ArchiveLM Privacy Policy
Effective date: 2026-05-12 Last updated: 2026-05-12
1. Who we are
ArchiveLM is operated by Michael De La Guera, an individual operating ArchiveLM as a sole proprietorship, with a registered address at (business mailing address available on request — write to legal@archivelm.com). References in this policy to "we," "us," and "ArchiveLM" mean Michael De La Guera. References to "you" mean the individual or institutional user accessing the platform.
For questions about this policy or to exercise the rights described below, contact us at legal@archivelm.com.
2. What this policy covers
This policy describes how we collect, use, share, and protect personal data when you visit archivelm.com, create an account, upload documents, use AI features (search, chat, research tools), or otherwise interact with the platform. It does not cover third-party sites you may navigate to from the platform.
3. Personal data we collect
3.1 Information you give us
| Category | Examples | Why we collect |
|---|---|---|
| Account identifiers | Email address, password (hashed) | To create and authenticate your account |
| Beta application metadata | Full name, organization, role, research interest, referral source | To review beta access requests |
| Communications | Messages you send to us via email or in-platform forms | To respond to you |
| Billing information (paid plans) | Card details processed by Stripe — we do not store full card numbers | To process payments |
3.2 Information collected automatically
| Category | Examples | Why we collect |
|---|---|---|
| Usage data | Pages visited, features used, errors encountered | To operate, improve, and debug the platform |
| Device data | Browser type, operating system, IP address (truncated), session identifiers | Same |
| Analytics | Page views, click events via Google Analytics and Vercel Analytics | To understand aggregate usage |
| Cookies | See our Cookie Policy | To maintain session, prevent abuse, measure usage |
3.3 Content you upload
| Category | Treatment |
|---|---|
| Document scans (images, PDFs) | Stored in your account-isolated bucket. Never accessed by other users. Used for OCR processing, search indexing, and serving back to you. |
| Extracted text and structured data | Stored in your account-isolated database rows. Used to power search, chat, and research tools for you. |
| Vector embeddings of your content | Stored in our vector database, scoped to your account. Used to enable semantic search. |
3.4 Inferred and generated data
When you use AI features, the platform generates derived data — search results, chat answers, research summaries, AI-generated historical context. These are scoped to your account.
4. Sources of personal data
We collect personal data directly from you (account creation, beta application, document uploads), automatically (usage and device data when you visit the site), and from third-party services we integrate with (Stripe billing events, Supabase authentication events).
5. How we use personal data
We use personal data to:
- Provide and operate the platform — authenticate your account, process your documents, return search and AI results
- Communicate with you — beta-status notifications, transactional service email, billing email, and (only with your consent) updates about platform changes
- Improve the platform — fix bugs, optimize performance, identify problem areas. We use aggregated analytics for this; we do not train AI models on your uploaded documents (see Section 8)
- Maintain security and prevent abuse — detect suspicious account activity, respond to security incidents, enforce our Acceptable Use Policy
- Comply with legal obligations — respond to lawful requests from authorities, enforce contractual obligations, defend legal claims
6. Legal bases for processing (GDPR users)
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with comparable rules, our legal bases for processing your personal data are:
| Purpose | Basis |
|---|---|
| Account creation and operation | Contract (Article 6(1)(b)) |
| Billing and payment | Contract |
| Beta application review | Legitimate interest (Article 6(1)(f)) — operating a controlled-access platform |
| Service email (account, billing, beta status) | Contract |
| Marketing email | Consent (Article 6(1)(a)) — opt-in only; you can opt out at any time |
| Analytics and performance | Legitimate interest, with cookie consent where required |
| Legal compliance and security | Legal obligation (Article 6(1)(c)) and legitimate interest |
You have the right to object to processing based on legitimate interest. See Section 11.
7. Cookies and similar technologies
We use cookies for authentication (Supabase session cookies), analytics (Google Analytics, Vercel Analytics), and basic site functionality. We do not use cookies for cross-site advertising. See our Cookie Policy for the full list and your controls.
8. AI processing of your content
When you use AI features:
- Your uploaded documents are processed by our extraction pipeline, which sends document images to AI providers (currently Google AI / Gemini) for OCR. We have a contractual data-processing agreement with Google.
- Your chat queries and search queries are processed by AI providers (currently OpenRouter, which routes to Anthropic and OpenAI models). We send the query plus relevant retrieved excerpts from your own collection.
- We do not train AI models on your data. We instruct our AI providers not to train on your data; their compliance with that instruction is governed by their respective terms.
- AI-generated outputs (search results, chat answers, summaries) are stored in your account and treated as your account data.
A complete list of AI subprocessors and their roles is in our Subprocessors document.
9. How we share personal data
We share personal data only as described below:
| Recipient | What is shared | Why |
|---|---|---|
| Subprocessors (Supabase, Vercel, Google AI, OpenRouter, Resend, Stripe, n8n self-hosted) | Whatever is technically necessary to provide the corresponding part of the service | To operate the platform — see Subprocessors |
| Strategic partners (e.g., authorized resellers) | Aggregated, non-identifying usage information | Reporting on partner-referred customers |
| Legal authorities | When required by valid legal process | Compliance |
| Acquirer (in a corporate transaction) | All collected data | Continuity of service |
We do not sell your personal data. We do not share your personal data with advertisers.
10. Data retention
| Data category | Retention |
|---|---|
| Active account data | For as long as your account is active |
| Uploaded documents and extractions | For as long as your account is active, plus 30 days after deletion to allow recovery |
| Beta application data (denied) | 24 months from denial, then deleted |
| Billing records | 7 years after last payment, for tax and accounting compliance |
| Server access logs | 90 days |
| Analytics aggregates | Retained indefinitely in non-identifying form |
You may request earlier deletion at any time (Section 11), subject to legal retention obligations.
11. Your rights
Depending on your jurisdiction, you have some or all of the following rights:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure ("right to be forgotten") — request deletion of your data
- Restriction — restrict processing in certain circumstances
- Portability — receive your data in a portable format
- Objection — object to processing based on legitimate interest, including profiling
- Withdrawal of consent — for processing based on consent
- Complaint — lodge a complaint with your local data protection authority
To exercise these rights, email legal@archivelm.com with your request and verification of your identity (we will ask). We will respond within 30 days. There is no fee for reasonable requests.
12. International data transfers
ArchiveLM is operated from the Province of Ontario, Canada and uses subprocessors in the United States and other locations. Where personal data is transferred outside your jurisdiction, we rely on appropriate safeguards including:
- For EEA/UK transfers: Standard Contractual Clauses with each subprocessor
- For other regions: Equivalent contractual safeguards as required by local law
Contact us for a list of the safeguards in place for any specific transfer.
13. Security
We implement reasonable technical and organizational measures to protect your data:
- Encryption in transit (TLS 1.2+) for all connections
- Encryption at rest for stored data (Supabase-provided)
- Database row-level security ensuring user data isolation
- Access controls limiting subprocessor and operator access to your data
- Regular dependency updates and vulnerability scanning
- Incident response procedures
No system is perfectly secure. If you believe your account or data has been compromised, contact us immediately at legal@archivelm.com.
14. Children's data
ArchiveLM is not intended for children under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
15. California privacy rights (CCPA/CPRA)
If you are a California resident, you have additional rights including the right to know what personal information we collect and disclose, the right to delete personal information, the right to correct inaccurate information, and the right to opt out of "sale" or "sharing" of personal information (we do not sell or share for cross-context behavioral advertising).
To exercise these rights, contact legal@archivelm.com. We will not discriminate against you for exercising your rights.
16. Changes to this policy
We will post material changes to this page with an updated "Last updated" date. For substantive changes that materially affect your rights, we will notify you by email at least 30 days before the changes take effect.
17. Contact
For all privacy questions, requests, and complaints:
legal@archivelm.com Michael De La Guera (business mailing address available on request — write to legal@archivelm.com)
For users in the EEA/UK who require a Data Protection Officer contact, our DPO is reachable at legal@archivelm.com.
Version: 1.0