Privacy Policy

Arca is entropy infrastructure. We collect human-generated randomness and deliver it to applications that need verified randomness. This policy explains what data we collect, how we protect it, and what rights you have.

If you're a Contributor using an app like Gambino, their privacy policy also applies to you. This policy covers what Arca specifically does with your data.

Arca's architecture separates data into two isolated systems:

4.1 From Contributors

4.2 From Suppliers

4.3 From Consumers

• Real names (unless required by Supplier for KYC)
• Government IDs (Suppliers handle identity verification)
• Location data (beyond what device sensors provide for entropy)
• Browsing history
• Contacts or phone data
• Financial account information

This is the core of our privacy model:

After entropy extraction:

• Raw traces are deleted
• Only the entropy bits remain
• Bits are mixed with thousands of other contributions
• The final output is cryptographically unlinkable

We Share With:

We Never Share:

• Raw timing and motion data with anyone
• Contributor identity with Consumers
• Cross-Supplier user data
• Data for advertising purposes

Where Data Lives

• Attribution data: Encrypted at rest, access-controlled databases
• Entropy batches: Public blockchain anchors (Hedera), no PII
• Backups: Encrypted, geographically distributed

Security Measures

• TLS 1.3 for all data in transit
• AES-256 encryption at rest
• Ed25519 signatures for authentication
• Regular security audits
• Access logging and monitoring

Breach Response

If we discover unauthorized access to personal data:

• We will notify affected Suppliers within 72 hours
• Suppliers are responsible for notifying their users
• We will take immediate remediation steps

All Contributors Have The Right To:

For Direct Arca Users (Mobile)

If you use Arca directly (not through a Supplier):

• Access your data at your dashboard
• Delete your account through the app or by emailing us
• Export your account for device migration

For Supplier/Consumer Businesses

• Access your organization's data through your admin dashboard
• Request data export by contacting us
• Delete your account with 30 days notice

What Happens When You Delete Your Account

Legal Retention

Some data may be retained beyond deletion if required for:

• Legal compliance
• Fraud prevention
• Dispute resolution

Arca services are not intended for children under 18. We do not knowingly collect data from minors.

• Suppliers are responsible for age verification
• If we learn a Contributor is under 18, we will delete their data
• Parents/guardians may contact us to request deletion

Arca operates globally. Your data may be processed in:

• United States
• Other countries where our infrastructure operates

We apply consistent privacy protections regardless of location. For EU/UK users, our legal basis for processing is:

• Legitimate interest (entropy extraction, service delivery)
• Consent (optional features like email sync)
• Contract (for Suppliers and Consumers)

Arca Infrastructure

We use minimal cookies for:

• Session management (if you have a direct Arca account)
• Security (CSRF protection)

We do not use:

• Advertising cookies
• Third-party tracking
• Cross-site tracking

Supplier Applications

Suppliers may use their own cookies and tracking. See their privacy policies.

We may update this policy as:

• The protocol evolves
• Regulations change
• We expand services

Material changes will be announced:

• On our website
• Via email to registered Suppliers/Consumers
• Through Supplier notifications to Contributors

For privacy questions or requests:

Email: privacy@arca.io

For Suppliers and Consumers:

Contact your account representative or use the admin dashboard.

For Contributors:

Contact your Supplier first (e.g., Gambino support). If your issue is specifically about Arca's data handling, contact us directly.