Legal
Privacy policy
Last updated: July 2026
1. Controller
ArcemCloud AS (org.nr 933 755 630), Inkognitogata 8, 0258 Oslo, Norway, is the controller for personal data processed through the ArcemCloud platform and this website. Contact: post@arcemcloud.no.
2. What we process
We process the minimum needed to operate a metered, auditable platform:
- Account and identity data — name, work email and authentication records, held in Zitadel, an identity provider we host ourselves inside the platform. No third-party identity service sees your logins.
- Usage metadata — token counts, GPU-seconds and endpoint activity per project, used for metering and billing.
- Audit records — administrative actions (key issuance, deployments, configuration changes) written to a tamper-evident audit log.
We do not store prompt or completion content. Inference requests are processed in memory to produce a response; only token counts are retained.
3. Purposes and legal bases
- Providing and administering the service, including authentication — performance of a contract (GDPR Art. 6(1)(b)).
- Metering, billing and invoicing — performance of a contract (Art. 6(1)(b)) and legal obligations under Norwegian bookkeeping law (Art. 6(1)(c)).
- Audit logging and security monitoring — legitimate interest in operating a secure, accountable platform (Art. 6(1)(f)) and, where applicable, legal and contractual compliance obligations.
- Responding to enquiries sent to us — legitimate interest (Art. 6(1)(f)).
4. No third-country transfers
All processing takes place in Norway, on infrastructure owned and operated by ArcemCloud AS. We use no US processors and no sub-processors subject to non-EEA jurisdiction. Personal data is not transferred to third countries, and no transfer mechanism (SCCs, adequacy decisions) is needed because no transfer occurs.
5. Retention
- Account data is retained for the life of the customer relationship and deleted on account closure, except where retention is legally required.
- Usage metadata is retained as long as needed for billing and for the retention periods required by Norwegian bookkeeping law.
- Audit records are retained for compliance and security-accountability purposes; the hash-chained log is append-only by design.
6. Your rights
Under the GDPR you have the right to access, rectification, erasure, restriction, portability and objection with respect to your personal data. Write to post@arcemcloud.no and we will respond within the statutory deadlines. You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).
7. Security
The platform runs on a self-hosted, open-source stack with hard tenant isolation (dedicated namespaces, default-deny networking), self-hosted identity (Zitadel) and secrets management (OpenBao), a tamper-evident hash-chained audit log, and a pinned, mirrored supply chain. Details are on the security page.
8. Contact
Questions about this policy or our processing: post@arcemcloud.no, ArcemCloud AS, Inkognitogata 8, 0258 Oslo, Norway.