Arch DStudio

Privacy Policy

Effective
2026-05-19
Last updated
2026-05-19
Version
1.0.0

1. Who We Are

This Privacy Policy explains how Arch D Studio (“Arch D,” “we,” “us”) collects, uses, shares, and protects personal information when you use our website, application, and related services (the “Service”).

The Service is operated from Longmont, Colorado, United States. For privacy questions or to exercise your rights, contact privacy@archd.studio.

2. Information We Collect

2.1 Information You Provide

  • Account information: name, email address, password (stored hashed), and optional profile details.
  • Billing information: processed by Stripe. We receive a token and limited metadata (last four digits of card, billing country, subscription status); we do not receive or store full payment card numbers.
  • User Content: images you upload as references, prompts you enter, masks and markup you draw, product references you save, project names, filenames, and any other content you submit.
  • AI-generated outputs: images and other content the Service produces from your inputs.
  • Communications: messages you send us through support, email, or in-app channels.

2.2 Information We Collect Automatically

  • Usage data: pages viewed, features used, generation requests, credit consumption, click patterns, session duration, and similar interaction metrics.
  • Device and connection data: IP address, browser type and version, operating system, device identifiers, screen resolution, language preference, and referring URL.
  • Cookies and similar technologies: see Section 7.
  • Log data: server logs, error reports, and diagnostic information.

2.3 Information from Third Parties

  • OAuth providers: if you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive your Google password.
  • Stripe: subscription status, payment method status, and tax residency where applicable.
  • Catalog vendors: publicly available product data including names, prices, images, and descriptions.

3. How We Use Your Information

  • Provide the Service: authenticate you, process generation requests, store your projects, deliver outputs, manage subscriptions and credits.
  • Process payments: handle subscriptions, one-time purchases, refunds, and chargebacks via Stripe.
  • Communicate with you: send service announcements, transactional emails, security alerts, and respond to support inquiries.
  • Improve the Service: analyze usage to fix bugs, prioritize features, monitor performance, and detect abuse.
  • Comply with law: respond to legal process, enforce our Terms, prevent fraud, and protect rights and safety.
  • Marketing (only with consent or where permitted): send product updates and offers. You can unsubscribe at any time.

We do not sell your personal information for money.

3.1 Use of User Content with AI Models

Your User Content is transmitted to our AI sub-processors solely to process your generation request and return the output to you. See our sub-processor list for the current active providers. Per the published terms of those providers, content sent via their paid API tiers is not used to train their models without explicit opt-in. We do not opt in.

We do not use your User Content to train our own models. We may use anonymized and aggregated metadata to improve the Service.

The AI landscape changes fast. We periodically evaluate alternative providers for image generation, vision, and language tasks (including, but not limited to, OpenAI, Stability AI, Black Forest Labs, fal.ai, and Replicate) so we can route to the best model for each capability. Any change to the active sub-processor list will be reflected on the sub-processors page and announced under the change-notice policy in Section 13.

4. Legal Bases for Processing (EU/UK Users)

If you are in the EEA, UK, or Switzerland, we process your personal information on the legal bases of performance of a contract, legitimate interests, consent (where required), and legal obligation, as applicable. You may withdraw consent at any time without affecting the lawfulness of prior processing.

5. How We Share Your Information

We share personal information only as described below. See our sub-processor list for the full set of service providers and what data they receive. Each is contractually bound to protect your data and use it only to provide services to us.

We may also share information when required by legal process, to enforce our Terms, to protect rights or safety, in connection with a merger or acquisition (with notice), or at your direction.

No sale of personal information.We do not sell personal information for monetary consideration. To the extent that sharing with analytics providers may be considered “sharing” or “selling” under the CCPA or similar laws, you can opt out by contacting privacy@archd.studio or via a Global Privacy Control (GPC) signal.

6. Data Retention

  • Account information: retained until you delete your account, then purged within 30 days, except as required for legal, tax, or fraud-prevention purposes.
  • User Content: retained while your account is active. Deleted projects are removed from active systems within 7 days and from backups within 90 days.
  • Generated outputs: retained alongside the project that produced them.
  • Billing records: retained for at least 7 years for tax and accounting compliance.
  • Server logs: retained for 30 to 90 days, then deleted or anonymized.
  • Support communications: retained for up to 3 years.

7. Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Strictly necessary cookies: authentication, session management, security. These cannot be disabled.
  • Functional cookies: remember your preferences (theme, last-used model, etc.).
  • No third-party advertising cookies.

We honor Global Privacy Control (GPC) signals where applicable.

8. Your Privacy Rights

8.1 Universal Rights

Regardless of jurisdiction, you can:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your account and associated personal information.
  • Export your User Content in a portable format.
  • Opt out of marketing emails at any time.

To exercise these rights, email privacy@archd.studio. We will respond within 45 days, or sooner where required by law.

8.2 Colorado Residents (Colorado Privacy Act)

Colorado residents have the right to confirm processing and access personal data, correct inaccuracies, delete personal data, obtain a portable copy, and opt out of targeted advertising, sale, and profiling. We do not currently engage in these activities, but we honor opt-out signals including the Universal Opt-Out Mechanism (UOOM) as required. To appeal a denial of your request, contact privacy@archd.studio. If your appeal is denied, you may contact the Colorado Attorney General at https://coag.gov/file-complaint/.

8.3 California Residents (CCPA/CPRA)

California residents have the rights described above plus the right to know specific categories of personal information collected, the right to non-discrimination for exercising privacy rights, and the right to limit the use of sensitive personal information.

In the prior 12 months, we have collected the following categories of personal information: identifiers (name, email, IP), commercial information (subscription, purchase history), internet activity (usage data), geolocation (general region), professional or business information (where provided), and inferences drawn from the above. We have not “sold” personal information for money.

8.4 EU, UK, and Swiss Residents (GDPR/UK GDPR)

You have the rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing. You may also lodge a complaint with your local data protection authority.

8.5 Verification and Authorized Agents

To protect your information, we will verify your identity before fulfilling rights requests. You may designate an authorized agent to make requests on your behalf with written authorization.

9. Children’s Privacy

The Service is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us personal information, contact privacy@archd.studio and we will delete it promptly.

10. International Data Transfers

We operate from the United States, and our sub-processors are primarily U.S.-based. If you access the Service from outside the U.S., your information will be transferred to, processed, and stored in the U.S. We rely on appropriate safeguards (including Standard Contractual Clauses where required) for transfers from the EEA, UK, and Switzerland to the U.S.

11. Security

We use commercially reasonable administrative, technical, and physical safeguards to protect your information, including encryption in transit (TLS 1.2+) and at rest, hashed passwords, access controls and least-privilege principles for staff, row-level security on user data, regular dependency updates and security monitoring, and secret management outside of source control.

No system is perfectly secure. You are responsible for keeping your account password confidential and notifying us immediately of any suspected unauthorized access.

12. Data Breach Notification

If we discover a breach affecting your personal information, we will notify you and applicable authorities as required by law, typically within 72 hours of discovery for jurisdictions requiring it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or in-app notice at least thirty (30) days before they take effect, except where shorter notice is required by law. Your continued use of the Service after changes take effect constitutes acceptance, except where consent is required and separately obtained.

14. Contact Us

For privacy questions, rights requests, complaints, or to designate an authorized agent: privacy@archd.studio. Response time: within 45 days, or sooner where required by law.