Privacy Policy

Effective date: 2026-05-12

Controller: Aethyia Inc., operator of the Arkin Vault product, with notice address [INSERT REGISTERED ADDRESS]. Data Protection contact: privacy@arkinvault.com.

1. Scope

This policy describes how Aethyia Inc. ("we", "us"), as operator of the Arkin Vault product, processes personal data when you (a) administer documents through our admin interface or (b) access a document that has been shared with you through our viewer interface. By using either interface you acknowledge this policy.

2. Categories of personal data we process

Admin users: the admin password hash you set, session cookies, IP addresses observed at login, and timestamps of administrative actions.
Document recipients: name and email address you provide on the access form; IP address and user-agent at the time of access; timestamps and page numbers of each page view, download, print, and NDA signing event; the contents of any NDA you electronically sign (your typed name, title, organization, IP, user-agent, signature timestamp, and a cryptographic hash of the NDA text).
We do not intentionally collect special categories of data (health, biometric, political, etc.) and ask that recipients do not submit such data through the platform.

3. Purposes and legal bases

Operation of the service (authenticating admins, gating recipient access, rendering documents) — legitimate interests and, where the recipient consents to the NDA, contract.
Audit and security (logging access events, retaining signed NDAs) — legitimate interests and legal obligation where applicable.
Compliance with law — legal obligation.

4. Recipients and processors

Our infrastructure runs on Amazon Web Services (data centers in the US East region for the global product; Mumbai region for Arkin Vault India). We use Caddy as a reverse proxy and Let's Encrypt as our TLS certificate authority. We do not sell personal data and do not share it with advertisers.

5. International transfers

Personal data of EU/UK/India residents may be processed in the United States. Where required, transfers are governed by Standard Contractual Clauses or analogous mechanisms.

6. Retention

Signed NDA records, and access logs associated with an NDA or signed-document delivery, are retained for seven (7) years to satisfy electronic-signature (ESIGN) and audit obligations. Access logs not associated with an NDA are retained for two (2) years. After these periods the records are automatically deleted by a scheduled retention process. Recipients may request earlier deletion subject to our legal-hold obligations.

6a. Cookies

We use only strictly-necessary cookies: a session cookie that maintains login and viewing-session integrity (HttpOnly, SameSite, Secure in production), which expires after eight (8) hours of inactivity. We set no analytics, advertising, or third-party tracking cookies, so no cookie-consent banner is presented. Document recipients receive a short-lived viewing session only.

7. Your rights

Depending on your jurisdiction you may have the right to access, correct, delete, restrict, or port your personal data, and to object to certain processing. To exercise these rights contact privacy@arkinvault.com. We respond within statutory deadlines (30 days under GDPR; 45 days under CCPA).

8. Security

We implement administrative, technical, and physical safeguards reasonable to the sensitivity of the data including TLS for all traffic, bcrypt password hashing, encrypted backups, least-privilege access controls, and audit logging. No system is perfectly secure; we cannot guarantee absolute security.

9. Children

The service is not directed to children under 16, and we do not knowingly process data of children.

10. Changes

We may update this policy from time to time. Material changes will be highlighted on the admin interface, and continued use after the effective date of an update constitutes acceptance.

11. Contact

privacy@arkinvault.com