Privacy Policy

Last updated: January 2026 | ArcticCodex Hosted Subscription Platform

1. Introduction

ArcticCodex is operated by Tristan Salisbury (operating as BearPack Online Services), Ontario, Canada ("Company", "we", "us"). We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your data.

2. What Data We Collect

2.1 Account Information

When you sign up via Google OAuth, we collect:

  • Name and email address (from Google)
  • Profile picture (if available)
  • Subscription tier and billing details
  • Account creation date and last login

2.2 Conversation Data

We store:

  • Your chat messages and AI responses
  • Model name and parameters used
  • Timestamps and token usage per message
  • IP address and user agent

2.3 Usage Metrics

We track:

  • Daily token consumption (for quota enforcement)
  • Model selections and request frequency
  • Feature usage (models accessed, file uploads, exports)
  • API errors and usage patterns

2.4 Billing & Payment

We collect:

  • Billing name and address (from Stripe)
  • Payment method (last 4 digits only; full details held by Stripe)
  • Transaction history and refund records
  • Stripe Customer ID

2.5 Support & Communications

When you contact support, we collect:

  • Support tickets and messages
  • Email correspondence
  • Feedback and feature requests

3. How We Use Your Data

We use data to:

  • Provide and maintain the Service
  • Process your subscription and handle billing
  • Enforce usage quotas and limits
  • Improve and optimize platform performance
  • Respond to support requests and legal inquiries
  • Prevent fraud, abuse, and security violations
  • Send transactional emails (receipts, billing alerts, service updates)

We do NOT:

  • Train models on your conversations (without explicit opt-in)
  • Sell or share your data with third parties for marketing
  • Use your data for behavioral profiling or advertising

4. Third-Party Data Sharing

4.1 Model Providers

When you send a message, your request is sent to the model provider you selected (OpenAI, Anthropic, Google, etc.). Each provider has its own data policies. You are responsible for reviewing their terms:

  • OpenAI (ChatGPT, GPT-4, o1): May use conversations for training unless you opt out. See openai.com/privacy
  • Anthropic (Claude): Does not train on conversations. See anthropic.com/privacy
  • Google (Gemini): May use conversations for training per Google's AI Principles. See privacy.google.com
  • DeepSeek: See DeepSeek's privacy policy for data handling
  • Mistral: See mistral.ai/privacy for data practices

4.2 Payment Processor

Billing is processed by Stripe, Inc. We share your name, email, and billing address with Stripe. Stripe handles payment data under their privacy policy: stripe.com/privacy

4.3 Infrastructure Providers

We use the following providers to host and operate the Service:

  • Vercel: Hosting and deployment (vercel.com/privacy)
  • Supabase (PostgreSQL): Database and auth (supabase.com/privacy)

These providers may process your data as outlined in their privacy policies and data processing addendums.

4.4 Legal Requirements

We may disclose data if required by law (subpoena, court order, government request) or to protect our legal rights.

5. Data Retention & Deletion

5.1 Retention Periods

  • Active Accounts: Conversations and usage data retained as long as your account is active
  • Inactive Accounts: Accounts inactive for 2 years may be deleted automatically
  • Account Deletion: All data deleted within 30 days of deletion request
  • Billing Records: Retained for 7 years (legal/tax requirement)
  • Audit Logs: Retained for 90 days for security purposes

5.2 Deletion Rights

You can:

  • Delete individual conversations from your chat history anytime
  • Request full account deletion via account settings
  • Request data export (PDF/JSON format) of all your conversations

Deletion is permanent and cannot be undone. We will delete your data within 30 days of your request.

6. Data Security

We implement industry-standard security measures:

  • HTTPS encryption for all data in transit
  • AES-256 encryption for sensitive data at rest
  • Row-level security (RLS) in the database with role-based access
  • Regular security audits and penetration testing
  • OAuth 2.0 for authentication (no passwords stored)

However, no security system is 100% secure. We cannot guarantee absolute security against all threats.

7. Cookies & Analytics

We use:

  • Session Cookies: To keep you logged in (necessary for functionality)
  • Analytics: Vercel Analytics (anonymized, no third-party tracking pixels)
  • No Third-Party Ads: We do not use Google Analytics, Facebook Pixel, or advertising trackers

8. Your Rights (GDPR/CCPA)

If you are in the EU (GDPR) or California (CCPA), you have the right to:

  • Access: Request a copy of all your personal data
  • Correction: Ask us to fix incorrect data
  • Deletion: Request complete account and data deletion ("Right to be Forgotten")
  • Portability: Export your data in a machine-readable format
  • Opt-Out: Withdraw consent for data processing anytime

To exercise these rights, email privacy@arcticcodex.com. We will respond within 30 days.

9. Children's Privacy

Our Service is not intended for users under 13 years old (or your local equivalent). We do not knowingly collect data from children. If we learn a child has created an account, we will delete it immediately.

10. Changes to This Privacy Policy

We may update this policy anytime. We will notify you via email of material changes. Continued use after changes means you accept the updated policy.

11. Contact Us

Questions about privacy? Contact us at:

  • Email: legal@bearpackonlineservices.com
  • General Inquiries: contact@bearpackonlineservices.com
  • Address: Tristan Salisbury (BearPack Online Services)
    2375 Tecumseh Rd W, Ste 1 #1255
    Windsor, ON N9B 1W2, Canada