Privacy Policy
Last updated: March 17, 2026
This Privacy Policy applies to Arch Tools, operated by MCMetaverse LLC, a South Carolina limited liability company.
1. What We Collect
We collect only what's necessary to operate the Service:
- Email address — required for registration and account communication
- API usage data — request counts, tool usage, credit consumption (no request payloads stored)
- IP address — logged for rate limiting and security purposes
- Session context — if you use the Session API (session-create, session-message), conversation context is stored in memory for the duration of the session. Session data is not persisted to disk and is cleared when the session expires or the server restarts.
- Newsletter email — if you sign up for our newsletter, we collect your email address for marketing communications. You may unsubscribe at any time.
1a. x402 Payment Data
If you pay for API access using x402 crypto micropayments, we process the following:
- Wallet addresses — your sending wallet address is recorded with each transaction for credit attribution and fraud prevention
- Transaction hashes — on-chain transaction identifiers are stored to verify payment and resolve disputes
- Payment amounts — USDC amounts paid per request are logged for billing records
- Chain identifiers — which blockchain network was used for each payment
Important: Blockchain transactions are inherently public. Transaction hashes, wallet addresses, and amounts are visible on-chain to anyone. We do not control or have the ability to delete on-chain data. Our privacy obligations apply only to data stored in our own systems.
1b. Agent Identity (KYA) Data
If you register for Arch Tools' Agent Identity system (Know Your Agent), we collect:
- Wallet addresses — associated with your agent identity
- Reputation scores — computed from your usage history, payment reliability, and service quality
- Usage history — aggregated statistics about your API consumption patterns (not request content)
- Agent metadata — name, description, capabilities, and contact information you provide
Reputation scores are derived algorithmically from objective metrics. You may request an explanation of your score or dispute it by contacting [email protected].
1c. Service Directory Data
If you submit a service listing to the Arch Tools Service Directory, we collect:
- Service information — name, description, category, pricing, and endpoint URLs
- Contact information — email address and optional website URL
- Payment configuration — supported chains, wallet addresses, and pricing tiers
Directory listings are public by design. Information you submit to the directory will be visible to all users. You may request removal of your listing at any time.
2. What We Do Not Collect
- We do not store the content of your API requests or responses (except in-memory Session API context as described above)
- We do not collect payment card details (handled by Stripe)
- We do not store private keys or seed phrases — only public wallet addresses
- We do not track you across other websites
- We do not use advertising cookies
3. How We Use Your Data
- To operate and maintain your account
- To process x402 crypto payments and attribute credits
- To compute and maintain agent reputation scores
- To display service directory listings
- To send transactional emails (API key delivery, credit alerts)
- To monitor platform health and prevent abuse
- To generate aggregate analytics (displayed on our analytics dashboard in anonymized form)
- To improve the Service
4. Data Sharing
We do not sell your data. We share data only with:
- Stripe — for fiat payment processing
- Blockchain networks — x402 payment transactions are broadcast to the relevant blockchain (Base, Ethereum, Arbitrum, Optimism, Polygon, etc.). On-chain data is public and immutable.
- Resend — for transactional email delivery
- Render — for hosting (subject to their privacy policy)
- Cloudflare — for CDN, edge caching, and Brotli compression. All requests to Arch Tools are processed through Cloudflare's network.
- Sentry — for frontend error monitoring. The Sentry SDK collects Web Vitals performance metrics and JavaScript errors to help us improve service reliability. No API request payloads are sent to Sentry.
- Analytics providers — we may use visitor intelligence services such as Apollo to understand aggregate traffic patterns. No personally identifiable data is shared without your consent.
5. Data Retention
- Account data — retained while your account is active
- API request logs — retained for 90 days
- x402 transaction records — retained for 3 years for accounting and dispute resolution purposes
- Agent identity data — retained while your agent identity is active; deleted within 30 days of account deletion request
- Directory listings — retained until you request removal or your account is terminated
- On-chain data — permanent and outside our control
You may request deletion of your account and associated off-chain data at any time.
6. Cookies & Analytics
We use browser localStorage solely to remember your API key for convenience on the dashboard. We do not use advertising cookies or cross-site tracking pixels. We may use basic analytics to understand aggregate traffic patterns (page views, referral sources). No personally identifiable information is included in analytics data.
7. Security
We use industry-standard encryption in transit (HTTPS/TLS). API keys are hashed before storage. We follow responsible disclosure practices for security vulnerabilities. See our Security Policy for details.
8. Your Rights
You have the right to:
- Access the data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and off-chain data
- Request an explanation of your agent reputation score
- Request removal of your directory listing
- Opt out of non-transactional communications
- Export your data in a portable format
8a. GDPR — European Users
If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR): access, rectification, erasure, restriction of processing, and data portability. Our lawful bases for processing are contractual necessity (providing the Service you signed up for) and legitimate interest (fraud prevention, platform security). To exercise any right, contact [email protected].
Note on blockchain data: GDPR erasure rights apply to data stored in our systems. On-chain transaction data is immutable and decentralized — we cannot modify or delete it. By using x402 payments, you acknowledge this limitation.
8b. CCPA — California Residents
California residents have the right to know what personal data we collect, request deletion, and opt out of the sale of personal data. We do not sell personal data. To make a request, email [email protected].
9. Changes to This Policy
We may update this policy as the Service evolves. We will notify registered users of material changes via email.
10. Contact
Privacy questions or data requests: [email protected]
General support: [email protected]