Privacy Policy

• Arc is designed for local-first visibility: the CLI records sessions to your machine first, and applies best-effort redaction of known secret patterns before content is written or transmitted.
• Workflow governance records are server-side product records by design, created to operate governed workflows for your organization.
• We do not sell your personal information, and we do not use Customer Content to train third-party foundation models unless you expressly agree.
• When you enable a cloud-hosted AI/model provider or other integration, your data may be processed by that provider under its own terms.
• You can request access, export, correction, or deletion of your data.

We collect information you provide, information created as you use the Services, and information from integrations you connect:

• Account identity — GitHub user ID, login, email, display name, and avatar via GitHub OAuth (we request only the scopes needed to sign you in and identify you).
• Organization/workspace metadata — org, group, team, and membership/role records.
• Billing/customer data — via Stripe (see Section 6).
• Design partner / contact submissions — the details you submit through our forms.
• Diagnostics and logs — request metadata, timestamps, and operational logs used to run and secure the Services.

Depending on the products you use, we process the content and records needed to provide them — for example agent/CLI connection and device metadata, session and relay events, share-link metadata, workflow tickets and configuration, workflow graphs/templates, comments, approvals, evidence, audit logs, planning records, run and cost/token metrics where available, and repository/source configuration metadata. This is your Customer Content; we process it to provide, secure, support, and improve the Services for your organization.

Arc is designed to support local-first visibility into AI-agent activity. Depending on how Arc is configured and used, SICKR may process session metadata, relay events, replay/live data, share-link metadata, diagnostics, and related content needed to provide the service.

The CLI applies best-effort redaction of known secret patterns before content is written to disk or transmitted. Redaction is a safety net, not a guarantee — it may not catch every secret, and you are responsible for what you capture and what you choose to make viewable through a share link or live session. Public links may be cached or indexed by third parties outside our control.

Workflow governance records — including tickets, workflow configuration, approvals, evidence, audit logs, metrics, planning records, and related operational records — are server-side product records by design. They are retained as part of operating governed workflows and audit history for your organization, and are accessible to authorized members and administrators of that organization.

Paid plans use Stripe Checkout. Stripe collects and processes payment details (such as card number, expiry, and billing address); SICKR does not receive or store your full card number or security code. We store a Stripe customer/subscription reference, plan and status, and limited billing metadata to manage your subscription. Stripe’s privacy policy applies to the payment data it holds. We use your email for transactional messages such as receipts, invitations, and security notices.

When you connect a third party — for example GitHub, Stripe, or an AI/model provider and coding agent you choose — we exchange the data needed to operate that integration. When you choose or enable cloud-hosted AI/model providers, their data may be processed by those providers according to the applicable configuration and provider terms. Those providers’ own privacy terms govern their processing.

We use cookies and similar technologies that are necessary to sign you in, keep your session, and operate the Services. Where we use privacy-respecting analytics, it is limited to aggregate, non-advertising usage metrics. We do not use advertising cookies or sell data for advertising.

• Authenticate you and operate the Services you use.
• Process billing and subscriptions, and send transactional communications.
• Maintain security, prevent abuse, and debug and support the Services.
• Improve the Services, using aggregated or de-identified data where practical.
• Comply with law and enforce our Terms and policies.

We do not use the above for advertising or to train third-party foundation models on Customer Content, except as you expressly agree.

We share information only with the categories below:

• Cloud infrastructure for hosting, storage, and delivery.
• Stripe for billing and payments.
• GitHub and other integrations you connect.
• AI/model providers when you enable them.
• Support/diagnostics providers used to operate the Services.
• Your organization’s administrators, who may access organization data.
• Legal/compliance recipients when required, and a successor in a merger or acquisition.

We do not sell personal information. Our current core infrastructure, billing, and integration providers include cloud hosting, Stripe, and GitHub; if we add a provider that processes personal data, we will update this policy.

We retain information for as long as needed to provide the Services, operate audit and workflow history, comply with legal obligations (such as tax records), resolve disputes, and enforce our agreements. Share-link and live-session content is retained for limited, plan-dependent windows and then removed; account and organization records are retained while the account exists and for a period afterward. We keep retention periods no longer than necessary for the purpose each category of data serves.

We use commercially reasonable safeguards, including encryption in transit, encryption at rest on our managed stores, GitHub-based authentication (no SICKR-managed passwords), and access controls limiting production data to staff with operational need. No method of transmission or storage is completely secure. See our Security page.

We operate on global cloud infrastructure, and your information may be processed in regions where we or our providers operate. Where required, we rely on appropriate safeguards for cross-border transfers of personal data.

You can request access, a portable export, correction, deletion, or restriction of your personal data, and you can opt out of non-transactional emails. Submit requests through the privacy contact form; we respond within a reasonable period. Residents of certain jurisdictions (for example California, Colorado, Connecticut, Virginia, Utah, the EU/EEA, and the UK) may have additional rights, and we honor those rights where they apply to you.

The Services are not intended for anyone under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

We may update this policy. For material changes we will provide notice (for example by email or in-app) before they take effect.

For privacy requests and questions about this policy, use the privacy contact form. For security concerns, use the security disclosure form. For general product support, use the support contact form.