Privacy Policy
1. Data Controller
Arc Sentinel
Bucharest, Romania
CUI (Tax ID): 53934391
Reg. Com.: J2026009910003
Contact: [email protected]
Arc Sentinel SRL ("Arc Sentinel", "we", "us") is the data controller for personal data processed through our websites (arcsentinel.tech, questguardian.tech) and the Quest Guardian platform. We are registered in Romania and operate under the European Union's General Data Protection Regulation (GDPR).
2. Data We Collect
2.1 Website Visitors
When you visit our websites, we process minimal data:
| Data Category | What We Collect | Lawful Basis | Retention |
|---|---|---|---|
| Contact form submissions | Name, email address, interest type, message content | Consent (Art. 6(1)(a) GDPR) | 12 months or until deletion requested |
| Cookie preferences | Consent choice, timestamp | Legitimate interest (Art. 6(1)(f) GDPR) | 12 months (localStorage) |
| Server logs | IP address, user agent, page requested, timestamp | Legitimate interest (security) | 30 days (Cloudflare infrastructure) |
We do not use third-party analytics, advertising trackers, or social media pixels on our websites. Contact form submissions are processed through a Cloudflare Worker on our own domain — data is handled within Cloudflare's network and forwarded to our inbox via Cloudflare Email Routing. No third-party form services are used.
2.2 Quest Guardian Platform Users (Parents)
When parents register for Quest Guardian, we collect:
- Account data: email address, display name, password (hashed, never stored in plaintext)
- Child profiles: display name (chosen by parent), age range, associated devices
- Device data: device name, operating system, Shield application version
- Subscription data: subscription tier, billing status (processed by our payment provider)
Lawful basis: Contract performance (Art. 6(1)(b) GDPR) — necessary to provide the service.
2.3 Child Safety Monitoring Data
Privacy-First Architecture
Quest Guardian's monitoring data (chat content, screenshots, behavioral analysis) is never processed on our servers. All safety analysis occurs on decentralized infrastructure through the Ratio1.ai network, where the parent holds the encryption keys. Our backend server cannot decrypt child monitoring content.
The Quest Guardian Shield desktop application captures monitoring data locally on the child's device. This data is:
- Encrypted on-device using the parent's RSA-4096 public key before transmission
- Processed for safety classification on decentralized AI nodes (not centralized cloud servers)
- Accessible only to the parent using their private key — our server stores encrypted evidence but cannot read it
- Retained for a limited period based on subscription tier (24–72 hours for evidence), then permanently deleted
We store alert metadata (severity, timestamp, category) in our database to power the parent dashboard. The actual content of flagged communications remains encrypted and is only decrypted in the parent's browser.
3. Children's Privacy (COPPA & GDPR-K Compliance)
Protecting children's privacy is foundational to our mission. Quest Guardian is designed to comply with both the U.S. Children's Online Privacy Protection Act (COPPA) and GDPR requirements for processing children's data (Article 8).
- Parental consent required: Only a verified parent or legal guardian can create child profiles and activate monitoring
- No direct data collection from children: Children do not create accounts or interact with our services directly
- No readable child data on our servers: Monitoring content is encrypted with parent-held keys; our server stores only encrypted data it cannot read
- No behavioral advertising: We never use child data for advertising, profiling, or any purpose beyond safety monitoring
- Parental control over data: Parents can view, export, and delete all data associated with their child profiles at any time
- Age-appropriate design: The Shield application operates transparently — children are aware monitoring is active
4. How We Use Your Data
We process personal data exclusively for the following purposes:
- Providing and maintaining the Quest Guardian platform
- Authenticating users and managing sessions
- Delivering real-time safety alerts to parents
- Processing subscription billing (via our payment provider)
- Responding to your contact form inquiries
- Ensuring security and preventing abuse of our services
- Complying with legal obligations
We do not sell personal data. We do not use personal data for advertising. We do not use automated decision-making that produces legal effects concerning you.
5. Data Sharing & International Transfers
We share personal data only with the following categories of recipients, all bound by data processing agreements:
| Recipient | Purpose | Location |
|---|---|---|
| Railway (hosting provider) | Backend API infrastructure | EU (Netherlands) |
| Neon (database provider) | Database hosting | EU (Frankfurt) |
| Cloudflare | CDN, DNS, static hosting, DDoS protection | Global edge (EU-primary) |
| Upstash | Cache and queue services | EU (Frankfurt) |
| Ratio1.ai network | Decentralized AI processing (encrypted data only) | EU |
Our infrastructure is deliberately EU-hosted to minimize international data transfers. All data processors are EU-based or operate EU-primary infrastructure. Contact form data is processed entirely within Cloudflare's network using Workers and Email Routing — no third-party form services are involved.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Contact form submissions | 12 months, or until deletion requested |
| Account data | Duration of account, plus 30 days after deletion |
| Encrypted evidence (Free tier) | 24 hours |
| Encrypted evidence (Guardian tier) | 48 hours |
| Encrypted evidence (Sentinel tier) | 72 hours |
| Alert metadata | 90 days (configurable by parent) |
| Server logs | 30 days |
Evidence data is permanently deleted after the retention window. Deletion is irreversible — we cannot recover evidence once the retention period expires.
7. Your Rights (GDPR Data Subject Rights)
Under GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — Request a copy of all personal data we hold about you
- Right to rectification (Art. 16) — Correct inaccurate or incomplete personal data
- Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten")
- Right to restriction (Art. 18) — Request that we limit processing of your data
- Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format
- Right to object (Art. 21) — Object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time without affecting prior processing
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by GDPR. We may ask for identity verification to protect against unauthorized requests.
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) or any EU supervisory authority.
8. Cookies & Local Storage
Our websites use minimal browser storage:
- Cookie consent preference — stored in localStorage to remember your choice (not a cookie itself)
- Cloudflare cookies — Cloudflare may set essential cookies (__cf_bm) for bot management and security. These are strictly necessary and exempt from consent requirements under ePrivacy Directive Article 5(3).
We do not use analytics cookies, advertising cookies, or social media cookies.
9. Security Measures
We implement appropriate technical and organizational measures to protect personal data, including:
- RSA-4096 encryption for all child monitoring data, with parent-held keys
- AES-256-GCM for symmetric encryption operations
- TLS 1.3 for all data in transit
- Password hashing using industry-standard algorithms (bcrypt)
- Token-based authentication with SHA-256 hashed storage (no raw tokens stored)
- EU-hosted infrastructure with network isolation
- Regular security assessments and penetration testing
10. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to registered users. The "Last updated" date at the top of this page indicates when the policy was last revised.
11. Contact Us
For any questions about this privacy policy, data protection practices, or to exercise your rights, contact:
Arc Sentinel
Email: [email protected]
Website: arcsentinel.tech