1. Who We Are
Arky is the backend and Admin for custom frontends. Customers use Arky to run store-scoped business systems behind websites, including content, media, forms, commerce, bookings, customer contacts, support, outreach, workflows, analytics, and connected services.
In this policy, "Arky", "we", "us", and "our" mean the Arky service. "Customer" means the business, agency, developer, or operator that uses Arky. "Store" means a tenant workspace in Arky. "End user" means a visitor, shopper, lead, subscriber, or other person whose information may be processed through a customer's website or store.
For privacy questions or data requests, contact us at [email protected] or through our contact page.
2. Our Role
For Arky account, billing, website, and platform operations data, Arky generally acts as the business deciding how that data is used. For data that a customer collects from its own website visitors, shoppers, subscribers, leads, or clients, Arky generally acts as a service provider or processor for that customer. The customer is responsible for its own privacy notices, lawful basis, consent, permissions, and instructions to Arky.
3. Information We Collect
Depending on how Arky is used, we may collect and process:
- Account and Admin information, such as name, email address, authentication data, team membership, roles, permissions, and support communications.
- Store information, such as store name, settings, locale, market, billing email, support email, access settings, webhooks, and usage records.
- Customer content, such as CMS entries, media, product data, booking data, form definitions, email templates, workflow definitions, support conversations, and operational records.
- End-user data processed for a customer's store, such as form submissions, contact records, email addresses, order and booking information, cart/session data, support messages, action events, contact-list memberships, and campaign or notification records.
- Connected account information, such as provider type, account or page ID, account name, handle, avatar URL, scopes, connection status, capabilities, OAuth tokens, refresh tokens, token expiry, and reconnect status.
- Social publishing information, such as the connected destination, post text, captions, titles, descriptions, media IDs, video references, link URLs, privacy settings, scheduled time, publication status, provider post IDs, provider URLs, attempts, and error messages.
- Payment and subscription information, such as plan, subscription status, billing contacts, invoices, checkout or portal metadata, and payment processor identifiers. Full payment card data is handled by our payment processors, not stored directly by Arky.
- Technical and usage information, such as IP address, device and browser data, logs, error reports, security events, API requests, timestamps, pages visited, and feature usage.
4. How We Collect Information
We collect information from:
- You, when you create an account, contact us, configure a store, upload content, use Admin, or call the API.
- Customer websites and custom frontends that use Arky APIs or SDK helpers.
- Authorized connected services when an operator connects a provider or directs Arky to perform an action.
- Service providers that help us operate hosting, storage, analytics, support, billing, email, security, and infrastructure.
5. How We Use Information
We use information to:
- Provide, secure, maintain, debug, and improve Arky.
- Authenticate users, authorize store access, enforce permissions, and prevent misuse.
- Operate store modules, including CMS, media, forms, commerce, bookings, contacts, action, experiments, support, outreach, notifications, workflows, analytics, and Admin.
- Run connected services that customers authorize, including payment, shipping, email, webhooks, deployment hooks, and social publishing.
- Schedule, validate, publish, cancel, retry, and report status for social publications on connected destinations.
- Process subscriptions, invoices, billing, and plan usage.
- Respond to support, privacy, legal, security, and operational requests.
- Comply with law, enforce our terms, protect rights and safety, and detect fraud, abuse, spam, and security incidents.
6. Social Media And OAuth Accounts
When an authorized store operator connects a social account or destination, Arky uses the permissions granted through that provider's OAuth flow to perform the actions requested by the operator. For social publishing, this may include reading basic account or destination information, storing OAuth credentials securely, validating post requirements, resolving selected media, uploading or publishing content, and storing provider response data such as post IDs, URLs, status, and error details.
Arky does not expose OAuth access tokens or refresh tokens to browser code, Admin responses, SDK consumers, workflow source text, or customer frontends. Provider credentials are used server-side to perform authorized actions.
Arky only publishes to a connected destination when an authorized operator creates, schedules, or triggers a publication. Publishing may be immediate or scheduled. A scheduled publication is not a guarantee that the third-party provider will accept or display the content.
Third-party platforms have their own terms, policies, privacy practices, review processes, data deletion processes, and account controls. Arky is not responsible for what a third-party platform does with content or information after it is sent to that platform at the operator's direction.
7. Google And YouTube API Data
If a store connects a YouTube channel or another Google-powered account, Arky's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements where applicable. You can also manage or revoke Google account permissions through Google security settings.
8. How We Share Information
We may share information with:
- Service providers that host, store, process, secure, analyze, support, bill, or deliver Arky.
- Third-party services when an authorized operator connects that provider or directs Arky to send information or perform an action.
- Customer-authorized users, team members, Admin users, API clients, workflows, webhooks, and custom frontends within the relevant store permissions.
- Legal, regulatory, safety, or security recipients when required by law or needed to protect rights, safety, service integrity, or enforceable agreements.
- Successors in connection with a merger, financing, acquisition, reorganization, or sale of assets, subject to appropriate confidentiality or privacy protections.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising as those terms are used under California privacy law. If this changes, we will update this policy and provide required choices before using previously collected personal information for a materially different purpose.
9. Customer Responsibilities
Customers decide what they collect through their websites, stores, forms, carts, checkouts, bookings, campaigns, support flows, workflows, and connected services. Customers are responsible for giving their end users legally required notices, obtaining required consents, honoring end-user rights, and using Arky only in ways that comply with applicable law and third-party platform terms.
10. Retention
We keep information for as long as reasonably needed to provide Arky, maintain security, support store operations, comply with legal obligations, resolve disputes, enforce agreements, and preserve audit trails. Store records are generally kept while the store remains active unless deleted by an authorized operator or under an approved data request. OAuth tokens are retained while the connected account is active and are deleted or made unusable when the account is disconnected or deleted, except where backup, security, legal, or audit requirements require limited retention.
Content already published to a third-party platform may remain available on that platform after it is deleted from Arky. To remove published content from a third party platform, use that platform's tools or delete the content directly there.
11. Deletion And Revocation
Authorized store operators can disconnect or delete connected accounts and services in Arky App. Where provider APIs support token revocation, Arky may also revoke or invalidate credentials programmatically. You may also revoke permissions directly with the third-party provider, such as through Google security settings, Meta app settings, or the relevant platform account settings.
To request deletion of personal information collected through an Arky connected account, email [email protected] with enough information to identify the store, connected account, and request. We may need to verify your identity and authority before acting. If the data belongs to a customer's store, we may refer the request to that customer or act on the customer's instruction.
12. Your Privacy Rights
Depending on where you live and how Arky is used, you may have rights to access, know, correct, delete, export, restrict, object to, or withdraw consent for certain processing of your personal information. California residents may also have rights to opt out of sale or sharing, limit certain uses of sensitive personal information, and not be discriminated against for exercising privacy rights.
To exercise rights, contact [email protected]. We may ask for information needed to verify your identity, authority, and the relevant store. If your request concerns a customer's end-user data, the customer may be responsible for responding and we may support them as their processor.
13. Security
We use administrative, technical, and organizational safeguards designed to protect information from unauthorized access, loss, misuse, and alteration. These include access controls, server-side credential handling, secret blanking in public DTOs, and encryption or protected storage paths for credential-bearing provider accounts. No service can guarantee perfect security.
14. International Transfers
Arky and its service providers may process information in countries other than where you live. Where required, we use appropriate safeguards for international transfers, such as contractual commitments, service provider terms, or other lawful transfer mechanisms.
15. Cookies And Similar Technologies
We may use cookies, local storage, pixels, logs, and similar technologies for authentication, preferences, security, analytics, performance, and product operation. Customers using Arky on their own websites are responsible for their own cookie notices and consent tools where required.
16. Children
Arky is not directed to children under 13, and customers may not use Arky to run a child-directed service unless they have a separate written agreement with Arky and comply with all applicable child privacy laws and third-party platform rules.
17. Changes To This Policy
We may update this policy from time to time. If we make material changes, we will update the date above and provide additional notice when required. We will not use previously collected personal information for a materially different purpose without required notice or consent.