Terms

The fine print.

Terms of Use

You acknowledge that all content on this Web Site, including the Web Site's design, graphics, text, formatting, sounds, pictures, images, software, and other materials and information on this Website, and the selection and arrangement thereof (collectively, "Content"), are the property of Arch Labs, Inc. (henceforth referred to as “Arch Labs” or “Arch”) or its licensors, and are subject to and protected by United States and international copyright and other intellectual property laws and rights. All rights to Content not expressly granted in these Terms of Use are reserved to their respective intellectual property right owners. Except as expressly authorized in these Terms of Use or on the Web Site, you may not copy, reproduce, distribute, republish, download, perform, display, post, transmit, exploit, create derivative works or otherwise use any of the Content in any form or by any means, without the prior written authorization of Arch Labs or the respective intellectual property rights owner. Arch Labs authorizes you to view and download the Content only for personal, non-commercial use, provided that you keep intact all copyright and other proprietary notices contained in the original Content. You may not modify or adapt the Content in any way or otherwise use them for any public or commercial purposes. The trademarks, service marks, trade names, trade dress and logos (collectively, "Marks") contained or described on this Web Site (including, without limitation, Arch and Arch Labs) are the sole property of Arch and its licensors and may not be copied, imitated or otherwise used, in whole or in part, without the prior written authorization from Arch and/or its licensors. In addition, all page headers, custom graphics, button icons and scripts are Marks of Arch and may not be copied, imitated or otherwise used, in whole or in part, without the prior written authorization of Arch. Arch will enforce its intellectual property rights to the fullest extent of the law.

II. LINKS TO THIRD PARTY WEBSITES

Links on the Web Site to third party websites are provided only as a convenience to you. If you use these links, you will leave the Web Site. Arch does not control or endorse any such third party websites expect those in relation to Arch. You agree that Arch and its affiliates will not be responsible or liable for any content, goods or services provided on or through these outside websites or for your use or inability to use such websites. You will use these links at your own risk. You are advised that other websites on the Internet, including third party websites linked from this Web Site, might contain material or information that some people may consider offensive or inappropriate; or that is inaccurate, untrue, misleading or deceptive; or that is defamatory, libelous, infringing of others' rights or otherwise unlawful. Arch expressly disclaims any responsibility for the content, legality, decency or accuracy of any information, and for any products and services, that appear on any third party website. Arch recommends that you make yourself aware of and read the legal and privacy notices of all other websites that you visit.

II. DISCLAIMER OF WARRANTIES

Arch strives to provide accurate and up-to-date material on this Web Site. However, we make no warranties or representations as to the accuracy or timeliness of the Content on this Web Site. YOUR USE OF THE WEB SITE IS AT YOUR SOLE RISK. THE WEB SITE AND THE CONTENT CONTAINED ON THIS WEB SITE ARE PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. Arch EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. Arch MAKES NO WARRANTY THAT (I) THE WEB SITE WILL MEET YOUR REQUIREMENTS, (II) THE WEB SITE WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE, (III) THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE WEB SITE WILL BE ACCURATE OR RELIABLE, (IV) THE WEB SITE IS FREE FROM VIRUSES OR OTHER HARMFUL COMPONENTS, OR (V) ANY ERRORS IN THE WEB SITE WILL BE CORRECTED. ANY MATERIAL DOWNLOADED OR OTHERWISE OBTAINED THROUGH THIS WEB SITE IS PROVIDED AT YOUR OWN RISK, AND YOU ARE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM YOUR USE OF THE WEB SITE, INCLUDING WITHOUT LIMITATION, DAMAGES RESULTING FROM COMPUTER VIRUSES. SOME JURISDICTIONS MAY NOT PERMIT CERTAIN DISCLAIMERS OF WARRANTIES, SO SOME OF THE EXCLUSIONS ABOVE MAY NOT APPLY TO YOU. IN SUCH JURISDICTIONS, WE DISCLAIM WARRANTIES TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW.

II. DISCLAIMER OF DAMAGES AND LIMITATION OF LIABILITY

NEITHER Arch OR ITS AFFILIATES SHALL UNDER ANY CIRCUMSTANCES BE LIABLE FOR ANY DAMAGES OF ANY KIND ARISING OUT OF, IN CONNECTION WITH OR RELATING TO YOUR ACCESS TO, OR USE OF OR INABILITY TO USE THIS WEB SITE OR ANY MATERIAL, OR ANY OTHER WEBSITE YOU ACCESS THROUGH A LINK FROM THIS WEB SITE, OR ANY INCORRECT OR INACCURATE INFORMATION ON THIS WEB SITE. THIS IS A COMPREHENSIVE LIMITATION OF LIABILITY THAT APPLIES TO ALL DAMAGES OF ANY KIND, INCLUDING ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROPERTY DAMAGE, LOSS OF USE, LOSS OF DATA, LOSS OF BUSINESS, ECONOMIC LOSS OR LOSS OF PROFITS), WHETHER BASED ON BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EVEN IF Arch HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE OR LOSS. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, YOU EXPRESSLY WAIVE ALL CLAIMS AGAINST Arch AND ITS AFFILIATES AND THEIR OFFICERS, DIRECTORS, EMPLOYEES, SUPPLIERS AND PROGRAMMERS THAT MAY ARISE FROM YOUR ACCESS OR USE OF THIS SITE.

II. INDEMNIFICATION AND RELEASE

You agree to indemnify, defend and hold harmless Arch and its affiliates against all claims, demands, causes of action, losses, expenses, damages and costs, including any reasonable attorneys' fees, resulting or arising from or relating to your use of or conduct on the Web Site, any activity related to use of the Web Site by you, any message or material that you submit to, post on or transmit through the Web Site, your violation of these Terms of Use, your infringement or violation of any rights of another, or termination of your access to the Web Site. If you have a dispute with one or more users, you release Arch and its affiliates from claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, arising out of or in any way connected with such disputes.

NO UNLAWFUL OR PROHIBITED ACTIVITY

As a condition of your use of this Web Site, you agree not to use the Web Site for any purpose that is unlawful or prohibited by these terms and conditions. You further agree that you are responsible for your use of and communications on the Web Site. You agree not to post on or transmit through this Web Site any unlawful, infringing, threatening, harassing, defamatory, vulgar, obscene, profane, indecent, offensive, hateful or otherwise objectionable material of any kind, including any material that encourages criminal conduct or conduct that would give rise to civil liability, violates the privacy rights of others, infringes others' intellectual property rights or otherwise violates any applicable local, state, national or international law. You agree not to use this Web Site in any manner that interferes with its normal operation or with any other user's use and enjoyment of the Site. You agree to use reasonable efforts to scan and remove any viruses or other contaminating or destructive features before submitting any material. Arch reserves the right, in its sole discretion, to suspend or terminate your access to this Web Site and prohibit any and all current and future use of this Web Site (or any portion thereof) by you, if you fail to comply with any term or provision of these Terms of Use or your use is harmful to the interests of another user of this Web Site.

SHUT-DOWN OF WEBSITE

Arch reserves the right at any time and from time to time to modify or discontinue, temporarily or permanently, the Web Site (or any part thereof) with or without notice or consent. Arch and its afliates shall have no responsibility or liability for failure to store or delete any Content or User Content submitted to the Web Site.

GOVERNING LAW AND DISPUTE RESOLUTION

These Terms of Use shall be governed by, and construed in accordance with, the laws of the United States and the State of New York, without giving effect to conflicts of law principles thereof. Arch makes no representations that the material and information on this Web Site are appropriate or available in all national locations or languages. You agree that any action at law or in equity arising from or relating to the use of this Web Site or to these Terms of Use shall be brought exclusively in the Federal or State Courts residing in New York. You hereby consent and submit to personal jurisdiction in of such courts for the purposes of any action relating to this Web Site, your access or use thereof, or these Terms of Use, and to extra-territorial service of process.

SEVERABILITY

If any provision of these Terms of Use is held to be unlawful, void, or for any reason unenforceable by a court of competent jurisdiction, then the invalid or unenforceable provision shall be replaced by a valid, enforceable provision that most closely matches the intent of the original provision, and the validity and enforceability of any remaining provisions shall not be a ected.

13. NO WAIVER

The failure of Arch and its affiliates to enforce any part of these Terms of Use shall not constitute a waiver of such term or provision, and shall not be considered a waiver or limit Arch's right thereafter to insist upon strict adherence to that term or any other provision of these Terms of Use.

Last Update: May 2, 2018

Privacy Policy

This Privacy Policy describes the policies and procedures of Arch Labs, Inc. ("Arch Labs,” “we,” “our,” or “us”) on the collection, use, and disclosure of your information on arch.co (the “Site”), and the related services, features, content, mobile applications, and products that we offer (collectively with the “Site,” the “Services”).

How You Accept This Policy

By accessing and using Arch Labs, creating a user account, or purchasing services through the Site, you agree to the use, disclosure, and procedures outlined in this Privacy Policy.

What Information Does Arch Labs Collect?

The information we collect from you falls into two categories: (i) personally identifiable information (i.e., data that could potentially identify you as an individual) (“Personal Information”); and (ii) non-personally identifiable information (i.e., information that cannot be used to identify who you are) (“Non-Personal Information”). This Privacy Policy covers both categories and outlines how we might collect and use each type.

We may collect a variety of Personal Information, including:

  • Information from Third Party Services (defined below) that you explicitly give us access to;
  • Your contact information, such as email address (or other contact information depending on how you contact us); and
  • Your name to the extent that you set it in your username.

We may also collect a variety of Non-Personal Information, including various analytics data such as:

  • the IP address of the computer you use to access the Site;
  • the type of browser software you are using;
  • the operating system you are using;
  • the date and time you access or use the Site;
  • the website address, if any, that linked you to our Site;
  • the website address, if any, you leave our website and travel to; and
  • other non-personally identifiable traffic data.

Information we will not collect

  • Special category data such as: individual's: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, and sexual life or orientation;
  • Criminal conviction data;

How We Collect Information

When You Create a Profile or Provide Us with Information to Purchase a Membership Subscription   

If you create a profile on our Site, we may request certain Personal Information. This may include contact information such as your email address, phone number, and billing address.

We, or companies that provide services on our behalf, may also collect certain financial information from you. By using Arch Labs, you give us consent to use and provide your financial information, as we consider necessary to provide the Service. We may collect financial information that you provide to us and store on our platform, including: tax information, capital calls, account balances, distributions, and investment workflows. Arch Labs users also have the option of inviting their own accountants, advisors, or clients, to manage and collaborate on accounts as well, so any related documents or communications provided by these parties may also be collected and stored.

Information We Automatically Collect

Like most websites, Arch Labs may incorporate technology such as “pixel tags,” “web beacons,” and “cookies.” Pixel tags and web beacons are tracking devices on websites, or in emails, that can monitor the behavior of the user visiting the website or sending the e-mail. Cookies are small files that web servers may place on your computer when you visit a website.

Here at Arch Labs, we use cookies to help identify and track usage of the Site, and to deliver a more personalized experience. You can learn more about our cookie policy here

Third Party Services

This Site includes links to third-party products, services, and websites, as well as materials provided by third parties (collectively “Third Party Services”). If you authorize us to connect with these Third Party Services, you grant us permission to collect certain Personal Information, such as your name, email address, phone number, and any other information that the Third Party Service makes available to us.

For example, if you register your Bank of America account with us, we will aggregate your Bank of America information via our Site in order to present it to you. If you choose to access bills online through our Services, we may store a PDF or HTML representation of your bills on our servers.

Please note that your use of Third Party Services is governed by their respective Terms of Service and Privacy Policies. We use and disclose any collected information in accordance with our own Privacy Policy.

Communications You Initiate with Us

We do everything possible to ensure you have an amazing experience when using Arch Labs. If you contact us in person, by phone, email, instant message, live chat, social media, or by some other means (either through our Site or through a Third Party Service), we may keep a record of your contact information and correspondence for later reference to help improve our Site.

How We Use the Information We Gather

We primarily use the information we collect and store to enhance Arch Labs. Except if we sell all or a portion of our business, or as otherwise described below, we do not rent, trade, or sell your Personal Information.

Use of Information to Provide Arch Labs to You

We use Personal Information to create an awesome experience. Some ways we may internally use your information are to:

  • Provide our Services;
  • Contact you when necessary;
  • Respond to your comments or questions;
  • Provide you with additional information according to your preferences;
  • Customize and personalize your Arch Labs experience;
  • Generate aggregated statistics to help us improve the customer experience;
  • Make Arch Labs easier and more convenient for you (such as by prepopulating forms when you have already provided identical information);
  • Provide recommendations to you;
  • Send you information and marketing materials about services and products available on our Site;
  • Train our team members; or
  • Other internal business purposes.

How we share and disclose information

  • Displaying and operating the Services. Because of the nature and functionality of the Services, Information will be displayed as part of the Services to Authorized Users in a Customer Instance. For example, information about Customer's Tax Documents may be shared with their Authorized Tax Team.
  • Third-party service providers and partners. Arch may engage third parties (service providers or business partners) to process Information and support its business, such as virtual computing and storage services. These parties are bound by appropriate and commercially reasonable confidentiality obligations. Additional information about the subprocessors Arch uses is set forth in our list of Arch Subprocessors.
  • Third-Party Services. Customers can enable or permit Authorized Users to enable Third-Party Services. Arch requires these services to disclose all permissions for information access, but does not guarantee they do so. Arch may share Information with Third-Party Services when enabled and requested by the Customer. Third-Party Services are not owned or controlled by Arch and have their own policies and practices for data collection, use, and sharing. Users are advised to check permissions, privacy settings, and notices for these services or contact the service provider.
  • Corporate affiliates. Arch may share Information with its corporate affiliates, parents, and/or subsidiaries.
  • During a change to Arch's business. If Arch engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of assets or stock, financing, public offering of securities, or similar transaction, some or all Information may be shared or transferred, subject to appropriate and commercially reasonable confidentiality arrangements.
  • Aggregated or de-identified data. Arch may disclose or use aggregated or de-identified information for any purpose, including sharing with prospects, partners, or service providers for business or research purposes. These parties may also share aggregated information with us.
  • To Comply with Laws. We may access, read, preserve, and disclose information as reasonably necessary to comply with law, enforce our terms, cooperate with law enforcement, or protect the rights, property, or safety of Arch Labs, our users, or others.
  • To enforce our rights, prevent fraud, and for safety. Information may be shared to protect and defend the rights, property, or safety of Arch or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues.
  • With consent. Arch may share Information with third parties when Arch has consent to do so.

Agents or Third Party Partners

We may provide your Personal Information to our employees, contractors, agents, service providers, and designees (“Agents”) to enable them to perform certain services for us exclusively, including:

  • Payment processing;
  • Website-related services, such as web hosting;
  • Improvement of website-related services and features;
  • Maintenance services; or
  • Distribution of advertisements and other marketing materials on our behalf.

Protection of Us and Others

We reserve the right to access, read, preserve, and disclose any information that we reasonably believe is necessary to: comply with the law or a court order; cooperate with law enforcement; enforce or apply our Terms of Use and other agreements; or protect the rights, property, or safety of Arch Labs, our employees, our users, or others.

What Personal Information Can I Access or Change?

Arch allows amending your Personal Information on the settings page (https://arch.co/portal/settings) or by emailing support@arch.co. Additionally, for deleting or revising Personal Information, or for any other privacy related questions, please contact us at privacy@arch.co or by submitting a privacy request here.

If you decide you don’t want to receive email or other mail from us, you can select the “opt out” provision in our communications or in your profile settings to unsubscribe. Unsubscribing will stop you from receiving most types of communication, but it may not apply to emails about orders or transactions you place through the Site or to respond to your specific request.

Data Retention

We will retain Service Data in accordance with the applicable MSA, Customer’s use of Services functionality, and as required by applicable law.

We may retain Other Information for as long as necessary for the purposes described in this Privacy Policy. This may include keeping Other Information for the period of time needed for us to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes, and enforce our agreements.

  • We retain customer data and credentials for up to a month following account termination, unless deletion is requested earlier.
  • We retain website visitor information for up to a year following the last visit to our website.

Following a data deletion request, we may still retain some Personal Information that you have provided to us in order to maintain our services or to comply with relevant laws.

Data Security

We are committed to ensuring your information is protected and have selected third-party vendors that help keep your Personal Information safe. Unfortunately, we do not control these third parties and therefore cannot guarantee complete security.

We do employ several physical and electronic safeguards to keep your information safe, including encrypted user passwords and securing all connections with industry standard transport layer security.

If you log into your account on a shared computer, be sure to sign out of your account when finished. If you believe an unauthorized third party has access to your account, you must let us know as soon as possible.

Even with all these precautions, we cannot fully guarantee against the access, disclosure, alteration, or deletion of data through events, including, but not limited to, hardware or software failure or unauthorized use. Any information that you provide to us is done so entirely at your own risk.

Children

We are especially sensitive about children’s information. Our Services are not targeted towards children, and we do not knowingly collect information from children under the age of 13. If you are a parent or legal guardian of a minor child, we will treat any information that you provide us while using Arch Labs on behalf of your minor child as Personal Information as otherwise provided in this Privacy Policy. If you have questions concerning our information practices with respect to children, or if you learn that a child under the age of 13 has used Arch Labs, created a user account, or provided us with personal information, please email us at support@arch.co.

Online Tracking and How We Respond to Do Not Track Signals

Online tracking is the collection of data about an individual’s Internet activity used to deliver targeted advertisements and for other purposes. Some web browsers (including, Safari, Internet Explorer, Firefox, and Chrome) incorporate a “Do Not Track” (DNT) or similar feature that signals to websites that a visitor does not want to have his/her online activity and behavior tracked. If an online service elects to respond to a particular DNT signal, the service may refrain from collecting certain personal information about the browser’s user. Not all browsers offer a DNT option and there is currently no industry consensus as to what constitutes a DNT signal. For these reasons, many website operators, including Arch Labs, do not take action to respond to DNT signals. For more information about DNT signals, visit https://allaboutdnt.com.

We Reserve the Right to Update and Revise This Privacy Policy at Any Time

We occasionally review this Privacy Policy to confirm it complies with applicable laws and conforms to changes in our business. We may need to update this Privacy Policy, and we reserve the right to do so at any time. If we do revise this Privacy Policy, we will update the “Last Updated” section at the top of this page so that you can tell if it has changed since your last visit and we will do our best to notify you. Please review this Privacy Policy regularly to ensure that you are aware of its terms. Any use of Arch Labs after an amendment to our Privacy Policy constitutes your acceptance to the revised or amended agreement.

Your Rights as a California Resident

If you are a California resident, you have the ability to ask us for a notice identifying the categories of Personal Information we share with our affiliates and/or third parties for marketing purposes and the contact information for such affiliates and/or third parties (under California Civil Code Sections 1798.83–1798.84). If you are a California resident and would like a copy of this notice, please submit a written request to support@arch.co.

International Users and Visitors

Arch Labs is hosted in the United States. Because the Internet is global, you should note that by providing Personal Information as an international visitor or user, you are: (i) permitting the transfer of your Personal Information to the United States, which may not have the same data protection laws as the country in which you reside; and (ii) permitting the use of your Personal Information in accordance with this Privacy Policy.

If you are located in the European Economic Area (“EEA”), we only process your Personal Information based on a valid legal ground, which encompasses: when we need your Personal Information to provide our services, including for account registration, to respond to your inquiries, or for customer support; when we have a legal obligation to use your Personal Information (such as to enforce our terms and conditions); when we or a third party have a legitimate interest in using your Personal Information (for example, to detect and prevent fraud, to conduct business analytics, or for a service provider to help us deliver or improve our services), and such use is not overridden by your data protection rights.

If you are a resident of the EEA, you are also entitled to certain individual rights, such as the following rights to: access and rectify your data; request erasure of your data; object or restrict our processing of your data; receive and transmit your data; and right to lodge a legitimate complaint to your data protection authority.

Our Representatives

Data Protection Officer

To contact Arch’s DPO please contact:

dpo@arch.co, +1 (646) 452-8275, 111 E 18th St New York, NY 10003

Under Article 27 of the GDPR, we have appointed an EU Representative to act as our data protection agent.

Our EU Representative:

Adam Brogden, contact@gdprlocal.com, + 353 15 549 700, INSTANT EU GDPR REPRESENTATIVE LIMITED Office 2 12A Lower Main Street, Lucan Co. Dublin K78 X5P8 Ireland

Our UK Representative:

Adam Brogden, contact@gdprlocal.com, + 441 772 217 800, GDPRLocal Ltd. 1st Floor Front Suite 27-29 North Street, Brighton England BN1 1EB

Questions?

We’d be happy to answer them. Shoot us an email or send us a note:
Email: support@arch.co
Mailing Address:
Arch Labs, Inc.
111 E 18th St, Floor 11
New York, NY 10003

Last Updated: August 4, 2025

Cookie Policy

1. Application

This policy applies to Arch employees, contractors, and vendors while doing business with Arch Labs, Inc. (henceforth referred to as "Arch Labs" or "Arch") and others who have access to European Union (EU) and the European Economic Area (EEA) data subject information ("personal data") in connection with Arch's operating activities.

2. Policy

Arch believes in transparency about collection and use of data. This policy provides information about how and when Arch uses cookies for these purposes. Capitalized terms used in this policy but not defined have the meaning set forth in our Privacy Policy, which also includes additional details about the collection and use of information at Arch.

What is a cookie?

Cookies are small text files sent by us to your computer or mobile device, which enable Arch features and functionality. They are unique to your account or your browser. Session-based cookies last only while your browser is open and are automatically deleted when you close your browser. Persistent cookies last until you or your browser delete them or until they expire.

Does Arch use cookies?

Yes. Arch uses cookies and similar technologies like pixel tags and web beacons. Arch uses both session-based and persistent cookies. Arch sets and accesses cookies on the domains operated by Arch and its corporate affiliates (collectively, the "Sites"). In addition, Arch uses third party cookies, like Google Analytics or Intercom.

How is Arch using cookies?

Arch does not use first-party cookies that are associated with your account and personal information.

Arch contracts with third parties, who may use cookies that are associated with your account and personal information to remember that you are logged in and which workspaces you are logged into.

Arch can use first-party and third-party cookies that are not tied to your account but are unique and allow us to carry out analytics and customization, among other similar things.

Cookies can be used to recognize you when you visit a Site or use our Services, remember your preferences, and give you a personalized experience that is consistent with your settings. Cookies also make your interactions faster and more secure. Visit our Appendix A: Cookie Tables to learn more.

Categories of use

  • Authentication: If you are signed into the Services, cookies help Arch show you the right information and personalize your experience.
  • Security: Arch uses cookies to enable and support security features, and to help detect malicious activity.
  • Preferences, features, and services: Cookies denote which language you prefer and what your communications preferences are. They can help fill out forms on our Sites more easily. They also provide you with features, insights, and customized content.
  • Marketing: Arch may use cookies to help deliver marketing campaigns and track their performance (e.g., a user visited Arch.co and then made a purchase). Similarly, Arch’s partners may use cookies to provide us with information about your interactions with their services, but use of those third-party cookies would be subject to the service provider’s policies.
  • Performance, Analytics, and Research: Cookies help Arch learn how well the Sites and Services perform. Arch also uses cookies to understand, improve, and research products, features, and services, including to create logs and record when you access our Sites and Services from different devices, such as your work computer or your mobile device.

What third-party cookies does Arch use?

You can find a list of the third-party cookies that Arch uses on our sites along with other relevant information in the Appendix A: Cookie Tables. Arch does its best to keep this table updated, but please note that the number and names of cookies, pixels, and other technologies may change from time to time.

How are cookies used for advertising purposes?

Cookies and other ad technology such as beacons, pixels, and tags help Arch market more effectively to users that may be interested in the Services. They also help with aggregated auditing, research, and reporting.

What can you do if you don't want cookies to be set or want them to be removed?

You have the option to disable and delete cookies that are not necessary for the basic functionality of our website. Please note, blocking categories may impact your experience on our website. You may access the Cookie Manager at any time in the footer of our website.

Does Arch respond to Do Not Track Signals?

The Sites and Services do not collect personal information about your online activities over time and across third-party websites or online services. Therefore, "do not track" signals transmitted from web browsers do not apply to the Sites or Services, and Arch does not alter any data collection and use practices upon receipt of such a signal.

Appendix A: Cookie Tables

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but that will cause some parts of the site to not work. These cookies do not store any personally identifiable information.

Cookie Subgroup Cookies Cookies used
*.auth0.com _com.auth0.auth.######_compat
com.auth0.auth.######		 Third party
*.intercom.com intercom-session-######
intercom-device-id-######		 Third party

Performance Cookies

These cookies (Arch uses Google Analytics and Amplitude) allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance.

To view an overview of the privacy of your Google Analytics cookies please visit: https://support.google.com/analytics/answer/6004245.

You may install a Google Analytics opt-out browser add-on by visiting: https://tools.google.com/dlpage/gaoptout?hl=en-GB.

To view an overview of the privacy of our Intercom cookies please visit: https://www.intercom.com/legal/cookie-policy.

Cookie Subgroup Cookies Cookies used
*.amplitude.com AMP_######
AMP_######
AMP_MKTG_######
AMP_MKTG_###### 		Third party
*.google.com _ga
_ga_######
_gat
_gid 		Third party

Third Party Website Cookies

When using our website, you may be directed to other websites for such activities as surveys, to make payment, for job applications, and to view content hosted on those sites such as an embedded video or news article. These websites may use their own cookies. We do not have control over the placement of cookies by other websites you visit, even if you are directed to them from our website.

How To Control and Delete Cookies

1. Using Your Browser

Many of the cookies used on our website and through emails can be enabled or disabled through our consent tool or by disabling the cookies through your browser. To disable cookies through your browser, follow the instructions usually located within the “Help,” “Tools” or “Edit” menus in your browser. Please note that disabling a cookie or category of cookies does not delete the cookie from your browser unless manually completed through your browser function.

2. Cookies Set in the Past

Collection of your data from our analytics cookies can be deleted. If cookies are deleted, the information collected prior to the preference change may still be used. However, we will stop using the disabled cookie to collect any further information from your user experience. For our marketing cookie, when a user opts out of tracking, a new cookie is placed to prevent users from being tracked.

Last Updated: July 2025

GDPR Compliance Policy

Application

This policy applies to employees, contractors, and vendors while doing business with Arch Labs, Inc. (henceforth referred to as "Arch Labs" or "Arch") and others who have access to European Union (EU) and the European Economic Area (EEA) data subject information ("personal data") in connection with Arch's operating activities.

Policy

Arch is committed to protecting the security, confidentiality, and privacy of its information resources including EU and EEA personal data in accordance with the requirements set forth in the General Data Protection Regulation (EU) 2016/679 ("GDPR", "Regulation"). Personal data shall only be processed when there is a legal basis to do so, data shall be managed to ensure that security, confidentiality, and privacy are maintained, and data will be used only for authorized purposes. Arch employees and contractors of Arch share the responsibility for safeguarding personal data to which they have access.

When performing commercial activities in support of Arch products and services that impact EU/EEA personal data, Arch may engage in certain activities which may require it to receive, store, process, transmit, create, or access and use data which may trigger compliance requirements with the provisions applicable to GDPR. This policy and the GDPR Policies adopted hereunder are intended to support the mission of Arch and to facilitate data processing activities that are important to Arch by:

  • Ensuring compliance with requirements imposed by GDPR and Arch's regulatory obligations
  • Providing for the establishment of GDPR Policies that set forth, among other things, the required technical, physical, and administrative safeguards to maintain the security, confidentiality, and privacy of personal data
  • Setting forth the roles and responsibilities necessary for Arch to meet its obligations with respect to activities related to the processing of personal data in accordance with GDPR

Roles and Responsibilities

Policy Adoption

Arch shall, in cooperation with relevant stakeholders, develop and adopt necessary and appropriate GDPR Policies, which will include, among other things, the technical, physical, and administrative safeguards required to ensure the confidentiality, integrity, and privacy of personal data, and protect personal data against reasonably anticipated threats or hazards and unauthorized uses or disclosures. Relevant Arch stakeholders shall cooperate with Arch in the development and implementation of the GDPR Policies.

The Arch Information Security and Data Privacy Policies are a component of the GDPR Policies and implement controls which support GDPR compliance.

Responsible Person

The Security team is responsible for the overall oversight of Arch's GDPR compliance program.

Data Protection Officer

The Data Protection Officer (DPO) shall have the responsibilities set forth in this Policy and GDPR Article 39. The DPO is tasked with daily and ongoing oversight and management of Arch's GDPR Compliance Program, which includes the following responsibilities:

  • Monitoring Arch's internal compliance with GDPR
  • Providing guidance at the earliest stage possible on aspects of data protection
  • Keeping Arch stakeholders appraised of changes to GDPR and other relevant laws and regulations
  • Assisting the controller or processor in monitoring internal compliance with the Regulation, including:
    • Collecting information to identify processing activities
    • Analysing and checking the compliance of processing activities
    • Informing, advising and issuing recommendations to the controller or the processor
  • Acting in an independent manner, and ensuring there is no conflict of interest in other roles or interests that the DPO may hold
  • Maintaining inventories of personal data stored on behalf of the data controller or processor
  • Responding to security, privacy, and data access requests and complaints from data subjects
  • Managing data security and critical business continuity issues that could impact personal data
  • Providing guidance, as requested, to the data controller to complete a data protection impact assessment ("DPIA")
  • Providing guidance on responding to accidental or malicious activity that could impact personal data
  • Cooperate with the supervisory authority as needed
  • To act as the contact point for the supervisory authority on issues relating to processing, and to consult, where appropriate, with regard to any other matter

Data Protection Officer. Members of Arch have appointed a data protection officer. The appointed person may be reached at privacy@arch.co

Article 27 Local Representative

For entities operating outside of the EU, Representatives must be named (a Representative is defined in Article 4 as “a natural or legal person established in the [EU] who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under the GDPR.”). Representatives must be established in one of the EU Member States where the data subjects whose personal data the company processes are located. Companies operating in the UK must also appoint a UK Representative. Primary responsibilities include:

  • Serving as the contact point for issues related to the company's processing of personal data under the GDPR, including as a contact point for supervisory authorities
  • Understanding current data protection laws, legal or compliance requirements, and interfacing with regulatory authorities

Representative(s) is/are:

EU Representative: Adam Brogden, contact@gdprlocal.com, + 353 15 549 700, INSTANT EU GDPR REPRESENTATIVE LIMITED Office 2 12A Lower Main Street, Lucan Co. Dublin K78 X5P8 Ireland

UK Representative: Adam Brogden, contact@gdprlocal.com, + 441 772 217 800, GDPRLocal Ltd. 1st Floor Front Suite 27-29 North Street, Brighton England BN1 1EB

Implementation

Data Protection

All personal data requires a legal basis for processing, and will be accessible on a strict need-to-know basis. Personal data is to be kept confidential and must be protected and safeguarded from unauthorized access, modification and disclosure.

  • Storage and Transmission: Personal data must be encrypted, with strong cryptography, whenever stored on or transmitted by Arch systems.
  • Disposal: Paper records must be securely shredded prior to disposal. Electronic media must be securely wiped, sanitized or physically destroyed prior to disposal or reuse.
  • Awareness Training: Relevant personnel will receive appropriate training on their information security and data privacy responsibilities with regard to GDPR and the handling of personal data as well as the Data Subject Access Request (DSAR) procedure.
  • Arch will not transmit EU or UK PII to any third-party or vendor until an appropriate Data Protection Addendum has been fully executed by Arch and the third-party.
  • The company shall retain Record of Processing Activity in accordance with Article 30 of the GDPR. Records shall include:
    • the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
    • the purposes of the processing;
    • a description of the categories of data subjects and of the categories of personal data;
    • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
    • where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
    • where possible, the envisaged time limits for erasure of the different categories of data;
    • where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Breach Notification

Notification of any reportable unauthorized use or disclosure of personal data will be sent to affected parties in accordance with the GDPR notification requirements and the Incident Response Policy.

Data Subject Access Requests (DSAR/SAR)

Subject to the exceptions noted below in this policy, Arch will comply with any SAR concerning the following rights of the data subject:

  • Access (a copy of the personal data undergoing processing)
  • Rectification of personal data (correction of data stored or processed)
  • Erasure ('right to be forgotten')
  • Restriction of processing
  • Notification regarding rectification or erasure
  • Data portability (In the event of a Data Portability Request, Arch will export the customers data in an industry standard format and make it internet accessible for download only by the data subject)
  • Objection to processing (withdrawal of consent to processing)
  • Automated individual decision-making, including profiling
  • Do Not Sell requests under the CCPA

SAR when Arch is the data controller:

  • A SAR must be made on Arch's privacy page (arch.co/legal.html#privacy-policy). Arch may provide an "interface" or self-service mechanism that the data subject is instructed to use to initiate the SAR process.
  • A SAR can also be made using the email address privacy@arch.co.
  • Where required, the data subject must provide reasonable evidence of their identity in the form of valid identity, such as but not limited to, email verification.
  • When submitting the SAR via the interface, the data subject must identify the SAR type that is being requested, e.g., erasure.
  • If a SAR is submitted by an agent, the submission must include the identification of the data subject.

SAR when Arch is the data processor:

  • The SAR must be submitted via the user interface in the Arch Services.
  • The controller must identify the SAR that is being requested.

SAR requirements:

  • The date by which the SAR is submitted, identification is verified, and the specification of the SAR request type must be recorded; Arch will acknowledge any manual requests within 3 business days.
  • Arch has one month from the initial request date to complete the request.
  • The SAR application will be documented and can be audited using the GDPRLocal platform or Arch's internal processes.

Arch as the data processor:

  • Customers will be provided instructions on how to access the data through the user interface or APIs.
  • To the extent the customer is unable to access the data or has issues with accessing the data, Arch will assist the customer in accessing their data.
  • Arch will collect the data specified by the data subject and process according to the instructions provided by the data controller.
  • Arch will maintain a record of requests for data and of its receipt, including dates.

Arch as the data controller:

  • Collect the data specified by the data subject
  • Search databases and relevant filing systems (manual files and electronic) in Arch, including archived files, email folders and archives. Back-up files are not indexed or searchable and are maintained solely for disaster recovery purposes; therefore, they will only be included in the search if they have been restored or reloaded into an active system. Arch maintains a record that identifies where personal data in Arch is stored.
  • Arch will maintain a record of requests for data and of its receipt accessible by Arch’s Data Protection Officer and any other designated Arch representatives. Arch will also keep a record of processing to include dates.
  • Provide data subjects an online mechanism to making requests and ensure such requests will be logged.
  • Arch will acknowledge the SAR within three (3) days of the initial request and respond to any SAR within 30 days of the acknowledgement.
  • SARs from employees or previous employees will be coordinated with HR and the employees’ current or previous departmental leadership.

SAR Exemptions

Arch may withhold information requested under SAR in accordance with Article 23 of the GDPR or any similar exemption under applicable law. Any such exemption must be reviewed and approved by the Data Protection Officer or Arch’s Legal Team.

SAR Limits

Where permitted by law, such as Article 15 of the GDPR, for any further copies of personal data collected by Arch that are requested by the data subject, Arch may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic format.

Compelled Disclosure

Arch governs the compelled disclosure of customer Personally Identifiable Information pursuant to valid third-party legal demands for such information, such as court orders, search warrants, subpoenas, government investigations, and similar demands, and is incorporated by reference into Arch’s Privacy Policy.

Upon receipt of legal demands for information, Arch will immediately notify Arch’s Legal Team, and Data Protection Officer. Arch will investigate the demands, and if it is determined at Arch’s sole discretion that they are valid, we will search for and disclose the information that is specified and that we are reasonably able to locate and provide. We are unable to process overly broad or vague demands, and we will not disclose information that is not specifically demanded, except in response to follow-up demands.

Arch may contact customers if we are compelled to disclose their information pursuant to valid legal demands for such information, but we are not required to do so, and in some instances, we may be legally prohibited from doing so.

All external communications with customers, regulators and law enforcement shall be approved by Arch.

Enforcement

The security team and legal team are responsible for the enforcement of this policy.

Employees who may have questions should contact privacy@arch.co as appropriate.

Disciplinary Action

Failure to comply with any provision of this policy may result in disciplinary action, including, but not limited to, termination.

Reporting

All suspected violations or potential violations of this policy, no matter how seemingly insignificant, must promptly be reported either to privacy@arch.co or security@arch.co.

As long as a report is made honestly and in good faith, Arch will take no adverse action against any person based on the making of such a report. Failure to report known or suspected wrongdoing of which you have knowledge may subject you to disciplinary action up to and including termination of employment.