This Privacy Policy explains how C4CI Group Belgium BV/SRL, enterprise number BE 1030.600.254, registered office at Nieuwstraat 41, 2260 Westerlo, Belgium ("C4CI", "we", "us", or "our"), processes personal data in connection with C4CI Arch and related product surfaces.
For privacy questions or requests, contact support@c4ci.io.
1. Scope and Roles
This policy covers the tenant portal, Admin Hub, authentication, organisation management, billing, support, audit evidence, integrations, browser storage, and related Arch operations.
C4CI acts as controller for personal data that we process to create and manage accounts, secure the service, provide support, handle billing, operate legal acceptance workflows, communicate with users, and meet legal obligations.
For Customer Content and connected-system data processed on behalf of a customer, C4CI generally acts as processor or service provider under the customer's instructions. The customer remains responsible for deciding which systems and data to connect and for ensuring that those connections are lawful. Where a separate data-processing agreement or order form applies, that document controls the processor commitments for the relevant processing.
Third-party cloud, identity, source-control, payment, support, and design tools are governed by their own privacy notices when you use them directly.
2. Personal Data We Process
Depending on how Arch is configured and used, we may process the following categories of personal data:
| Category | Examples |
|---|---|
| Identity and account data | Name, email address, username, identity-provider subject, avatar, language, profile settings, sign-in method, roles, organisation membership |
| Authentication and session data | Session identifiers, access state, refresh state, CSRF controls, selected organisation, login timestamps, logout events |
| Organisation and administration data | Organisation name, project membership, invitations, permissions, administrator actions, legal acceptance records |
| Product usage and audit data | Page and feature activity, scan requests, approvals, drift review actions, audit events, security events, error traces, metering events |
| Connected-system metadata | Cloud subscription identifiers, resource names, repository metadata, cluster metadata, architecture relationships, configuration metadata, drift evidence |
| Customer Content | Diagrams, reports, comments, prompts, uploaded files, generated explanations, remediation drafts, support attachments |
| Billing and payment data | Billing contact details, company details, VAT or tax fields, subscription state, usage quantities, invoice references, payment status |
| Support and communications data | Support messages, diagnostic information, contact preferences, product notices, operational messages |
| Device and browser data | IP address, user agent, request metadata, cookie and local-storage choices, Global Privacy Control signal where available |
Arch is not designed for children or for intentional submission of special categories of personal data, such as health data, biometric data, or data about political opinions, religion, trade-union membership, sex life, sexual orientation, or criminal convictions. Do not submit that data unless a written agreement with C4CI specifically allows it and the required safeguards are in place.
3. Sources of Personal Data
We collect personal data from:
- you, when you create an account, use the product, contact support, configure preferences, or accept legal documents;
- your organisation administrators, when they invite users, assign roles, or manage organisation settings;
- identity providers, cloud providers, repositories, payment processors, and other integrations that you or your organisation connect;
- browsers, devices, and network requests when the service is loaded and used;
- C4CI systems that generate audit logs, security logs, billing events, product diagnostics, and support records.
4. Purposes and Legal Bases
We process personal data for the following purposes and legal bases:
| Purpose | Legal basis |
|---|---|
| Provide, authenticate, route, and administer the service | Performance of a contract; legitimate interests in operating a secure B2B SaaS product |
| Manage organisations, roles, invitations, projects, and legal acceptance | Performance of a contract; legitimate interests in account governance and auditability |
| Generate architecture views, drift evidence, reports, and product outputs | Performance of a contract; customer instructions where C4CI acts as processor |
| Secure the service, detect abuse, prevent fraud, debug issues, and protect tenants | Legitimate interests; legal obligations where applicable |
| Meter usage, bill paid features, manage invoices, and keep accounting records | Performance of a contract; legal obligations; legitimate interests in payment collection |
| Provide support, respond to requests, and communicate operational notices | Performance of a contract; legitimate interests in customer support and product operation |
| Improve reliability, usability, documentation, and product quality | Legitimate interests, using aggregated or minimised data where appropriate; consent where required for non-essential browser storage or analytics |
| Send product, legal, security, or administrative updates | Performance of a contract; legal obligations; legitimate interests |
| Send marketing communications where configured | Consent or legitimate interests where permitted by law, with opt-out controls |
| Comply with law, enforce terms, respond to lawful requests, and preserve claims | Legal obligations; legitimate interests in legal protection |
Where we rely on legitimate interests, we balance those interests against the rights and freedoms of affected individuals. Where we rely on consent, you may withdraw consent at any time through the available product controls or by contacting us.
5. AI-Assisted Features
Arch may use AI-assisted features to summarise connected-system metadata, explain drift, draft diagrams, propose next actions, classify support issues, or help prepare evidence. C4CI does not use AI-assisted features to make solely automated decisions that produce legal or similarly significant effects about users.
AI-assisted outputs require human review before operational, compliance, security, legal, or financial reliance. Customer administrators remain responsible for deciding which connected data may be processed through those features.
6. Cookies and Browser Storage
Arch uses cookies, local storage, session storage, and similar browser technologies to authenticate users, keep the product secure, remember preferences, route organisation context, record privacy choices, and control optional non-essential integrations. The Cookie Policy explains these technologies and choices in more detail.
7. Sharing and Recipients
We share personal data only where needed for the purposes in this policy. The recipient categories may include:
- hosting, infrastructure, database, logging, monitoring, and security providers;
- identity providers and authentication services selected by C4CI or your organisation;
- payment processors, invoicing providers, accounting providers, and banks;
- email, support, customer-communication, and incident-management providers;
- optional analytics, design-capture, or product-improvement providers where configured and allowed by consent or law;
- professional advisers, insurers, auditors, and legal representatives;
- public authorities, regulators, courts, or law-enforcement bodies where required by law or necessary to protect rights, security, or safety;
- successors or counterparties in a merger, acquisition, financing, restructuring, or sale of assets, subject to appropriate confidentiality.
We do not sell personal data.
8. International Transfers
C4CI is established in Belgium. Some providers or support operations may process personal data outside the European Economic Area. Where that happens, we rely on an adequacy decision, standard contractual clauses, transfer-impact safeguards, or another lawful transfer mechanism as required by data-protection law.
You may contact support@c4ci.io for information about the safeguards relevant to your organisation.
9. Retention
We keep personal data only for as long as needed for the purposes described in this policy, unless a longer period is required or permitted by law. Retention depends on the data type, customer configuration, legal obligations, security needs, billing requirements, backup cycles, and whether the data is needed to resolve disputes or preserve audit evidence.
Typical retention criteria include:
| Data type | Retention approach |
|---|---|
| Account and organisation records | Kept while the account or organisation is active, then deleted or minimised after closure unless needed for security, billing, legal, or audit purposes |
| Authentication and session data | Kept for the session or identity-provider lifetime, with security logs retained longer where needed |
| Audit, approval, and legal acceptance records | Kept for the period needed to evidence actions, terms acceptance, security events, compliance workflows, and disputes |
| Billing, tax, and invoice records | Kept for statutory accounting, tax, audit, fraud-prevention, and dispute periods |
| Connected-system metadata and Customer Content | Kept according to customer configuration, product lifecycle, support needs, deletion requests, and backup schedules |
| Support records | Kept while needed to handle the request and maintain service history, then deleted or minimised according to support-retention practices |
| Browser preferences and consent choices | Kept in the browser until changed, cleared, or replaced by a new policy version that requires a fresh choice |
| Backups and logs | Deleted or overwritten through scheduled backup and log-retention cycles unless preserved for security, legal, or incident purposes |
10. Security
C4CI uses technical and organisational safeguards designed to protect personal data, including tenant isolation, role-based access control, encryption, logging, access review, controlled integrations, and operational monitoring. No system can be guaranteed to be perfectly secure.
If you believe personal data or credentials have been exposed through Arch, contact support@c4ci.io promptly.
11. Your Rights
Subject to legal conditions and exceptions, individuals in the European Economic Area and other applicable jurisdictions may have the right to:
- access personal data and obtain a copy;
- correct inaccurate or incomplete personal data;
- request deletion of personal data;
- restrict or object to processing;
- receive portable data where the right applies;
- withdraw consent where processing is based on consent;
- object to direct marketing;
- not be subject to solely automated decisions with legal or similarly significant effects;
- lodge a complaint with a supervisory authority.
To exercise rights, contact support@c4ci.io. We may need to verify your identity and may direct organisation-managed requests to your organisation administrator when C4CI acts as processor.
If you are in Belgium, you may contact the Belgian Data Protection Authority (APD/GBA) at https://www.autoriteprotectiondonnees.be or https://www.gegevensbeschermingsautoriteit.be.
12. Customer Responsibilities
Customers are responsible for:
- giving required notices to their users and other affected individuals;
- ensuring connected systems and Customer Content are lawful to process through Arch;
- configuring access, roles, integrations, retention, exports, and deletion consistently with their obligations;
- responding to rights requests where the customer is controller and C4CI is processor;
- avoiding submission of unnecessary personal data, secrets, or regulated data.
13. Changes to This Policy
C4CI may update this policy as the service, law, subprocessors, or operating model changes. When a new mandatory version materially affects product use or data handling, C4CI may require re-acceptance before continued access to authenticated product surfaces.
The version and effective date at the top of this document identify the active version.
14. Contact
Privacy questions, rights requests, and data-processing questions should be sent to support@c4ci.io.