Legal

Privacy policy

Last updated: July 2026

1. Controller

ArcemCloud AS (org.nr 933 755 630), Inkognitogata 8, 0258 Oslo, Norway, is the controller for personal data processed through the ArcemCloud platform and this website. Contact: post@arcemcloud.no.

2. What we process

We process the minimum needed to operate a metered, auditable platform:

  • Account and identity data — name, work email and authentication records, held in Zitadel, an identity provider we host ourselves inside the platform. No third-party identity service sees your logins.
  • Usage metadata — token counts, GPU-seconds and endpoint activity per project, used for metering and billing.
  • Audit records — administrative actions (key issuance, deployments, configuration changes) written to a tamper-evident audit log.

We do not store prompt or completion content. Inference requests are processed in memory to produce a response; only token counts are retained.

3. Purposes and legal bases

  • Providing and administering the service, including authentication — performance of a contract (GDPR Art. 6(1)(b)).
  • Metering, billing and invoicing — performance of a contract (Art. 6(1)(b)) and legal obligations under Norwegian bookkeeping law (Art. 6(1)(c)).
  • Audit logging and security monitoring — legitimate interest in operating a secure, accountable platform (Art. 6(1)(f)) and, where applicable, legal and contractual compliance obligations.
  • Responding to enquiries sent to us — legitimate interest (Art. 6(1)(f)).

4. No third-country transfers

All processing takes place in Norway, on infrastructure owned and operated by ArcemCloud AS. We use no US processors and no sub-processors subject to non-EEA jurisdiction. Personal data is not transferred to third countries, and no transfer mechanism (SCCs, adequacy decisions) is needed because no transfer occurs.

5. Retention

  • Account data is retained for the life of the customer relationship and deleted on account closure, except where retention is legally required.
  • Usage metadata is retained as long as needed for billing and for the retention periods required by Norwegian bookkeeping law.
  • Audit records are retained for compliance and security-accountability purposes; the hash-chained log is append-only by design.

6. Your rights

Under the GDPR you have the right to access, rectification, erasure, restriction, portability and objection with respect to your personal data. Write to post@arcemcloud.no and we will respond within the statutory deadlines. You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).

7. Security

The platform runs on a self-hosted, open-source stack with hard tenant isolation (dedicated namespaces, default-deny networking), self-hosted identity (Zitadel) and secrets management (OpenBao), a tamper-evident hash-chained audit log, and a pinned, mirrored supply chain. Details are on the security page.

8. Contact

Questions about this policy or our processing: post@arcemcloud.no, ArcemCloud AS, Inkognitogata 8, 0258 Oslo, Norway.