Privacy Policy

Version 2.0 | Effective Date: May 1, 2026

This Privacy Policy explains how Archilas collects, uses, discloses, retains, and protects personal data across our website, dashboard, APIs, and autonomous AI agent infrastructure. This policy is designed for legal defensibility and plain-language readability.

Policy at a Glance

What data | Why | Retention | Shared with
Account and identity data | Account access, authentication, support | Account life + 30 days | Auth and hosting processors
Agent and runtime data | Agent execution and governance | Agent life + 90 days | Infrastructure and monitoring processors
Financial and wallet metadata | Settlement, compliance, fraud checks | 7 years (tax/finance), 5 years (AML) | Payment rails, authorities where required
Usage and telemetry data | Reliability, analytics, abuse prevention | 12 months standard | Analytics and security processors

1. Introduction and Scope

Archilas ("Archilas", "we", "our", "us") provides infrastructure for deploying, funding, monitoring, and governing autonomous AI agents. This policy applies to website interactions, account creation, dashboard usage, API usage, and runtime workflows.

Contact email: privacy@archilas.com
Physical address: Archilas Privacy Office, DRAFT REGISTERED OFFICE, DRAFT CITY, DRAFT COUNTRY.

If Archilas has no establishment in the EU/UK, Article 27 representatives are listed in Section 14.

2. Data We Collect

  • Account Data: name, email, Google OAuth profile image and identifiers.
  • Agent Data: prompts, configurations, policy settings, earnings history, transaction logs, wallet addresses.
  • Usage Data: pages visited, feature usage, click events, session duration, dashboard interactions.
  • Financial Data: wallet addresses, settlement records, commission entries, withdrawals and payout metadata.
  • Technical Data: IP address, browser type, operating system, device details, runtime telemetry.
  • Communication Data: support tickets, email correspondence, chat and incident remediation logs.
  • KYC/AML Data (where required): identity records, sanctions screening outcomes, and compliance case metadata.

Archilas does not store private keys in plaintext. Key material is encrypted at generation and protected using isolated secure enclave controls. Archilas personnel are not granted plaintext private key access. Key artifacts are deleted under secure retention workflows after account lifecycle events [LEGAL REVIEW REQUIRED].

Special Category Data (Article 9 GDPR): Archilas does not intentionally process special category data. If behavior data could indirectly infer special category traits, Archilas applies minimization and restricted-access safeguards.

3. How We Collect Data

  • Directly from users during sign-up, onboarding, agent deployment, and funding.
  • Automatically through cookies, logs, diagnostics, and security telemetry.
  • From third parties such as OAuth providers, payment services, and blockchain/RPC sources.
  • From compliance providers for KYC/AML checks where legally required.

4A. Regulatory Framework Context

Archilas aligns controls with GDPR/ePrivacy, UK GDPR, CCPA/CPRA, LGPD, DPDPA, PIPEDA, APPI, POPIA, and sector-specific obligations including EU AI Act and DAC8.

DAC8 disclosure: from 2026, EU crypto-asset reporting duties may require Archilas to report identity, wallet, and transaction data to competent tax authorities under legal-obligation processing (Article 6(1)(c) GDPR) [LEGAL REVIEW REQUIRED].

5. How We Use Data

  • Provide, operate, and improve the platform.
  • Process agent earnings, commissions, and settlement events.
  • Provide support and operational notices.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal and regulatory obligations.
  • Run analytics for reliability and product quality.

LIA summary for Article 6(1)(f): Archilas balances business interests against user rights and applies safeguards including minimization, access controls, and transparency.

6. Data Sharing and Third Parties

  • Service providers: hosting, identity/auth, payments, analytics, and monitoring processors.
  • Legal disclosures: courts, regulators, or authorities where legally required.
  • Business transfers: merger, acquisition, or asset transfer context.
  • Consent-based sharing: any additional sharing with explicit consent.

Archilas does not sell personal data.

Archilas also states that it does not share personal information for cross-context behavioral advertising under CPRA definitions [LEGAL REVIEW REQUIRED].

7. Cookies and Tracking

Archilas uses Strictly Necessary, Functional, Analytics, and Marketing cookies. Detailed category examples, retention windows, and controls are provided in Annex B.

8. Data Retention

  • Account data: account life + 30 days after deletion.
  • Agent data: agent life + 90 days after deletion.
  • Financial/tax records: up to 7 years.
  • Usage/security logs: generally 12 months.
  • AML/KYC records: typically 5 years where legally required.

9. Data Security

  • Encryption in transit (TLS 1.3) and at rest (AES-256 or equivalent).
  • Role-based access controls and least-privilege design.
  • Audit logging and incident response playbooks.
  • Secure enclave controls for sensitive wallet-signing workflows.

DPIA commitment (Article 35 GDPR): Archilas performs Data Protection Impact Assessments for high-risk processing, including autonomous agent monitoring and financial transaction processing.

DPO statement: Archilas has appointed a Data Protection Officer under Article 37(1)(b) GDPR [LEGAL REVIEW REQUIRED].

10. International Data Transfers

Data may be processed in multiple jurisdictions. Where required, Archilas relies on SCCs, adequacy decisions, and contractual safeguards.

11. Your Rights (GDPR, CCPA/CPRA, LGPD and Similar Laws)

  • Access, rectification, erasure, restriction, objection, and portability rights.
  • Consent withdrawal rights for consent-based processing.
  • CCPA/CPRA opt-out and non-discrimination rights.
  • Right to lodge a complaint with a supervisory authority.

Submit requests by email (privacy@archilas.com) or via DRAFT PRIVACY REQUEST PORTAL URL [LEGAL REVIEW REQUIRED]. Identity verification may be required for security.

If Archilas cannot honor a request due to legal exemptions, retention obligations, or inability to verify identity, Archilas will provide a written explanation and available appeal route.

Authority examples: ICO, DPC, CNIL, BfDI, Datatilsynet, ANPD, CPPA.

12. Children's Privacy

Archilas is not intended for users under 18 years old. We do not knowingly collect personal data from users under 18 and will delete such data without undue delay if identified.

13. Changes to This Policy

Archilas may update this policy. "Material changes" include changes to data categories, legal bases, third-party sharing, or transfer mechanisms. Material updates are announced by email and/or dashboard. Continued use after the effective date constitutes acknowledgment of the updated policy.

14. Contact and Complaints

Privacy team: privacy@archilas.com
DPO contact: dpo@archilas.com
EU representative: DRAFT EU REP SERVICES LTD, 12 DRAFT COMPLIANCE STREET, DUBLIN, IRELAND, eu-rep@archilas.com
UK representative: DRAFT UK REP SERVICES LTD, 21 DRAFT PRIVACY ROAD, LONDON, UNITED KINGDOM, uk-rep@archilas.com

15. Region-Specific Addenda

California (CCPA/CPRA)

Archilas does not sell or share personal information for cross-context behavioral advertising. Archilas honors Global Privacy Control signals as required under CCPA Section 1798.135.

Sensitive Personal Information controls: DRAFT "Limit the Use of My Sensitive Personal Information" link [LEGAL REVIEW REQUIRED].

California Shine the Light and Nevada SB 220 requests may be submitted to privacy@archilas.com.

Brazil (LGPD)

LGPD legal bases (Article 7) include consent, contract, legal obligation, and legitimate interests. Encarregado contact: dpo@archilas.com. Supervisory authority: ANPD. Response target: 15 days.

India (DPDPA)

Archilas acts as Data Fiduciary for core services and appoints processors where needed. Consent withdrawal and grievance support are available via privacy@archilas.com. Escalation may be made to the Data Protection Board of India.

Canada (PIPEDA and Quebec Law 25)

PIPEDA principles and Quebec Law 25 requirements apply where applicable. Quebec authority: Commission d'accès à l'information (CAI).

South Africa (POPIA)

Supervisory authority: Information Regulator (South Africa). Information Officer contact: privacy@archilas.com [LEGAL REVIEW REQUIRED]. Breach notices are sent as soon as reasonably possible.

Australia (Privacy Act 1988 / APPs)

Archilas applies APP standards and APP 8 cross-border controls. Notifiable incidents are handled under the NDB scheme with OAIC oversight.

16. EU AI Act Compliance (Regulation (EU) 2024/1689)

Autonomous agents deployed through Archilas may fall under limited-risk, high-risk, or general-purpose AI categories depending on use case [LEGAL REVIEW REQUIRED].

  • Logging and traceability controls aligned with Articles 12 and 26 where applicable.
  • Human oversight with policy controls, approvals, and emergency stop mechanisms.
  • Transparency controls aligned with Article 50 for end-user awareness.
  • Conformity assessment controls for high-risk use cases where required.

17. AML/KYC and Financial Compliance

Archilas may perform AML/KYC checks where required by law. This can include identity checks, sanctions screening, and transaction risk analysis under legal-obligation grounds (Article 6(1)(c) GDPR).

AML records are generally retained for 5 years under applicable AML frameworks [LEGAL REVIEW REQUIRED]. Required disclosures may be made to financial intelligence units, regulators, or law enforcement.

18. Breach Notification

  • GDPR Article 33: supervisory authority notice within 72 hours where required.
  • GDPR Article 34: data subject notice without undue delay for high-risk breaches.
  • CCPA and other local laws: jurisdiction-specific breach notifications as required.
  • LGPD, POPIA, and Australian NDB: regulator and user notification in applicable timelines.

Annex A — Data Processing Table (GDPR/UK GDPR)

Category | Legal basis | LIA status | Retention | Third-party basis
Account Data | Art. 6(1)(b), 6(1)(f) | Completed | Account + 30 days | Processor contracts; legal obligations
Agent Data | Art. 6(1)(b), 6(1)(f) | Completed | Agent + 90 days | Processor contracts
Usage Data | Art. 6(1)(f), 6(1)(a) | Completed for 6(1)(f) | 12 months | Analytics/security processors
Financial Data | Art. 6(1)(b), 6(1)(c), 6(1)(f) | Completed for 6(1)(f) | 7 years | Payment processors; legal reporting
Technical Data | Art. 6(1)(f) | Completed | 12 months | Security processors
Communication Data | Art. 6(1)(b), 6(1)(f), 6(1)(c) | Completed where 6(1)(f) applies | Up to 24 months | Support processors and legal requests
KYC/AML Data | Art. 6(1)(c), 6(1)(f) [LEGAL REVIEW REQUIRED] | Completed where 6(1)(f) applies | Typically 5 years | Compliance processors and authorities

Annex B — Cookie Annex

Consent mechanism: users can "Accept All", "Reject All", or "Manage Preferences". Strictly Necessary cookies are always on; all other categories are optional where consent law applies.

For EU/EEA contexts, consent processing may align to IAB TCF v2.2 controls where applicable [LEGAL REVIEW REQUIRED].

Category | Examples | Retention | Opt-out
Strictly Necessary | Session/auth/security tokens | Session to 12 months | Not available (essential)
Functional | Language/theme/preferences | 1 to 6 months | Cookie settings and browser controls
Analytics | Session analytics and event metrics | 1 to 13 months | Cookie settings, browser controls, GPC where required
Marketing | Campaign attribution identifiers | Up to 13 months | Cookie settings and browser controls

Annex C — CCPA/CPRA 12-Month Lookback Table

Category | Source | Purpose | Sold/Shared | Disclosed
Identifiers | User submissions and OAuth | Account and authentication | No / No | Yes, to service providers
Commercial information | Billing and transactions | Settlement and accounting | No / No | Yes, to payment/accounting providers
Internet activity | Telemetry and logs | Reliability and security | No / No | Yes, to analytics/security processors
Sensitive Personal Information | Financial metadata and security data | Fraud prevention and compliance | No / No | Yes, where legally required