Claim Your
Off Discount

EU Privacy Policy

This privacy policy is valid for users living in the European Union. If you live in another jurisdiction, please refer to our privacy policy here.

This Privacy Policy provides you with information on how Arc Studio Labs, Inc., ("Arc Studio", "we, "us", "our") processes your personal data insofar as you are located in the EU/ EEA. We are committed to protecting your personal data and respecting your privacy rights under the EU General Data Protection Regulation (“GDPR”). This Privacy Policy explains how we collect, use, share, store and secure your personal data when you use our SaaS platform.

1 - Controller Contact Details

Arc Studio Labs, Inc., represented by Michail Huber

2810 N Church St
19802 Wilmington
Delaware
USA

Contact: privacy@arcstudiopro.com

Representative in the EU:

David Reimann, Attorney at Law (Germany/Austria)
Contact: eu-rep@arcstudiopro.com

2 - Provision of the website and creation of log files

When you visit our website https://www.arcstudiopro.com ("website") for purely informational purposes, the browser used on your device automatically sends information to the server of our website. This information is temporarily stored in a so-called log file. Log files contain the following data:

  • IP address of the requesting device,
  • Date and time of access,
  • Name and URL of the accessed file,
  • Website from which the access was made (referrer URL),
  • browser and operating system of your device.

The data is stored to ensure a smooth connection setup, correct display and proper operation of the website. The data is also used to ensure convenient use and optimization of the website and to ensure the security and stability of our information technology systems. These purposes also constitute our legitimate interest. The legal basis for the processing of the data is Art. 6 para. 1 lit. f GDPR.

The collection of data is absolutely necessary for the provision and operation of the website. There is therefore no possibility for you to object. The data is deleted when it is no longer required for the above-mentioned purposes. Depending on the hosting provider, this usually happens within 7 days and at the latest within 30 days.

3 - Cookies and similar technologies

We use cookies, local storage objects, and similar technologies (collectively: "cookies") to make our website more user-friendly and enable certain functions. Cookies are text files stored by your internet browser on your end device when you access a website. These cookies contain a unique string of characters that allows your browser to be identified when you visit the website again. Cookies allow the website to adapt its content to your interests more quickly. Cookies usually contain the name of the domain from which the cookie originates, the cookie's expiration date, and a randomly generated number. Cookies alone do not allow any conclusions to be drawn about your identity.

Some cookies are necessary for the operation of our website and may be set without your consent ("necessary cookies"). If necessary cookies also process personal data, the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR, either to initiate or execute a contract with you, or in accordance with Art. 6 para. 1 lit. f GDPR to safeguard our legitimate interests in ensuring the website's optimal functionality and an effective, customer-friendly design.

Beyond necessary cookies, our website site uses "non-necessary cookies" for statistical analysis, marketing purposes, and to integrate external media only if you actively consent to this use. If these cookies process personal data, the legal basis for doing so is Art. 6 para. 1 lit. a GDPR, based on your consent. For further information, see section 4 below.

The first time you visit our website, a banner will appear to inform you about the name, type, provider, purpose, and expiration date of the cookies used, as well as the type and scope of any personal data processed. On the banner, you can accept or reject the use of non-necessary cookies. You can access the banner at any time by clicking the "Cookie Settings" link on the website. There, you can also revoke your consent to the use of non-essential cookies.

We use the Cookiebot service, provided by Usercentrics A/S (Havnegade 39, 1058 Copenhagen, Denmark), for the cookie banner. Cookiebot processes your data as specified in Section 2. The legal basis for this processing is our legitimate interest according to Art. 6 para. 1 lit. f GDPR in providing an efficient, legally compliant solution for managing your consent to, and rejection of, non-essential cookies, as well as providing all necessary information about the cookies we set.

Please note that you can set your browser to notify you about the use of cookies, allowing you to decide whether to accept or reject them.

4 - Website statistics, marketing, embedding of external media

If you have consented to the use of non-necessary cookies, we will integrate one or more of the following services on our website. If personal data is processed when using these services, the legal basis for doing so is Art. 6. para. 1 lit. a GDPR due to your consent to the setting of the respective non-necessary cookie (see section 3 above). The lawfulness of processing carried out on the basis of consent remains unaffected until its revocation. More information about the services we use is available by clicking the "Cookie Settings" link on the website.

Google Services

We use a range of services provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) to operate and improve our website. These services may involve the transfer of personal data to the United States. We have activated IP anonymization in our Google setup. This ensures your IP address is truncated within the EU before it is transmitted to Google servers in the United States.

We use Google Analytics to understand how visitors interact with our website. Google Analytics uses cookies to collect pseudonymized information such as:

  • Page visits, session duration, bounce rates
  • Browser, device type and operating system
  • Country and IP address (truncated)
  • Referring URLs and user interactions

We rely on Google Analytics to improve the performance, usability, and content of our site based on aggregated usage trends. Analytics data is retained for 14 months, after which it is automatically deleted.

We use Google Tag Manager (GTM) to deploy scripts (including Analytics, ads, and tracking tools) in a centralized way. GTM itself does not collect or process personal data directly. It serves as a container to load other scripts. However, it may trigger third-party scripts that do process data (e.g., Google Analytics) and load from US-based servers.

Some pages on our website may use Google Fonts, a library of open-source font files. Fonts are potentially loaded directly from Google’s CDN (fonts.googleapis.com) when you access our website. This connection may result in your IP address being sent to Google servers in the U.S. and logged for security and performance purposes.

We may embed videos on our website that are hosted on YouTube, a platform operated by Google. When you access a page with an embedded video, YouTube may:

  • Collect your IP address, browser/device info
  • Set tracking cookies or use device fingerprinting
  • Link usage data to your Google profile (if logged in)

Further Information on Google Services:

Vimeo

We embed videos on our website using Vimeo, a service operated by Vimeo, Inc., 330 West 34th Street, 5th Floor, New York, NY 10001, USA ("Vimeo")

When you access a page that contains an embedded Vimeo video, Vimeo uses cookies to collect information as:

  • IP address, device/browser details, and referring URL
  • Associate usage data with your Vimeo profile if you are logged in

Please consult Vimeo's Privacy Policy for further information: https://vimeo.com/privacy

5 - Use of Contact Forms and Other Communication Channels

If you contact us via the contact form on our website or by email, we will store your email address, name, and other contact details for the purpose of processing your request and addressing any follow-up questions. If your request is aimed at concluding a contract, the legal basis for this processing is Art. 6 para. 1 lit. b GDPR. In other cases, the legal basis is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in processing your request. Any data you provide will be deleted after processing is complete, unless there are legal obligations to retain it.

6 - Newsletter

By subscribing to our newsletter and confirming your subscription via the "double opt-in" procedure ("DOI"), you consent to our use of your first name, last name, and email address for the purpose of sending you the newsletter. The legal basis for processing this data is Art. 6 para. 1 lit. a GDPR. You may unsubscribe from the newsletter at any time, free of charge, thereby revoking your consent. Each newsletter contains a link that you can use to do so. Your email address will then be deleted from the newsletter distribution list.

7 - Use of our Screenwriting Software

We collect, store, and use the following data if you provide it to us in the context of using our Screenwriting SaaS:

  • Identification & contact data – legal/display name, avatar, e-mail, postal/billing address, VAT/tax ID
  • Authentication & account-security data – hashed passwords + salt, OAuth/SAML IDs, session/refresh tokens, MFA seed
  • User-generated content – script text & title, comments/notes, uploaded files, revision history
  • Collaboration & classroom metadata – team name, role (Admin/Member), invitee e-mails, classroom/course code, assignment & grade feedback
  • Usage & technical logs – IP address, timestamps, browser/OS user agent, device ID/cookie, feature-usage events, crash reports
  • Billing & payment data (controller capacity) – tokenised card brand & last-4, expiry date, Stripe customer & payment-method IDs, billing address, VAT/tax ID, invoice PDFs (full card data held only by Stripe)
  • Support & feedback data – help-desk tickets, chat transcripts, call recordings, satisfaction ratings
  • Consent & preference records– marketing-opt-in/out flags, notification settings, cookie-consent log

The legal basis for the processing of the data is Art. 6 para. 1 lit. b GDPR as it is necessary for the performance of a contract with you.

We process these data for the following purposes:

  • Deliver the core screen-writing SaaS: create, edit, store and sync scripts, notes and uploads in real time
  • Enable collaboration workflows: invite users, assign roles, manage teams & classrooms, grade student assignments
  • Safeguard confidentiality, integrity and availability: authenticate users, control access, log activity, run backups/DR, block abuse
  • Diagnose and resolve technical issues & support requests raised by customers
  • Produce aggregated, non-identifying usage metrics that help customers monitor adoption and let Arc Studio improve performance and UX (no marketing use)
  • Register and manage user accounts, subscriptions, invoicing, tax/VAT compliance and payment disputes
  • Send mandatory service notifications

We may use use data to conduct internal product analytics and A/B testing. The legal basis for this specific kind of processing of the data is Art. 6 para. 1 lit. f GDPR as it is our legitimate interest to enhance features and security of our product. The contents of your documents are not used for this purpose.

Customer data is retained and deleted according to the following principles:

  • Automatic purge: once the customer requests account deletion, all project data (scripts, notes, uploads, comments, classroom material) are flagged pending-delete and immediately become inaccessible to users.
  • Primary stores: Customers and project data flagged for deletion is deleted within 30 days from our primary stores.
  • Back-ups & replicas: Encrypted snapshots containing those records expire and are overwritten within the next backup cycle (≤ 35 days), so full eradication is complete ≤ 65 days from the trigger date.
  • Logs: Operational logs are kept for less than a year.
  • Billing & tax files (invoices, Stripe payment records) are retained for the statutory 7–10 years required by tax law, then deleted.
  • Support tickets & e-mail threads are kept for at least 6 years.

8 - Use of external Service Providers

We work with several external service providers to perform contracts with our customers and manage our business. In this context, we may transfer personal data to these service providers. Unless otherwise specified in this privacy policy, the legal basis for processing this data is Art. 6 para. 1 lit. b GDPR when it is necessary for initiating and/or performing the contract with you. If the involvement of external service providers is for the purpose of administering and improving our internal processes, then this constitutes our legitimate interest in data processing. The legal basis for this data processing is Art. 6 para. 1 lit. f GDPR.

We work exclusively with external service providers who are professionally or contractually bound by a data processing agreement to comply with data protection regulations.

Our service providers are located outside the EU/EEA. In order to ensure an adequate level of data protection, we only transfer personal data in third countries if suitable guarantees to ensure an adequate level of data protection are in place (Art. 44 et seq. GDPR). We only collaborate with service providers that are contractually bound by the EU standard contractual clauses for the transfer of personal data in third countries and/ or are covered by the EU Commission's current adequacy decisions for third countries.

In addition to the external service providers mentioned elsewhere in this privacy policy, we work with the following providers and may transfer your personal data to them:

  • Cloud storage and hosting: Amazon Web Services, Inc. (USA)
  • Payment processing: Stripe, Inc. (USA)
  • Error and crash reporting: SmartBear Software Inc. (USA)
  • Log aggregation and retention: SolarWinds (USA), Papertrail (USA)
  • Customer-support inbox: FrontApp, Inc. (USA)
  • Staff email: Google, Inc. (USA)
  • Lifecycle / onboarding e-mails, Transactional emails: Customer.io, Inc. (USA)
  • Feature-request board: Nolt.io (Canada)
  • Optional video-meeting integration: Zoom Video Communications, Inc. (USA)
  • Optional table read text-to-speech functionality: Eleven Labs, Inc. (USA), Murf Inc. (USA)
  • Optional image generation features: Runway AI, Inc.
  • Optional research assistant features: OpenAI OpCo, LLC (USA), Anthropic PBC (USA), Perplexity AI, Inc. (USA)

9 - Data Subject Rights

You have the following data protection rights:

  • Art. 15 GDPR: right to obtain information about the personal data we have stored about you
  • Art. 16 GDPR: right to request the correction of inaccurate data or the completion of incomplete data stored by us
  • Art. 17 GDPR: right to request the erasure of your stored data
  • Art. 18 GDPR: right to restrict the processing of your data
  • 20 GDPR: Right to Data Portability
  • Art. 7(3) GDPR: Revocation of consent.

You also have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR.

Right to Object

If we process your data on the basis of legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR, you may object to the processing of your data pursuant to Art. 21 GDPR, provided that there are reasons arising from your particular situation, or if the objection is directed against direct marketing. In the latter case, you have a general right to object, which we will honor without requiring you to specify a particular situation.

To exercise your rights, simply send an email to privacy@arcstudiopro.com.

We reserve the right to change or adapt this privacy policy at any time in accordance with applicable data protection law.

Last updated: 2025/09/08