1. Who We Are

ArchGuard.io is an AI-powered Terraform architecture review service operated by Rost CAMP, a company incorporated in the Netherlands.

For the purposes of the General Data Protection Regulation (GDPR), the data controller for archguard.io is Rost CAMP (KVK: 95487530), a company registered in the Netherlands.

Company: Rost CAMP

KVK: 95487530

VAT: NL005158863B35

Jurisdiction: Netherlands

Privacy contact: privacy@archguard.io

2. What Data We Collect

We collect only what is necessary to provide the service. The table below describes each category of data, its source, and why we process it.

Data Type	Source	Purpose
Email address	Sign-up / early access form	Account creation, product updates, billing
Terraform files / IaC code	User upload	Core product functionality — review generation
Usage data (page views, feature interactions)	Plausible Analytics (cookieless)	Product improvement
Billing data	Stripe (when payment is introduced)	Payment processing
IP address / browser metadata	Server logs	Security, abuse prevention

Important: Terraform File Handling

Terraform files uploaded for architectural review are processed solely to generate your requested review report. Files are not stored after analysis completes. They are deleted from our systems immediately upon report generation. We never use your infrastructure code to train AI models, and we never share it with third parties except as required to perform the analysis (see Section 4).

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process personal data only where we have a lawful basis to do so under Article 6 of the GDPR.

Processing Activity	Legal Basis
Account creation and login	Contract performance (Art. 6(1)(b))
Sending product and update emails	Legitimate interest (Art. 6(1)(f)) or consent (Art. 6(1)(a))
Analytics (Plausible — cookieless, no PII)	Legitimate interest (Art. 6(1)(f))
Terraform file analysis	Contract performance (Art. 6(1)(b))
Billing and payment processing	Contract performance + legal obligation (Art. 6(1)(b) and (c))

4. Data Sharing & Sub-Processors

We do not sell your data. We do not use your Terraform code to train AI models.

We share data only with the following sub-processors, strictly to the extent necessary to operate the service:

Plausible Analytics — Privacy-first analytics

EU-hosted. Does not collect personally identifiable information. No cookies.

Stripe — Payment processing

Applicable when payment is introduced. Stripe is PCI-DSS Level 1 certified.

Amazon Web Services (AWS) — Cloud infrastructure hosting

EU region (eu-west-1). Infrastructure for compute, storage, and email delivery.

Amazon SES — Transactional email delivery

Used to send account notifications and product emails.

We may disclose data to law enforcement or regulatory authorities where required by applicable law, and only to the minimum extent necessary to comply.

5. Data Retention

Data	Retention Period
Terraform files	Deleted immediately after review generation — not stored
Account data (email, profile)	Retained while account is active + 30 days post-deletion
Billing records	7 years (Dutch tax law requirement)
Analytics data	Aggregated and non-personal — retained indefinitely
Server logs (IP, browser metadata)	90 days

6. Your Rights (GDPR)

If you are located in the EEA, you have the following rights regarding your personal data:

→

Right of access: Request a copy of the personal data we hold about you.

→

Right to rectification: Request correction of inaccurate or incomplete data.

→

Right to erasure: Request deletion of your personal data ("right to be forgotten").

→

Right to restriction: Request that we limit processing of your data in certain circumstances.

→

Right to data portability: Receive your personal data in a structured, commonly used format.

→

Right to object: Object to processing based on legitimate interests.

→

Right to withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at privacy@archguard.io. We will respond within 30 days as required under GDPR Article 12.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl

7. Cookies & Analytics

ArchGuard.io uses Plausible Analytics, a privacy-first analytics tool that does not use cookies and does not collect personally identifiable information. No cookie consent banner is required for Plausible under GDPR.

We may set a session cookie to maintain your authenticated state while you are logged in. This cookie is strictly necessary for the service to function and is deleted when you end your session.

Name	Purpose	Duration	Type
session	Maintain authenticated session	Session (deleted on browser close)	Strictly necessary

8. International Transfers

Our primary infrastructure is hosted in the EU (AWS eu-west-1, Ireland). Some of our sub-processors, including AWS globally and Stripe, may process data in the United States or other third countries.

Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, or applicable adequacy decisions, to ensure that your data receives an equivalent level of protection.

9. Changes to This Policy

We will notify you by email at least 14 days before any material change to this Privacy Policy takes effect. The “Last updated” date at the top of this page reflects the most recent revision. Non-material changes (such as typographical corrections or clarifications that do not affect your rights) may be made without prior notice.

10. Contact

For privacy-related enquiries, GDPR rights requests, or questions about this policy:

ArchGuard.io is a product of Rost CAMP.

Rost CAMP · KVK: 95487530 · VAT: NL005158863B35

Netherlands · privacy@archguard.io