Privacy Policy - MCP EU AI Act

1. Data Controller

ArkForge is responsible for the processing of your personal data when you use the MCP EU AI Act service (mcp.arkforge.fr).

DPO Contact: contact@arkforge.fr

2. Data Collected

We only collect data necessary for the operation of the MCP EU AI Act service:

Data	Purpose	Legal Basis
Email address	Pro account creation, communication, support	Contract performance
Scanned projects metadata (Pro API)	Providing the compliance scanning service	Contract performance
Payment data	Payment processing via Stripe	Contract performance
IP address, User-Agent	Security, abuse prevention, rate limiting	Legitimate interest
Usage data (analytics)	Service improvement	Legitimate interest

Free MCP scanner: Runs entirely locally. Your source code never leaves your machine.

We do not collect sensitive data (health, political opinions, religion, sexual orientation, biometric data).

3. How Your Data Is Used

Service delivery: compliance scanning, generating reports, sending scan results
Communication: transactional emails (API key delivery, risk alerts), technical support
Billing: payment processing, invoice delivery
Improvement: anonymized usage analysis to improve the scanner
Security: abuse and intrusion detection and prevention

We do not use your data for advertising purposes. We do not sell your data.

4. Data Recipients

Your data may be shared with the following processors, strictly for the purposes described:

Processor	Role	Location
Stripe Inc.	Payment processing	United States (Standard Contractual Clauses)
OVH SAS	Server hosting	France (Roubaix)
Plausible Analytics	Analytics (no cookies, privacy-friendly)	European Union

No other third party has access to your data. For transfers outside the EU (Stripe), Standard Contractual Clauses (SCC) compliant with GDPR are in place.

5. Data Retention

Account data: retained for the duration of your subscription + 3 years (legal obligation)
Billing data: 10 years (French accounting obligation)
Scan data: 90 days after account deletion
Security logs: 12 months
Analytics data: continuously anonymized (Plausible does not store personal data)

6. Your GDPR Rights

Under the General Data Protection Regulation (GDPR), you have the following rights:

Right of access: obtain a copy of your personal data
Right to rectification: correct inaccurate data
Right to erasure: request deletion of your data
Right to portability: receive your data in a structured format
Right to object: object to the processing of your data
Right to restriction: restrict processing in certain cases

To exercise your rights, send an email to contact@arkforge.fr specifying your request and the email address associated with your account. We will respond within 30 days.

If you believe your rights are not being respected, you may file a complaint with the CNIL (French Data Protection Authority).

7. Security Measures

Encryption in transit: all communications are encrypted via TLS/HTTPS
Encryption at rest: sensitive data is encrypted on our servers
Access control: data access is limited to what is strictly necessary
Backups: regular encrypted backups
Secure payments: we never store your credit card data (processing exclusively by Stripe, PCI DSS certified)
Monitoring: continuous infrastructure monitoring

8. Cookies

We use Plausible Analytics, a privacy-friendly analytics solution that does not set any cookies and does not collect personal data.

We do not use tracking cookies, advertising cookies, or third-party cookies.

Only cookies strictly necessary for service operation (authentication session) may be used. These cookies are exempt from consent under the ePrivacy Directive.

9. Changes

This privacy policy may be updated to reflect changes in our practices or legal requirements. In case of substantial changes, we will notify you by email.

The date of the last update is shown at the top of this page.