Privacy at ARCY AI
What ARCY collects, what it never touches, and how long data is retained.
ARCY runs inside your product. This page explains what we collect during normal SDK operation, what we never access, and how data is retained.
What ARCY collects
Session events
When the ARCY SDK is installed, it collects the following per user session:
- Session start and end timestamps
- The active route when a session begins
- Events tied to
data-arcyattributes you place in your UI - Guided flow progress (which steps were started, completed, or skipped)
userIdandrole, if you pass them toARCYProvider
What we do not collect: email addresses, passwords, form field values, or any text your users type.
Source files from arcy init
arcy init reads your source files locally and sends them to AWS Bedrock. Up to 30 files are sent (layouts, pages, key components), capped at 120KB total. Config files (.env, *.pem, *.key) are always excluded.
AWS Bedrock does not train on customer data. ARCY does not store your file contents after analysis completes.
What we never do
- Log or retain your source code after analysis completes
- Read, transmit, or log
.envfiles or any file matching.env* - Share session data across organizations
- Give ARCY team members access to your production session data without an explicit support request from you
- Sell or share your data with third parties
Data retention
| Data type | Retention |
|---|---|
Source files from arcy init | Deleted after analysis completes |
| Session events | Retained while your account is active |
.arcy/ knowledge graph | Stored server-side, updated on each arcy push |
userId and role | Retained while your account is active |
To delete your account and all associated data, email support@arcyai.com. We process deletion requests within 30 days.