arxi.me
what he does integrations careers enterprise say hi
what he does integrations careers enterprise

Privacy Policy

Last updated: 2026-06-11 · Effective: 2026-06-11

1. Who we are

arxi ("arxi", "we", "us") is a delegated-intelligence assistant that operates inside messaging channels. It is built and run by arxi lab, a small independent project based in Barcelona, Spain. For anything about your privacy, write to privacy@arxi.me — the full legal and contact details of the data controller are at the end of this Policy (Section 14).

Because arxi is operated from Spain and processes data on infrastructure located in the European Union, this Policy is written to comply with the EU General Data Protection Regulation (GDPR) and Spanish data-protection law (LOPDGDD). It applies to all users regardless of where they are located.

2. Scope

This Policy explains what personal data arxi collects, why, who we share it with, how long we keep it, and the rights you have. It covers all arxi channels (Telegram bot, web channel, and future channels) and the arxi.me website.

3. What data we collect

3.1 Identity & account data. A channel identifier (e.g. your Telegram user ID), and — if you sign in to the web channel — your Google account identifier and email address. We do not require your real name.

3.2 The content you send to arxi. The messages, questions, instructions, and files you send. arxi is an assistant, so by design it processes the content of your conversations in order to answer and act on them.

3.3 Memory ("what arxi remembers about you"). To be useful over time, arxi maintains a private memory profile derived from your conversations (facts, preferences, reminders, contacts, and similar). This memory is private to you and is never made public. It is stored in your personal workspace and can be inspected, exported, or deleted by you (see Section 8). This processing may include building a profile of your preferences; we describe it transparently here for that reason.

3.4 Workspace files (Vault). Files you upload or that arxi creates on your behalf are stored in your personal workspace ("Vault").

3.5 Usage & billing data. Subscription tier, subscription status, and a record of your usage of language-model capacity (token/cost counts) used to calculate charges. Payment card details are handled by our payment provider (see Section 5) and are never stored by arxi.

3.6 Technical & operational data. Limited metadata needed to run and debug the service — timestamps, model/route used, latency, token counts, and error events. We do not log the text of your messages in our operational logs; only metadata.

4. Why we use your data, and our legal bases

PurposeLegal basis (GDPR Art. 6)
Provide the assistant and respond to your requestsPerformance of a contract (Art. 6(1)(b))
Maintain your private memory so arxi stays useful over timePerformance of a contract / your consent (Art. 6(1)(b)/(a))
Process payments and prevent abuse of billingContract / legitimate interests (Art. 6(1)(b)/(f))
Keep the service secure, debug and improve reliabilityLegitimate interests (Art. 6(1)(f))
Comply with legal and tax obligationsLegal obligation (Art. 6(1)(c))

We do not sell your personal data, and we do not use the content of your conversations to train our own models.

5. Who we share data with (subprocessors)

arxi relies on a small number of third-party processors. Some are used on every message (core processing); others are only used when arxi performs a specific action you asked for ("tool-time"). Each receives only the data needed for its function.

Core processing (used to operate the service)

ProcessorPurposeWhat it receives
Google Cloud — Vertex AILanguage-model inference (the model that powers arxi)The content of your conversation, system instructions, and conversation history needed to generate a response
Hetzner Online GmbH (Germany, EU)Server hosting; all data resides here at restAll data, stored on EU infrastructure
TelegramMessage delivery for the Telegram channelYour messages, to and from the bot
Polar.shPayments & subscription management (Merchant of Record)Your channel identifier and subscription/usage metadata — never your message content
PostHog (EU instance)Product analyticsMasked user identifier and event metadata (cost, model, tokens) — never your message content
Google (OAuth)Sign-in for the web channelYour email and Google account identifier, only if you sign in

Tool-time processing (only when arxi performs that action for you)

ProcessorPurposeWhat it receives
Google Cloud — Search groundingWeb search to ground answers in current factsYour search query text only
BrowserbaseBrowser automation, when arxi visits a website for youThe web traffic of that browsing session (pages visited, content, form input)
X.com (Twitter) APIRead-only access to public X/Twitter contentYour search/query terms only (read-only)
AnthropicLanguage-model inference for the optional /opus capabilityConversation content, only if you invoke /opus

We enter into data-processing agreements with our processors where required by GDPR Art. 28. The list above reflects services that are active. We do not enable optional/legacy providers without updating this Policy.

6. International data transfers

Your data is stored at rest in the European Union (Hetzner, Germany).

However, some processing is performed by providers that may process data outside the EU (for example, Google Cloud Vertex AI, Anthropic, Browserbase, and X are US-headquartered and may route requests through non-EU regions). Where data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the providers' applicable transfer frameworks (e.g. the EU–US Data Privacy Framework where the provider is certified).

7. How long we keep your data

  • Conversation content & memory: kept for as long as your account is active, so arxi can remember and assist you. You can delete it at any time (Section 8).
  • Operational metadata/logs: kept for a limited period for security and debugging, then rotated.
  • Billing records: kept as required by applicable tax and accounting law.

When you delete your data or close your account, your workspace, memory, and files are removed and the running environment is destroyed.

8. Your rights

Under the GDPR you have the right to: access your data; correct it; delete it ("right to be forgotten"); restrict or object to processing; data portability; and to withdraw consent.

arxi gives you direct, self-service control:

  • /pleasedeletemydata — deletes your workspace, memory, and files, and destroys your environment.
  • You can ask arxi to show or export what it remembers about you at any time.

To exercise any right, use the in-product commands above or contact privacy@arxi.me. You also have the right to lodge a complaint with the Spanish supervisory authority, the Agencia Española de Protección de Datos (AEPD), or your local EU authority.

9. International users and regional rights

arxi is available to users outside the European Union. Because arxi is operated by an EU-based controller on EU infrastructure, this Policy and the GDPR standard apply to all users, wherever you are located. We do not apply a lower standard to non-EU users.

Some regions grant additional rights, which we honour where they apply:

California residents (CCPA/CPRA). You have the right to know what personal information we collect and how we use it (described above), to request access to or deletion of your personal information, and to be free from discrimination for exercising these rights. We do not sell your personal information, and we do not share it for cross-context behavioural advertising. To exercise these rights, contact privacy@arxi.me or use /pleasedeletemydata.

Other jurisdictions (e.g. the United Kingdom, Brazil, Canada) have data-protection laws that closely mirror the GDPR; the rights and protections described in this Policy are intended to satisfy them. If a mandatory local right applies to you and is not covered above, contact us and we will honour it where legally required.

10. Security

All connections to external services use encryption in transit (HTTPS/TLS). Each user runs in an isolated virtual machine; environments are not reused between users. Credentials you store are kept encrypted, and the model never sees raw provider credentials (they are proxied). Memory and files are private to your workspace.

11. Public prompt, private memory ("Verified AI")

A core principle of arxi: the instructions that define arxi's behaviour (its "prompt") are public and verifiable — published with a hash and a changelog. What arxi knows about you is the opposite: it is private to you and never published. Transparency applies to how arxi behaves; privacy applies to your data.

12. Children

arxi is not directed to children under 16 (or the minimum age of digital consent in your country). We do not knowingly collect data from children below that age.

13. Changes to this Policy

We may update this Policy. Material changes will be announced through the service. The "Last updated" date at the top reflects the current version.

14. Contact

Questions or requests: privacy@arxi.me

Data controller: Trofim Pochinkov (autónomo), trading as arxi lab — NIE Z2367839V, Carrer de Mallorca 304, 08037 Barcelona, Spain

the mind is public. the memory is yours.

© 2026 arxi lab · your personal autonomous AI home Terms of Use Privacy Policy legal@arxi.me