Privacy Policy

Thank you for using Arco! This Privacy Policy explains how Arco (“Arco,” “we,” “us,” or “our”) collects, uses, and shares information about you when you use our platform at arcolist.com (the “Platform”).

If you are a resident of the European Union, please note that this Privacy Policy includes information required under the General Data Protection Regulation (“GDPR”) throughout the relevant sections below.

Table of Contents

1. Who Controls My Personal Information
2. Personal Information We Collect
3. How We Use Information We Collect
4. Sharing and Disclosure
5. Third-Party Processors and Partners
6. Cookies and Similar Technologies
7. Artificial Intelligence and Automated Processing
8. International Data Transfers
9. Your Rights
10. Security and Breach Notification
11. Retention
12. Children's Privacy
13. Changes to This Privacy Policy
14. Contact Information

1. Who Controls My Personal Information

1.1 Controller

Where this Policy mentions “Arco,” “we,” “us,” or “our,” it refers to the Arco entity that is responsible for your information under this Privacy Policy (the “Controller”). The Controller is Arco Global B.V. (KvK: 94568189).

1.2 Payments Controller

This Privacy Policy also applies to payment services provided through the Platform. When using payment services, you will also be providing your personal information to our payment service providers (the “Payments Controller”), which will be responsible for your payment-related information.

1.3 Professionals as Data Controllers

When Professionals use the Arco Platform to publish projects containing personal data (e.g., photographs of individuals or identifiable properties), they act as independent data controllers for that data. Arco processes such data as instructed by the Professional. Professionals are responsible for obtaining all necessary consents and permissions before uploading personal data to the Platform.

2. Personal Information We Collect

2.1 Information Needed to Use the Arco Platform

We collect personal information about you when you use the Arco Platform. Without it, we may not be able to provide all services requested. This information includes:

2.1.1 Contact, Account, and Profile Information

Such as your first name, last name, phone number, postal address, email address, and profile photo, some of which will depend on the features you use.

2.1.2 Identity and Verification Information

Where appropriate, we may ask you for verification information, such as your email address, phone number, company domain ownership, or other authentication information to verify your identity or business affiliation.

2.1.3 Payment Transaction Information

Such as payment account, credit card information, bank account information, payment instrument used, date and time, payment amount, payment instrument expiration date and billing postcode, and other related transaction details.

2.2 Information You Choose to Give Us

You can choose to provide us with additional personal information, including:

2.2.1 Additional Profile Information

Such as preferred language(s), company description, services offered, and any additional profile information you provide.

2.2.2 Information About Others

Such as contact information belonging to another person, including when you invite professionals to be credited on a project. By providing us with personal information about others, you certify that you have permission to provide that information to Arco for the purposes described in this Privacy Policy.

2.2.3 Messaging and Introduction Requests

Messages sent through the introduction request feature, including message content, sender name, email address, and phone number (if provided). Messages are stored on the Platform and shared with the receiving Professional.

2.2.4 User-Generated Content

Such as project photos, videos, descriptions, and other content you choose to provide.

2.2.5 Support Information

Such as information collected to provide customer support services, including investigating and responding to user concerns.

2.3 Information Automatically Collected by Using the Arco Platform

When you use the Arco Platform, we automatically collect certain information. This information may include:

2.3.1 Geolocation Information

Such as precise or approximate location determined from your IP address or other information you share with us, depending on your device settings.

2.3.2 Usage Information

Such as searches, projects you have viewed, professionals you have saved, access dates and times, the pages you've viewed or engaged with, and other actions on the Arco Platform. This information is only collected with your consent via analytics cookies (see Section 6).

2.3.3 Device Information

Such as IP address, hardware and software information, device information, unique identifiers, and crash data.

2.4 Information We Collect from Third Parties

We may collect personal information from other sources, such as:

2.4.1 Third-Party Authentication

If you choose to sign in to the Arco Platform with a third-party service, such as Google or Apple, you direct the service to send us information such as your name, email address, and profile photo as controlled by that service.

2.4.2 Google Places API

When you create a company profile, we may retrieve business information from the Google Places API, including business name, address, phone number, and website. This information is used to pre-populate your company profile and may be edited by you.

2.4.3 Other Sources

To the extent permitted by applicable law, we may receive additional information about you from third-party service providers and combine it with information we have about you.

3. How We Use Information We Collect

We use personal information as outlined in this Privacy Policy.

If you are a resident of the European Union, each use of your personal information described below is based on one or more legal bases under the GDPR: (i) Performance of Contract, (ii) Legitimate Interests, (iii) Consent, or (iv) Compliance with Legal Obligations. See the end of each subsection for applicable legal bases.

3.1 Provide the Arco Platform

We may process this information to:

• enable you to access the Arco Platform and make and receive payments,
• enable you to communicate with professionals through introduction requests,
• process and respond to your requests,
• provide you with support,
• send you messages, updates, security alerts, and account notifications, and
• enable your use of our services.

Legal Basis (EU Residents): Performance of Contract

3.2 Improve and Develop the Arco Platform

We may process this information to:

• perform analytics, debug, and conduct research (with your consent for analytics cookies),
• improve and develop our products and services, and
• provide customer service training.

Legal Basis (EU Residents): Legitimate Interests; Consent (for analytics)

3.3 AI-Assisted Content Generation

We may process project and company information to:

• generate project descriptions using artificial intelligence,
• translate content between languages,
• enrich company profiles with publicly available information, and
• improve content quality and accuracy.

Legal Basis (EU Residents): Legitimate Interests

3.4 Safeguard the Arco Platform and Community

We may process this information to:

• detect, prevent, assess, and address fraud and security risks,
• protect our community from illegal activities or other harmful behaviors,
• verify or authenticate information provided by you,
• implement rate limiting to prevent abuse,
• comply with our legal obligations,
• resolve disputes with our users, and
• enforce our Terms of Service and other policies.

Legal Basis (EU Residents): Legitimate Interests; Compliance with Legal Obligations

3.5 Provide, Personalize, Measure, and Improve our Marketing

We may process this information to:

• send you promotional and marketing messages (with your consent),
• administer referral programs, rewards, surveys, contests, or other promotional activities, and
• invite you to events and relevant opportunities.

Legal Basis (EU Residents): Consent (where required by law); Legitimate Interests

3.6 Provide Payment Services

Personal information is used to enable payment services, such as to:

• process subscription payments,
• verify your identity,
• detect and prevent fraud,
• comply with applicable legal obligations, and
• provide and improve payment services.

Legal Basis (EU Residents): Performance of Contract; Compliance with Legal Obligations

3.7 Automated Decision-Making

We use automated processing for the following purposes:

• Project ranking and visibility on the platform, based on content quality, engagement, and recency
• Spam detection in introduction requests
• Rate limiting to prevent abuse

These automated processes do not produce legal effects or similarly significantly affect you. You have the right to request human review of any automated decision.

Legal Basis (EU Residents): Legitimate Interests

3.8 Legal Bases Explained (EU Residents)

If you are a resident of the European Union, here is an explanation of the legal bases we rely on under the GDPR:

• Performance of Contract: We process your personal information to perform our contract with you. This includes processing necessary to provide you with the Arco Platform services, process payments, enable communications between users, and provide customer support.
• Legitimate Interests: We process your personal information based on our legitimate interests, including to improve and develop the Platform, personalize your experience, safeguard our community, prevent fraud, conduct research, and enforce our policies. We only rely on legitimate interests where our interests are not overridden by your rights and interests.
• Consent: Where required by law, we process your personal information based on your consent. This includes processing for analytics cookies, certain marketing communications, and collection of precise geolocation data. You may withdraw your consent at any time.
• Compliance with Legal Obligations: We process your personal information to comply with applicable legal obligations, including tax and accounting requirements, identity verification requirements, and responses to valid legal requests from authorities.

4. Sharing and Disclosure

4.1 Sharing With Your Consent or at Your Direction

Where you provide consent or direct us to share your information, we share your information as described at the time of consent or choice. For example, when you send an introduction request, your name, email, and message are shared with the receiving Professional.

4.2 Who We Share With

We may share your information with:

4.2.1 Other Users

To help facilitate interactions between users, we may share information in certain situations, such as your name and contact details when you send an introduction request to a Professional.

4.2.2 Service Providers

We share personal information with service providers to help us run our business. See Section 5 for a detailed list of our third-party processors.

4.3 Why We May Share Your Information

4.3.1 Build Your Public Profile

Information you share publicly on the Arco Platform may be indexed through third-party search engines. We may make certain information publicly visible to others, such as your company profile and project information.

4.3.2 Comply with Law

As we reasonably deem appropriate, we may disclose your information to courts, law enforcement, governmental authorities, or authorized third parties, if and to the extent we are required or permitted to do so by law or where disclosure is reasonably necessary to: (i) comply with our legal obligations, (ii) comply with a valid legal request, (iii) respond to a valid legal request relating to a criminal investigation, (iv) enforce and administer our agreements with users, (v) investigate potential violations of applicable law, or (vi) protect the safety, security, rights, or property of Arco, its employees, its users, or members of the public.

4.3.3 Effectuate Business Transfers

If Arco undertakes or is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may sell, transfer, or share some or all of our assets, including your information in connection with such transaction. In this event, we will notify you before your personal information is transferred and becomes subject to a different privacy policy.

5. Third-Party Processors and Partners

We use the following third-party service providers to process your personal information:

Transfers to US-based processors (Anthropic, Resend, Firecrawl, Vercel, Google) are protected by Standard Contractual Clauses (EU 2021/914) incorporated into our data processing agreements with these providers. PostHog, Supabase, and Upstash process data within the EU.

6. Cookies and Similar Technologies

6.1 Essential Cookies

We use the following essential cookies that are necessary for the Platform to function. These do not require your consent:

• Authentication cookies (Supabase): maintain your login session
• Locale preference: remember your language selection (EN/NL)
• Cookie consent: remember your cookie preference

6.2 Analytics Cookies

With your consent, we use analytics cookies to understand how visitors interact with the Platform:

• PostHog: collects usage data including pages viewed, features used, and device information. PostHog data is processed in the EU. These cookies are only set after you click “Accept” on our cookie consent banner.

6.3 Managing Your Cookie Preferences

You can manage your cookie preferences at any time by:

• Clicking “Reject” on the cookie consent banner when first visiting the site
• Clearing your browser cookies and localStorage (this will reset your consent choice and show the banner again)
• Adjusting your browser settings to block or delete cookies

Rejecting analytics cookies does not affect your ability to use the Arco Platform.

7. Artificial Intelligence and Automated Processing

7.1 How We Use AI

Arco uses artificial intelligence (powered by Anthropic Claude) to assist with content creation. When you import a project or request a description, the project text and publicly available information may be sent to our AI provider for processing. Specifically, AI is used to:

• Generate project descriptions from imported web pages
• Translate content between English and Dutch
• Enrich company profiles with relevant information

7.2 Data Handling by AI Providers

Content sent to our AI provider (Anthropic) is processed for the specific request only and is not retained by the provider for training or other purposes beyond the immediate request, in accordance with our data processing agreement. You can review and edit all AI-generated content before it is published.

7.3 Your Rights Regarding AI Processing

You are responsible for reviewing and verifying any AI-generated content associated with your projects or company profile. You may edit or delete AI-generated content at any time. You have the right to request human review of any content generated through automated processing.

8. International Data Transfers

8.1 Transfers Outside the EEA

If you reside in the European Economic Area (“EEA”), your personal information may be transferred to countries outside the EEA, including to the United States, where some of our service providers are located (see Section 5).

8.2 Safeguards for International Transfers

We rely on the following safeguards for international data transfers:

• Standard Contractual Clauses: We use Standard Contractual Clauses (EU 2021/914) approved by the European Commission to protect personal information transferred to US-based processors including Anthropic, Resend, Firecrawl, Vercel, and Google.
• EU-Based Processing: Where possible, we use EU-based processors. Supabase (database), PostHog (analytics), and Upstash (rate limiting) process data within the EU.

8.3 Your Rights Regarding Transfers

You have the right to obtain information about the safeguards we use for international transfers. To request this information, please contact us at privacy@arcolist.com.

9. Your Rights

You may exercise any of the rights described in this section consistent with applicable law.

9.1 EU Residents

If you are a resident of the European Union, you have the following rights under the GDPR:

• Right of Access: You have the right to obtain confirmation that we process your personal information and to request a copy of your personal information.
• Right to Rectification: You have the right to correct inaccurate or incomplete personal information.
• Right to Erasure: You have the right to request deletion of your personal information in certain circumstances. You can delete your account at any time through the Account settings page.
• Right to Restrict Processing: You have the right to request that we restrict processing of your personal information in certain circumstances.
• Right to Data Portability: You have the right to receive your personal information in a structured, commonly used, and machine-readable format (JSON). To request a data export, email privacy@arcolist.com. We will provide your data within 30 days, including your profile information, uploaded content, messages, and activity history.
• Right to Object: You have the right to object to processing of your personal information based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on your consent (e.g., analytics cookies), you have the right to withdraw consent at any time by rejecting cookies or adjusting your preferences.
• Right to Lodge a Complaint: You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.

To exercise any of these rights, please contact us at privacy@arcolist.com.

9.2 How to Opt Out

You can control your data in the following ways:

• Marketing emails: Click the unsubscribe link in any marketing email
• Analytics cookies: Reject cookies via the cookie consent banner, or clear arco_cookie_consent from your browser's localStorage
• Account deletion: Go to Account settings > Delete account
• Data export: Email privacy@arcolist.com

10. Security and Breach Notification

10.1 Security Measures

We implement appropriate technical and organizational measures to protect your personal information against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

• Encryption of data in transit (TLS) and at rest
• Row-level security policies on all database tables
• Access controls and authentication procedures
• Rate limiting to prevent abuse
• Regular security assessments

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security of your information.

10.2 Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach. We will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34.

11. Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy. Specifically:

• Account information: Duration of your account plus 30 days after deletion, to allow for account recovery and comply with legal obligations
• Project content and photos: Duration of your account. Upon deletion, content is removed unless published anonymously
• Introduction request messages: 2 years after last activity
• Analytics data (PostHog): 12 months
• Transaction and payment records: 7 years (as required by Dutch tax law)
• Email delivery logs: 90 days
• Rate limiting data: 24 hours
• Marketing communications data: Until you unsubscribe or withdraw consent

When personal information is no longer needed, we will securely delete or anonymize it in accordance with applicable law.

12. Children's Privacy

The Arco Platform is not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe we have collected information from a child under 16, please contact us at privacy@arcolist.com.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated Privacy Policy on our Platform with a new “Last Updated” date and, where appropriate, by email.

We encourage you to review this Privacy Policy periodically. Your continued use of the Arco Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

If you do not agree with any changes, you may close your account through Account settings or by contacting us.

14. Contact Information

For privacy-related questions, concerns, data access requests, or to exercise your rights under GDPR:

Email: privacy@arcolist.com

Controller:
Arco Global B.V.
KvK: 94568189

Supervisory Authority:
Autoriteit Persoonsgegevens
www.autoriteitpersoonsgegevens.nl