Legal
Privacy Policy
Last updated: 14 July 2026
This explains what personal data we collect, why, who we share it with, how long we keep it, and what you can demand from us. Section 4 — what we do and do not see of your proxy traffic — is the one most people are here for.
1.Who is responsible for your data
The controller of your personal data is Ravaiq Ltd., registration number HE485497, Soliou 2, 8560 Peyia, Cyprus (trading as “ARC Proxies”, “we”).
For any privacy question, or to exercise the rights in Section 8, write to contact@arcproxies.io. You can also reach us on Discord, though we ask you to use email for data-protection requests so that we have a record.
2.What we collect
Data you give us when you register:
- Your email address. This is your account identifier — we cannot run an account without it.
- Your name, if you choose to provide one. It is optional.
- Your password, which we store only as a salted hash. We never see it in plain text.
If you sign in with Google or Discord:
- We receive your email address and basic profile information from that provider in order to create or match your account. We do not receive your password, and we do not post anything on your behalf.
When you buy bandwidth:
- Your order: the plan, the number of gigabytes, the amount, the currency, the status, and the date.
- Identifiers issued by Stripe: a customer id, a checkout session id and a payment id, which let us match a payment to your account.
- Whether you have redeemed a one-time discount code, so it cannot be used twice.
We do not receive or store your card number, expiry date or CVC.
Payments are handled entirely by Stripe on their own systems. We only ever see the identifiers above and the outcome of the payment.
When you use the Services:
- Your proxy credentials — the username, and the password, which is encrypted at rest in our database so that we can show you your connection string.
- Your bandwidth balance: how many gigabytes you bought, used and have left.
- A time series of your bandwidth consumption, so the dashboard can chart your usage.
- For dedicated static IPs, the endpoint details of the IPs allocated to you (address, port, country, network).
3.Why we process it, and on what legal basis
- To provide the Services (Art. 6(1)(b) GDPR — performance of a contract). Creating your account, taking payment, provisioning your proxy credentials, crediting your bandwidth, showing you your balance and usage. Without this data we cannot deliver what you paid for.
- To comply with the law (Art. 6(1)(c)). Keeping records of transactions for tax and accounting purposes, and responding to lawful requests from competent authorities.
- To protect the Services (Art. 6(1)(f) — legitimate interests). Preventing fraud, chargeback abuse, duplicate-account discount abuse, and detecting use that violates our Acceptable Use policy. Our interest is in operating a network that is not used for crime; we consider this not to override your rights, and you may object under Section 8.
- To answer you (Art. 6(1)(b) or (f)). Handling your support requests.
We do not use your data for advertising, we do not profile you, and we do not sell your data to anyone. Not now, and not as a “we may in future” clause either.
4.Your proxy traffic: what we do and do not see
We do not log the content of your traffic, the websites you connect to, or the requests you make.
Our systems record how many gigabytes you have consumed. They do not record what those gigabytes contained, where they went, or when you visited a particular destination. There is no browsing history attached to your account, because we never create one.
We also do not record your own IP address or browser user-agent in the application when you use the dashboard.
Two honest caveats, because a privacy policy that overclaims is worse than useless:
- Our servers keep short-lived technical logs. Like any web service, our hosting and infrastructure keep standard server logs, which can include the IP address a request came from, for security and abuse prevention. They are kept only as long as that purpose requires and are not used to build a picture of what you do on the network.
- The network layer is not ours. The proxy network is operated by an upstream provider (Section 5). What happens inside their infrastructure is outside our systems and outside our knowledge. Their published policy states that they monitor the volume of data transferred, keep short-term operational metrics for a maximum of six hours before deleting them, and keep no logs of user activity beyond that. They also state that they do not control the exit IP addresses and cannot link them to individual users.
5.Who we share it with
We share your data only with the parties we need in order to run the Services. Each is bound by a contract that limits what they may do with it.
- Stripe (Stripe Payments Europe, Ltd., Ireland) — to take and manage your payment. Stripe is a controller in its own right for parts of this; see stripe.com/privacy.
- Our upstream network provider — to provision the proxy account and bandwidth that you use. We pass the minimum needed to create and top up your account on their platform, under a data processing agreement that limits what they may do with it.
- Google and Discord — only if you choose to sign in with them, and only to authenticate you.
- Our hosting and infrastructure providers — to run the servers the Services depend on. They act on our instructions only and may not use your data for their own purposes.
- Competent authorities — where we are legally required to disclose, or where we report activity of the kind described in our Terms of Service.
6.Transfers outside the EU/EEA
We are established in Cyprus and prefer to keep data within the EU/EEA. Where a provider processes data outside the EEA, we rely on the European Commission’s Standard Contractual Clauses or an adequacy decision.
If you would like details of the safeguards that apply to a specific transfer, write to us at the address in Section 1 and we will provide them.
7.How long we keep it
- Account data — for as long as your account exists. If you close it, we delete or anonymise your data, except where we must keep it (see below).
- Orders and invoices — retained for as long as Cypriot tax and accounting law requires us to keep them, even after you close your account. We cannot delete these on request; the law requires us to keep them. Once that period has run, we delete them.
- Detailed usage records — raw usage measurements are condensed into daily totals after 30 days, and the detailed rows are deleted. The daily totals remain while your account is open so that your usage history stays meaningful.
- Proxy credentials — deleted when the corresponding account is closed.
- Records of a violation — where we terminated an account for abuse, we keep a minimal record for as long as necessary to defend a legal claim or to prevent the person from returning.
8.Your rights
Under the GDPR you have the right to:
- ask us for a copy of the personal data we hold about you (Art. 15);
- have inaccurate data corrected (Art. 16);
- have your data deleted (Art. 17), except where we are legally required to keep it — invoices being the usual case;
- have processing restricted (Art. 18);
- receive your data in a portable, machine-readable format (Art. 20);
- object to processing we base on legitimate interests (Art. 21) — including our fraud and abuse prevention, which we will then reassess for your case;
- withdraw a consent you gave us at any time, without affecting what we did before you withdrew it (Art. 7(3)).
Write to contact@arcproxies.io and we will respond within one month. We do not charge for this.
If you think we have handled your data unlawfully, you may complain to a supervisory authority — for us, the Office of the Commissioner for Personal Data Protection in Cyprus, or the authority in the EU country where you live. We would rather you came to us first, but it is your right either way.
9.Security
- Passwords are stored as salted hashes, never in plain text.
- Your proxy password is encrypted at rest in our database.
- Card data never touches our servers; Stripe handles it.
- Access to production data is limited to the people who need it to operate the Services.
No system is perfectly secure. If a breach occurs that is likely to result in a risk to your rights, we will notify the supervisory authority within 72 hours and, where the risk is high, we will tell you directly.
10.Cookies
This marketing site sets no tracking cookies and runs no analytics. We store your light/dark theme preference in your browser’s local storage, which never leaves your device.
The dashboard uses cookies and local storage that are strictly necessary to keep you signed in. These do not require consent because the service does not work without them.
11.Children
The Services are not for anyone under 18. We do not knowingly collect data from children. If we learn that we have, we delete it.
12.Changes to this policy
If we change how we handle your data, we will update this page and the date at the top. Where a change materially affects you, we will tell you by email before it takes effect.
