OpenArtemis
/ Legal

Privacy Policy

Last updated · April 2026

1. Introduction

This Privacy Policy explains how OpenArtemis Ltd. ("OpenArtemis", "we", "our", or "us") collects, uses, stores, and shares personal information when you use our services, including the ArvoCode platform, the THDB API, and our websites (collectively, the "Services").

We are committed to protecting your personal data and to handling it in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the Data Protection Act 2018, and other applicable data protection laws.

2. Data We Collect

We collect the following categories of personal data when you use the Services:

  • Account information — name, email address, organization, and password (hashed).
  • Billing information — billing address, VAT details, and payment metadata (processed by our payment processors; full card numbers are never stored on our servers).
  • Usage logs — API requests, endpoints accessed, response metadata, timestamps, and IP addresses.
  • API keys — generated, rotated, and retained securely on your behalf.
  • Content — prompts and outputs you submit or generate through the Services, to the extent required to deliver them.
  • Technical data — device information, browser type, operating system, and cookie identifiers.

3. How We Use Your Data

We process personal data to:

  • Provide, operate, and maintain the Services.
  • Authenticate users and secure the Services.
  • Process payments, manage subscriptions, and prevent fraud.
  • Monitor performance, debug issues, and improve reliability.
  • Comply with applicable legal obligations and respond to lawful requests.
  • Communicate with you about product updates, security notices, and, with your consent, marketing.

We do not train foundation models on your API request content without explicit opt-in consent.

4. Data Retention

We retain personal data only for as long as is necessary for the purposes set out in this Policy, or as required by law. Account and billing data are retained while your account is active and for up to 7 years thereafter for audit and tax purposes. Usage logs are retained for up to 90 days. You may request earlier deletion in accordance with Section 7.

5. Data Storage & Security

Personal data is stored on encrypted infrastructure operated by trusted cloud providers, with access restricted to authorized personnel under the principle of least privilege. We employ industry-standard administrative, technical, and physical safeguards, including encryption in transit (TLS 1.3) and at rest (AES-256).

No method of transmission or storage is completely secure. We cannot guarantee absolute security, but we work continuously to protect your data.

6. Third-Party Services

We use a limited number of third-party processors to deliver the Services, including cloud hosting providers, payment processors, email infrastructure providers, and analytics tools. These processors are contractually bound to handle your data solely on our instructions and in accordance with this Policy and applicable law.

We do not sell your personal data to third parties under any circumstances.

7. Your Rights

Subject to applicable law, you have the following rights with respect to your personal data:

  • Right of access (GDPR Article 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Article 16) — request correction of inaccurate or incomplete data.
  • Right to erasure (Article 17) — request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction of processing (Article 18).
  • Right to data portability (Article 20) — receive your data in a structured, machine-readable format.
  • Right to object to processing and withdraw consent at any time.
  • Right to lodge a complaint with a supervisory authority, such as the UK Information Commissioner's Office (ICO).

To exercise any of these rights, contact us at [email protected].

8. Cookies

Our websites use a minimal set of cookies for authentication, session management, and optional analytics. Non-essential cookies are set only with your consent. You can control or disable cookies through your browser settings. Disabling essential cookies may impair functionality.

9. Children's Privacy

The Services are not directed to children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact [email protected] and we will take steps to delete it.

10. International Transfers

OpenArtemis legal operations are registered in England and Wales. Your data may be transferred to, stored, and processed in jurisdictions outside your country of residence. Where such transfers involve personal data of EU or UK residents, we implement appropriate safeguards, including Standard Contractual Clauses where applicable.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page and, where appropriate, communicated to you directly. The "Last updated" date at the top of this page reflects the most recent revision.

12. Governing Law

This Privacy Policy is governed by the laws of England and Wales, without regard to its conflict-of-laws rules.