PRIVACY POLICY

Last Updated: 4. December 2025

Effective Date: 4. December 2025

NATURE OF SERVICE & COMPANY OVERVIEW

1. Introduction (Who We Are)

Archaster Labs (“Archaster,” “we,” “our,” or “us”) is operated by Lehmann Sisters (Org. nr.: 925 301 795, Oslo, Norway).

We deliver our intelligence through two primary methods:

1. The SaaS Platform: A subscription-based software interface ("The Archaster OS") that provides ongoing, real-time access to our AI reasoning engine, satellite verification tools, and organizational knowledge graph.

2. Digital Intelligence Assets: Standalone, one-time purchase digital products (such as "Strategic Blueprints," "Risk Audits," and "Intelligence Sprints"). These are standardized, software-generated PDF reports and guides designed for immediate strategic application.

Important Notice: Whether accessed via the SaaS platform or downloaded as a digital report, our services constitute automated data processing and information services. They do not constitute manual consulting, legal counsel, or professional advisory services.

For the purposes of applicable data protection laws, Archaster Labs is the data controller for the personal data described in this Privacy Policy.

We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our Services.

2. Age Restriction

Our Services are intended for users aged 18 and over.
By using our Services, you confirm you are at least 18 years old.

3. AI Transparency & Professional Use Disclaimer

Wherever you interact with Archaster, the interface clearly indicates that you are using an AI system, and all AI-generated output must be verified by qualified professionals.

Our AI:

• provides informational and advisory outputs,

• is not certified for legal, regulatory, environmental, structural, or safety-critical assessments, and

• should not be used as a substitute for professional engineering, compliance, LCA, EIA, biodiversity assessments, or legal advice.

3.1 Sustainability & Environmental Intelligence Disclaimer

Environmental and sustainability recommendations may rely on general models, public datasets, or regionally inferred information. Therefore:

• outputs are not site-validated,

• environmental claims may be incomplete or non-specific,

• outputs must be verified by qualified sustainability or environmental professionals,

• outputs do not replace on-site ecological surveys, LCAs, geotechnical studies, EIA reports, or regulatory compliance work.

This is required under the EU AI Act, EU Green Claims Directive, and general consumer protection law.

3.2 Satellite & Geospatial Data Disclaimer

If you provide coordinates, addresses, or polygons, Archaster may use satellite or remote-sensing data (e.g., Copernicus/Sentinel) to generate insights. Such insights:

• rely on automated interpretation of publicly available imagery,

• may contain inaccuracies, outdated information, or missing data,

• do not constitute certified environmental or geospatial assessments, and

• must be validated independently before use in professional or regulatory contexts.

4. Information We Collect

4.1 Account Information

• Email address

• Full name

• Encrypted password

4.2 Profile Information (Optional)

• Role, profession, or function

• Project details

• Location or region

• Sustainability goals

• Other context you provide to personalize AI responses

4.3 Usage Data

We collect limited usage data necessary for the functioning of the service, including:

• Your chat inputs (prompts)

• AI-generated responses

• Conversation topics automatically extracted

• Query counts (for rate limiting)

• Chat creation & update timestamps

We do not track detailed UI behavioral analytics (e.g., heatmaps, click tracking) unless explicitly stated in future updates.

4.4 Technical Information

• IP address

• Browser type

• Device information

• Operational telemetry
  Retention: 90 days (security & performance).

5. How We Use Your Information

5.1 Legal Bases for Processing

We process your data under:

• Contract (Art. 6(1)(b)): operating the Archaster OS, account services, generating AI responses, delivering purchased reports.

• Legitimate Interest (Art. 6(1)(f)): security, service logs, infrastructure protection, preventing abuse.

• Consent (Art. 6(1)(a)): marketing emails, non-essential cookies if introduced later.

5.2 Service Delivery

To operate and improve our AI systems, generate responses, and maintain platform functionality.

5.3 Authentication & Security

To protect accounts, prevent unauthorized access, and maintain service integrity.

5.4 Communication

To send system updates, service notices, and respond to your inquiries.

5.5 Chat Message Storage

• Authenticated users: chats stored in our backend (Supabase/Lovable Cloud).

• Guest users: chats stored only in your browser, but prompts are transmitted to our edge functions and AI providers to generate responses. They are not persistently stored by Archaster.

5.6 Chat Deletion

You can delete chats at any time. Deleted items are:

• removed from production systems within 30 days,

• removed from backups within 90 days,

• permanently irrecoverable once deleted.

6. Client Data for Digital Reports & Zero-Retention Processing

For standalone digital services (“Risk Audits,” “Intelligence Sprints,” etc.):

6.1 Confidential Inputs

You may submit confidential business data such as:

• Bill of Materials (BOMs)

• Ingredient lists

• Supplier names

• Internal policy documents

This data is classified as Strictly Confidential Proprietary Data.

6.2 No-Leak AI Processing

Your proprietary inputs:

• are used only to generate your specific report,

• are never used to train public AI models,

• are never included in outputs to other clients.

6.3 Aggregated Insights (Optional)

We may generate anonymized, aggregated, non-identifiable statistics (e.g., “cotton from region X tends to have high water risk”).
These cannot be traced back to your organization.

6.4 Zero-Retention Policy

For paid audit products:

• Raw input data is stored only in ephemeral processing,

• Deleted immediately after report delivery,

• No backups are kept,

• Re-running the report requires re-submission.

7. AI Processing & Third-Party Providers

7.1 AI Processing

We use:

• Lovable AI Gateway

• Google Gemini AI models

• Supabase (Lovable Cloud)

• Archaster edge functions

Your prompts are sent to these services for real-time processing.

Providers state that:

• prompts are not used to train their public models;

• any logs retained are short-term (typically ≤30 days);

• retention occurs only for abuse detection, legal compliance, or operational monitoring.

We will update this section if our contractual terms with these providers change.

7.2 URL Content Fetching

Up to 5 URLs per conversation may be fetched temporarily.
PDFs are not supported.
Fetched content is not stored.

7.3 Cloudflare Turnstile

Used for bot detection.
Processes IP, browser info, and interaction data.

8. Guest Mode Data Processing

If you use Archaster without creating an account:

• Chat data is stored locally in your browser only.

• Messages are transmitted to our edge functions and AI providers solely to generate responses.

• Guest data is not stored in our database and is not linked to an identity.

• AI providers may retain prompts transiently (≤30 days).

• Clearing your browser removes all guest data immediately.

• Guest mode has limited functionality (reduced query limits).

9. Cookies and Tracking

9.1 Strictly Necessary Cookies

Used for authentication and security.

9.2 Functional Cookies

Used to remember your UI settings.

9.3 Analytics Cookies

We do not currently use analytics cookies.
If this changes, we will update this policy and seek consent where required.

We do not use advertising or tracking cookies.

10. Data Security

We use industry-standard security measures, including:

• HTTPS/TLS encryption

• Secure password hashing

• Access controls

• Periodic security reviews

• We regularly test our systems for vulnerabilities and continuously improve our security measures.

  No internet system is 100% secure.

11. Data Sharing

We do not sell your data.

We share data only with vetted service providers under strict DPAs or when required by law.

12. International Data Transfers

Some providers operate outside the EEA.
Transfers use:

• Standard Contractual Clauses (SCCs)

• Technical & organizational safeguards

• Provider-published data protection commitments

We will update this section as soon as final processing-region details are confirmed.

13. Service Data vs Personal Data

• Service Data: high-level usage info used to improve functionality.

• Customer Personal Data: identifiable data like your name and email.

14. Your Rights

Under GDPR and Norwegian law, you may:

• Request access to your data

• Update or correct it

• Delete your account and associated data

• Delete chat history at any time

• Request data portability

• Object to certain processing

• Withdraw consent (where applicable)

You also have the right to complain to your supervisory authority.
In Norway: Datatilsynet – www.datatilsynet.no

15. Children’s Privacy

We do not knowingly collect data from individuals under 18.

16. Automated Decision-Making

We do not use personal data for automated decisions with legal or significant effects.
AI outputs are advisory only.

17. Changes to This Policy

We may update this Privacy Policy periodically.
Material changes will be communicated via email or in-app notices.
Continued use of the Service indicates acceptance.

18. Contact Information

For privacy questions, rights requests, or complaints:

Email: privacy@archasterlabs.earth
Address: 0652 Oslo, Norway
Website: https://archasterlabs.earth