Privacy Policy
Who we are
ArchStage is a native desktop application developed and sold by M2GL SOLUTIONS, a company based in the European Union. ArchStage is distributed directly via archstage.app.
For any privacy-related questions, contact us at: privacy@archstage.app
The short version
ArchStage is built with privacy by design.
- Your project files never leave your machine
- We do not track your usage inside the app
- We do not run behavioral analytics inside the app
- We do not sell your data to anyone
- On our public marketing website, we use limited third-party advertising and conversion-tracking technologies to measure the effectiveness of our ads. See §1.5.1 for details and how to opt out.
- The only personal data we process from customers is what is strictly necessary to activate your license and handle your purchase
1. What data we collect and why
1.1 Purchase data
When you purchase ArchStage, your payment is processed by Paddle (Paddle.com Market Ltd.), our Merchant of Record. Paddle collects and processes your payment information (name, email address, billing address, payment method) directly. We do not receive or store your payment card details.
Paddle acts as the Merchant of Record for all ArchStage purchases, meaning they handle VAT collection, invoicing, and payment compliance on our behalf. Their privacy policy is available at paddle.com/legal/privacy.
After a successful purchase, we receive from Paddle:
- Your email address (for license delivery and support)
- Your license key
Legal basis (GDPR): Performance of a contract (Article 6(1)(b))
1.2 License activation data
When you activate your ArchStage license, the app sends a license validation request to Paddle's license API. This request includes:
- Your license key
- A hashed hardware identifier (machine ID) that identifies your device without identifying you personally. This identifier is a one-way hash of hardware properties — it cannot be reversed to identify your machine or you.
This data is used solely to enforce the single-machine activation limit and to validate your license on subsequent launches.
Legal basis (GDPR): Performance of a contract (Article 6(1)(b)) and our legitimate interest in preventing license fraud (Article 6(1)(f))
1.3 Trial registration data
When you launch ArchStage for the first time without a license, the app registers your trial start date against your hashed machine ID on our trial server. This is used solely to enforce the 7-day trial period and prevent trial resets. No personally identifiable information is sent.
Legal basis (GDPR): Legitimate interest (Article 6(1)(f))
1.4 Support communications
If you contact us by email, we receive your email address and the contents of your message. We use this solely to respond to your inquiry. We do not add you to any mailing list without your explicit consent.
Legal basis (GDPR): Legitimate interest (Article 6(1)(f))
1.5 Website
Our website (archstage.app) is designed to minimise data collection:
- All fonts and core scripts are self-hosted — no requests to Google Fonts, CDNs, or general-purpose analytics providers on page load
- We do not run general-purpose web analytics (e.g. Google Analytics, Plausible, Mixpanel)
- We use limited advertising and conversion-tracking technologies on our website to measure the effectiveness of our marketing campaigns — see §1.5.1 below
Legal basis (GDPR): No personal data processing occurs on page load beyond what is described in §1.5.1.
1.5.1 Advertising and conversion tracking
To measure the effectiveness of our paid advertising (e.g. on professional social networks), our website loads third-party tracking technologies provided by our advertising partners. These technologies may:
- Set first-party and third-party cookies in your browser
- Load a tracking pixel or script that reports your visit to the advertising partner
- Receive your IP address, approximate location, user-agent, referrer URL, the page you visited on our site, and — if you are signed in to the partner's service — an identifier linked to your account on that service
This data is used to attribute conversions (e.g. a purchase or trial sign-up) to a specific ad campaign, to measure reach, and to enable us to re-contact ad viewers via that partner's own platform. We do not receive a list of who visited our website; the advertising partner processes this data on their own infrastructure and shares only aggregate campaign metrics with us.
Current advertising partners:
- LinkedIn Insight Tag — provided by LinkedIn Ireland Unlimited Company (registered office: Wilton Plaza, Wilton Place, Dublin 2, Ireland) and LinkedIn Corporation (USA). See LinkedIn's cookie policy at linkedin.com/legal/cookie-policy and privacy policy at linkedin.com/legal/privacy-policy.
We will update this list whenever we add or remove an advertising partner.
How to opt out:
- Disable third-party cookies in your browser, or use a privacy-focused browser that blocks tracking scripts by default
- Manage your LinkedIn advertising preferences at linkedin.com/psettings/advertising
- Use the European Digital Advertising Alliance opt-out page at youronlinechoices.eu
- Enable your browser's "Do Not Track" or "Global Privacy Control" signal
Data retention: controlled by the advertising partner. LinkedIn's tracking cookies typically expire between 30 days and 2 years depending on the cookie; see their cookie policy for specifics.
International transfers: these advertising partners may transfer your data outside the European Economic Area, in particular to the United States. Such transfers are covered by Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.
Legal basis (GDPR): Consent (Article 6(1)(a)) for EU/EEA/UK visitors; legitimate interest (Article 6(1)(f)) in measuring advertising effectiveness for visitors from jurisdictions that permit it. Where consent is required, you may withdraw it at any time using the opt-out methods above.
1.6 What we do NOT collect
- We do not collect analytics or usage data from inside the desktop app
- We do not track which features you use inside the desktop app
- We do not read, access, or transmit your project files or documents
- Beyond the advertising and conversion tracking described in §1.5.1, we do not share your data with third parties for marketing purposes
2. Your project data
All data you create in ArchStage — projects, sprints, backlog items, documents, generated files — is stored locally on your machine in .archstg files (SQLite databases) and in the folder structure you choose.
This data is entirely under your control. We have no access to it, no visibility into it, and no copy of it. Deleting the files from your machine permanently removes them.
The only network calls ArchStage makes are:
- To our licensing server (trial registration, license activation, and periodic validation)
- To our server to check for app updates (on launch; no PII is sent)
- To Anthropic's API via Claude Code CLI (your own account, your own key — we have no involvement in or visibility into these calls)
3. Data retention
| Data | Retention period |
|---|---|
| License key + machine ID | For the lifetime of your license |
| Trial machine ID | 1 year after trial registration |
| Support emails | 2 years from last correspondence |
| Purchase records | As required by applicable law (typically 7 years) |
4. Your rights under GDPR
If you are located in the European Union, you have the following rights:
Right of access — You can request a copy of the personal data we hold about you.
Right to rectification — You can ask us to correct inaccurate data.
Right to erasure — You can ask us to delete your personal data, subject to legal retention obligations.
Right to restriction — You can ask us to restrict processing of your data in certain circumstances.
Right to data portability — You can request your data in a machine-readable format.
Right to object — You can object to processing based on legitimate interests.
Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, contact us at privacy@archstage.app. We will respond within 30 days.
You also have the right to lodge a complaint with your local supervisory authority if you believe your data has been processed unlawfully.
5. Data transfers
Paddle (Paddle.com Market Ltd.) is a UK-based company. Transfers of your purchase data to Paddle are covered by their GDPR compliance measures and Standard Contractual Clauses (SCCs) where applicable. See their privacy policy at paddle.com/legal/privacy for details.
Our trial registration server is hosted in the EU. No personal data is transferred outside the EU in connection with trial registration.
6. Third parties
| Third party | Purpose | Their privacy policy |
|---|---|---|
| Paddle | Payment processing, license management | paddle.com/legal/privacy |
| Anthropic | AI processing via Claude Code (your account) | anthropic.com/privacy |
| LinkedIn (Insight Tag) | Website advertising and conversion tracking (see §1.5.1) | linkedin.com/legal/privacy-policy |
We have no control over Anthropic's data practices for your Claude Code usage. Your use of Claude Code is governed by your own agreement with Anthropic.
7. Security
We take reasonable technical measures to protect the data we hold:
- License keys are stored encrypted on your device using OS-level encryption (macOS Keychain, Windows DPAPI)
- Communications with our license and trial servers use HTTPS
- We do not store payment card data at any point
8. Children
ArchStage is not directed at children under 16. We do not knowingly collect personal data from children.
9. Changes to this policy
If we make material changes to this policy, we will update the date at the top of this page and, where appropriate, notify you by email. Continued use of ArchStage after changes constitutes acceptance of the updated policy.
10. Contact
For any privacy questions or to exercise your rights:
privacy@archstage.app
Response time: within 30 days.