Privacy Policy
Last updated: 2 May 2026
This Privacy Policy explains what information Arcora (the “Service”), provided by Rulz & Co (“we”, “us”) collects when you use it, how we use that information, who we share it with, and what rights you have.
1. Overview
Arcora is a workspace that helps people in their first 90 days at a new job. To do that we need to know things like your role, company name, manager, and goals. We try to collect the minimum we need to run the Service well, and to be transparent about what happens with that data.
- We do not sell your personal data.
- We do not train AI models on your data.
- You can export and delete your data at any time.
2. Who is the data controller?
The data controller is Rulz & Co, based in Manchester, United Kingdom. You can reach the controller at hello@switchtoux.com.
3. What we collect
We collect three categories of information:
- Account info: name, email, password (stored hashed), profile photo if you upload one, and authentication metadata such as session timestamps and recent IP addresses (for security and account-lockout protection).
- Plan data: information you provide when building your 90-day plan — role title, company name, function, start date, work model, goals, success definition, stakeholders, knowledge-base notes, journal entries, and any documents (e.g. job description) you choose to upload.
- Usage data: how you interact with the Service (page views, feature usage, errors). We use this to improve the product. We may use a privacy-friendly analytics service (e.g. PostHog or Plausible) configured to avoid tracking cross-product identifiers.
Billing payment details (card numbers) are handled directly by Stripe. We never see or store full card details — only the last four digits and brand for receipt display.
4. How we use it
- To create your account and authenticate you.
- To generate your personalised 90-day plan and the related milestones, prompts, and insights.
- To deliver transactional emails (verification, password reset, plan-ready, daily reminders, weekly reflections, manager invites, and so on).
- To process and manage your Pro subscription if you choose to upgrade.
- To respond to support requests.
- To detect, investigate, and prevent abuse, fraud, and security incidents.
- To comply with legal obligations.
5. Lawful basis (UK / EU)
If UK GDPR or EU GDPR applies to you, we rely on:
- Performance of a contract — to provide the Service you signed up for.
- Legitimate interests — to keep the Service secure, to prevent abuse, and to improve the product. These interests are balanced against your rights and freedoms.
- Consent — for optional features like the newsletter signup. You can withdraw consent at any time.
- Legal obligation — where law requires us to retain or disclose data (for example, tax records).
6. AI processing of your data
Arcora generates plans and other personalised content using third-party AI providers — currently Anthropic (Claude) and OpenAI. To produce useful output, we send relevant parts of your plan data and uploaded documents to these providers as part of API requests.
- Both providers are bound by their data processing agreements with us.
- Neither provider trains their general-purpose models on data we send through their APIs.
- Your data is sent over encrypted HTTPS connections.
- You can review and delete the inputs at any time by editing or removing your plan content.
7. Sub-processors
We use the following third-party services to run Arcora. Each one only receives the data necessary for its function.
| Provider | Purpose | Location |
|---|---|---|
| Convex | Application database and backend functions | United States |
| Vercel | Web app hosting and edge networking | United States |
| Stripe | Payment processing for the Pro subscription | United States / United Kingdom |
| Resend | Transactional email (verification codes, plan-ready, reminders, invitations) | United States |
| Anthropic (Claude) | AI generation of plans, milestones, and analysis | United States |
| OpenAI | AI generation and embeddings for knowledge-base search | United States |
| Upstash (optional) | Distributed rate limiting | United States |
| Beehiiv (optional) | Newsletter and waitlist email delivery | United States |
We'll update this list when we add or remove sub-processors and notify users of material changes via email.
8. Sharing your information
We share information only:
- With sub-processors as described above.
- With managers and collaborators you explicitly invite (and only the parts of your plan you choose to share).
- To comply with valid legal requests (court orders, lawful subpoenas).
- To protect rights, property, or safety where necessary.
- If we ever go through a sale, merger, or asset transfer, with notice to you.
We don't sell your personal data, and we don't share it with advertisers.
9. Retention
- Active accounts: data retained while your account is active.
- Account deletion: data deleted or anonymised within 90 days.
- Billing records: kept for at least 6 years where required by tax law.
- Inactive accounts (12+ months no login): we may delete or anonymise data after notifying you by email.
10. Security
We use TLS in transit, encrypted databases at rest (managed by Convex), bcrypt-hashed passwords, account-lockout protection, and single-use email codes for sensitive actions. No system is 100% secure, but we follow industry-standard practices and review them regularly.
11. Your rights
If UK GDPR or EU GDPR applies, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data (subject to legal-retention exceptions).
- Restrict or object to processing in certain circumstances.
- Receive a copy of your data in a portable format.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local data protection authority.
To exercise any of these rights, email hello@switchtoux.com. We'll respond within 30 days.
12. International transfers
Some of our sub-processors are located outside the UK / EEA (mostly in the United States). Where we transfer personal data internationally, we rely on Standard Contractual Clauses or equivalent safeguards, as offered by those providers' data processing agreements.
13. Cookies and tracking
We use a small number of strictly necessary cookies to keep you signed in and to remember your settings (e.g. dark-mode preference). We do not use advertising cookies and we do not track you across other websites.
If we add product analytics, we will use a privacy-friendly provider configured to avoid persistent cross-site tracking, and we'll update this section before turning it on.
14. Children's privacy
Arcora is not intended for children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we'll delete it.
15. Changes to this policy
We may update this policy. If we make material changes, we'll notify you by email or in-app at least 14 days before the change takes effect. The “Last updated” date at the top will always reflect the most recent revision.
16. Contact
Questions about this policy or your data? hello@switchtoux.com
See also: Terms of Service