Privacy Policy

For privacy matters, please put “Privacy Request” in the subject line so we can route and respond to your request within the timelines required by applicable law.

This policy distinguishes between three groups, because different rules apply to each:

• Website visitors and prospects — anyone who visits agentarc.dev, fills out a contact form, books a call, or receives outreach from us.
• Clients — businesses (and their authorized representatives) that engage us for AI consulting, agent development, or related services.
• Client end-users — individuals whose data is processed by AI systems we build for our clients. For this category, our client is the data controller and we act as a data processor on their behalf. Our handling of that data is governed primarily by the agreement (and any Data Processing Addendum) between us and that client. If you are an end-user of a system we built and want to exercise your rights, please contact the company that operates the product first; we will support them in responding to your request.

We use information for the following purposes:

• To respond to inquiries and follow up on contact-form submissions, calls, and emails.
• To deliver our services — design, build, deploy, support, and improve the AI systems and consulting deliverables you’ve engaged us for.
• To manage our business — invoicing, payments, accounting, tax compliance (including retention required under Canadian tax law), and contract management.
• To send marketing communications — newsletters and direct outreach to businesses we believe may benefit from our services. You can unsubscribe at any time (see Section 9).
• To improve our internal tooling, prompts, and processes in aggregated or anonymized form. We may study patterns across our work to refine our methods, but we do not use any client data to train or fine-tune AI models (see Section 5).
• To secure our systems and detect, prevent, and respond to fraud, abuse, or security incidents.
• To comply with legal obligations, respond to lawful requests, and enforce our agreements.

Because we are an AI agency, we want to be explicit about how we handle data in AI workflows.

We use the following service providers to operate our business. Each receives only the information needed to perform its function and is bound by its own privacy and security commitments:

We do not sell your personal information, and we do not share it with third parties for their own marketing purposes.

We are based in Canada. Several of our service providers — including AWS, Anthropic, OpenAI, Stripe, Vercel, Google, and HighLevel — are located in or transfer data to the United States and other countries.

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum where applicable), together with supplementary measures where needed.

For transfers from Canada, we comply with PIPEDA’s accountability requirements: we use contractual measures to ensure transferred information receives a comparable level of protection.

You can request more information about the specific safeguards in place by emailing taha@agentarc.dev.

We retain personal information only as long as necessary for the purposes described in this policy or as required by law:

• Lead and prospect data: up to 24 months after our last meaningful contact, then deleted or anonymized.
• Client project data: for the duration of the engagement and up to 7 years after the engagement ends, to satisfy Canadian tax-record retention requirements and to support warranty, audit, and legal-defense needs. Clients may request earlier deletion of project materials that are not required for tax or legal purposes.
• Billing and tax records: 7 years from the end of the relevant tax year.
• Website hosting and security logs: retained by Vercel under its standard retention windows (typically short — days to weeks).
• Marketing list data: until you unsubscribe, plus a brief suppression-list retention so we honour your unsubscribe request going forward.
• Aggregated or anonymized data: may be retained indefinitely, since it is no longer personal information.

When the retention period ends, we delete, destroy, or anonymize the information.

We send newsletters and conduct B2B outreach to businesses we believe may benefit from our services.

• Every commercial electronic message we send identifies us, includes our mailing address, and contains a working unsubscribe link or instruction.
• We honour unsubscribe requests promptly (and within the 10-business-day window required by Canada’s Anti-Spam Legislation, CASL).
• For recipients in the EEA/UK and other consent-based jurisdictions, we obtain consent where required.
• You can unsubscribe at any time by clicking the unsubscribe link in any of our emails or emailing taha@agentarc.dev with the word “unsubscribe.”

Depending on where you live, you may have the following rights over your personal information:

• Access — request a copy of the personal information we hold about you.
• Correction — ask us to fix inaccurate or incomplete information.
• Deletion / erasure — ask us to delete your information (subject to legal retention obligations).
• Restriction or objection — ask us to limit or stop certain processing.
• Portability — receive your information in a portable format.
• Withdraw consent — where we rely on consent, withdraw it at any time without affecting prior processing.
• Opt out of marketing — at any time, with no effect on our services to you.
• Lodge a complaint with a supervisory authority — for EU/UK residents, your local Data Protection Authority; for Canadians, the Office of the Privacy Commissioner of Canada (OPC); for Ontario residents, the Information and Privacy Commissioner of Ontario where applicable.

We use reasonable administrative, technical, and physical safeguards to protect personal information, including:

• Encryption in transit (TLS) and, where supported by our providers, encryption at rest.
• Access controls, least-privilege permissions, and authentication on accounts handling client data.
• Secrets management for API keys and credentials.
• Vetting of sub-processors and use of providers with established security programs (SOC 2, ISO 27001, or equivalent where available).
• Confidentiality obligations on all personnel and contractors.
• Routine review of our practices and prompt investigation of suspected incidents.

No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify you and the relevant regulators in accordance with applicable law.

Our services are directed at businesses, not children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact taha@agentarc.dev and we will delete it.

Our website and communications may contain links to third-party sites. We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies.

We may update this policy from time to time. When we make material changes, we will update the “Last Updated” date above and, where appropriate, provide additional notice (for example, by email or a prominent notice on the website). Your continued use of our services after the update means you accept the revised policy.

For any questions, requests, or complaints about this Privacy Policy or our handling of your personal information: