Privacy Policy

◆ 1. Who We Are

ArcTactic ("ArcTactic," "we," "us," or "our") is a product of Zentrio (Pty) Ltd, a South African based business (Registration Number: 2026/489361/07). Zentrio operates an AI workforce automation platform that provides businesses with AI employees (including Archie, Voice AI, Marketing AI, and Analytics AI) to automate CRM pipelines, outbound communications, and sales analytics.

Responsible Party / Data Controller: Zentrio (Pty) Ltd (operating as ArcTactic)
Registered Office: South Africa
Registration Number: 2026/489361/07
Privacy Contact / Information Officer: legal@arctactic.com

This Privacy Policy applies to our marketing website (arctactic.com), our web application console, and all services delivered through our AI workforce platform. By accessing our services, you acknowledge this Policy.

◆ 2. Data We Collect

We collect data in three ways:

a) Data You Provide Directly

• Full name and business email address (account registration)
• Company name, industry, and team size
• Billing information (credit card details processed exclusively by Stripe — we never store raw card data)
• CRM contact records, deal stages, and notes you upload or configure
• Documentation, FAQs, and pipeline rules you create within your workspace

b) Data Generated by AI Agent Activity

• Telephony call recordings and transcripts processed by Voice AI
• SMS message logs sent or received by AI agents
• Email drafts, sequences, and engagement metadata managed by Marketing AI
• Sales analytics and forecast data generated by Analytics AI
• CRM opportunity routing decisions and pipeline event logs

c) Technical & Usage Data Collected Automatically

• IP address and approximate geographic location
• Browser type, operating system, and device identifiers
• Pages visited, session duration, and click-path data
• Authentication session tokens managed by WorkOS
• Performance and error telemetry from the application console

d) Data Scraped or Enriched via Third-Party APIs

• Data extracted using web scraping tools (e.g., Apify) or enrichment services integrated into your ArcTactic workflows.
• Important: When you direct ArcTactic AI agents to scrape public websites or utilize third-party data enrichment APIs, you act as the Data Controller for that data. You are strictly responsible for ensuring that the collection, use, and transfer of scraped data complies with applicable terms of service and data privacy regulations.

◆ 3. Legal Basis for Processing (GDPR & POPIA)

For users in the European Economic Area (EEA), United Kingdom, or South Africa, we rely on the following legal bases under Article 6 GDPR and Section 11 of the South African Protection of Personal Information Act (POPIA):

• Contract performance: Processing necessary to provide the ArcTactic service you have subscribed to, including running AI agent pipelines, billing, and account management (GDPR Art. 6(1)(b) / POPIA Sec. 11(1)(b)).
• Legitimate interests: Platform security, fraud prevention, product analytics (aggregated/anonymized), and improving AI routing logic — balanced against your privacy interests (GDPR Art. 6(1)(f) / POPIA Sec. 11(1)(f)).
• Legal obligation: Compliance with applicable laws (e.g., tax records, anti-money laundering) (GDPR Art. 6(1)(c) / POPIA Sec. 11(1)(c)).
• Consent: Non-essential cookies and marketing communications. You may withdraw consent at any time (GDPR Art. 6(1)(a) / POPIA Sec. 11(1)(a)).

For special category data (if any call transcripts contain health or other sensitive information), we rely on explicit consent or as necessary for legal claims.

◆ 4. How We Use Your Data

• Deliver and operate the AI workforce platform and CRM automation services
• Authenticate user identity and manage workspace permissions via WorkOS
• Process subscription billing and generate invoices via Stripe
• Execute outbound calls, SMS, and email sequences as configured by your pipeline rules
• Route CRM leads, generate opportunity cards, and produce sales forecasts
• Provide customer support, debugging, and account troubleshooting
• Send transactional notifications (billing receipts, agent alerts)
• Monitor platform security and prevent fraudulent access
• Comply with legal obligations and enforce our Terms of Service

We do not:

• Sell your personal data or CRM records to third parties
• Use your call transcripts, documents, or proprietary data to train public or shared AI/ML models
• Share your data with advertisers or data brokers

◆ 5. Data Sharing & Subprocessors

We share data only with trusted subprocessors required to deliver our service, each bound by data processing agreements:

• Convex Inc. — Cloud database hosting and reactive real-time queries (US-based servers)
• WorkOS Inc. — Identity authentication, MFA, SSO, and role-based access management
• Stripe Inc. — Payment processing and subscription billing
• Telephony Provider(s) — Outbound voice calling and SMS transmission for Voice AI functions

We may also disclose data to:

• Law enforcement or government authorities when required by law or valid legal process
• Successor entities in the event of a merger, acquisition, or asset sale (with advance notice to you)
• Professional advisors (attorneys, accountants) under confidentiality obligations

◆ 6. International Data Transfers

Our primary infrastructure is hosted in the United States. If you access ArcTactic from the EEA, UK, or other jurisdictions with data transfer restrictions, your personal data will be transferred to the US.

We rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) to lawfully transfer EEA personal data to our US-based subprocessors. For UK transfers, we use the UK International Data Transfer Addendum.

You may request a copy of our applicable transfer mechanisms by contacting legal@arctactic.com.

◆ 7. Data Retention

• Account & CRM data: Retained for the duration of your active subscription plus 90 days after cancellation to allow data export, then deleted.
• Call recordings & transcripts: Retained for 12 months from the date of recording, or as required by applicable law.
• Billing records: Retained for 7 years to comply with tax and financial regulations.
• Analytics & aggregated logs: May be retained indefinitely in anonymized form.
• Support communications: Retained for 3 years following resolution of the support request.

Upon account deletion, we will purge or anonymize your personal data within 30 days, unless retention is required by law.

◆ 8. Your Privacy Rights

Depending on your jurisdiction (such as GDPR in the EU/UK or POPIA in South Africa), you may have the following rights:

• Right of Access: Request a copy of the personal data we hold about you (GDPR Art. 15 / POPIA Sec. 23).
• Right to Rectification: Correct inaccurate or incomplete data (GDPR Art. 16 / POPIA Sec. 24).
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data, subject to legal retention requirements (GDPR Art. 17 / POPIA Sec. 24).
• Right to Restriction: Ask us to restrict processing in certain circumstances (GDPR Art. 18).
• Right to Data Portability: Receive your data in a structured, machine-readable format (GDPR Art. 20).
• Right to Object: Object to processing based on legitimate interests or for direct marketing (GDPR Art. 21 / POPIA Sec. 11(3)).
• Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
• Right to Lodge a Complaint: File a complaint with your local data protection authority (e.g., the South African Information Regulator or EU member state supervisory authority).

To exercise any of these rights, contact us at legal@arctactic.com. We will respond within 30 days (extendable by 2 months for complex requests with notice).

◆ 9. California Residents — CCPA/CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights:

• Right to Know: The categories and specific pieces of personal information we have collected about you in the past 12 months.
• Right to Delete: Request deletion of personal information we have collected, subject to exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information to what is necessary to provide the service.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
• Automated Decision-Making Technology (ADMT): You have the right to request information about the logic involved in our AI systems and the right to opt-out of the use of automated decision-making for significant impacts.

Categories of Personal Information Collected (last 12 months): Identifiers, commercial information (subscription records), Internet/network activity, audio/electronic data (call recordings), and professional information.

To submit a verifiable consumer request, email legal@arctactic.com with the subject line "CCPA Request."

◆ 10. Children's Privacy

ArcTactic is a B2B platform intended exclusively for business users aged 18 and older. We do not knowingly collect personal information from individuals under the age of 16. If we discover we have inadvertently collected data from a minor, we will delete it promptly. If you believe a minor has provided us data, contact legal@arctactic.com.

◆ 11. Security Measures

We implement industry-standard technical and organizational measures to protect your data:

• TLS 1.3 encryption for all data in transit
• AES-256 encryption for all data at rest in Convex database environments
• Multi-Factor Authentication (MFA) and SSO via WorkOS
• Role-based access controls limiting internal employee access
• Regular security audits of AI routing logic and infrastructure
• Incident response procedures with mandatory breach notification under GDPR Art. 33 (72-hour authority notice) and applicable US state laws

No system is completely secure. In the event of a data breach affecting your rights, we will notify you as required by applicable law.

◆ 12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. We will post the revised policy on this page with an updated "Last Updated" date. For material changes, we will notify active subscribers by email at least 14 days in advance.

Your continued use of the service after the effective date constitutes acceptance of the updated policy.

◆ 13. Contact & Information/Data Protection Officer

For privacy inquiries, rights requests, or data protection concerns:

• Email: legal@arctactic.com
• Subject line: "Privacy Request" or "POPIA / GDPR / CCPA Request"
• Response time: Within 30 days

If you are in South Africa, you have the right to lodge a complaint with the South African Information Regulator:

• Website: inforegulator.org.za
• Email: enquiries@inforegulator.org.za / PAIAComplaints@inforegulator.org.za

EU/UK users may also contact your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.