Local-first by default
The ArchiHQ macOS app stores your notes, voice memos, goals, and personal data on your Mac. We don't have a copy. The only network calls ArchiHQ makes are to whichever AI provider you've configured with your own API key.
What we collect
When you sign up, take the assessment, or buy something, we collect your name, email address, business name, and payment metadata (handled by Stripe — we never see your card number). If you use our consulting services, we also collect project files, business information, and any content you share with us to do the work. If you submit an application, we collect the answers you provide. We also collect device type, browser type, IP address, and approximate location through standard web server logs. We do not collect sensitive personal data such as race, ethnicity, political opinions, religious beliefs, health data, or biometric data.
Legal basis for processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases. Contract performance: processing necessary to deliver the services you purchased or requested (account creation, project delivery, payment processing). Legitimate interest: processing for purposes like improving our services, preventing fraud, and ensuring security, where our interests do not override your fundamental rights. Consent: where you have given us explicit consent for a specific purpose (e.g., marketing emails, voice recording). Legal obligation: processing required to comply with applicable laws, such as tax record-keeping. You may withdraw consent at any time by emailing contact@archihq.ai. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.
Why we collect it
To deliver the product or service you bought, communicate about your account, send transactional emails, and improve ArchiHQ. We do not sell your data. Period. We do not share it with advertisers. We do not use it to train AI models.
AI processing
Our consulting services use AI tools from Anthropic (Claude) and OpenAI (GPT) to build systems, generate content, and analyze data for your projects. When we use these tools on your behalf, your project data is sent to their APIs for processing. Both Anthropic and OpenAI have published terms confirming that API inputs are not used to train their models. We have Data Processing Agreements (DPAs) in place with each provider. Your data goes in, the output comes back, and nothing is kept on their end for training purposes.
Voice notes and recordings
Some consulting engagements involve voice calls or recorded sessions. We only record with your consent. All recordings are transcribed immediately using OpenAI's Whisper API. The original audio files are deleted right after transcription. Only the text transcript is stored. You can request deletion of any transcript at any time. If you are in a two-party consent state (California, New York, Florida, Pennsylvania, or Illinois), we will always ask for your explicit permission before recording begins.
Data storage and security
Your data is stored on Supabase, which is SOC 2 Type 2 and ISO 27001 certified. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). We use row-level security policies so each account can only access its own data. Backups are encrypted. Access to production databases is restricted to authorized personnel only. We conduct periodic security reviews of our systems and third-party integrations.
International data transfers
ArchiHQ Inc. is based in the United States. If you are accessing our services from outside the US, your data will be transferred to and processed in the United States. For users in the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for international data transfers. Our third-party processors (Supabase, Vercel, Stripe, Anthropic, OpenAI) maintain their own transfer mechanisms in compliance with applicable data protection laws. By using our services, you acknowledge that your data will be processed in the United States.
Third-party services
We use the following services to operate ArchiHQ. Each processes data only to deliver their specific function. Stripe handles payments — we never see or store your card number. Supabase provides our database, authentication, and file storage. Vercel hosts our website and runs our server functions. Anthropic (Claude API) and OpenAI (GPT API, Whisper API) power our AI tools. Resend handles transactional email. Vercel Analytics provides anonymous website performance data. Each provider is bound by their own privacy terms and data processing agreements. We do not share your data with any third parties for marketing, advertising, or profiling purposes.
Data retention
Completed project deliverables are kept on our servers for 7 days after delivery, then permanently deleted. You keep your local copies forever. Active consulting clients have data retained for the duration of the engagement plus 30 days. Cancelled accounts are fully deleted within 14 days of cancellation. Payment records are retained as required by tax law (typically 7 years). Server logs containing IP addresses are retained for no more than 90 days. You can request early deletion of non-financial data at any time.
Your rights (CCPA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Categories of personal information we collect: identifiers (name, email), commercial information (purchase history, project details), and internet activity (basic analytics). We do not sell personal information. We do not share it for cross-context behavioral advertising. We have not sold or shared personal information of any consumer in the preceding 12 months. Your rights: you can request access to all data we hold about you; request deletion of your data; opt out of any future data collection; request correction of inaccurate data; request a portable copy of your data; and limit the use of sensitive personal information. We will not discriminate against you for exercising any of these rights. To make a request, email contact@archihq.ai. We respond within 45 days. You may also designate an authorized agent to make requests on your behalf.
Your rights (GDPR — EEA, UK, Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR). Right of access: request a copy of the personal data we hold about you. Right to rectification: request correction of inaccurate or incomplete data. Right to erasure: request deletion of your data when it is no longer necessary for the purpose it was collected. Right to restrict processing: request that we limit how we use your data. Right to data portability: receive your data in a structured, machine-readable format. Right to object: object to processing based on legitimate interests, including profiling. Right to withdraw consent: withdraw consent at any time where processing is based on consent. Right to lodge a complaint: file a complaint with your local data protection authority. To exercise any of these rights, email contact@archihq.ai. We respond within 30 days. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.
SMS and text messaging
When you opt in to receive SMS or text messages from ArchiHQ, we collect your mobile phone number and your consent preferences (marketing vs. non-marketing messages). Consent is collected through clearly labeled checkboxes on our contact and signup forms. We use your phone number solely to send you the types of messages you consented to: appointment confirmations, project updates, service notifications, and — only if you separately opt in — promotional messages about ArchiHQ services. You can opt out at any time by replying STOP to any message. Message frequency varies. Message and data rates may apply. For help, reply HELP or email contact@archihq.ai. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. We retain your phone number and consent records for the duration of your engagement plus 30 days after opt-out, as required for compliance documentation. For full details on our SMS program, see our SMS Consent & Terms page at https://archihq.ai/sms-consent.
Cookies
We use a small number of essential cookies for login sessions and preferences. We don't run third-party advertising trackers on this site. Vercel Analytics uses anonymous, cookie-free measurement. For full details on the cookies we use, see our Cookie Policy.
Do Not Track
Some browsers send a Do Not Track (DNT) signal. There is no industry standard for how websites should respond to DNT. We do not currently respond to DNT signals. However, we do not track you across third-party websites, and we do not serve behavioral advertising.
Children
ArchiHQ is not directed at children under 16 (or under 13 in the United States) and we don't knowingly collect their data. If you believe a child has provided us with personal information, contact us and we will delete it promptly.
Data Protection Officer
For privacy-related inquiries, you can contact our data protection team at contact@archihq.ai. If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority.
Changes
We may update this policy. Material changes will be announced by email or in-app notification at least 14 days before they take effect. The 'Last updated' date at the top always reflects the current version. We encourage you to review this policy periodically.
Questions about your data? Contact us.