Back to Home
Legal

Privacy Policy

Last Updated: June 1, 2026

This Privacy Policy explains how ArcaLabs AI, Inc., a Delaware corporation ("ArcaLabs," "we," "us," or "our"), collects, uses, discloses, and protects information in connection with our websites at arcalabs.ai and related domains (the "Sites") and our AI agent and workflow-automation platform and related services (the "Services").

ArcaLabs provides a business-to-business platform used by financial-services organizations (such as investment banks, private-equity and venture firms, and their advisers) to automate professional workflows. The Services are designed for business use by organizations and their authorized personnel and are not directed to consumers or to children.

Contents

1. Our Role: Controller vs. Processor / Service Provider

Our role depends on the type of information:

  • When we act as a processor / service provider. When our business customers ("Customers") use the Services, they submit and generate content — including documents, spreadsheets, models, cap tables, deal materials, emails, connected-account data, and prompts ("Customer Content") — which may contain personal information about the Customer's own personnel, clients, counterparties, and other individuals. We process Customer Content on behalf of and under the instructions of the Customer. For this information, the Customer is the controller (or "business"), and ArcaLabs is the processor (or "service provider"). If you are an individual whose personal information appears in Customer Content, please direct privacy requests to the relevant Customer; we will support the Customer in responding. Our processing of Customer Content is governed by our agreement with the Customer (including, where applicable, a Data Processing Addendum), which controls over this Policy to the extent of any conflict.
  • When we act as a controller. We act as a controller for information we determine the purposes and means of processing — for example, account and registration data, billing and business-contact data, Site-visitor data, security and audit logs, usage and telemetry data, and marketing communications. This Policy describes those practices.

2. Information We Collect

2.1. Information you and your organization provide

  • Account and identity data. When Authorized Users access the Services, we (through our identity provider, currently Clerk) collect identifiers such as name, email address, organization/workspace, role, and authentication identifiers. We may also collect custom instructions and preferences that users configure.
  • Business and billing contact data. Names, business email addresses, phone numbers, company details, and billing or order information for administrators and purchasing contacts.
  • Communications. Information you provide when you contact us for sales, support, or other inquiries, including the contents of your messages.

2.2. Customer Content processed on the Customer's behalf

When enabled and directed by a Customer, the Services process Customer Content, which may include:

  • Documents and files uploaded or generated, such as spreadsheets and financial models (including .xlsx/.xlsm), word-processing documents (.docx), presentations (.pptx), PDFs, images, and structured data (.csv/.json).
  • Deal and workspace data, such as deal records, notes, journal and log entries, chat and agent conversation history, and reference materials.
  • Email and messages. Where a Customer connects email or uses agent mailboxes, we process inbound and outbound email and messages, including sender/recipient addresses, subject lines, message bodies, headers, and attachment metadata, in order to provide the Services the Customer has enabled.
  • Connected-account data. Where a Customer connects a Third-Party Service (such as Google Drive/Gmail, Microsoft 365/OneDrive/Outlook/SharePoint/Teams, Dropbox, or Egnyte), we access and process the files, folders, messages, and metadata that the Customer authorizes, using the permissions granted during connection.
  • Firm-profile and writing-style ("voice") configuration. Where a Customer enables these features, the Services analyze samples of the Customer's materials (which may include the Customer's email, where the Customer chooses to include it) to derive style, formatting, and conventions used to tailor Outputs. These features are controlled by the Customer, are subject to in-product consent where applicable, and can be disabled and deleted by the Customer.

The categories, sensitivity, and content of Customer Content are determined by the Customer. Customers are responsible for the legality of, and for providing notices and obtaining consents for, the personal information they submit. See Section 1.

2.3. Information collected automatically

  • Usage, log, and telemetry data. We collect information about access to and use of the Services and Sites, such as IP address, device and browser information, user agent, pages and features used, actions taken, timestamps, and diagnostic and performance data.
  • Audit and security events. To operate the Services securely and support our Customers' governance needs, we record audit events (such as logins, configuration changes, runs, approvals, and administrative actions), which may include actor identifiers, IP address, user agent, and timestamps.
  • Operational/usage metering. We record metering data associated with use of the Services (including AI/model usage and associated costs) to operate, secure, support, and bill for the Services.
  • Cookies and similar technologies. We and our providers use cookies and similar technologies on the Sites and in the Services. See Section 14.

2.4. Information from third parties

We may receive information from our identity, security, analytics, payment, and infrastructure providers, and from Customers about their Authorized Users.

We do not intentionally collect special categories of personal data or sensitive personal information through the account/Site channels we control; Customers should not submit such data as Customer Content unless their agreement and applicable law permit, and they are responsible for doing so lawfully.

3. How We Use Information

We use information for the following purposes:

  • To provide and operate the Services, including authenticating users, executing workflows and agents, generating Outputs, connecting Third-Party Services, and delivering features the Customer enables.
  • To process Customer Content on the Customer's instructions, as described in Section 1.
  • To secure, monitor, and maintain the Services and Sites, including preventing, detecting, and responding to fraud, abuse, security incidents, and technical issues, and maintaining audit and access logs.
  • To support Customers, respond to inquiries, and provide administration and troubleshooting.
  • To bill and manage accounts, including metering usage and managing subscriptions.
  • To improve and develop our Services using Service Data and aggregated or de-identified data, as described in Section 4.
  • To communicate with you about the Services, including service, security, and transactional messages, and (subject to your choices) product and marketing communications.
  • To comply with law and enforce our agreements, including responding to lawful requests and protecting the rights, safety, and property of ArcaLabs, our Customers, and others.

Legal bases (EEA/UK). Where the GDPR or UK GDPR applies and we act as a controller, we rely on the following legal bases: performance of a contract; our legitimate interests (such as securing, operating, and improving the Services, and B2B marketing), balanced against your rights; compliance with legal obligations; and consent where required (which you may withdraw).

4. Artificial Intelligence and Your Data

The Services use AI and machine-learning models, including large language models provided by AI sub-processors. Our practices:

  • We do not use Customer Content or Outputs to train foundation or general-purpose models, and we require our AI sub-processors to be contractually prohibited from using Customer Content or Outputs submitted through the Services to train their generally available models.
  • We may use Service Data and aggregated/de-identified data to operate, secure, analyze, and improve the Services. Aggregated and de-identified data does not identify any individual, Customer, or Authorized User, and we do not attempt to re-identify it.
  • AI Outputs may be inaccurate and require human review. Our handling of Outputs is described in the Terms of Service.

5. How We Disclose Information

We do not sell personal information, and we do not "share" it for cross-context behavioral advertising (as those terms are defined under California and other U.S. state privacy laws), and we do not share Customer Content with third parties for those third parties' own purposes. Beyond the operational disclosures necessary to provide, secure, and support the Services (such as to the sub-processors described in Section 6 and to recipients you direct or connect), any optional sharing or additional use of data is opt-in and controlled by the Customer. We disclose information only as follows:

  • To sub-processors and service providers who process information on our behalf to provide the Services, under contracts that require appropriate confidentiality and security and limit their use of the information to providing services to us. See Section 6 for the categories of sub-processors and a current list.
  • To the Customer. Information processed within a Customer's workspace is accessible to that Customer and its administrators and Authorized Users, according to the roles, permissions, and configurations the Customer establishes. Customer administrators may be able to access, monitor, export, and delete content and audit records within their workspace.
  • To third parties you connect. When a Customer connects or directs Outputs to a Third-Party Service (for example, to save a file to Google Drive or send an email), we transmit the relevant information to that service at the Customer's direction.
  • For legal and safety reasons, to comply with applicable law, regulation, legal process, or enforceable governmental request; to enforce our agreements; and to protect the rights, property, safety, and security of ArcaLabs, our Customers, and others.
  • In connection with a business transaction, such as a merger, acquisition, financing, reorganization, or sale of assets, in which case we will require the recipient to honor this Policy or provide notice of any material change.
  • With your consent or at your direction.

6. Sub-Processors and Service Providers

We engage sub-processors to provide the Services. As of the Last Updated date, the categories and principal sub-processors include those listed below. We maintain a current list and, where required by our agreements, provide a mechanism for Customers to receive notice of changes.

CategoryProvider(s)Purpose
Cloud infrastructure, storage, compute, key managementAmazon Web Services (AWS)Hosting, database, object storage, encryption key management, and execution compute
AI / large language modelsAnthropic (Claude); other model providers as configuredAI agents, analysis, and document/Output generation
Sandbox execution environmentE2BIsolated execution of agent and workflow code
Authentication & organization managementClerkUser authentication, identity, and organization/workspace management
Financial market & reference dataFactSetFinancial market, securities, and reference data
Regulatory filings dataSEC EDGAR / SEC filing data providerAccess to public regulatory filings
Email infrastructure for agentsAgentMail (and webhook delivery providers, e.g., Svix)Agent mailboxes and inbound/outbound email processing
Customer-connected file & email servicesGoogle (Workspace/Drive/Gmail), Microsoft (365/Graph), Dropbox, EgnyteConnectors the Customer chooses to enable
Supporting servicesLogo/branding imagery (Logo.dev) and similar operational providersAncillary product functionality

7. Connected Accounts; Google and Microsoft API Limited Use

When a Customer connects a Third-Party Service, we access only the data permitted by the scopes the Customer grants, and we use it only to provide the Services the Customer has enabled.

Google API Services. ArcaLabs' use and transfer of information received from Google APIs adhere to the Google API Services User Data Policy, including its Limited Use requirements. We use Google user data only to provide and improve the user-facing features the Customer has enabled, do not use it for advertising, do not transfer it except as necessary to provide those features (or for security, legal, or as required with the user's consent), do not allow humans to read such data except with consent, for security, to comply with law, or where the data has been aggregated and de-identified, and do not use such data to train generalized AI/ML models.

Microsoft Graph and other connectors. Our use of data accessed through Microsoft 365 / Microsoft Graph and other connectors is similarly limited to providing the Customer-enabled features, in accordance with the applicable provider's requirements.

Customers and their users can revoke connector permissions at any time through the relevant provider's settings or within the Services.

8. International Data Transfers

ArcaLabs is based in the United States, and we and our sub-processors may process information in the United States and other countries that may have different data-protection laws than your country. Where we transfer personal data from the EEA, the UK, or Switzerland to a country not deemed to provide an adequate level of protection, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK Addendum), where applicable. Certain data-residency configurations may be available to Customers under their agreements. You may contact us for more information about transfer mechanisms.

9. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Policy, unless a longer or shorter period is required or permitted by law or by our agreement with the Customer.

For Customer Content, retention is configured by the Customer and governed by the Customer's agreement. The Services support configurable retention tiers — for example, short-lived/transient data, a standard retention period, and an extended "compliance" retention period intended to support recordkeeping needs (which may be on the order of several years). Customers control retention settings, archival/legal holds, and deletion for their workspace.

When information is no longer needed, we delete or de-identify it, or isolate it from further use, in accordance with our retention practices, subject to backups made in the ordinary course (which are overwritten or deleted on a rolling basis) and to any legal-hold or recordkeeping obligations.

10. Security

We maintain administrative, technical, organizational, and physical safeguards designed to protect information, including encryption of data in transit and at rest, key management, encryption of stored credentials and tokens, isolation of execution environments with a deny-by-default egress posture, least-privilege access controls, logging and monitoring, and audit logging. We maintain an information-security program designed to align with recognized industry standards and are currently undergoing a SOC 2 Type II examination (in the audit/observation period). No security measures are perfectly secure, and we cannot guarantee absolute security. Customers are responsible for configuring the Services appropriately and for securing their own systems, credentials, and users. If you have reason to believe your interaction with us is no longer secure, contact us at security@arcalabs.ai.

11. Your Privacy Rights and Choices

Depending on where you live and the role we play, you may have rights regarding your personal information, such as the rights to access, correct, delete, port, and restrict or object to certain processing, and to withdraw consent. Where we rely on consent, you may withdraw it at any time without affecting prior processing.

  • Requests about Customer Content. If your personal information is contained in Customer Content (i.e., where a Customer is the controller), please submit your request to the relevant Customer. We will assist that Customer in responding, as required by our agreement and applicable law.
  • Requests where we are the controller. You may exercise your rights by contacting us at privacy@arcalabs.ai. We will verify your request and respond as required by applicable law. You may also be entitled to appeal a decision and to lodge a complaint with your local data-protection authority or other regulator.
  • Marketing choices. You may opt out of marketing emails using the unsubscribe link or by contacting us. We may still send you transactional and service messages.
  • Cookies. See Section 14 for cookie choices.

We will not discriminate against you for exercising your rights.

11.1. U.S. State Privacy Rights (including California)

To the extent U.S. state privacy laws (such as the California Consumer Privacy Act, as amended by the CPRA, and similar laws in other states) apply and ArcaLabs is the business/controller:

  • We collect the categories of personal information described in Section 2 (identifiers, professional/business information, internet/network activity, and communications content), for the business purposes described in Section 3, from the sources described in Section 2, and disclose them to the categories of recipients described in Section 5.
  • We do not sell personal information and do not "share" it for cross-context behavioral advertising, and we have not done so in the preceding 12 months. Any optional data-sharing features are off by default and enabled only at the Customer's or Authorized User's direction (opt-in).
  • We do not knowingly collect or sell the personal information of minors.
  • California residents and residents of other states with applicable laws may exercise the rights described above, including the rights to know, delete, correct, and (where applicable) opt out and limit the use of sensitive personal information (we do not use sensitive personal information for purposes that would trigger a "limit" right). You may use an authorized agent to submit requests, subject to verification.

11.2. EEA/UK/Swiss Rights

If you are in the EEA, UK, or Switzerland, you have the rights described above under the GDPR/UK GDPR. Our EU/UK representative (where required) and Data Protection Officer (where applicable) can be reached at the contacts in Section 17. You have the right to lodge a complaint with a supervisory authority.

12. Children's Privacy

The Services and Sites are intended for business use by adults and are not directed to children. We do not knowingly collect personal information from anyone under the age of 18 (or the age required for B2B services in your jurisdiction). If you believe a child has provided us personal information, please contact us so we can delete it.

13. Automated Decision-Making

We do not use personal information to make decisions that produce legal or similarly significant effects about individuals without human involvement. The Services generate AI Outputs that are intended to be reviewed by the Customer's personnel; Customers are responsible for any decisions they make using the Services.

14. Cookies and Similar Technologies

We and our providers use cookies and similar technologies on the Sites and in the Services for purposes such as authentication, security, preferences, and analytics. You can control cookies through your browser settings and, where offered, through a cookie-preference tool. Some cookies are strictly necessary for the Services to function. We do not use cookies to "sell" or "share" personal information for cross-context behavioral advertising.

15. Third-Party Sites and Services

The Sites and Services may link to or integrate with third-party websites and services that we do not control. This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review their privacy notices.

16. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will provide notice by updating the "Last Updated" date and, where appropriate, by additional notice (such as email or through the Services). Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

17. Contact Us

If you have questions or requests regarding this Policy or our privacy practices, contact:

ArcaLabs AI, Inc. (a Delaware corporation)
Attn: Privacy
Email: privacy@arcalabs.ai
Security: security@arcalabs.ai
Address: 1881 Page Mill Road, Palo Alto, CA 94304
Website: https://www.arcalabs.ai

Looking for our terms? Read the Terms of Service.

Contact our team

ArcaLabs builds AI agents that run sell-side workflows (comps, IC memos, pitchbook profiles) for investment banks and PE funds. Official FactSet Partner. From the makers of Arcafeed (acquired).

Solutions

Company

© 2026 ArcaLabs AI, Inc. All rights reserved.

Privacy Terms