. We run security scanners on every code generation to detect leaked secrets.
8. Children
Archiet is not directed to children under 16. We do not knowingly collect data from children. If you believe we have, email privacy@archiet.com and we will delete it.
9. Changes
We will notify you by email of material changes at least 30 days before they take effect. The "Last updated" date above is the authoritative version date.
10. Contact
Data Protection Officer (acting): Aniekan Okono.
Email: privacy@archiet.com
Company: REQARCHITECT LTD, registered in the United Kingdom.
Plain-English summary: Your code stays yours. We don't sell your data. We use sub-processors only when needed to run the service, all under DPAs. You can export or delete your account any time.