Privacy Policy
Last Updated: April 30, 2026
Arcio (“Arcio,” “we,” “us,” or “our”) is operated as a sole proprietorship based in the Commonwealth of Massachusetts, United States. This Privacy Policy explains how we collect, use, share, and protect personal information when you visit getarcio.com (the “Site”) or use the Arcio plugin for WordPress (the “Plugin,” together with the Site, the “Service”). It also describes your rights under the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, as amended by the CPRA (collectively, “CCPA”).
If you have questions about this Policy, please reach out via our Contact Page.
1. The Short Version
- When you trigger an analysis, your post text is sent from your WordPress site to an Arcio relay endpoint on our server, which authenticates with Google’s Gemini API using our API key and forwards the request to Google. The relay processes the content in memory only — we do not log, store, persist, or sell your post content. Responses from Gemini are returned through our relay back to your site.
- This means your content briefly transits our infrastructure. Under EU/UK data-protection terminology, Arcio acts as a data processor in this flow and Google is a sub-processor.
- We do not have access to your WordPress database, settings, drafts, or any document stored on your server. The Plugin runs on your infrastructure.
- We do see basic license and usage telemetry: who installed the Plugin, who upgraded to Pro, and how many analyses each license has consumed in the current billing period (for free-tier limits and Pro billing).
- Payments for Pro are processed by Freemius, Inc. as our Merchant of Record. We do not see or store your payment card data.
- We do not sell your personal information.
2. Information We Collect
a) Information you provide directly. When you contact us through the Site, subscribe to our newsletter, or comment on the blog, we receive the information you submit (typically name, email, and message content).
b) License and account information (via Freemius). When you install the free Plugin or purchase a Pro license, Freemius collects and shares with us limited account information necessary to provision and support your license, including: your name, email address, the URL of the WordPress site where the Plugin is activated, your subscription tier and status, license key, the IP address used at activation, and basic billing metadata (country, last four digits of card, plan, renewal date). We do not receive your full payment card number, expiration, or CVV.
c) Usage telemetry. The Plugin reports a small amount of operational data back to our service so we can enforce plan limits and provide support: an anonymous site identifier, plugin version, WordPress version, PHP version, and a counter of how many AI analyses have been performed in the current billing month. We do not log post titles, post bodies, internal links generated, or AI prompts/responses.
d) Site analytics. The Site uses Google Analytics (via Google Site Kit) to understand aggregate traffic. This places cookies on your device and collects information such as IP address (truncated), browser type, pages viewed, referrer, and approximate location. See our Cookie Policy for details.
e) Server logs. Our hosting provider keeps standard server logs (IP address, timestamp, request URL, user-agent) for security and abuse prevention.
3. AI / LLM Data Flow Disclosure
The Arcio Plugin uses a Large Language Model to analyze your post content and suggest internal links. The data flow is as follows:
- When you trigger an analysis, the Plugin running on your WordPress site sends the post text and a short instruction prompt over HTTPS to an Arcio relay endpoint on our server. This is what allows the “managed AI” experience — you do not need to bring your own API key.
- Our relay authenticates with Google’s Gemini API using our own API key and forwards the request to Google for processing. Gemini returns suggestions, and the relay passes them back to your site.
- Your post content is held in our relay’s memory only for the duration of the request. We do not log, store, persist, or share the post content. We do not use it to train any model. We do not sell it. Standard webserver access logs (URL path, timestamp, IP, status code) are retained for security and abuse-prevention only and do not include request bodies.
- Google processes the content as a sub-processor under its API terms. As of the date of this Policy, Google states that Gemini API content provided through paid endpoints is not used to train its generally available models. Review Google’s current terms: Google AI / Gemini API Terms and Google Privacy Policy.
- Output suggestions returned to your site are written to your WordPress database (on your server) for your review. Arcio does not retain a copy.
In GDPR terms, Arcio acts as a data processor for the post content during the analysis call, and Google is a sub-processor. You remain the data controller for any personal information that may be present in your post text.
If you do not consent to your post content being processed in this way, do not trigger an analysis. The free tier does not run any analysis until you initiate it.
4. How We Use Your Information
We use the limited information described above to:
- Provision, deliver, and maintain the Service, including issuing license keys and verifying entitlements.
- Enforce free-tier monthly usage limits (10 analyses per month) and Pro plan allotments.
- Provide customer support and respond to inquiries.
- Send transactional emails (license activation, renewal reminders, security notices) and, with your consent, occasional product updates.
- Detect, prevent, and address fraud, abuse, security incidents, and license violations.
- Comply with legal obligations, including tax and accounting recordkeeping.
- Improve the Service through aggregate, non-identifying analytics.
5. Legal Bases for Processing (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases under Article 6 of the GDPR:
- Performance of a contract — to provision your license and deliver the Service you requested.
- Legitimate interests — for security, fraud prevention, abuse mitigation, and aggregate product analytics, where these are not overridden by your rights.
- Consent — for non-essential cookies, marketing communications, and any optional data submission. You may withdraw consent at any time.
- Legal obligation — to comply with applicable tax, accounting, and law-enforcement requirements.
6. How We Share Your Information
We do not sell your personal information. We share limited information with the following categories of recipients, only as necessary:
- Freemius, Inc. — our Merchant of Record for Pro purchases, billing, license issuance, and refund handling. Freemius Privacy Policy.
- Google LLC — for Site analytics (Google Analytics / Site Kit) and, as a sub-processor, for AI-powered post-content analysis via the Gemini API when you trigger an analysis from the Plugin.
- Hosting and email providers — that operate the Site and deliver transactional email on our behalf.
- Professional advisors — accountants, lawyers, or auditors, under confidentiality.
- Authorities — where required by law, subpoena, or to protect our rights, your safety, or the safety of others.
- Business transfers — if Arcio is acquired or merged, your information may transfer to the successor entity, subject to this Policy.
7. International Data Transfers
Arcio is operated from the United States. Freemius and Google also process data in the United States and other countries. When personal information is transferred from the EEA, UK, or Switzerland to the United States, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, the EU-U.S. Data Privacy Framework where applicable, and the equivalent UK and Swiss mechanisms. By using the Service, you understand that your information may be transferred to and processed in countries whose data-protection laws may differ from those in your country of residence.
8. Data Retention
We retain personal information only as long as necessary for the purposes described in this Policy:
- License and billing records: for the life of your license plus up to seven (7) years thereafter, to satisfy U.S. tax and accounting obligations.
- Support correspondence: up to twenty-four (24) months after the case is closed.
- Newsletter subscribers: until you unsubscribe.
- Analytics data: Google Analytics is configured with a 14-month retention period for user-level data.
- Server logs: typically 30–90 days.
Once retention periods expire, data is deleted or irreversibly anonymized.
9. How We Protect Your Information
We use commercially reasonable technical and organizational safeguards, including TLS encryption in transit, hardened hosting, principle-of-least-privilege access for the operator, and outsourced payment processing through Freemius. No internet transmission is 100% secure; we cannot guarantee absolute security but commit to notifying you and the appropriate authorities of any breach affecting your personal information as required by law.
10. Your Rights Under the GDPR (EEA, UK, Switzerland)
If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights:
- Access — obtain a copy of the personal information we hold about you.
- Rectification — correct inaccurate or incomplete information.
- Erasure (“right to be forgotten”) — request deletion of your information, subject to legal retention requirements.
- Restriction — ask us to limit how we process your information.
- Portability — receive a machine-readable copy of information you provided to us.
- Objection — object to processing based on legitimate interests, including direct marketing.
- Withdraw consent — for any processing based on consent, at any time, without affecting prior lawful processing.
- Lodge a complaint — with your local supervisory authority (e.g., the UK ICO, Ireland’s DPC, or your national DPA).
To exercise these rights, contact us via our Contact Page. We will respond within 30 days. We may need to verify your identity before fulfilling a request.
11. Your Rights Under the CCPA (California Residents)
If you are a California resident, you have the following rights under the CCPA/CPRA:
- Right to know — the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of recipients.
- Right to delete — request deletion of personal information we have collected, subject to legal exceptions.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioral advertising as those terms are defined under the CPRA.
- Right to limit use of sensitive personal information — we do not use sensitive personal information beyond what is necessary to provide the Service.
- Right to non-discrimination — we will not discriminate against you for exercising any of these rights.
- Authorized agent — you may designate an authorized agent to make a request on your behalf, with proof of authorization.
Categories of personal information collected in the past 12 months: identifiers (name, email, IP), commercial information (subscription history), internet/network activity (analytics), and geolocation (approximate, from IP). To exercise your rights, contact us via our Contact Page.
12. Children’s Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.