1. Data Collected by ArcticNodes

We collect data necessary to provide, maintain, and secure our high-performance hosting services. This includes:

1.1 Account and Identity Data

• Email Address: Essential for account creation, login, security, and communications.
• Mobile Number: Used for security verification, multi-factor authentication, and urgent service alerts.
• Display Name/Username: Used for platform identification and interaction.
• Parent/Guardian Details: Collected only where required for compliance with age verification requirements concerning minors.

1.2 Technical, Device, and Network Data

• IP Addresses: Logged for fraud detection, geo-restriction, security audit trails, and abuse prevention.
• Device Identifiers: Includes browser fingerprints, system user agents, and OS signatures to enhance security and prevent unauthorized access.
• Login Timestamps and Session Metadata: Records of access times and session parameters for auditability and session management.
• Region and Timezone: Used for localization, service optimization, and legal compliance tracking.

1.3 Platform and Usage Data (Non-Personal)

This data relates directly to the technical operation of the hosting service:

• Server Configuration Details: Specifications of the services provisioned (e.g., RAM, CPU allocation, storage type).
• Console Usage Logs: Records of interactions with the server console, including commands executed and output messages.
• API Activity: Logs of programmatic interactions with the ArcticNodes API.
• Resource Consumption Metrics: Data on CPU, network, disk usage, and performance to ensure service quality and billing accuracy.
• Abuse Detection Events: Internal flags generated by our systems related to potential policy violations or malicious activity.

1.4 Payment Metadata (Processed via Razorpay)

All payment transactions are handled by our accredited payment processor, Razorpay. We do not store full payment card details. Data we receive and retain from Razorpay includes:

• Payment and Order IDs: Unique transaction identifiers.
• Amount and Transaction Status: Details necessary for financial reconciliation (e.g., captured, refunded, disputed, chargeback status).
• Partial Card/UPI Identifiers: Non-sensitive fragments used for user identification and refund processing (e.g., last four digits of a card).

1.5 AI-Service Interaction Data

When users voluntarily enable and utilize ArcticNodes AI Agents (for tasks like automated debugging or deployment):

• Server Logs: Technical logs relevant only to the task requested (e.g., error tracebacks).
• Configuration Files: Specific files required by the AI Agent to perform configuration analysis.
• Debug Information and Deployment Scripts: Data explicitly provided or generated during the AI operation.

2. How ArcticNodes Uses Collected Data

We use the data collected for the following legitimate business and operational purposes:

• Service Provision: To configure, manage, and operate the requested hosting services, databases, and ancillary tools.
• Security and Fraud Prevention: To verify account legitimacy, detect, and mitigate fraud, unauthorized access, denial-of-service attacks, and other security risks.
• Payment Processing: To facilitate, verify, and reconcile financial transactions through Razorpay.
• Compliance and Audit: To maintain legally required audit trails and operational logs for regulatory adherence.
• AI Functionality: To support the user-invoked AI-assisted debugging, deployment, and optimization features.
• Platform Improvement: To analyze aggregated, anonymized usage metrics to improve infrastructure, performance, and user experience.
• Policy Enforcement: To investigate, confirm, and enforce the platform's Terms of Service and security rules.

3. Principles of Data Handling

We strictly adhere to the following principles:

• No Sale of Data: We do not sell or rent user data, personal or otherwise, to any third parties.
• No Marketing Sharing: We do not share personal identity data for external marketing or advertising purposes.
• Limited Access to Server Content: We do not manually read, inspect, or access customer server files or databases unless:
  • Explicitly authorized by the user (e.g., enabling an AI Agent to access logs).
  • Required by law enforcement via a valid legal order.
  • Necessary for an active and documented abuse investigation.

4. Data Sharing and Disclosure

We share data only when necessary to operate the services, comply with legal obligations, or when authorized by the user:

• Payment Processors: Shared with Razorpay for transaction processing and mandatory compliance.
• Infrastructure Vendors: Shared with Cloud providers (compute, storage, networking) necessary to deliver the hosting services.
• Analytics Services: Shared with performance monitoring services using anonymized or pseudonymized data (typically IP/session metadata only, not identity).
• AI Services: Shared with approved models (GPT, Gemini, Claude) only when the user triggers the AI function, and limited strictly to technical server data (logs, config files).
• Law Enforcement: Disclosed only in response to a valid and legally binding request or court order from competent authorities.
• User-Enabled Integrations: Shared when a user explicitly enables third-party services, APIs, or integrations within their server environment.

5. Data Retention Policy (Strict and Long-Term)

Due to the nature of operating a hosting platform that is vulnerable to fraud, abuse, and regulatory scrutiny (particularly involving minors and financial disputes), we maintain a strict, long-term retention policy.

5.1 Permanent Retention Categories

The following categories of data are retained permanently and are not deleted even upon account closure:

• Payment Logs and Metadata (Razorpay requirement).
• Core Account Identifiers (Email, Mobile Number, Device Fingerprint).
• Abuse Flags, Security Logs, and Audit Trails.
• Fraud Prevention and Ban Data.

5.2 Account Deletion Protocol

When a user submits a request for account deletion:

• The account status is marked as "closed" but the data is not immediately erased.
• Operational data is retained for a minimum of 30 days to handle final financial disputes, rollbacks, or service-related issues.
• After 30 days, the data is archived for long-term legal and security retention purposes.
• If the account was ever associated with any abuse, chargeback, policy violation, or fraud event, all related data is kept indefinitely.

5.3 Data Erasure Appeals (Right to Erasure under DPDP)

Users may formally request a complete data erasure, which is subject to rigorous compliance review. Erasure will be considered only if:

• The account is confirmed to be "clean" (no history of violations).
• No pending disputes, chargebacks, fraud investigations, or legal holds exist.
• It is legally permissible and does not compromise our security or regulatory obligations.

6. AI Data Usage Policy

ArcticNodes is committed to strict data segregation when using AI models:

• Technical Data Only: AI models receive only necessary technical server data (logs, configuration files, debug output).
• No Personal Identity: Personal details (email, phone number, identity) are never transmitted to AI models, whether internal or external.
• Controlled Models: We utilize globally recognized and compliant models: GPT (OpenAI), Gemini (Google), and Claude (Anthropic).
• Geo-Compliance: We do not use or plan to use China-based Large Language Models (LLMs) such as DeepSeek due to security and data sovereignty concerns.
• Future Internal AI: Any future India-based, in-house AI engines will adhere to the exact same restrictions and data governance standards.

7. Cookies and Tracking Technologies

We employ minimal, functionality-based cookies to maintain operational integrity:

• Authentication Cookies: Essential for verifying user identity and maintaining secure sessions.
• Session Persistence: Necessary for tracking user preferences and state across sessions.
• Security & Fraud Prevention: Cookies used to implement device fingerprinting and abuse detection.

We do not use advertising or invasive third-party tracking cookies.

8. Minors and Parental Consent

Our services are generally intended for users who are legally able to enter into contracts.

• Minors (under 18) must have explicit parental or guardian permission to use any payment methods on our platform.
• Unauthorized use of a parent/guardian's payment instrument is considered financial fraud and will result in the indefinite retention of all account and security logs to protect against fraudulent chargebacks.

9. Your Rights (In accordance with the DPDP Act)

As an ArcticNodes user, you have certain rights over your personal data (Data Principal Rights), subject to verification and overriding legal or security mandates:

• Right of Access: You may request confirmation and access to the personal data we hold about you.
• Right to Correction: You may request the correction of inaccurate or incomplete personal data.
• Right to Erasure: You may request the deletion of your personal data, provided you meet the strict eligibility criteria detailed in Section 5.3.
• Right to Withdraw Consent: You may withdraw consent for data processing where consent was the lawful basis (excluding necessary operational or legal requirements).
• Right to Grievance Redressal: You have the right to raise a complaint regarding the handling of your data.

10. Data Security Measures

We employ industry-standard security protocols to protect user data from unauthorized access, loss, or disclosure:

• Encryption: Data is stored using encrypted storage mechanisms.
• Access Control: Strict role-based access control (RBAC) governs internal access to sensitive systems.
• Security Logging: Continuous IP logging, device fingerprinting, and automated audit trails are maintained.
• Abuse Detection: Proprietary algorithms are used to monitor and flag malicious or unauthorized activity.

Disclaimer: While we strive for maximum security, no system is guaranteed 100% immune to all threats. Users bear the responsibility for securing their login credentials and maintaining the security of their server content.

11. Policy Updates

ArcticNodes reserves the right to modify or update this Privacy Policy at any time to reflect changes in our practices or regulatory requirements. We will notify users of material changes via email or platform announcement. Continued use of the services after any such update constitutes your acceptance of the revised terms.

12. Contact Information

For any questions, concerns, or to exercise your rights under this Privacy Policy, please contact our Data Protection Officer:

Email: privacy@arcticnodes.io