Privacy Policy

Last updated: 30 April 2026

This privacy notice describes how arkestrator.com ("we", "us") collects, uses, and stores personal data when you use the website, sign in via GitHub, Google, Sign in with Apple, or an email magic link, publish or install community skills, subscribe to a paid tier, or use features that interact with your Arkestrator installation. We aim to collect the minimum data possible and give you full control over it.

Data controller

The controller of your personal data under the GDPR is:

A postal address is available on request to the email above. We have not appointed a Data Protection Officer; given the scale and nature of processing, none is required under Art. 37 GDPR.

What data we collect

You can sign in to arkestrator.com in four ways: GitHub OAuth, Google OAuth, Sign in with Apple, or an email magic link. We only request the minimum profile scope each provider exposes, and what we store depends on the method you choose.

For each item we list the data, why we collect it, and the lawful basis under the GDPR.

Data: Provider identifier — GitHub user ID, Google sub claim, or Apple sub claim, depending on which provider you used. (No identifier for magic-link sign-in beyond your email address.)
Why we collect it: Authenticate you on arkestrator.com on subsequent visits without us holding a password.
Lawful basis (GDPR): Performance of a contract (Art. 6(1)(b))

Data: Verified email address — from the chosen OAuth provider, or the address you typed for magic-link sign-in.
Why we collect it: Send the magic-link email; deliver transactional account email; link your account to our payment processor (Stripe) by email if you subscribe to a paid tier. Never used for marketing without your consent.
Lawful basis (GDPR): Performance of a contract (Art. 6(1)(b)) for transactional / billing email; legitimate interest (Art. 6(1)(f)) for account linking

Data: Display name and avatar URL — supplied by GitHub or Google when available; not provided by Sign in with Apple or by magic-link sign-in.
Why we collect it: Show your name and avatar on the site (e.g. attribution on community skills and forum posts).
Lawful basis (GDPR): Performance of a contract (Art. 6(1)(b))

Data: GitHub account snapshot (when you sign in with GitHub) — public-repo count, follower count, two-factor-enabled flag, and account-creation date.
Why we collect it: Compute a "trust tier" for skill publishing and abuse prevention. We use this only to decide how much moderation a new submission needs; we do not display it publicly. We do not query GitHub for repository contents, organisation membership, private profile data, or activity feeds.
Lawful basis (GDPR): Legitimate interest (Art. 6(1)(f)) — keeping the community skills registry free of spam and malware

Data: Optional profile fields you choose to fill in — short bio, profession, company, location, website URL, and forum signature.
Why we collect it: Power your public forum profile. All of these fields are optional and you can clear them at any time from your account settings.
Lawful basis (GDPR): Consent (Art. 6(1)(a))

Data: Agent feature usage counters (total install count, last-active timestamp)
Why we collect it: Estimate operating cost, identify heavy users before the paid tier launches, and (post-beta) enforce the floating-seat cap on team subscriptions. Stored as running counters — we do not log individual install events.
Lawful basis (GDPR): Legitimate interest (Art. 6(1)(f))

Data: Session token + expiry (14-day cookie or Bearer token)
Why we collect it: Keep you signed in securely.
Lawful basis (GDPR): Performance of a contract (Art. 6(1)(b))

Data: Community skills you publish (SKILL.md content, metadata)
Why we collect it: Public-facing features you actively chose to use.
Lawful basis (GDPR): Consent (Art. 6(1)(a))

Data: Pro Tunnel seat records — the public IP address and User-Agent string of devices that fetch a Pro license token through your tunnel, with first-seen and last-seen timestamps. Stored only while you have an active Pro Tunnel subscription, and only if you actually use it.
Why we collect it: Enforce the per-seat device cap on Pro Tunnel plans. A row is created the first time a new IP+device pair fetches a token, expires automatically 24 hours after its last use, and is deleted on the next seat check thereafter. Used purely for cap enforcement; not used to build a profile of you, not shared with any third party, and not retained after the subscription ends.
Lawful basis (GDPR): Performance of a contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)) in preventing licence abuse

Data: Stripe billing records — customer ID, subscription ID, invoice / checkout history, and the email Stripe associates with your customer record. We retain webhook events Stripe sends us so we can reconcile your subscription state.
Why we collect it: Run subscriptions, issue invoices, calculate VAT, and meet Dutch fiscal record-keeping obligations.
Lawful basis (GDPR): Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) under Dutch tax law

What we do NOT collect

Where your data is stored

The primary database (a single SQLite file) is stored on a server hosted by Hetzner Online GmbH in Germany (EU). Forum file attachments and other user-uploaded objects are stored in Hetzner Object Storage in the EU (Falkenstein region), which is S3-compatible. Hetzner acts as a data processor under its standard Data Processing Agreement. Hosted Service customer instances run on additional Hetzner Cloud servers and volumes in the EU, also covered by the same DPA.

Sub-processors

We use a small number of sub-processors. Each one is named below with the scope of data they receive and the legal safeguard for any transfer outside the EEA. Data Processing Agreements (or equivalent terms) are in place with each, and copies are available on request to privacy@arkestrator.com.

For each sub-processor we list its purpose, location, and transfer safeguard.

Sub-processor: Hetzner Online GmbH
Purpose: Server hosting, object storage, and Hosted Service infrastructure.
Location: Germany (EU)
Transfer safeguard: EU; no transfer needed.

Sub-processor: Stripe Payments Europe, Ltd. (with Stripe, Inc. as further processor)
Purpose: Payment processing for Pro and Hosted subscriptions, VAT calculation via Stripe Tax, EU VAT OSS filing, and invoicing. Stripe is the controller of cardholder data and a processor for the customer email and subscription metadata we share.
Location: Ireland and the United States
Transfer safeguard: EU Standard Contractual Clauses and Stripe's certification under the EU–US Data Privacy Framework.

Sub-processor: Resend, Inc.
Purpose: Sending transactional email (magic-link sign-in, account email, billing receipts, Hosted Service status notifications) and any opt-in announcement email. Resend receives the recipient address and message body.
Location: United States
Transfer safeguard: EU Standard Contractual Clauses with Resend's published DPA.

Sub-processor: Cloudflare, Inc.
Purpose: TLS termination and proxying for the Pro Tunnel data path; DNS for tunnel hostnames. See the Pro Tunnel paragraph below.
Location: United States (with EU edge nodes)
Transfer safeguard: EU Standard Contractual Clauses and Cloudflare's certification under the EU–US Data Privacy Framework.

Sub-processor: Apple Inc. (App Store Server API)
Purpose: Validating StoreKit receipts when you buy or restore Arkestrator Pro through the iOS app's In-App Purchase flow. We send only the JWS receipt; we do not send any other personal data.
Location: United States
Transfer safeguard: EU Standard Contractual Clauses and Apple's certification under the EU–US Data Privacy Framework.

Sub-processor: GitHub, Inc., Google Ireland Ltd., and Apple Inc. (OAuth / Sign in with Apple)
Purpose: Identity-provider role when you choose one of those sign-in methods. They are independent controllers for the data they hold; we receive only the limited claims listed in the data table above.
Location: United States and Ireland
Transfer safeguard: Their own SCCs / Data Privacy Framework certifications apply on the provider side.

When you enable a Pro tunnel, traffic between your browser and your Arkestrator server passes through Cloudflare, which proxies the connection and handles TLS termination. Cloudflare therefore handles request/response data in transit through the tunnel under its Data Processing Addendum and does not inspect content beyond what is necessary to route, cache, and protect the service. If you prefer that no third party be in the data path, use the Pro License (no tunnel) or self-host without the tunnel feature enabled.

To keep the arkestrator.io tunnel namespace free of abuse, we periodically send a small request to a dedicated endpoint on your tunnel (/.well-known/arkestrator-attest) that returns a signed acknowledgement. The probe only verifies that an Arkestrator server is answering — it does not read your pages, uploads, or any other content. A tunnel that repeatedly serves something other than Arkestrator is torn down automatically.

International transfers

The primary database, the Hosted Service, and forum object storage are entirely within the EU. Some sub-processors listed above (Stripe, Resend, Cloudflare, Apple, GitHub, Google) are based in the United States or process data there. For each transfer outside the EEA we rely on the European Commission's Standard Contractual Clauses (2021/914), supplemented where applicable by the recipient's certification under the EU–US Data Privacy Framework. A copy of the relevant transfer mechanism for any specific sub-processor is available on request.

Marketing communications

By default we only send you transactional email — magic-link sign-in codes, billing receipts, password-reset codes, Pro / Hosted lifecycle messages, and security notices. Transactional email cannot be opted out of while your account is active because it is necessary for the service.

Separately, we may occasionally send announcement email — for example major Arkestrator releases, beta-to-paid pricing notices, or significant changes to this policy. Announcement email is sent on a soft opt-in basis under Article 11.7(3) of the Dutch Telecommunications Act (the local implementation of the ePrivacy Directive): we send it only to people who already have an account or paid subscription, only about our own similar products, and every message contains a clear unsubscribe link. You can opt out at any time by clicking unsubscribe in any message or by emailing privacy@arkestrator.com; once you opt out we record an opt-out marker on your account so we do not send you announcement email again. We do not sell your email address, run advertising, or share it with third-party marketers.

iOS App

The Arkestrator iOS app is a thin client for an Arkestrator server you run yourself — either a self-hosted instance or one running on our Hosted Service. It is intentionally minimal in what it touches on your device and what it sends back to us.

Authentication

What leaves your device, and where it goes

Device permissions and SDKs

What is stored on your device

In-App Purchases

The iOS app sells the following products through Apple In-App Purchase:

Auto-renewal. Subscriptions purchased through Apple IAP renew automatically at the end of each period unless auto-renew is turned off at least 24 hours before the period ends. Payment is charged to your Apple ID at confirmation of purchase and at each renewal. You can manage your subscription, see the next renewal date, or cancel at any time in your Apple ID account settings (Settings → [Your Name] → Subscriptions on the device, or App Store → Account → Subscriptions).

Restoration. The app supports "Restore Purchases" so you can reinstate your IAPs after reinstalling or signing into a new device with the same Apple ID.

External purchases. The Subscribe screen also exposes a link to purchase or upgrade Arkestrator Pro directly on arkestrator.com — for example, multi-seat plans or bandwidth top-ups that are not offered as IAPs. Web purchases are handled by Stripe, not Apple, and the Apple auto-renewal terms above do not apply to them.

App Store privacy summary

The corresponding App Store Connect privacy disclosure for the iOS app is:

How long we keep your data

Your rights

Under the GDPR you have the following rights. You can exercise any of them by emailing privacy@arkestrator.com; the website also exposes self-service endpoints for the most common ones. We respond within one month (Art. 12(3)).

We do not carry out solely automated decision-making with legal or similarly significant effects on you within the meaning of Art. 22 GDPR.

Security

OAuth credentials are never seen by us; passwords used in the iOS app are hashed with Argon2id on your own Arkestrator server and never sent to arkestrator.com. Session tokens are stored as random opaque values, transmitted only over HTTPS, and set as HttpOnly + Secure cookies. We will notify affected users and the Dutch Data Protection Authority of any personal-data breach that is likely to result in a risk to your rights and freedoms, in line with Articles 33 and 34 GDPR.

Beta feature notice

The agent community skill search and install feature is currently in free beta. Usage counters are recorded to inform pricing when it becomes a paid feature later. Beta users will receive advance notice and preferential pricing when billing launches.

Changes to this policy

We will update this page when the data we collect changes, and bump the "Last updated" date at the top. For changes that materially expand the data we collect or the purposes for which we use it, we will give advance notice via the GitHub releases page and, where we have your verified email, an announcement email so you can object before the change takes effect.