Privacy Policy

Last updated: April 19, 2026

1. Introduction

ARKHITEC PTY LTD (“Arkhitec,” “we,” “our,” or “us”) respects your privacy. This Privacy Policy explains how we collect, use, share, and safeguard your personal information when you visit our website at arkhitec.com (the “Site”) or use our mobile application on iOS or Android (the “App,” and together with the Site, the “Services”).

By using the Services you agree to the practices described in this policy. If you do not agree, please do not use the Services.

Effective date: April 19, 2026

2. Information We Collect

We collect only what we need to operate the Services responsibly. Information is grouped by source below.

2.1 Information you provide

  • Account information — email address (and an optional display name) when you create an account or sign up for early access.
  • Support communications — the content of messages you send us through email or in-app support.
  • User preferences — theme choice, saved mixes, selected affirmation playlists, meditation favorites, and session timer defaults, stored on-device and synced to your account if you opt in.

2.2 Information collected automatically

  • App activity — features accessed, session frequency, and interaction patterns inside the App, used to understand which features work and to improve the product.
  • Device information — device model, operating system version, app version, locale, and a randomized device identifier used for crash attribution.
  • Diagnostic data — anonymized crash reports and performance logs.
  • Log data (Site only) — IP address, user-agent string, referring URL, and access timestamps of visits to arkhitec.com.

2.3 Information received from app stores

When you purchase an Arkhitec subscription via Apple App Store or Google Play, the store shares with us a transaction receipt, subscription status, renewal date, and a platform-scoped user identifier. We do not receive your payment card details, billing address, or government identifiers from the stores.

2.4 Information we do NOT collect

We intentionally limit data collection. We do not collect:

  • Microphone, camera, photos, video, or voice recordings.
  • Precise or approximate location.
  • Contacts, calendar, SMS, or files on your device.
  • Health, fitness, or biometric data.
  • Web browsing history outside our Site.
  • Advertising identifiers (IDFA, AAID).
  • Your payment card number, CVV, or bank account details (Apple and Google handle billing).

3. How We Use Your Information

We use personal information to:

  • Provide the Services — authenticate your account, deliver audio content, sync preferences, and enable subscriptions.
  • Operate and improve the product — understand which features are used (aggregated analytics), reproduce bugs (crash logs), and measure release quality.
  • Communicate with you — send transactional email (account confirmation, subscription receipts, security alerts) and, with your consent, product updates and early-access announcements.
  • Protect the Services — detect and prevent abuse, fraud, and unauthorized access.
  • Comply with law — respond to lawful legal requests and enforce our Terms.

We do not use your personal information for behavioral advertising, cross-app tracking, or profile-building for third parties.

4. Legal Basis for Processing (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or a jurisdiction with comparable legislation, we rely on the following legal bases:

  • Performance of a contract — creating and maintaining your account, providing the Services you’ve subscribed to, and handling support requests.
  • Consent — sending marketing or promotional email, which you may withdraw at any time via the unsubscribe link in every such message.
  • Legitimate interests — security, fraud prevention, anonymized analytics that improve the Services, and defense of legal claims. We weigh these interests against your rights and freedoms.
  • Legal obligation — responding to lawful requests from regulators, tax authorities, or courts.

You have the right to object to processing that relies on legitimate interests. See Section 8.

5. Third-Party Services and SDKs

We integrate a small, deliberate set of third-party services. Each is contractually bound to handle your data only on our instructions:

  • Firebase (Google LLC) — we use Firebase for authentication, database (Firestore), and Cloud Messaging (FCM) for delivering push notifications such as session reminders and bedtime prompts. Firebase processes your account details, email, authentication tokens, session metadata, bundle ID, OS information, SDK version, network connection type, FCM registration token, and a randomized installation identifier used to secure and synchronize your account and deliver messages. We do not use Firebase Analytics or Firebase Crashlytics. We do not use push notifications for advertising. Google’s privacy terms for Firebase are at firebase.google.com/support/privacy; see also policies.google.com/privacy.
  • Cloudflare (Cloudflare, Inc.) — audio asset hosting (served from arkhitecaudio.com via Cloudflare Workers and Cloudflare R2 file storage), content delivery, and network security. Cloudflare may process your IP address, user-agent, and request metadata in the course of delivering audio content and protecting the Services from abuse. See cloudflare.com/privacypolicy.
  • RevenueCat (RevenueCat, Inc.) — subscription and in-app purchase management across Apple App Store and Google Play. RevenueCat processes an anonymized app-user ID, purchase history, subscription status, device type, and app version to reconcile entitlements and provide accurate subscription state to the App. RevenueCat does not receive your email, name, or payment card details. See revenuecat.com/privacy.
  • Apple App Store / Google Play — subscription billing and in-app purchase processing.
  • Additional providers — if we add dedicated product analytics, crash reporting, or transactional email providers at or after the 2026 launch, this Section will be updated to name each vendor and describe the data they receive before the integration goes live.

We do not integrate advertising SDKs, social-media trackers, attribution SDKs, or data brokers. We do not use any third-party service for cross-app or cross-site behavioral advertising. We do not collect the iOS advertising identifier (IDFA) or the Android advertising ID (AAID).

6. Data Sharing and Disclosure

We share personal information only in the limited situations below. We do not sell or rent your personal information.

  • With service providers listed in Section 5, under written data-processing agreements.
  • For legal reasons — to comply with subpoenas, court orders, or other lawful process; to enforce our Terms; to protect the safety of users; or to investigate fraud.
  • In a business transfer — if Arkhitec is acquired, merged, or reorganizes, your information may transfer to the successor entity subject to the commitments in this policy. We will notify you before your information becomes subject to a different policy.
  • Aggregated or de-identified data — we may share statistics that cannot reasonably be linked back to you (e.g., “most popular frequency preset this month”).

7. Data Retention

We keep personal information only as long as we need it:

  • Account data — retained while your account is active.
  • After account deletion — removed from production systems within 30 days of the deletion request. Related entries in encrypted backups are purged on the rolling backup cycle, typically within 90 days.
  • Subscription and tax records — retained for the period required by applicable tax, accounting, and consumer-protection laws (typically seven years).
  • Diagnostic and crash data — retained up to 180 days and then anonymized or deleted.
  • Aggregated or anonymized analytics — may be retained indefinitely since it is no longer personal information.

8. Your Privacy Rights

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete your personal information.
  • Restrict or object to certain processing (e.g., marketing, or processing based on legitimate interests).
  • Withdraw consent at any time where we rely on consent.
  • Data portability — receive your information in a structured, commonly used, machine-readable format.
  • Not be discriminated against for exercising any of these rights.

EEA/UK users additionally have the right to lodge a complaint with a supervisory authority (e.g., the UK ICO or your national DPA). California users have rights under the CCPA/CPRA — see Section 16. Australian users have rights under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

9. How to Exercise Your Rights

You can exercise any of the rights in Section 8 by:

  • In-app — Settings → Account → “Delete Account” (this triggers both account deletion and removal of associated personal data).
  • Emailprivacy@arkhitec.com

We will verify your identity (typically by confirming ownership of the account email) and respond within 30 days, or notify you of an extension when legally permitted. We do not charge a fee unless the request is manifestly unfounded or excessive.

10. Account Deletion

We provide two independent paths to permanently delete your account and associated personal data:

  • In the App — open Settings, tap “Account,” and select “Delete Account.” Confirm the action. Deletion is processed within 30 days.
  • By Email — email privacy@arkhitec.com with “Delete my account” as the subject. We will confirm receipt and close your account within 30 days.

Deletion removes: your account record, email, saved mixes, playlists, favorites, preferences, and diagnostic data linked to your device. We may retain transaction records and subscription history where required by tax, accounting, or consumer-protection law (see Section 7).

Note: Cancelling an active Apple or Google subscription is a separate action performed in your App Store / Play Store settings. Deleting your Arkhitec account does not automatically cancel a subscription billed by Apple or Google, and Apple/Google do not refund past billing cycles based on account deletion alone.

11. Children’s Privacy

Arkhitec is not directed to, and we do not knowingly collect information from, children under 13 (or the equivalent minimum age in your jurisdiction under applicable law, such as GDPR Article 8). Users aged 13–17 should use the Services only with the consent and supervision of a parent or legal guardian.

If we learn that we have collected personal information from a child under 13, we will delete it promptly. Parents and guardians can contact us at privacy@arkhitec.com with any concerns.

12. International Data Transfers

Arkhitec is operated by ARKHITEC PTY LTD (Australia) and processes personal information on cloud infrastructure and service providers that may be located in the United States, Australia, the European Union, or other regions, depending on the service. If you access the Services from outside the region where your data is processed, your information will be transferred to and processed in that region.

Where required, we rely on the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum) as the legal mechanism for cross-border transfers of personal data out of the EEA and UK. Transfers to and from Australia are subject to the safeguards required under the Australian Privacy Principles. You can request a copy of the safeguards in place by emailing privacy@arkhitec.com.

13. Security

We apply industry-standard administrative, technical, and physical safeguards to protect your information:

  • Encryption in transit — TLS 1.2+ for all traffic between your device and our servers.
  • Encryption at rest — data stored in our databases and backups is encrypted.
  • Access controls — role-based access for employees, with audit logging and least-privilege defaults.
  • Secure development — code review, dependency scanning, and periodic security testing.
  • Incident response — a documented process for containment, investigation, and notification; we will notify affected users and, where required by law, the relevant regulator without undue delay.

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at privacy@arkhitec.com.

14. Cookies and Web Tracking

The Site currently uses no cookies, pixels, session replay, or third-party trackers. We do not use cross-site tracking technologies, do not share data with advertising networks, and do not target advertising based on your browsing. If this changes, we will update this policy and implement a consent mechanism before any non-essential cookie is set.

We honor Global Privacy Control (GPC) and “Do Not Track” browser signals as an opt-out of sale or sharing (see Section 16), where applicable law treats such signals as a valid user request.

15. App Tracking Transparency (iOS)

Arkhitec does not track you across apps or websites owned by other companies. Because we do not perform cross-app tracking as defined by Apple’s App Tracking Transparency framework, the App does not present an ATT permission prompt. No advertising identifier (IDFA) is collected.

16. Do Not Sell or Share (California)

California residents have rights under the California Consumer Privacy Act, as amended by the CPRA. Arkhitec does not sell or share personal information as those terms are defined under California law, and we do not use or disclose sensitive personal information for purposes requiring a right to limit.

California residents also have the right to:

  • Know what personal information we collect, use, disclose, and retain.
  • Correct inaccurate personal information.
  • Delete personal information (see Section 10).
  • Non-discrimination for exercising these rights.
  • Opt-out of sale or sharing — not applicable to Arkhitec because we do not sell or share.

To exercise these rights, follow the process in Section 9. You may also designate an authorized agent to submit requests on your behalf; we will require reasonable proof of authorization.

17. Changes to This Policy

We may update this Privacy Policy as the Services evolve. For material changes, we will notify you by email (to the address on your account) at least 30 days before the new policy takes effect and, where possible, by in-app notice. The “Last Updated” date at the top always reflects the most recent revision. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

18. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, contact us:

This Privacy Policy is issued by ARKHITEC PTY LTD. EEA/UK residents may also lodge a complaint with their national data protection authority.