Privacy Policy

Last updated: April 16, 2026

This Privacy Policy explains how REQARCHITECT LTD ("we", "us", "our") collects, uses, stores, and protects your information when you use the Archiet platform at archiet.com.

1. Information We Collect

Account Information

When you register, we collect your email address, workspace name, and a hashed password (bcrypt, cost factor 12). We do not store your password in plaintext.

Content You Provide

We store the content you create within Archiet, including:

System descriptions and PRD documents you upload
Architecture blueprints and ArchiMate elements
Compliance reports and code generation outputs
Journey wizard conversation history
Blueprint chat messages

LLM API Keys

If you provide your own LLM API keys (Anthropic, OpenAI, Google, DeepSeek, OpenRouter, HuggingFace), these are encrypted at rest using Fernet symmetric encryption with a master key stored separately from the database. Keys are decrypted only at the moment of making an API call and are never logged.

Usage Data

We collect anonymized usage data including page views, feature usage frequency, and performance metrics to improve the product. We use PostHog for analytics, which may set a cookie. See our Cookie Policy for details.

Payment Information

Payment processing is handled by Paddle (our merchant of record). We do not store credit card numbers, bank account details, or other payment credentials on our servers. Paddle processes payments according to their own privacy policy.

2. How We Use Your Information

We use your information to:

Provide the service: Generate architecture blueprints, compliance reports, and production code based on your inputs
Authenticate you: Verify your identity via JWT tokens stored in httpOnly secure cookies
Send transactional emails: Account verification, password resets, billing receipts, trial reminders
Enforce multi-tenancy: Ensure your data is isolated from other customers at the database level (PostgreSQL Row-Level Security)
Improve the product: Analyze anonymized usage patterns to prioritize features and fix issues
Provide customer support: Respond to your requests and troubleshoot issues

3. What We Do NOT Do

We do not sell your personal data to third parties
We do not use your content (system descriptions, blueprints, code) to train AI models
We do not share your data with other Archiet customers
We do not serve advertising or use advertising tracking cookies
We do not store your LLM API keys in plaintext or log them

4. Data Storage and Security

Your data is stored in PostgreSQL databases hosted on Azure infrastructure. We implement the following security measures:

Encryption in transit: All connections use TLS 1.2+ (HTTPS enforced via HSTS)
Encryption at rest: LLM API keys use Fernet encryption; database volumes use Azure disk encryption
Row-Level Security: PostgreSQL RLS policies ensure workspace data isolation at the query level
Authentication: JWT tokens in httpOnly, Secure, SameSite=Lax cookies — never in localStorage
Password hashing: bcrypt with cost factor 12
Account lockout: After 5 failed login attempts, accounts are locked for 15 minutes
Rate limiting: API endpoints are rate-limited to prevent abuse

5. Third-Party Services

We use the following third-party services that may process your data:

Service	Purpose	Data Shared
Paddle	Payment processing	Email, billing info
Resend / Postmark	Transactional email	Email address, email content
PostHog	Product analytics	Anonymized usage events
Sentry	Error monitoring	Error traces (no customer content)
Your LLM provider	AI generation	System descriptions sent for processing

When you use AI generation features, your system description and context are sent to your chosen LLM provider (Anthropic, OpenAI, etc.) for processing. Each provider has their own data handling policies. We recommend reviewing your LLM provider's terms regarding data retention and training.

6. Data Retention

Active accounts: Data is retained for the lifetime of your account
After account deletion: All personal data and content is permanently deleted within 30 days
Billing records: Transaction records are retained for 7 years for legal and tax compliance
Audit logs: Security audit logs are retained for 90 days

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

Access: Request a copy of the personal data we hold about you
Rectification: Update or correct inaccurate personal data
Deletion: Request deletion of your account and all associated data
Export: Download your data in a portable format (available in Settings > Privacy)
Restriction: Request that we limit processing of your data
Objection: Object to processing of your data for specific purposes

To exercise any of these rights, email accounts@archiet.com. We will respond within 30 days.

8. International Data Transfers

Our servers are located in Azure data centres. If you access Archiet from outside the hosting region, your data will be transferred internationally. We ensure appropriate safeguards are in place for such transfers.

9. Children's Privacy

Archiet is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at accounts@archiet.com and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 14 days before the changes take effect.

11. Contact

For privacy questions or data requests:

Email: accounts@archiet.com
Company: REQARCHITECT LTD

Loading…