Privacy Policy
Effective date: [INSERT DATE] · Last updated: April 2026
1. What Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Account | Name, email, password hash | Account creation and authentication |
| Preferences | Investment goal, budget range, property priorities | Personalization |
| Subscription | Tier, status, Stripe Customer ID | Billing and content access |
| Identity (KYC) | Passport/ID copy, liveness data | Identity verification for Tier 2 content access |
| Usage | Page views, property views, search queries | Platform improvement (via Vercel Analytics) |
| Referral | Referral code, referred-by agent ID | Referral attribution |
| Communications | Email, marketing consent flag | Transactional and marketing emails (Resend) |
| Technical | IP address, browser, device type | Security, fraud prevention |
| Cookies | Session token, analytics cookie | Auth persistence, usage analytics |
2. How We Use Your Data
We use your data to:
- —Provide access to subscribed content based on your tier (enforced via Supabase RLS)
- —Process payments via Stripe (we never store card numbers)
- —Send transactional emails (account events, subscription confirmations)
- —Send marketing emails only if you have opted in (marketing_consent = true)
- —Verify identity for KYC-gated content
- —Attribute referrals between agents and buyers
- —Detect fraud and enforce platform security
We do not sell your data to third parties. We do not use your data to train AI models.
3. Third-Party Processors
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, auth, file storage | All platform data |
| Stripe | Payment processing | Email, billing info |
| Cloudflare | CDN, WAF, R2 storage | IP address, request metadata |
| Mapbox | Interactive maps | Map interaction events |
| Vercel | Hosting, analytics | Usage data, IP |
| Resend | Transactional email | Email address, name |
| Anthropic | AI Agent responses | Conversation content |
| Sentry | Error tracking | Technical error data, device info |
Conversations with the AI Agent are sent to Anthropic's API. Anthropic does not use API traffic to train models under their current enterprise data processing terms.
4. Cookies
See our Cookie Policy for full details on cookies used, their purpose, and how to manage them.
5. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Until account deletion request |
| KYC documents | [X years per Argentine regulatory requirement] |
| Payment records | 7 years (Argentine tax law) |
| AI conversation logs | 90 days, then anonymized |
| Analytics data | 24 months |
| Marketing consent logs | Until consent withdrawn + 3 years |
6. Your Rights
All users: Access, correct, or delete your account data via Account page → Danger Zone, or by emailing legal@theark.ink.
California residents (CCPA): Right to know what categories of personal information we collect, opt out of the sale of personal information (we do not sell data), and non-discrimination for exercising your rights.
EU/EEA residents (GDPR): Data portability, right to object to processing, right to lodge a complaint with your local supervisory authority.
Argentine residents (Law 25.326): Access, rectification, and deletion of personal data.
7. Security
All data in transit encrypted via HTTPS/TLS. Database encrypted at rest (Supabase). KYC documents stored in private Supabase Storage bucket accessible via signed URLs only. Row Level Security (RLS) enforces data access at the database layer. Stripe handles all card data — no card numbers ever reach our servers.
8. International Transfers
The Platform operates with services in the United States (Vercel, Stripe, Anthropic) and globally (Cloudflare, Supabase). By using the Platform, you consent to the transfer of your data to these jurisdictions.
9. Changes to This Policy
We will notify you by email of material changes. The current version is always linked in the footer.
10. Contact
Privacy inquiries: legal@theark.ink