ArcSolve AI Desktop Privacy Policy
Effective Date: June 17, 2026
ArcSolve (“Company”) establishes and discloses this Privacy Policy in order to protect users’ personal information in accordance with the Personal Information Protection Act and to ensure that related complaints can be handled promptly and smoothly.
This Policy applies specifically to ArcSolve AI (“the App”), a downloadable desktop application that operates as a local AI control plane for provider accounts, an AI gateway, memory, agents, MCP, skills, and Codex chat. The App is local-first: most data is stored on your own device, and AI features run through credentials you provide. This Policy supplements the general ArcSolve Privacy Policy; where this Policy and the general Policy differ, this Policy governs the App.
The App is currently offered worldwide except in the European Union and the European Economic Area (EU/EEA). The Company does not currently market, sell, or support paid access to the App for customers located in the EU/EEA. If a customer located in the EU/EEA contacts the Company or inadvertently completes a purchase, the Company may process the minimum account, support, and billing information necessary to respond, verify the request, and process a refund.
Plain-English Privacy Posture
ArcSolve is not in the business of reading, mining, selling, or training on your local work. The App is designed so that your documents, prompts, provider credentials, memory, analysis database, embeddings, and gateway logs stay on your device unless you choose to send content to a third-party AI provider with your own credentials or enable a feature that necessarily contacts ArcSolve servers, such as account sign-in, entitlement checks, updates, or the optional remote relay. The Company does not collect first-party analytics, telemetry, or crash reports from the App.
1. Categories of Personal Information Collected
A. Account Information
When you sign in to the App with your ArcSolve account (OAuth 2.0 with PKCE), the following information is obtained from the ArcSolve authentication server.
| Category | Items Collected |
|---|---|
| Required | Email address, account identifier (OAuth/sub), email-verification status |
| Optional | Display name, profile image |
Authentication tokens (access token, refresh token, ID token) issued for the signed-in session are stored locally on your device in the operating-system keychain or an encrypted local vault (see Section 9).
B. Subscription and Entitlement Information
The App verifies your paid entitlement by calling the ArcSolve backend. Desktop AI payment itself is processed server-side by Polar, the Company’s Merchant of Record and payment processor for the App; the App does not handle card data. The App stores locally only a sanitized entitlement snapshot (entitlement flag, plan, status, period-end date, cancellation flag) to enable offline access checks.
C. Local Content and Derived Data
Project/workspace files, prompts, local memory entries, usage logs, and other materials you open, enter, or process through the App, and derived data generated from them (such as text chunks, summaries, and embedding vectors computed on your device), are stored locally on your device. This content is not uploaded to the Company’s servers.
D. Local AI CLI Usage Data
To provide the usage and analysis dashboard, the App reads session logs that locally-installed AI command-line tools (such as Claude Code and Codex) write on your device. The App stores the parsed result in a local database on your device, which may include message text in plaintext as well as token counts, model identifiers, timestamps, session identifiers, and workspace labels. This data is kept on your device and is not transmitted to the Company.
E. Provider Credentials
To use AI features, you may provide credentials for third-party AI providers (for example, API keys for OpenAI, Anthropic, Google, or OpenRouter), or the App may read credentials that other tools you have installed already hold on your device. These credentials are stored locally in the operating-system keychain or an encrypted local vault and are used only to authenticate outbound calls you initiate to the corresponding provider and to read your own usage/quota from that provider.
F. Automatically Collected Technical Information
| Items Collected | Purpose of Collection |
|---|---|
| Operating-system family and CPU architecture | Delivering the correct application update binary |
| Device-local key material and host identifiers | The optional remote-control pairing feature (Section 13) |
The App does not collect sensitive information (such as ideology, beliefs, health, or genetic information) or unique identifying information (such as resident registration numbers). The App does not collect first-party analytics or telemetry (see Section 10).
2. Purposes of Collection and Use of Personal Information
| Purpose Category | Detailed Purpose | Legal Basis |
|---|---|---|
| Service provision | Sign-in and authentication, gating of paid features, operation of the local AI gateway and AI features | Conclusion and performance of a contract (PIPA Article 15(1)4) |
| Billing verification | Confirming paid entitlement and managing subscription state | Conclusion and performance of a contract; statutory obligations |
| Local productivity features | On-device indexing, memory, retrieval, and the usage/analysis dashboard | Conclusion and performance of a contract |
| Security and integrity | Secure local storage of credentials, secure remote pairing, signature verification of updates | Legitimate interest (PIPA Article 15(1)6) |
3. Retention, Use Period, and Storage Location
The App is local-first. Most personal information is stored on your own device for as long as you keep it there, and you control its deletion.
| Data Type | Retention / Location |
|---|---|
| Account tokens | Stored locally until you sign out or revoke them; deleted on sign-out |
| Entitlement snapshot | Stored locally; refreshed on access checks and removed on sign-out |
| Local content, derived data, embeddings | Stored on your device until you delete it |
| Local AI CLI usage data (analysis database) | Stored on your device; subject to the App’s local retention/pruning settings |
| Provider credentials | Stored locally until you remove them or sign out |
| Server-side records (account, billing) | Retained by the ArcSolve backend per the general Privacy Policy and applicable statutory periods (e.g., E-Commerce Act) |
You can delete local data at any time by removing the App’s local data directory or by uninstalling the App; signing out removes locally stored credentials and tokens.
4. Procedures and Methods of Destruction
- Local data: Removed when you delete it within the App, remove the App’s local data directory, or uninstall the App. Sign-out removes locally stored authentication tokens and is designed to securely clear stored credentials.
- Server-side data: Account and billing records held by the ArcSolve backend are destroyed in accordance with the general Privacy Policy once the retention purpose is fulfilled or the statutory period expires.
5. Provision of Personal Information to Third Parties
The Company does not provide your personal information to third parties without consent. Exceptions are as follows:
- Where you have given prior consent
- Where disclosure is required by law or requested in accordance with procedures prescribed by law for investigative purposes
Note that when you direct the App to send content to an external AI provider using your own credentials, that transmission is initiated by you under your agreement with that provider (see Sections 7 and 8).
6. Entrustment of Personal Information Processing
For the account, entitlement, update, and remote-relay functions that the App uses, the Company entrusts the following processing tasks. (These relate to the Company’s backend; the App’s local AI features do not route content through these processors.)
| Entrusted Party | Entrusted Task | Retention Period |
|---|---|---|
| Polar | Desktop AI payment processing, Merchant of Record, subscription management, and settlement (server-side) | Until the end of the entrustment contract |
| Google LLC (Google Cloud Platform) | Backend hosting | Until the end of the entrustment contract |
| Supabase, Inc. | Member authentication processing | Until the end of the entrustment contract |
Any changes to the list of entrusted parties will be announced through this Policy.
7. Cross-Border Transfer of Personal Information
The App’s AI features use your own provider credentials. When you use the local AI gateway or an AI feature, the App transmits your prompts and the content you attach directly from your device to the third-party AI provider you have configured, authenticated with your own account or API credentials for that provider. The Company does not relay this content through its own servers and does not configure the provider’s data-handling settings for these calls. The retention, use, and any model-training of content transmitted in this way are governed by the agreement between you and each provider. You should review each provider’s own privacy policy and terms.
A. Transfers to AI Providers (initiated with your own credentials)
These transfers occur only when you configure a provider and use the corresponding feature. Data is transmitted via API call over TLS-encrypted connections.
How to refuse: If you do not wish content to be transferred to a particular provider, do not configure that provider’s credentials and do not use the feature that calls it. No data is transferred to a provider you have not configured.
| Recipient (Country) | Items Transferred | Contact | Purpose | Retention (Basis: PIPA Art. 28-8) |
|---|---|---|---|---|
| OpenAI, Inc. (United States) | Your prompts, instructions, and attached content | [email protected] | Generating AI responses (chat/Codex/OpenAI models) | Governed by your agreement with the provider |
| Anthropic, PBC (United States) | Your prompts, instructions, and attached content | [email protected] | Generating AI responses (Claude models) | Governed by your agreement with the provider |
| Google LLC (United States) | Your prompts, instructions, and attached content | [email protected] | Generating AI responses (Gemini models) | Governed by your agreement with the provider |
| OpenRouter, Inc. (United States) | Your prompts, instructions, and attached content | [email protected] | Routing requests to the AI model you select | Governed by your agreement with the provider and the routed model’s provider |
| Any other AI provider you configure | Your prompts, instructions, and attached content | Per the provider | Generating AI responses for the model you select | Governed by your agreement with the provider |
When the App reads your usage or quota from a provider for monitoring purposes, only account/usage metadata is requested; your prompt content is not sent for those monitoring calls.
B. User-Configured Tool (MCP) Servers
If you add a Model Context Protocol (MCP) server endpoint, the App may connect to the network address you specify and exchange the data necessary to use that tool. You choose and control these endpoints and are responsible for reviewing their data practices.
C. Functional Component Downloads (no user content)
To prepare its runtime, the App may download software components and a local embedding model from sources such as the Python Package Index, the npm registry, Hugging Face, and Astral’s distribution hosts. No user content or personal information is sent in these downloads. After the embedding model is downloaded once, embeddings are computed on your device; document content is not sent to any embedding service.
D. ArcSolve Backend (account, entitlement, updates, remote relay)
Authentication, entitlement checks, the optional remote relay, and application updates communicate with ArcSolve servers (arcsolve.ai, remote.arcsolve.ai, download.arcsolve.ai). See Sections 1, 6, 13, and 14.
8. Data Processing in AI Services
- Your credentials, your providers: AI features operate by sending your requests to the providers you configure, using your own credentials. ArcSolve is not the recipient of this content.
- No training by the Company: The Company does not use your content or derived data to train AI models. Whether a third-party provider uses your content is governed by your agreement with that provider.
- Your responsibility: You are responsible for complying with the terms of each provider you use, and for ensuring you have the right to submit any content (including third parties’ personal information) to those providers.
- AI output disclaimer: Outputs generated by AI features may be inaccurate or incomplete and must not be relied upon as a substitute for professional judgment.
9. Local Storage and Security
- Credentials and tokens are stored using the operating-system keychain or, where that is unavailable, an encrypted local vault, with restrictive file permissions. The Company designs the App to avoid exposing secrets in plaintext to the renderer surface.
- Local content and embeddings are stored in local databases on your device.
- Plaintext local usage data: The local AI CLI usage/analysis database may store message text in plaintext on your device (Section 1.D). Because this data resides on your device, its protection depends in part on your own device security (for example, disk encryption and account access controls). This data is not transmitted to the Company.
- In transit: Network communication uses TLS encryption. The optional remote-control feature is end-to-end encrypted (Section 13).
10. No Analytics or Telemetry
The App does not collect first-party analytics, telemetry, or crash-reporting data, and does not include any analytics SDK. On-device usage logs (such as the gateway activity log) remain on your device and are not transmitted to the Company.
11. Measures to Ensure the Security of Personal Information
- Administrative measures: Internal management plan, minimization of access rights, privacy training.
- Technical measures: OAuth 2.0 PKCE authentication, operating-system keychain / encrypted local vault for secrets, restrictive local file permissions, TLS-encrypted transport, end-to-end encryption for the remote-control relay, and signature (minisign) verification of application updates.
12. Users’ Rights and How to Exercise Them
- You may access, correct, delete, or suspend the processing of your personal information at any time.
- Within the App you can directly:
- Sign out (removing locally stored credentials and tokens)
- Delete local content, embeddings, and local usage data
- Remove stored provider credentials
- Manage your subscription through the customer portal
- For account and billing data held by the ArcSolve backend, you may exercise your rights as described in the general Privacy Policy or by contacting the Data Protection Officer.
13. Remote Control Feature
The App offers an optional feature that lets you control your desktop from another paired device. When enabled, payloads between paired devices are end-to-end encrypted (X25519 key exchange with XChaCha20-Poly1305) and relayed through the ArcSolve relay (remote.arcsolve.ai), which acts as a blind transport and cannot read the payload contents. Device key material for pairing is stored locally. This feature is off unless you enable it.
14. Automatic Updates
When the App checks for updates from download.arcsolve.ai, the request includes your operating-system family and CPU architecture so the correct binary can be served; it does not include personal identifiers. Update packages are verified by digital signature before installation.
15. Personal Information of Children Under 14
The Company does not allow children under the age of 14 to register for the Service and does not knowingly collect their personal information. If the Company discovers that a registered member is under the age of 14, it will immediately restrict the account and delete the personal information without delay, except for information that must be retained under applicable laws.
16. Data Protection Officer and Remedies
Data Protection Officer
- Name: Kyungmin Cho
- Title: Chief Executive Officer
- Email: [email protected]
Remedy Institutions
If you require consultation regarding a personal information infringement, you may contact the following institutions.
- Personal Information Dispute Mediation Committee: www.kopico.go.kr / +82-1833-6972
- Personal Information Infringement Report Center: privacy.kisa.or.kr / 118
- Cyber Investigation Division, Supreme Prosecutors’ Office: www.spo.go.kr / 1301
- Cyber Bureau, Korean National Police Agency: ecrm.police.go.kr / 182
17. Changes to This Privacy Policy
This Privacy Policy takes effect on the effective date, and any changes will be announced through the Service or the App at least 7 days before the effective date of the changes.
For questions about this Policy, please contact [email protected].