Privacy Policy

Last updated: April 12, 2026

1. Who We Are

Arctik ("we," "us," or "our") provides a HubSpot portal audit platform that helps teams identify issues, optimize their CRM setup, and take action through AI-powered recommendations and step-by-step Fix Kits.

This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our website and application at arctikhq.com (the "Service").

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and password (hashed and stored securely via Supabase Auth).

HubSpot Portal Data

When you connect your HubSpot portal via OAuth, we access your portal data using read-only permissions to run audit checks. This includes metadata about your contacts, companies, deals, pipelines, workflows, properties, forms, emails, tickets, and integrations. We do not modify your HubSpot data during an audit.

OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM encryption before being stored in our database.

Usage Data

We collect information about how you use the Service, including audit runs, Fix Kit views, AI Copilot messages, and feature usage. This data is used to enforce plan limits and improve the product.

AI Conversations

Messages you send to the AI Copilot are stored in your account to maintain conversation history. These messages are sent to our AI provider (Anthropic) for processing. We do not use your conversations to train AI models.

Audit Logs

We maintain security audit logs of significant account actions (logins, audit runs, portal connections, account changes) for security monitoring and compliance purposes.

3. How We Use Your Information

  • To provide, maintain, and improve the Service
  • To run audits on your connected HubSpot portal
  • To generate AI-powered recommendations and insights
  • To enforce plan limits and manage your subscription
  • To send transactional emails (account confirmation, password reset)
  • To detect and prevent fraud, abuse, and security incidents
  • To comply with legal obligations

We do not sell your personal information. We do not use your HubSpot data for any purpose other than providing you with audit results and recommendations.

4. Data Sharing

We share your information only with the following categories of service providers, and only as necessary to operate the Service:

  • Supabase — Authentication and database hosting
  • Anthropic — AI processing for recommendations and Copilot (messages are sent without personally identifying information where possible)
  • Vercel — Application hosting and delivery
  • Stripe — Payment processing (when applicable)
  • Upstash — Rate limiting infrastructure

We may also disclose information if required by law, subpoena, or other legal process, or to protect the rights, property, or safety of Arctik, our users, or others.

5. Data Security

We implement industry-standard security measures to protect your data:

  • OAuth tokens encrypted at rest with AES-256-GCM
  • All data transmitted over HTTPS (TLS 1.2+)
  • Row-level security on all database tables
  • Server-side rate limiting on all API endpoints
  • Content Security Policy, HSTS, and other security headers
  • Session cookies are HttpOnly and Secure
  • Passwords are hashed (never stored in plaintext)

6. Data Breach Notification

In the event of a confirmed data breach that affects your personal information, we will notify affected users within 72 hours of confirmation via the email address associated with your account. The notification will include the nature of the breach, the data affected, the steps we are taking to address it, and any actions you should take to protect yourself.

We will also notify relevant supervisory authorities where required by applicable law (including GDPR Article 33 where applicable).

7. Data Retention

We retain your account data and audit results for as long as your account is active. You can export all your data or delete your account at any time from the Settings page.

When you delete your account, all associated data is permanently deleted, including your profile, audit history, AI conversations, usage records, and portal connections. HubSpot OAuth tokens are revoked during the deletion process.

Security audit logs may be retained for up to 90 days after account deletion for compliance and security investigation purposes.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — Request a copy of all data we hold about you (available via Settings → Export My Data)
  • Deletion — Request permanent deletion of your account and data (available via Settings → Delete Account)
  • Correction — Update inaccurate personal information (available via Settings → Profile)
  • Portability — Export your data in a machine-readable format (JSON)
  • Objection — Object to processing of your personal information

To exercise any of these rights, use the self-service tools in Settings or contact us at the email below.

9. Cookies

We use essential cookies only — specifically, session cookies required for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

A temporary cookie (hs_oauth_nonce) is set during the HubSpot OAuth flow and automatically deleted after 5 minutes.

10. Children's Privacy

The Service is not intended for users under the age of 16. We do not knowingly collect personal information from children.

11. Data Processing Agreement

For enterprise customers or organizations that require a Data Processing Agreement (DPA) under GDPR or other applicable data protection regulations, we provide a standalone DPA upon request. Contact us at privacy@arctikhq.com to obtain a copy.

Our DPA covers the scope of data processing, sub-processor obligations, data transfer mechanisms, and your rights as a data controller.

12. Sub-Processor Changes

We maintain a list of sub-processors in Section 4 of this policy. We will update this policy and notify users via email at least 30 days before engaging any new sub-processor that processes personal data. If you object to a new sub-processor, you may terminate your account before the change takes effect.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Arctik
Email: privacy@arctikhq.com