This Privacy Policy explains what information ARC ("we", "us") collects when you visit witharc.app or use the ARC platform and mobile applications (the "Service"), why we collect it, and the rights you have over it. It is written to comply with Lebanese Law No. 81 of 2018 on Electronic Transactions and Personal Data and drafted with international good practice (including GDPR principles) in mind.
1. What we collect
- Account information — name, business name, email, phone number, password (stored only as a secure hash, never in plain text).
- Business data you enter — products, sales, inventory, customer and supplier records, invoices, accounting entries, employee records you choose to keep, and files you upload. This data belongs to you (see the Data Processing Agreement).
- Payment information — plan, billing history, and payment references. Card details are handled by our payment providers (Stripe, Whish Money); ARC never stores full card numbers.
- Usage and device data — IP address, browser/device type, pages used, and technical logs (errors, security events) needed to run and protect the Service.
- Communications — support conversations and messages you send us, including the contact form on witharc.app.
- AI Guide conversations — the questions you ask the AI and the answers given, so the feature works and can be audited. Payroll data is never included.
2. Why we collect it
- To provide, operate, and secure the Service (performance of our contract with you).
- To bill subscriptions and keep the accounting records the law requires us to keep.
- To support you and to notify you of important service or legal changes.
- To improve the Service using aggregated, non-identifying usage patterns.
- To send product news only if you opted in — you can withdraw this consent at any time.
3. Where data is stored
ARC production data is hosted on DigitalOcean infrastructure located in Frankfurt, Germany (European Union), with encrypted backups in the same region. Some service providers listed below process limited data in other jurisdictions; we choose providers that offer contractual data-protection safeguards.
4. How long we keep it
Retention periods are set out in the Data Retention Policy. In summary: business and accounting records are kept while your account is active and as required by the Lebanese Code of Commerce (up to 10 years for accounting documents); a deleted account is recoverable for 30 days and then permanently erased; backups roll over every 30 days; technical logs are kept for up to 12 months.
5. Who can access it
- Your own team — according to the roles and permissions you configure in your workspace.
- ARC staff — a small number of authorised operators, only for support, maintenance, and security, under confidentiality obligations and with actions logged.
- Service providers (processors) — listed in section 7. We never sell personal data.
- Authorities — only where a valid Lebanese legal obligation or court order requires disclosure.
6. Security measures
Data is encrypted in transit (TLS) and at rest; passwords are stored using strong one-way hashing; workspaces are isolated per tenant; access is role-based and audit-logged; backups are taken daily and encrypted. Details are in the Security Policy. No system is perfectly secure — if a breach affects your personal data we will notify you without undue delay (see the DPA for processor commitments).
7. Third-party services we use
- DigitalOcean — cloud hosting (Frankfurt, EU).
- Stripe and Whish Money — payment processing.
- Anthropic — AI processing for the ARC AI Guide (prompts and relevant business context are sent to generate answers).
- Meta / WhatsApp — when you use WhatsApp features, message content and recipient numbers transit WhatsApp.
- Brevo — transactional email (verification, notifications).
- Google Analytics — visitor statistics on the marketing website only (see the Cookie Policy).
- Sentry — error monitoring (technical error reports may include identifiers such as user or tenant IDs, never passwords).
8. Cookies
The marketing website uses a small number of cookies for analytics; the application uses only what is strictly necessary to keep you signed in. See the Cookie Policy.
9. Your rights
Under Law No. 81/2018 you may, at any time:
- Access the personal data we hold about you and ask for a copy;
- Correct inaccurate data (most account data you can edit yourself);
- Delete your data ("right to erasure") subject to records we must keep by law;
- Object to or restrict certain processing, and withdraw marketing consent;
- Export your business data in a portable format from within the Service.
To exercise a right, email arc7solutions@gmail.com from your account email. We respond within 30 days. If you are a customer of one of our customers (e.g. a shopper whose number a business stored in ARC), please contact that business first — it controls that data; we will assist it in fulfilling your request.
10. How to request deletion
Workspace owners can request account deletion from their profile or by email. We soft-delete the workspace for 30 days (so an accidental request can be reversed), then permanently erase it, except invoices and accounting records retained under Lebanese law. Confirmation is sent when erasure completes.
11. Children
The Service is for businesses and is not directed at children. We do not knowingly collect data from anyone under 16.
12. Changes
We may update this Policy; material changes are announced by email or in-app and take effect no earlier than 15 days after notice. Each version is numbered and dated.
13. Contact
Data questions and requests: arc7solutions@gmail.com — ARC, Beirut, Lebanon.
