ArcRails Privacy Policy

Last updated: September 15, 2025

This Privacy Policy explains how ArcRails (“ArcRails,” “we,” “us,” or “our”) collects, uses, shares, and protects information about you when you visit our websites, purchase and access our Notion templates and related digital products, interact with our ads, or otherwise engage with us (collectively, the “Services”). If you do not agree with this Policy, please do not use the Services.

1) Who we are & how to contact us

ArcRails is the controller of your personal data for the activities described in this Policy (except where we act as a processor for a merchant partner—if any—identified to you separately).

2) Scope

This Policy applies to personal data we process about:

  • Visitors to our site(s) and landing pages,
  • Customers who buy or access ArcRails templates, add-ons, or memberships,
  • Individuals who subscribe to our emails or interact with our ads or social media.

It does not apply to third-party websites, services, or platforms we don’t own or control (e.g., Notion, payment processors). Their privacy policies govern their handling of your data.

3) Information we collect

a) Information you provide directly

  • Account/checkout details: name, email, billing address, country, company, tax IDs (if applicable).
  • Purchase details: products purchased, price, currency, date/time, order ID, license/entitlement.
  • Support communications: messages you send us (email, contact form), and any files you attach.
  • Preferences: marketing opt-ins, cookie choices.

We do not collect or store your full payment card numbers; payment processing is handled by our payment provider(s).

b) Information we collect automatically

  • Device and usage data: IP address, device identifiers, browser type/version, OS, language, referring/exit pages, timestamps, pages viewed, clicks, scrolls, and approximate geolocation derived from IP.
  • Cookies and similar technologies: pixels, tags, SDKs, and local storage (see Cookies & tracking).

c) Information from third parties

  • Payment providers: payment status, masked card type/last 4 digits (if available), fraud screening signals.
  • Analytics/advertising partners: aggregated insights, campaign/attribution data (e.g., whether an ad led to a purchase).
  • Email service providers: email engagement (opens, clicks, bounces, unsubscribes).

4) How we use your information (purposes & legal bases)

We process personal data for the following purposes (with typical legal bases under GDPR/UK GDPR in parentheses):

  1. Provide the Services – fulfill orders, deliver template access/links, manage licenses, provide support. (Contract; Legitimate interests)
  2. Operate and secure our sites – debugging, fraud prevention, abuse detection, service quality. (Legitimate interests; Legal obligation where applicable)
  3. Analytics and improvement – measuring performance, understanding usage, developing new features/content. (Legitimate interests; Consent where required)
  4. Marketing and personalization – permitted emails; running and measuring ads (including Meta Pixel and Conversions API); capping frequency; building basic audience segments. (Consent where required; Legitimate interests)
  5. Legal and compliance – tax, accounting, responding to lawful requests, enforcing terms. (Legal obligation; Legitimate interests)

Where we rely on consent (e.g., non-essential cookies/ads in the EU/UK), you can withdraw it at any time via Cookie Settings or the mechanisms described below.

5) Cookies & tracking technologies

We use cookies, pixels, and similar technologies to run our site and to measure and improve our marketing.

Categories we use

  • Strictly necessary – essential site functions, security, checkout.
  • Performance/analytics – traffic and feature usage (e.g., [Google Analytics / Posthog]).
  • Advertising/retargeting – to show or measure ads on platforms such as Meta (Facebook/Instagram).

You can manage preferences via our Cookie Settings link in the footer. In some regions, non-essential cookies are disabled until you consent. Your browser may also allow you to block or delete cookies.

6) Advertising & the Meta Pixel / Conversions API

We use the Meta Pixel and, where implemented, Meta Conversions API to understand the effectiveness of our ads and to reach people who might be interested in ArcRails. This may involve sharing information (such as page views, events like “Add to Cart” or “Purchase”, and hashed identifiers like email if you provide it) with Meta Platforms, Inc. and Meta Platforms Ireland Ltd. for measurement and ad targeting in accordance with Meta’s terms.

What we share: event data about your activity on our site (e.g., pages/products viewed, purchases), technical details (e.g., IP, user agent), and, if you provide it during checkout/newsletter signup, hashed contact information for matching.

Your choices:

  • Use Cookie Settings to opt in/out of advertising cookies (where available).
  • Adjust ad settings with Meta (Facebook/Instagram) and other platforms via your account settings.
  • In some jurisdictions (e.g., California), exercise a “Do Not Sell or Share My Personal Information” right (see Your rights).
  • Use industry tools like the DAA/EDAA opt-out pages and your device’s Limit Ad Tracking options.

7) Analytics

We use analytics tools (e.g., Posthog) to collect aggregated usage statistics and to improve the Services. Where required by law, analytics runs only with your consent. You can withdraw consent via Cookie Settings.

8) Payments

Payments are processed by Stripe. As a result, your payment data is handled in accordance with that provider’s privacy policy. We receive limited information related to your transaction (e.g., payment status, last 4 digits, country) and do not store full card numbers.

9) Email and communications

If you opt in, we may send you product updates, tips, promotions, or new templates. You can unsubscribe anytime using the link in our emails or by contacting us. We may still send you transactional emails (e.g., receipts, access links, service notices).

10) Notion templates and your Notion workspace

When you purchase an ArcRails Notion template, you receive a link to duplicate the template into your own Notion workspace. ArcRails does not have access to the content you create in your personal Notion workspace unless you explicitly share access with us for support. “Notion” is a product of Notion Labs, Inc. and is governed by its own terms and privacy policy.

Trademark note: “Notion” is a trademark of Notion Labs, Inc. ArcRails is not affiliated with or endorsed by Notion Labs, Inc.

11) How we share information

  • Service providers / processors: hosting, analytics, advertising (as described above), email delivery, customer support, payment processing, fraud prevention. Contractually bound to protect data and use it only on our instructions.
  • Advertising partners: limited event/identifier data via pixels/APIs (see Meta Pixel section).
  • Business transfers: in connection with a merger, acquisition, financing, or sale of assets.
  • Legal compliance: to comply with law, enforce our terms, or protect rights, privacy, safety, or property.

We may share aggregated or de-identified information that does not reasonably identify you.

12) Data retention

We retain personal data only for as long as necessary for the purposes set out in this Policy, including to satisfy legal, accounting, or reporting requirements. Typical retention periods include:

  • Orders and tax records: 7–10 years (jurisdiction-dependent).
  • Support tickets: 2–3 years after resolution (or sooner if you request deletion).
  • Marketing data: until you unsubscribe or withdraw consent, or after a defined period of inactivity.

We will delete or anonymize data when it is no longer required.

13) Security

We use administrative, technical, and organizational measures designed to protect personal data (e.g., encryption in transit, access controls). No method of transmission or storage is 100% secure; if we learn of a security incident affecting your data, we will notify you and/or regulators as required by law.

14) International data transfers

If you are located outside the country where our servers or providers are based, your information may be transferred internationally. Where required, we rely on adequacy decisions, Standard Contractual Clauses (SCCs), or other lawful transfer mechanisms, and implement supplemental safeguards as appropriate.

15) Your rights & choices

Your rights depend on your location. Subject to exceptions, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your data (erasure).
  • Portability (receive a copy in a portable format).
  • Restrict or object to certain processing (including where based on legitimate interests).
  • Withdraw consent where processing is based on consent.
  • Opt out of marketing at any time (unsubscribe link or email us).

Region-specific disclosures

EEA/UK/Switzerland:

  • Legal bases are listed above. You may lodge a complaint with your local Data Protection Authority (e.g., the ICO in the UK or your EU DPA). Where we rely on legitimate interests, you can object and we will assess your request.

United States (California and other state laws):

  • California residents have rights under the CPRA, including to know, delete, correct, and to opt out of “sale” or “sharing” of personal information for cross-context behavioral advertising.
  • We do not “sell” personal information for money; however, our use of advertising cookies/pixels may be considered a “sale” or “share” under CPRA. You can opt out via Do Not Sell or Share My Personal Information (link in footer) and through Cookie Settings.
  • Where supported, we treat recognized Global Privacy Control (GPC) signals as an opt-out of sale/share for that browser.
  • Similar rights may exist in CO/CT/VA/UT and other states; use the same mechanisms or contact us.

Canada (PIPEDA):

  • You have rights to access and correct personal information and to withdraw consent, subject to legal or contractual restrictions. You may contact the Office of the Privacy Commissioner of Canada about concerns.

To exercise rights, contact us at [email protected]. We may verify your identity before fulfilling your request, and you can designate an authorized agent where allowed by law.

16) Your controls for cookies and ads

  • Use our Cookie Settings to manage non-essential cookies.
  • Adjust your browser or device settings to block cookies (may affect site functionality).
  • Manage platform ad preferences (e.g., Facebook/Instagram, Google) in your account settings.
  • Use browser opt-out tools provided by industry groups (e.g., DAA, NAI, EDAA) where available.
  • Use GPC or similar signals to express opt-out where supported.

17) Children’s privacy

Our Services are not directed to children, and we do not knowingly collect personal information from children under the age required by applicable law (e.g., 13 in the U.S., 16 in parts of the EU without parental consent). If you believe a child has provided personal information to us, contact us and we will take appropriate steps to delete it.

18) Do Not Track

Some browsers send Do Not Track (DNT) signals. There is no industry consensus on how to respond to these signals. We currently do not respond to DNT, but you can use the controls described in Your controls for cookies and ads.

20) Changes to this Policy

We may update this Policy from time to time. The “Last updated” date shows when the latest changes took effect. If changes are material, we will provide additional notice as required (e.g., via the site or email). Your continued use of the Services after the effective date constitutes acceptance of the revised Policy.

21) How to contact us

Questions or requests about this Policy? Email [email protected].