Privacy Policy
Last updated: April 5, 2026
1. Introduction
This Privacy Policy describes how arch-market (“we”, “us”, “our”), operated at market.thearchkit.com, collects, uses, and shares your personal information when you use our service. By using arch-market, you agree to the collection and use of information as described in this policy.
2. Data Controller
The data controller for your personal information is arch-market, operated by the archkit project. For data protection inquiries, contact us at [email protected].
3. Information We Collect
3.1 Information you provide
- Account information: Name, email address, username, display name, and bio when you create an account
- Authentication data: Data received from GitHub or Google when you sign in via OAuth (profile name, email, avatar URL)
- Content: Configs you publish (skills, graphs, presets), reviews, comments, and reports
- Communications: Messages sent via the contact form
3.2 Information collected automatically
- Usage data: Pages visited, searches performed, configs downloaded, features used
- Technical data: IP address, browser type and version, device type, operating system
- Cookies: Session cookies for authentication, preference cookies for consent state (see Section 7)
4. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Contract performance: To provide the Service, manage your account, and deliver configs you request (Article 6(1)(b))
- Legitimate interests: To improve the Service, ensure security, prevent fraud, and enforce our Terms (Article 6(1)(f))
- Consent: For optional features such as email notifications and cookie preferences (Article 6(1)(a))
- Legal obligation: To comply with applicable laws and regulations (Article 6(1)(c))
5. How We Use Your Information
- Provide, maintain, and improve the Service
- Create and manage your account
- Process and display your published content
- Send transactional emails (account verification, password reset, notification alerts)
- Respond to contact form submissions
- Monitor and enforce compliance with our Terms of Service
- Detect and prevent security threats, fraud, and abuse
- Generate aggregated, anonymized usage statistics
6. Data Sharing and Third-Party Services
We share your personal data with the following categories of third parties, solely to operate the Service:
| Provider | Purpose | Data shared |
|---|---|---|
| Hetzner (Germany) | Server hosting | All data stored on servers |
| Cloudflare (US) | CDN, DDoS protection, DNS | IP address, request metadata |
| Resend (US) | Transactional email delivery | Email address, email content |
| GitHub (US) | OAuth authentication | OAuth tokens during login |
| Google (US) | OAuth authentication | OAuth tokens during login |
We do not sell your personal data. We do not share your data with third parties for their marketing purposes.
7. Cookies
We use the following types of cookies:
- Essential cookies: Authentication session cookies managed by Keycloak. Required for the Service to function. Cannot be disabled.
- Preference cookies: Cookie consent state stored in localStorage. Remembers your consent choice.
We do not currently use advertising cookies or third-party tracking cookies. If we introduce advertising in the future, we will update this policy and request your consent before setting any advertising cookies.
8. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States (Cloudflare, Resend, GitHub, Google) and Germany (Hetzner). Where transfers occur outside the EEA, we rely on standard contractual clauses or adequacy decisions as appropriate to ensure adequate protection of your data.
9. Data Retention
- Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion.
- Published content: Retained until you delete it or your account. Copies previously downloaded by other users are not affected.
- Usage logs: Retained for up to 90 days for security and debugging purposes, then deleted or anonymized.
- Contact form messages: Retained for up to 12 months, then deleted.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
10.1 GDPR Rights (EEA/UK residents)
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data (“right to be forgotten”)
- Data portability: Request your data in a machine-readable format
- Restriction: Request restriction of processing
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time where processing is based on consent
You can exercise your rights to access, portability, and erasure directly through the account settings page (GDPR data export and account deletion). For other requests, contact us at [email protected].
10.2 CCPA Rights (California residents)
- Right to know: What personal information we collect and how we use it
- Right to delete: Request deletion of your personal information
- Right to opt-out: Opt out of the sale of personal information (we do not sell personal data)
- Non-discrimination: We will not discriminate against you for exercising your rights
11. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at [email protected] and we will delete it promptly.
12. Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS), encrypted storage, access controls, and regular security reviews. However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
13. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users via email within 72 hours of becoming aware of the breach, as required by GDPR Article 33. We will also notify the relevant supervisory authority where required.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The “Last updated” date at the top reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.
15. Contact
For privacy-related questions, data access requests, or concerns, contact us at: [email protected]
If you are in the EEA and believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.