Arkhelion

Privacy & your data

Effective 2026-06-07 · arkhelion.ai

The short version. If you join the early-access list, the only thing I collect is what you type in: your email address. I use it to send you updates about Arkhelion — nothing else.

I don't run analytics, I don't set tracking cookies, I don't build a profile on you, and I never sell or rent your information. You can leave the list, or ask me to delete everything, at any time: [email protected].

What this covers

This policy is about the arkhelion.ai website and the early-access email list — the form where you reserve a spot, and the emails I send you afterward.

The Arkhelion desktop app is a separate thing. The app stores your data in a local vault on your own Mac, encrypted with a key only your Keychain holds. That data does not pass through my servers — your data stays yours, private by design. The app has its own in-app terms; this page does not cover it.

What I collect, and why

When you submit the signup form, the form sends a small request to my own server (a Cloudflare Worker at api.arkhelion.ai). It records:

  • Your email address — so I can email you a confirmation link and, once you confirm, the early-access updates you signed up for. Stored as you typed it, plus a one-way hash of it used to look you up without scanning the plaintext.
  • A status — pending, confirmed, or unsubscribed — so I know whether to email you.
  • A source tag — which signup page you came from (defaults to arkhelion.ai) — so I can tell where signups originate.
  • A truncated IP address — the last part is zeroed out before it's stored (e.g. 203.0.113.0). It's kept only to slow down abuse and spam, and it can't identify your exact device.
  • A one-way hash of your browser's user-agent string — the raw user-agent is never stored, only an irreversible fingerprint, again for abuse prevention.
  • A country code — the two-letter country your request came through (e.g. US), from Cloudflare's edge. No finer location than that.
  • Timestamps — the lifecycle of your signup: when you consented and signed up, when the confirmation was sent, when you confirmed, when you unsubscribed, and when the record was last updated.
  • One-way token hashes — irreversible hashes of the confirmation and unsubscribe links emailed to you, stored so those links can be validated when you click them. The link values themselves are never stored.

That's the entire list. I don't ask for your name, and I don't collect anything the form doesn't show you.

What I don't do

  • No analytics or tracking. There's no Google Analytics, no pixels, no third-party trackers, and no advertising scripts on this site. The page loads only its own files and a Cloudflare anti-bot widget (below).
  • No selling or renting. I do not sell, rent, or trade your information, and I do not share it for cross-context behavioral advertising — not now, not ever.
  • No profiling. I don't combine your email with data from other sources to build a profile, and I don't make automated decisions about you.

Who can see it

Your information is held by me and by two service providers that operate strictly on my behalf, under their own data-protection terms. They are processors, not partners — they're contractually limited to handling your data only to provide these services, and don't get to use it for their own purposes.

  • Cloudflare — hosts the signup server and the database that stores the list, and runs the anti-bot challenge on the form. That challenge (Cloudflare Turnstile) inspects browser and network signals to tell humans from bots; it sets no tracking cookies, and I don't get access to its bot-detection logs.
  • Resend — delivers the confirmation, welcome, and update emails. To send you an email, Resend necessarily receives your email address.

I may also disclose information if the law genuinely requires it. I'll resist over-broad requests, and I'll tell you if I'm allowed to.

How long I keep it

I keep your information for as long as you're on the list. If you unsubscribe, I mark your record as unsubscribed and stop emailing you, and I keep a minimal suppression record — just your email and unsubscribed status — for as long as the list runs, so I don't accidentally add you back. There's no fixed calendar period; that record exists only to honor your opt-out. If you ask me to delete everything, I remove your record entirely, suppression record included — see your rights below.

Your rights

Wherever you live, you can email me and I'll honor these. If you're in California, the CCPA/CPRA gives you the right to:

  • Know and access what I've collected about you.
  • Delete it.
  • Correct it if it's wrong.
  • Opt out of sale or sharing — there's nothing to opt out of, because I don't sell or share your data, but the right stands.
  • Not be discriminated against for exercising any of these. I won't treat you differently for asking.

California's CPRA also adds a right to limit the use of sensitive personal information — but I don't collect any (no government IDs, financial details, precise location, health data, or the like), so there's nothing to limit here.

To use any of these, email [email protected] from the address you signed up with (or tell me which address), and say what you want. I'll respond within 45 days, as the law requires — usually much sooner, since it's just me. You can also unsubscribe instantly using the link at the bottom of any email I send.

Notice at Collection (California)

At the point you sign up, here's the required summary:

  • Categories collected: identifiers (your email address, a truncated IP, a hashed user-agent, a country code), a source tag, lifecycle timestamps, token hashes, and your email-opt-in consent record.
  • Purpose, by category: your email — to send the confirmation and the early-access updates you asked for; the truncated IP and hashed user-agent — to detect and block signup-form abuse; country, source, timestamps, and token hashes — operational record-keeping and validating your confirm/unsubscribe links. Nothing else.
  • Sold or shared? No — never sold, and never shared for cross-context behavioral advertising.
  • How long: until you unsubscribe or ask me to delete it (see above).

Cookies & tracking

This site sets no tracking cookies. The signup form uses Cloudflare Turnstile to tell humans from bots; it may set a short-lived, privacy-preserving token to run that check, and it does not track you across other sites.

Changes

If I change this policy, I'll update the effective date at the top, and for anything significant I'll say so in an email to the list. The current version always lives at arkhelion.ai/privacy.

Contact

Arkhelion is built by one person, Brock, in Southern California. Reach me directly at [email protected] — privacy questions, deletion requests, or anything else.

← Back to arkhelion.ai