Privacy Policy

Last updated: 11 May 2026

This Privacy Policy explains how ARCIS processes personal data when you visit our website, contact us, request a demo, book a consultation or interact with us in a business context.

ARCIS is currently operated as a pre-incorporation project by Onur Yilmaz and Birkan Kolcu in the context of the EXIST start-up programme. The incorporation process has been initiated and this Privacy Policy will be updated once the legal entity has been established.

We process personal data in accordance with the General Data Protection Regulation — GDPR — and applicable German data protection laws.

1. Controller

The persons jointly responsible for the processing of personal data on this website are:

Onur Yilmaz & Birkan Kolcu
ARCIS — pre-incorporation project
Lichtenbergstrasse 6
85748 Garching bei München
Germany

Email: [email protected]
Website: arcis.expert

ARCIS is currently operated as a pre-incorporation project by Onur Yilmaz and Birkan Kolcu in the context of the EXIST start-up programme. The incorporation process has been initiated. Once ARCIS has been incorporated, the controller information will be updated to reflect the legal entity.

For privacy-related questions or requests, please contact us at: [email protected]

2. Data Protection Contact

We have not appointed a data protection officer at this stage. For any privacy-related questions or requests, please contact: [email protected]

Under German law, private organisations generally need to appoint a data protection officer if, as a rule, at least 20 persons are regularly involved in automated processing of personal data, or in certain higher-risk cases.

3. Personal data we process

Depending on how you interact with us, we may process the following categories of personal data:

  • Website usage data: When you visit our website, technical data may be processed automatically. This can include your IP address, browser type, operating system, referring URL, pages visited, date and time of access, and server log data.
  • Contact and demo request data: If you contact us, request a demo or submit a form, we may process your name, email address, phone number, company name, role, message content and any additional information you choose to provide.
  • Business communication data: If we communicate with you as a potential customer, partner, expert, supplier or ecosystem contact, we may process your business contact details, communication history, meeting context and relevant notes.
  • Newsletter and update data: At this stage, ARCIS does not use a dedicated newsletter or email marketing tool. If you subscribe to updates or request information from us, we may use your email address to send relevant ARCIS updates manually or through our regular business email systems.
  • Consultation and meeting data: If you book or attend a meeting with us, we may process your name, email address, company, calendar metadata, meeting notes and any business information you voluntarily share with us.

4. Purposes and legal bases

We process personal data for the following purposes:

Providing and securing the website

We process technical data to display the website, maintain security, prevent misuse, diagnose errors and ensure reliable operation.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest.

Responding to inquiries and demo requests

We process contact data to respond to your request, prepare meetings and discuss potential collaboration.
Legal basis: Art. 6(1)(b) GDPR — pre-contractual measures, and Art. 6(1)(f) GDPR — legitimate interest.

Managing business relationships

We process business contact and communication data to manage commercial conversations, partnerships, follow-ups and potential customer relationships.
Legal basis: Art. 6(1)(b) GDPR — contract or pre-contractual measures, and Art. 6(1)(f) GDPR — legitimate interest.

Sending requested updates

If you ask to receive updates from ARCIS, we process your email address to send relevant information.
Legal basis: Art. 6(1)(a) GDPR — consent, or Art. 6(1)(f) GDPR where communication relates to an existing business relationship.

Complying with legal obligations

We may process certain data to comply with legal, tax, accounting or regulatory obligations.
Legal basis: Art. 6(1)(c) GDPR.

5. Website hosting

Our website is hosted on infrastructure provided by Google Cloud, currently using the Frankfurt, Germany / EU region, where technically configured.

When you access the website, Google Cloud may process technical server data necessary to provide the website securely and reliably. This may include IP address, time of access, requested URL, browser information, device information and server log data.

We use hosting services to make the website available, ensure performance, maintain security and prevent misuse.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest.

If the hosting configuration changes, this Privacy Policy will be updated accordingly.

6. Contact forms and demo requests

If you submit a form, request a demo or contact us by email, we process the information you provide in order to respond to your request. This may include name, email address, phone number, company, role or position, message content, and business context you voluntarily provide.

We use this data to understand your request, respond to you, arrange a meeting and evaluate potential collaboration.

We generally retain inquiry and business communication data for up to 24 months after the last interaction, unless a business relationship is established or legal obligations require longer retention.

7. Newsletter and updates

ARCIS currently does not use a dedicated newsletter provider, marketing automation tool or CRM-based email campaign system.

If you request updates, briefings or information from us, we may use your email address to contact you manually or through our standard business email system. You can unsubscribe or object to further communication at any time by contacting: [email protected]

If ARCIS later introduces a newsletter or CRM provider, this Privacy Policy will be updated before or at the time such tools are used.

8. Calendar and video meetings

For scheduling and conducting meetings, we may use Google Calendar and Google Meet. When a meeting is scheduled, Google may process calendar and technical data such as name, email address, meeting time, meeting link, device information and connection metadata.

We use these tools to coordinate and conduct business meetings.
Legal basis: Art. 6(1)(b) GDPR — pre-contractual measures, and Art. 6(1)(f) GDPR — legitimate interest.

We do not record meetings without informing participants in advance.

9. Analytics — PostHog

We use PostHog as our product analytics tool to understand how visitors use our website, in aggregate, so we can improve content and usability. PostHog is provided by PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA. For our website we use the PostHog EU instance (eu.i.posthog.com), so analytics data is processed on infrastructure located in the European Union (Frankfurt, Germany).

PostHog is only loaded and only processes data after you have given consent via our consent banner. If you decline, or until you make a choice, no PostHog cookies are set, no identifiers are stored on your device, and no analytics events are sent.

When active, PostHog may process:

  • Page views, click events, and other interactions on this website
  • A pseudonymous device or session identifier stored in a first-party cookie and local storage
  • Technical metadata such as browser type, operating system, device type, screen size, language, referring URL and approximate location derived from the IP address

We have disabled session recording. We do not create identified user profiles for anonymous website visitors.

Legal basis: Art. 6(1)(a) GDPR — consent. The corresponding storage of and access to information on your device is based on § 25(1) TTDSG (now TDDDG) — consent.

Withdrawal: You can withdraw your consent at any time with effect for the future by clicking “Cookie Settings” in the website footer and choosing “Decline”, or by clearing the cookies and local storage for this site in your browser. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

International transfers: Although we use the PostHog EU instance, PostHog Inc. is a US-based company and personnel based outside the EEA may have administrative access to the platform. Where personal data is transferred to such recipients, transfers are based on the EU Standard Contractual Clauses and PostHog’s Data Processing Addendum.

More information: PostHog Privacy Policy · PostHog DPA.

10. Cookies and similar technologies

Our website uses two categories of cookies and similar technologies:

Strictly necessary

Used to operate the website, maintain security, remember essential settings such as your cookie choice, prevent abuse and ensure technical functionality. These do not require consent.
Includes a small entry in your browser’s local storage (key arcis-cookie-consent) that records whether you have accepted or declined analytics, so we do not show the banner again.

Analytics (consent required)

First-party PostHog cookies and local storage entries that are only set after you click “Accept” in the consent banner. See section 9 for details.
Legal basis: Art. 6(1)(a) GDPR and § 25(1) TTDSG / TDDDG — consent.

We do not use advertising or retargeting cookies.

Under German law, accessing or storing information on a user’s device generally requires consent unless it is strictly necessary to provide the service requested by the user. You can manage or withdraw your analytics consent at any time via the “Cookie Settings” link in the website footer.

11. Fonts, images and external content

We aim to load website assets such as fonts, images and media locally where possible. If external resources are loaded from third-party servers, those providers may receive technical data such as your IP address and browser information.

Where possible, ARCIS avoids unnecessary third-party tracking and externally loaded assets.

12. AI-assisted internal workflows

ARCIS builds AI-enabled operational workflows. In the context of inquiries, consultations or demo preparation, we may use AI-assisted internal tools to summarize business conversations, prepare proposals, understand customer needs or structure internal notes.

We do not use personal data submitted through the website to train public AI models. We do not sell personal data.

Where external AI or software providers are used in the future, we will take appropriate safeguards, limit processing to what is necessary and update this Privacy Policy where required.

13. Recipients and processors

We may share personal data with trusted service providers where necessary to operate the website and manage business communication. This may include:

  • Hosting providers (Google Cloud, EU region)
  • Product analytics: PostHog Inc. (EU instance), see section 9
  • Email infrastructure providers
  • Calendar and video meeting providers
  • IT and security service providers
  • Legal, tax or accounting advisors
  • Public authorities, where legally required

Where required, we use data processing agreements under Art. 28 GDPR.

14. International data transfers

Where possible, we use providers and infrastructure located within the European Economic Area.

If personal data is transferred outside the European Economic Area, we ensure that appropriate safeguards are in place. These may include an adequacy decision by the European Commission, Standard Contractual Clauses or other legally recognized transfer mechanisms.

15. Storage periods

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy. Typical retention periods are:

  • Server logs: generally up to 30 days, unless longer retention is necessary for security or legal reasons
  • Contact and demo inquiries: up to 24 months after the last interaction
  • Business communication data: for the duration of the business relationship and applicable limitation periods
  • Meeting notes: as long as relevant for the business relationship or potential collaboration
  • Tax and accounting-related data: where applicable, according to statutory retention obligations

Where retention periods cannot be stated precisely, we determine them based on the purpose of processing, legal obligations, limitation periods and legitimate business interests.

16. Security

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration or disclosure. These measures may include:

  • Encryption in transit
  • Access controls
  • Secure hosting
  • Role-based permissions
  • Regular software updates
  • Internal confidentiality practices
  • Backups and monitoring where appropriate

We avoid making security claims that go beyond our actual technical implementation.

17. Your rights

Under the GDPR, you have the following rights:

  • Right of access — Art. 15 GDPR
  • Right to rectification — Art. 16 GDPR
  • Right to erasure — Art. 17 GDPR
  • Right to restriction of processing — Art. 18 GDPR
  • Right to data portability — Art. 20 GDPR
  • Right to object — Art. 21 GDPR
  • Right to withdraw consent — Art. 7(3) GDPR
  • Right to lodge a complaint with a supervisory authority — Art. 77 GDPR

To exercise your rights, contact: [email protected]. We may need to verify your identity before responding to your request.

18. Right to object

Where we process personal data based on legitimate interests under Art. 6(1)(f) GDPR, you have the right to object to such processing at any time on grounds relating to your particular situation.

If we process your personal data for direct marketing purposes, you may object at any time without giving reasons. After your objection, we will no longer process your personal data for direct marketing.

19. Withdrawal of consent

If processing is based on your consent, you may withdraw that consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

20. Complaint authority

You have the right to lodge a complaint with a data protection supervisory authority. For private-sector organisations in Bavaria, the competent authority is generally:

Bayerisches Landesamt für Datenschutzaufsicht — BayLDA
Promenade 18
91522 Ansbach
Germany

Email: [email protected]
Website: www.lda.bayern.de

21. No obligation to provide data

You are not legally required to provide personal data when visiting our website. However, certain data may be necessary to display the website, respond to your inquiry, arrange a meeting or provide requested information. If you do not provide required information, we may not be able to respond to your request.

22. Children

Our website and services are not directed at children. We do not knowingly collect personal data from persons under the age of 16.

23. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes to our processing practices, technical changes, or changes in legal requirements. The updated version will be published on our website with a new “Last updated” date.

We recommend reviewing this Privacy Policy regularly.