Privacy Policy
1. Introduction and Controller
This Privacy Policy ("Policy") describes how Archon Holdings Pte. Ltd., a company incorporated in Singapore ("Archon", "we", "us", "our"), collects, uses, discloses, retains, and protects Personal Data in connection with the Platform accessible at rearchon.com and all associated Services.
Archon acts as the data controller in respect of Personal Data processed under this Policy. This Policy is incorporated into and subject to the Terms of Service. Capitalised terms not defined in this Policy have the meanings assigned to them in the Terms of Service.
We are committed to processing Personal Data in accordance with Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi ("UU PDP") and other applicable Indonesian data-protection regulations. Where we engage Sub-processors established in jurisdictions subject to comparable frameworks (including the General Data Protection Regulation of the European Union), we apply contractual and technical safeguards consistent with those frameworks.
2. Definitions
For the purposes of this Policy:
- Personal Data — any information relating to an identified or identifiable natural person, as defined in UU PDP.
- Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, transmission, and deletion.
- Sub-processor — a third-party entity engaged by Archon to process Personal Data on Archon's behalf in connection with the delivery of the Services.
- Connected Exchange — a third-party cryptocurrency exchange account linked to the Platform by the User via Exchange Credentials, as defined in the Terms of Service.
- User Content — all data, inputs, prompts, portfolio information, watchlists, chat messages, and memory entries submitted by the User to the Platform, as defined in the Terms of Service.
3. Personal Data We Collect
We collect the minimum Personal Data necessary to operate the Services. The categories of Personal Data we collect are set out below.
| Category | Examples | Source |
|---|---|---|
| Identification & Account Data | Email address, hashed password, Subscription Tier, language preference, account creation date | Provided directly by the User at registration or in account settings |
| Subscription & Billing Data | Midtrans transaction tokens, billing status, charge history, subscription period dates | Generated through Midtrans payment processing; no raw card PAN is stored by Archon |
| Platform Interaction Data | Chat prompts, Agent transcripts and run logs, portfolio inputs, watchlist entries, memory entries, order history generated by Agents | Generated by User activity on the Platform |
| Connected Exchange Data | Exchange API key fingerprints (keys stored encrypted at rest), account balances, open positions, order history retrieved at User request | Provided by User (credentials) and retrieved from Connected Exchange APIs on User's behalf |
| Technical & Device Data | IP address, browser type and version, operating system, screen resolution, session duration, Sentry-captured error context and stack traces (scrubbed of sensitive values) | Collected automatically when you access the Platform |
We do not collect or store raw payment card numbers, card verification codes, or banking credentials. All payment transactions are processed by Midtrans, which is subject to its own privacy policy and PCI-DSS obligations.
4. Legal Bases for Processing
We process Personal Data on the following legal bases under UU PDP and applicable law:
- Performance of contract — Processing necessary to provide the Services, authenticate your account, execute Agent workflows, and process billing under your Subscription.
- Legitimate interests — Processing necessary for Archon's legitimate interests in operating a secure, reliable platform, preventing fraud and abuse, enforcing these Terms, and improving the Services through aggregate analytics, provided those interests are not overridden by your rights and interests.
- Legal obligation — Processing necessary for Archon to comply with applicable Indonesian law, including tax-record retention requirements and lawful requests from competent authorities.
- Consent — Where consent is required under UU PDP or other applicable regulation (for example, for any optional marketing communications), we will request your explicit consent separately and will not condition access to the Services upon it.
5. How We Use Personal Data
We use the Personal Data we collect for the following purposes:
- Creating, maintaining, and authenticating your account
- Providing and operating the Platform and all features available under your Tier
- Executing Agent workflows, including, where you have authorised Agent trade-execution scope, routing orders to your Connected Exchange
- Processing and managing your Subscription and billing, including invoicing, payment collection, and dunning through Midtrans
- Sending transactional emails, including account confirmation, billing receipts, password reset, and material service notices, via Resend
- Monitoring Platform performance, diagnosing errors, and capturing error context via Sentry for debugging and reliability purposes
- Detecting, investigating, and preventing fraudulent transactions, unauthorised access, and other security incidents
- Producing aggregated, anonymised analytics to understand usage patterns and improve product features; such analytics do not identify individual users
- Complying with applicable Indonesian law and responding to lawful requests from regulatory or law-enforcement authorities
We do not sell, rent, or otherwise commercialise your Personal Data to any third party. We do not use your Personal Data for advertising profiling or cross-site tracking.
6. International Transfers
Several of our Sub-processors, including Supabase, Vercel, Anthropic, Resend, and Sentry, operate infrastructure located outside the Republic of Indonesia, including in the United States, the European Union, and Singapore. Transfers of Personal Data to these Sub-processors are governed by data-processing agreements that incorporate appropriate safeguards, which may include standard contractual clauses or equivalent mechanisms recognised under applicable law.
By using the Services, you acknowledge that your Personal Data may be transferred to and processed in jurisdictions outside Indonesia. We will take all steps reasonably necessary to ensure that such transfers are subject to appropriate protections consistent with UU PDP.
7. Data Retention
We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected or as required by applicable law. The following retention periods apply:
- Identification & Account Data — retained for the duration of your account. Deleted or anonymised within thirty (30) days of account closure, subject to the exceptions below.
- Platform Interaction Data (chat transcripts, Agent run logs, order history) — retained for a default period of twenty-four (24) months from creation, after which records are deleted or anonymised. Users may request earlier deletion in accordance with Section 11.
- Subscription & Billing Data — retained for a minimum of ten (10) years from the date of the relevant transaction, as required under Indonesian tax law (UU No. 36/2008 and applicable implementing regulations).
- Technical & Device Data — raw server logs retained for up to ninety (90) days; anonymised aggregates may be retained indefinitely for capacity planning and security analysis.
- Connected Exchange Data — API key credentials deleted within thirty (30) days of account closure or disconnection; cached portfolio data deleted within thirty (30) days of account closure.
Where retention beyond the periods above is required by a lawful order or regulatory requirement, we will retain the minimum Personal Data necessary to comply with that obligation and will notify you to the extent permitted by law.
8. Security
We implement industry-standard technical and organisational measures to protect Personal Data against unauthorised access, disclosure, alteration, or destruction, including:
- Transport Layer Security (TLS 1.2 or higher) enforced on all connections to and from the Platform
- Encryption at rest for Exchange Credentials using industry-standard symmetric encryption
- Row-Level Security (RLS) policies on all Supabase database tables, ensuring that users can only access their own data
- Bcrypt-hashed password storage; plaintext passwords are never stored or logged
- Least-privilege access controls for internal systems and Sub-processor integrations
- Automated scrubbing of sensitive field values from Sentry error reports prior to transmission
No security measure is entirely without risk. In the event of a Personal Data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and any applicable supervisory authority in accordance with UU PDP and the timeframes prescribed therein.
9. Cookies and Local Storage
The Platform uses strictly necessary session cookies to maintain authenticated sessions and to protect against cross-site request forgery. These cookies are essential to the operation of the Platform; disabling them in your browser will prevent you from logging in to your account.
We do not use advertising cookies, cross-site tracking cookies, or any cookie that links your Platform activity to your identity for the purpose of serving targeted advertisements. Browser-level analytics collected by Sub-processors such as Vercel are limited to anonymised request metadata and are not linked to individual user accounts.
The Platform may use browser local storage to persist UI state preferences (for example, panel layout or theme settings). This data is stored locally on your device and is not transmitted to Archon's servers.
10. Your Rights under UU PDP
Subject to applicable law and any limitations prescribed by UU PDP, you have the following rights with respect to your Personal Data:
- Right of access — to obtain confirmation of whether we process your Personal Data and, if so, to receive a copy of that data.
- Right of rectification — to request correction of any Personal Data that is inaccurate or incomplete.
- Right of erasure — to request deletion of your Personal Data where processing is no longer necessary for the original purpose, consent has been withdrawn, or processing is unlawful, subject to Archon's legal retention obligations.
- Right to restriction of processing — to request that we limit the processing of your Personal Data in specified circumstances.
- Right to object — to object to processing based on legitimate interests on grounds relating to your particular situation.
- Right to data portability — to receive your Personal Data in a structured, commonly used, and machine-readable format.
- Right to withdraw consent — where processing is based on your consent, to withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.
To exercise any of the foregoing rights, please submit a request to info@rearchon.com. We will acknowledge your request within five (5) business days and will respond substantively within fourteen (14) business days, or such other period as required by applicable law. We may request verification of your identity before processing any request.
If you believe that your Personal Data has been processed in a manner inconsistent with UU PDP, you have the right to lodge a complaint with the competent Indonesian data-protection supervisory authority as established under applicable law.
11. Children
The Services are not directed at, and are not intended for use by, any person under the age of eighteen (18) years. Archon does not knowingly collect Personal Data from minors. If we become aware that we have inadvertently collected Personal Data from a person under the age of eighteen, we will take prompt steps to delete that data from our systems. If you believe we have collected Personal Data from a minor, please notify us at info@rearchon.com.
12. Automated Decisions and AI
The Platform employs large language model inference (via the Anthropic Claude API) and rule-based automation to power the Agent workflows available to Users. Where you have enabled trade-execution scope for an Agent, that Agent may place, modify, or cancel orders on your Connected Exchange without requiring manual confirmation for each individual order, based on the parameters and strategy you have configured.
This constitutes automated processing that produces effects on your exchange account. You retain full control over whether and to what extent you grant trade-execution scope, and you may pause, restrict, or revoke that authority at any time through the Platform settings. The legal basis for this automated processing is the performance of the contract between you and Archon (your Subscription and the Terms of Service).
AI Outputs generated by the Agents — including market analyses, strategic frameworks, and any order suggestions — are produced by probabilistic model inference and may contain errors or omissions. Archon does not represent that AI Outputs are free from hallucination or that they reflect current market conditions. You remain responsible for reviewing Agent behaviour and for all consequences of orders executed under your authority.
13. Changes to This Policy
Archon may update this Policy from time to time to reflect changes in our data-processing practices, applicable law, or Sub-processor arrangements. In the case of material changes, we will notify you by email to your registered address and by in-Platform notice at least fourteen (14) days before the revised Policy takes effect. Non-material corrections or clarifications may be published without advance notice.
Your continued use of the Platform after the effective date of any revised Policy constitutes your acceptance of the updated terms. If you do not accept the revised Policy, you must cease use of the Platform and may request deletion of your Personal Data in accordance with Section 11.
14. Contact
For privacy inquiries, data-subject rights requests, or any question regarding this Policy, please contact:
Archon Holdings Pte. Ltd.
[Registered office — to be updated]
info@rearchon.com
We are committed to resolving all privacy concerns promptly and in good faith.