Privacy Policy

1. End-to-End Encryption (Arc Protocol)

All messages, voice notes, photos, videos, files, reactions, and call signaling sent through Arc are protected by Arc Protocol, our end-to-end encryption (E2EE) system built on libsignal v0.94.1 — the same cryptographic library used by Signal and WhatsApp, integrated via Rust FFI.

• PQXDH key exchange: Hybrid post-quantum handshake combining X25519 (classical elliptic curve) and ML-KEM-1024 (NIST FIPS-203 post-quantum KEM), protecting against future quantum-computer “harvest now, decrypt later” attacks.
• Double Ratchet: Each individual message derives a unique encryption key. If any one key is compromised, past and future messages remain secure (forward and post-compromise secrecy).
• Sender Keys for group chats: Group messages use Signal's Sender Key protocol with per-group ratchet state, scaling to 1,000-member groups while preserving E2EE properties.
• XEdDSA signatures: All identity and prekey signatures use XEdDSA via libsignal — we do not roll our own primitives.
• Sealed Sender: Even our server cannot see who is sending messages to whom for most communications.

Cryptographic keys are generated and stored exclusively on your device using platform-native secure storage (iOS Keychain, Android Keystore, macOS Keychain). Private keys never leave your device, are never escrowed, and are never transmitted to our servers.

2. Information We Collect

We collect the minimum information necessary to operate Arc:

• Account identifier: Your chosen Arc ID (e.g. arc_XXXX) and an opaque Firebase Authentication user ID. We do not require a phone number, real name, or government identifier.
• Encrypted public keys: Your X25519 identity key, signed prekey, KyberPreKey (ML-KEM-1024) public key, and one-time prekey bundles. These enable other users to start E2EE sessions with you. Public keys only — we never see private keys.
• Push notification token: A platform-issued opaque device token (FCM / APNs) used to deliver encrypted notifications. The notification payload is also E2EE.
• Routing metadata: Encrypted message envelopes contain only the recipient identifier and timestamp — necessary for delivery, deleted after successful delivery and acknowledgment.
• Optional profile data: If you choose to set a display name, avatar, status, or language preference, these are stored E2EE on your device and replicated to your other linked devices.
• Diagnostic data (opt-in): Anonymous crash reports and aggregate usage counts (e.g. number of reactions sent, never which reactions or to whom). You can disable this in Settings → Privacy.

3. Information We Do NOT Collect

By architecture rather than by promise, Arc cannot collect:

• Your message content (text, photos, voice, video, files, calls) — all E2EE.
• Your reactions, read receipts, typing indicators when E2EE is active — these travel as encrypted payloads.
• Your contact list — Arc does not request or upload your phone contacts.
• Your location — unless you explicitly enable the Mesh Network feature (see section 7).
• Your phone number — Arc does not use phone number authentication.
• Browsing history outside of Arc, advertising identifiers, or cross-device tracking signals.

4. Information We Will Never Share or Sell

Atlas Associates Inc. does not, and will not:

• Sell, rent, lease, or trade any user data to advertisers, data brokers, marketing networks, or analytics partners.
• Provide message content to any third party. We do not possess the keys required to decrypt it.
• Use your data to train AI models, recommend ads, or build behavioral profiles.
• Run advertising of any kind that targets you based on the content of your communications.

Third-party infrastructure providers (Google Cloud, Firebase, Cloud Run) process encrypted payloads on our behalf solely to deliver the Service, under data-processing agreements that prohibit them from inspecting or using the data. They never receive plaintext message content.

5. Government and Law Enforcement Requests

We respond to lawful, properly-served legal process from competent authorities. However:

• We cannot produce message content. We do not possess it; we do not have the cryptographic keys; we cannot decrypt it. Even a lawful order cannot compel us to produce data we do not have.
• We can produce only the limited metadata listed in section 2 (account identifier, public keys, push token, last connection timestamp).
• We do not provide bulk data access, real-time message monitoring, or content surveillance to any government, intelligence agency, or law enforcement body. There is no back door. There will be no back door.
• We will publish an annual Transparency Report disclosing the number of lawful requests received and our response. To date: zero requests received.

6. Message Storage and Retention

Arc implements ephemeral-by-default storage through IGF (Intelligent Governance Framework). Each message carries a sender-configured expiry time; once that time passes, the message is purged from both devices and servers. Server-side sweep cadence depends on the sender's plan:

• Essential: daily batch at 00:00 JST. Expired messages are removed within 24 hours of expiry.
• Premium: every six hours (00:00 / 06:00 / 12:00 / 18:00 JST). Expired messages are removed within 6 hours of expiry.
• Intelligence: every five minutes via Cloud Tasks. Expired messages are removed within 5 minutes of expiry.

Once a message is delivered and acknowledged, the encrypted envelope is removed from delivery queue storage; only undelivered envelopes persist (and are removed upon delivery).

Mutual Burn (Vanish-on-Read): In 1:1 chats, when both parties tap the mail icon to confirm read, a burn animation overlays the message and the plaintext is purged from devices; the encrypted server-side copy follows the plan-tiered sweep above. Mutual Burn is available on all plans. Group chat support is planned for a future release.

Account deletion via Settings → Account → Delete Account removes all server-side records associated with your account without delay.

7. Mesh Network and Location

The Arc Mesh Network is an optional Bluetooth Low Energy (BLE) relay feature that allows offline message delivery between nearby devices. When and only when you enable Mesh, Arc uses BLE proximity data on-device to discover relays. We do not collect GPS coordinates. Mesh-relayed messages remain end-to-end encrypted; intermediate relay devices cannot read them.

8. Children

Arc is not directed to children under 13 (under 16 in the European Economic Area). We do not knowingly collect information from children below those ages. If you believe a child has provided us information, contact us and we will delete the account.

9. Your Choices and Rights

Depending on applicable law, you may have rights to access, correct, delete, or export your account data. You can exercise these rights directly within the app or by contacting us:

• Access / export: In-app Settings → Account → Export Data.
• Correct / update: Edit your profile directly in Settings.
• Delete your account: In-app Settings → Account → Delete Account. This action is immediate and irreversible.
• Disable diagnostic data: Settings → Privacy → Anonymous Diagnostics.

For inquiries or to exercise rights that cannot be exercised in-app, email support@atlasassociates.io.

10. Service Providers

We rely on a small set of infrastructure providers (Google Cloud, Firebase, Cloud Run on europe-west1, Bridgefy for mesh) under data-processing agreements that prohibit them from accessing user content. A current list of sub-processors is available upon request to support@atlasassociates.io.

11. International Transfers

Arc's primary user base is in EMEA (Europe, Middle East, Africa). To serve users in those regions with low latency, our prekey API and Phoenix server are hosted in Google Cloud europe-west1 (Belgium). Encrypted message routing is handled by Firebase Cloud Messaging globally. Where data transfers are subject to applicable law (e.g. the EU/UK GDPR), we rely on standard contractual clauses with our sub-processors.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via the app and via this page. The Effective date at the top of this document indicates when the current version took effect. We do not delete prior versions — historical versions are available upon request.

13. Governing Language

The authoritative language of this Privacy Policy is English. Any translation is provided for convenience; in the event of conflict between the English version and a translation, the English text governs.

14. Contact

For questions or concerns regarding this Privacy Policy, contact support@atlasassociates.io.

For technical detail on Arc's cryptographic design, see our Security Whitepaper.