Privacy Policy
Last updated: April 5, 2026
Overview
Arcalotl ("we", "us", "our") operates the Arcalotl platform, including our website at arcalotl.com, our Discord bot, our Stoat bot, and our web dashboard (collectively, the "Service"). This Privacy Policy describes how we collect, use, and protect information when you use the Service.
Information we collect
Account information. When you connect your community platform (Discord, Stoat) to Arcalotl, we receive your platform user ID, server/community ID, username, and avatar. We use this to identify your account and associate it with your server configuration.
Stripe information. When you connect your Stripe account via Stripe Connect, Stripe shares your Stripe account ID with us. We do not receive or store your bank account details, tax information, or personal financial records. Stripe handles all sensitive financial data under their own privacy policy.
Subscription data. We store subscription records including plan selections, subscription status, billing cycle, and role assignments. This data is necessary to manage the subscription lifecycle, process role grants/revokes, and operate retention features.
Payment metadata. We store transaction metadata such as payment amounts, timestamps, success/failure status, and Stripe charge IDs. We never store, process, or have access to raw credit card numbers, CVVs, or full card details. All payment processing is handled by Stripe's PCI-compliant infrastructure.
Event data. We log platform events (subscription created, payment failed, cancellation requested, etc.) for operational purposes including dunning sequences, retention flows, analytics, and debugging. Event metadata is stored in our database; raw event payloads are stored in S3-compatible object storage.
Usage data. We collect aggregated, non-identifying analytics including page views on our website, feature usage patterns, and error rates. We do not use third-party tracking pixels or advertising cookies.
How we use your information
- To operate the Service: managing subscriptions, processing role assignments, executing dunning and retention flows
- To provide analytics: MRR tracking, subscriber counts, recovery rates, and save rates in your dashboard
- To communicate with your members on your behalf: DM sequences for dunning, cancellation save offers, and term optimization prompts
- To calculate and collect platform fees: 2% transaction fee and 5% recovery fee via Stripe application fees
- To improve the Service: analyzing usage patterns, fixing bugs, developing new features
- To provide support: responding to your questions and troubleshooting issues
Data sharing
We do not sell your data. We share information only in these circumstances:
- Stripe. Payment and subscription data is shared with Stripe to process transactions via Stripe Connect. Stripe's privacy policy governs their handling of this data.
- Platform APIs. We interact with Discord and Stoat APIs to manage roles, send messages, and operate bot functionality. Data shared is limited to what these platforms require for API operations.
- Infrastructure providers. Our servers, database, and object storage are hosted on infrastructure providers who may process data on our behalf under data processing agreements.
- Legal requirements. We may disclose information if required by law, regulation, or legal process.
Data retention
We retain subscription and transaction data for as long as your account is active and for a reasonable period afterward for accounting, tax, and legal compliance purposes. Event logs are retained for operational and debugging purposes. You may request deletion of your data by contacting us.
Security
We implement industry-standard security measures including encrypted connections (TLS), secure credential storage, webhook signature verification, and access controls. We never store raw payment card data — all card processing is handled by Stripe's PCI DSS Level 1 certified infrastructure.
Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Object to or restrict certain processing
- Request data portability
To exercise these rights, contact us at privacy@arcalotl.com.
Children
The Service is not directed to children under 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children.
Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.
Contact
For privacy-related questions or requests, contact us at privacy@arcalotl.com.