Arqiv
Privacy Policy

ARQIV PRIVACY POLICY

Effective Date: January 1, 2026

Last Updated: January 1, 2026

This Privacy Policy describes how Arqiv, Inc. ("Arqiv," "we," "us," or "our") collects, uses, discloses, and otherwise processes information about individuals in connection with Arqiv's products and services, including our websites, applications, dashboards, customer experiences, APIs, and integrations (collectively, the "Services").

This Privacy Policy applies to information about:

  • Business users and representatives (including merchant employees and administrators) who access the Services on behalf of an organization;
  • End users who access customer-facing features of the Services; and
  • Visitors to our websites.

For certain business relationships, Arqiv may process personal information on behalf of a merchant or other business customer. In those cases, Arqiv acts as a service provider/processor and the business customer's privacy notices may also apply.

1. INFORMATION WE COLLECT

We collect information in the following categories:

A. Account and Profile Information

  • Identifiers and contact information (such as name, email address, phone number, and authentication credentials).
  • Account type and role information (e.g., merchant, customer, admin).
  • Organization and tenant information for business users (such as merchant name, location, and configuration settings).

B. Receipt and Transaction Information

The Services may process item-level receipt data and related transaction metadata, which can include:

  • Purchase details (line items, item descriptions, quantities, prices, discounts, taxes, totals);
  • Transaction and order identifiers;
  • Date/time and store/location data; and
  • Other metadata associated with the receipt or order.

C. Integration and Connected Account Information

If you connect a third-party service (such as Square), we may collect and process:

  • OAuth tokens and integration identifiers;
  • Transaction events or other data made available through the integration; and
  • Integration configuration and status information.

D. Communications

  • Information you provide when you contact us (support requests, emails, form submissions, and feedback).
  • If enabled by a merchant, communications delivered through the Services (e.g., operational receipt delivery or offer-related messages).

E. Device, Usage, and Log Information

We collect information automatically when you access the Services, such as:

  • Device and browser characteristics;
  • IP address and general location derived from IP;
  • Access timestamps and usage/activity data within the Services; and
  • Security and audit logs (including login events and administrative actions).

F. Cookies and Similar Technologies

We may use cookies and similar technologies to operate our websites and Services, keep you signed in, and understand usage. Session tokens are stored in httpOnly cookies for security. We also use browser localStorage for client-side session management. You can control cookies through your browser settings; disabling cookies may affect functionality.

2. SOURCES OF INFORMATION

We collect information:

  • Directly from you;
  • From merchants or business customers with whom you have a relationship (for example, when a merchant enables a customer experience or provides necessary operational data);
  • From third-party services you authorize to connect to the Services (such as Square);
  • Automatically through your use of the Services.

3. HOW WE USE INFORMATION

We use information to:

  • Provide, operate, maintain, and secure the Services, including authentication, tenant-scoped access control, and data isolation;
  • Ingest, normalize, and present receipts and related information in the Services;
  • Generate merchant-facing analytics and reporting within a merchant's tenant;
  • Facilitate offer creation and delivery where enabled by a merchant;
  • Communicate with you (including support, service notices, and administrative messages);
  • Monitor for fraud, abuse, and security incidents; enforce our Terms; and protect Arqiv and users;
  • Improve and develop the Services, including debugging, testing, and performance monitoring; and
  • Comply with legal obligations and respond to lawful requests.

4. HOW WE DISCLOSE INFORMATION

We disclose information in the following circumstances:

A. With Service Providers

We disclose information to vendors and service providers who help us operate the Services (such as hosting, monitoring, security, email/SMS delivery, and customer support). These providers are contractually required to protect information and use it only to provide services to Arqiv.

B. With Merchants and Business Customers

  • Business-user information and activity may be visible to the merchant organization that administers the tenant.
  • Where a customer experience is enabled, certain receipt and offer information may be presented to the customer and, within the merchant tenant, to authorized merchant users.

C. With Third-Party Integrations You Authorize

If you authorize a connection to a third-party service (such as Square), we may exchange data with that service as needed to provide the integration.

D. For Legal, Safety, and Security Reasons

We may disclose information if we believe disclosure is reasonably necessary to:

  • Comply with law, regulation, legal process, or governmental request;
  • Protect the rights, property, or safety of Arqiv, our users, or others;
  • Detect, prevent, or address fraud, abuse, or security issues.

E. Corporate Transactions

We may disclose information in connection with an actual or contemplated merger, acquisition, financing, reorganization, bankruptcy, or sale of some or all of our business or assets.

5. AGGREGATED AND DE-IDENTIFIED DATA

We may create and use aggregated and/or de-identified data derived from the Services for analytics, product improvement, and reporting, provided the data does not reasonably identify an individual or a specific merchant. We do not sell identifiable receipt data to data brokers.

6. DATA RETENTION

We retain information for as long as reasonably necessary to provide the Services, meet contractual obligations, comply with law, resolve disputes, and enforce agreements. Default retention periods include: webhook events (90 days), expired receipt tokens (30 days past expiration), and security logs (365 days). Retention periods may vary depending on the type of data, operational needs, and legal requirements. Backups and logs may persist for limited periods.

7. SECURITY

We maintain administrative, technical, and organizational measures designed to protect information. These measures include access controls, encryption in transit (TLS 1.3), encryption at rest for sensitive data (AES-256-GCM), secure password hashing (scrypt), and monitoring/logging practices. No system is completely secure; we cannot guarantee absolute security.

8. YOUR CHOICES AND RIGHTS

A. Account Information

You may update certain account information through the Services or by contacting us.

B. Marketing Communications

Where applicable, you can opt out of marketing emails by using the unsubscribe link or contacting us. Operational and transactional communications may still be sent.

C. Data Rights (Access, Deletion, Portability)

Depending on your location and applicable law, you may have rights to request access to, correction of, deletion of, or portability of certain personal information. Currently, customers may request deletion of their account data, and both merchants and customers may export their order/receipt data in multiple formats (CSV, XLSX, JSON, PDF). We will respond to verified requests as required by law.

9. U.S. STATE PRIVACY NOTICES (INCLUDING CALIFORNIA)

If you are a resident of California or certain other U.S. states, you may have additional rights regarding personal information, including rights to know, delete, correct, and opt out of certain disclosures. Arqiv does not sell personal information as that term is defined under the California Consumer Privacy Act ("CCPA"). To submit a request, contact us using the information in Section 13.

10. INTERNATIONAL USERS

If you access the Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other jurisdictions where Arqiv or its service providers operate. We take steps designed to ensure appropriate safeguards for cross-border transfers where required by law.

11. CHILDREN

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, please contact us.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Services or by other means. The effective date at the top indicates when the latest version took effect.

13. CONTACT US

Arqiv, Inc.

Email: legal@arqiv.com

Support: support@arqiv.com