Arcanada
EN RU
ARCANADA

Privacy Policy

Effective: 20 May 2026

Your data, protected — honestly and transparently

1. Introduction

This document sets out the privacy policy for arcanada.ai and associated domains of the Arcanada ecosystem (the "Site").

The data controller within the meaning of Art. 4(7) GDPR is:

  • Pavel Valentov, individual entrepreneur
  • Republic of Kazakhstan
  • Data protection contact: [email protected]

Please read this Policy carefully. By using the Site, you consent to the processing of your data as described below. If you do not agree, please discontinue use of the Site.

2. What data we process

Depending on your interaction with the Site, we may process the following categories of data:

  • "lang" — a cookie storing the selected interface language (functional, 1 year retention);
  • localStorage "theme" — dark/light theme preference (not transmitted to the server);
  • localStorage "cookie-consent" — your analytics cookie choice (not transmitted to the server);
  • IP address — recorded in server access logs; for long-term storage, hashed using SHA-256 with a rotating salt;
  • Google Analytics 4 — cookies _ga, _ga_G‑3P2XVZKV8J and similar are used only after your explicit consent;
  • Cloudflare — cookies __cf_bm, _cf_bm for bot management and traffic optimisation;
  • Comments and feedback (UGC pipeline) — when you use the future comment system and contact form, we process: Auth Arcana subject ID (UUID), comment/message text, surface and thread identifiers, hashed IP address, and an optional notification email.

3. Lawful basis for processing

We process your data on the following legal bases:

  • Consent (Art. 6(1)(a) GDPR) — for Google Analytics 4 cookies;
  • Legitimate interest (Art. 6(1)(f) GDPR) — for Site security and abuse prevention (Cloudflare Turnstile, fail2ban, anti-bot checks);
  • Contractual necessity (Art. 6(1)(b) GDPR) — when you submit comments or feedback via the UGC pipeline;
  • Legal obligation (Art. 6(1)(c) GDPR) — when required by applicable law or lawful request from authorities.

4. Third parties and cross-border transfers

To operate the Site, we engage the following data processors:

  • Google LLC (USA) — Google Analytics 4. Transfer based on Standard Contractual Clauses (SCCs);
  • Cloudflare Inc. (USA) — CDN, DDoS protection and bot management. Transfer based on SCCs;
  • Hetzner Online GmbH (Germany, EU) — server hosting. Data remains within the EU;
  • Auth Arcana — our own unified authentication infrastructure (internal processing);
  • Anthropic PBC (USA) — Claude API for UGC pre-moderation (no PII transmitted).

5. Retention periods

  • Server access logs — 90 days, then automatic deletion;
  • Google Analytics 4 — 14 months (default retention);
  • UGC comments and messages — until you request deletion, or 24 months of inactivity.

6. Your rights under GDPR

With respect to your personal data, you have the right to:

  • Access (Art. 15 GDPR) — request a copy of the data being processed;
  • Rectification (Art. 16 GDPR) — correct inaccurate or incomplete data;
  • Erasure (Art. 17 GDPR) — request deletion of your data ("right to be forgotten"). For UGC content, an endpoint DELETE /api/ugc/users/:id/content is provided;
  • Restriction of processing (Art. 18 GDPR);
  • Data portability (Art. 20 GDPR);
  • Objection (Art. 21 GDPR) — including objection to processing based on legitimate interest;
  • Withdraw consent (Art. 7(3) GDPR) — at any time, without affecting the lawfulness of processing before withdrawal;
  • Lodge a complaint with a supervisory authority.

7. Cookies and tracking systems

The Site uses functional and analytics cookies, as well as Cloudflare Turnstile technology for human verification when submitting comments and feedback forms. Cloudflare Turnstile does not use cookies for user tracking and does not require consent under ePrivacy.

A detailed list of all cookies, including types, purposes and retention periods, can be found on the Cookie Policy page.

8. Changes to this Privacy Policy

We may update this document from time to time. The effective date of the current version is shown at the top of the page. We encourage you to review this page periodically.

9. Contact

For any questions regarding the processing of your personal data, including requests to exercise your rights, please contact:

  • Email: [email protected]
  • Pavel Valentov, individual entrepreneur, Republic of Kazakhstan

When you submit comments via the comment system (UGC), we use Auth Arcana as the sole identity provider (IdP). IP addresses are hashed using SHA-256 with a rotating salt. Cloudflare Turnstile is used for spam protection.