TL;DR
In plain language.
Arcane is research, not advice. You agree not to redistribute, reverse-engineer, or resell the service. We agree to publish what we publish and keep the uptime we commit to. Either of us can end the relationship with appropriate notice.
01 · ACCEPTANCE
Accepting these terms.
By accessing any Arcane product — the Website, the Product, the API, or any Briefing — you agree to these Terms. If you're accepting on behalf of a firm, you represent you have authority to bind that firm.
These Terms form a binding contract between you and Arcane Intelligence Ltd, a private limited company registered in England & Wales (no. 14983027), registered office 40 Eastbourne Terrace, London W2 6LG.
02 · NOT INVESTMENT ADVICE
What Arcane is — and isn't.
Arcane is a research and intelligence service. Nothing published — in the Product, API, Briefings, or via Alpha — constitutes investment advice, a recommendation, or a solicitation to transact. Arcane is not registered as an investment adviser, broker-dealer, or futures commission merchant in any jurisdiction.
You alone are responsible for your decisions. Past regime readings do not predict future behaviour.
03 · ACCEPTABLE USE
What you can and can't do.
Subject to these Terms, Arcane grants you a non-exclusive, non-transferable, revocable license to access and use the Product. You may not:
- Redistribute, resell, or republish Briefings or Signals outside your firm.
- Reverse-engineer the model or scrape the Product at scale.
- Use Arcane to train competing ML systems.
- Operate the API for a third-party product without a commercial agreement.
- Use Arcane in any way that violates applicable law, sanctions, or export controls.
04 · SUBSCRIPTIONS & BILLING
Pricing, renewal, cancellation.
Subscriptions renew automatically at the published rate. Cancel any time from Your Arcane · Plan & billing. Cancellation takes effect at the end of the current billing period; annual plans are pro-rated on cancellation.
Overage billing applies when API usage exceeds your plan quota, at the rates on Pricing. You may set a hard cap in Build settings.
We may change pricing with 30 days' notice (monthly) or 60 days' notice (annual). Institutional pricing is contract-bound.
05 · AVAILABILITY & SLA
Uptime commitments.
Arcane targets 99.9% monthly uptime on Pro and Desk, 99.95% on Institutional. Scheduled maintenance is excluded and announced at least 48 hours in advance.
| Monthly uptime | Credit | Plans |
|---|
| ≥ 99.9% | None | All |
| 99.0% — 99.9% | 10% of fee | Pro · Desk · Institutional |
| 95.0% — 99.0% | 25% of fee | Pro · Desk · Institutional |
| < 95.0% | 50% of fee | Institutional |
06 · INTELLECTUAL PROPERTY
Who owns what.
The Product, Model (VIDI), methodology, and Briefings remain Arcane's intellectual property. Your account data — watchlists, preferences, custom signals — is yours. You grant Arcane a limited license to process that data solely to provide the service.
07 · TERMINATION
Ending the agreement.
You may terminate any time. Arcane may terminate for material breach, prolonged non-payment, illegal use, or — with 90 days' notice — for any reason. On termination, account data is deleted per the Retention schedule except as legally required to retain.
08 · LIMITATION OF LIABILITY
Limits.
To the maximum extent permitted, Arcane's liability is limited to fees paid in the 12 months preceding the claim. Arcane is not liable for lost profits, lost trading opportunity, or consequential damages.
09 · GOVERNING LAW
Jurisdiction.
These Terms are governed by the laws of England & Wales. Disputes are subject to the exclusive jurisdiction of the courts of England & Wales.
TL;DR
In plain language.
We collect only what's necessary to run the product. We never sell your data, never share it across tenants, and never train on your trade data — which we don't receive. Export or delete any time. Your data lives in the EU unless you're on a US-residency Institutional contract.
01 · WHAT WE COLLECT
The data.
| Category | Examples | Retention |
|---|
| Account | name, email, org, role, billing | Life of account + 7 yr (tax) |
| Product usage | watchlist, prefs, API calls | Life of account + 90 d |
| Behavioural | page views, feature usage (aggregated) | 13 mo rolling |
We do not collect trade data, positions, P&L, or broker identifiers. The model is trained on public market microstructure, not on user behaviour.
02 · LAWFUL BASIS
Why we use it.
Under UK GDPR: contract (to deliver the service), legitimate interest (product improvement, security), legal obligation (tax, anti-fraud), consent (marketing, revocable any time).
03 · SHARING
Who sees it.
Your data is shared only with the sub-processors listed on the DPA tab — all bound by data-processing agreements. We never sell, rent, or share with advertising networks. We never share between tenants.
04 · YOUR RIGHTS
Access, export, delete.
At any time you may: access all data we hold; export it as JSON or CSV; correct inaccuracies; delete your account (which removes personal data within 30 days, excluding tax-required billing records); restrict or object to processing; port data elsewhere; lodge a complaint with a supervisory authority (UK: ICO).
Requests: privacy@arcane.io · response within 30 days.
05 · RESIDENCY
Where it lives.
Default residency: EU (AWS eu-west-1, Ireland). US-residency Institutional customers: us-east-2 (Ohio). Data never leaves the elected region for production processing. Cross-region transfer only for debugging with explicit consent.
06 · CONTACT
DPO.
Our Data Protection Officer is Ingrid Halverson. dpo@arcane.io · 40 Eastbourne Terrace, London W2 6LG, UK.
TL;DR
In plain language.
ISO 27001 certified · SOC 2 Type II in progress · TLS 1.3 everywhere · AES-256 at rest · 2FA on all plans (mandatory on Institutional) · quarterly pen tests · coordinated disclosure program.
01 · CERTIFICATIONS
What we're certified against.
| Standard | Status | Expires |
|---|
| ISO 27001 | Certified | JAN 2027 |
| SOC 2 Type II | In progress | Q3 2026 target |
| Cyber Essentials Plus | Certified | NOV 2026 |
| EU-US DPF | Self-certified | Annual |
Audit reports available under NDA from trust@arcane.io.
02 · ENCRYPTION
In transit & at rest.
TLS 1.3 with forward secrecy on all connections. HSTS enforced. Legacy TLS disabled. AES-256-GCM at rest via AWS KMS; keys rotate every 90 days. Database backups encrypted separately.
03 · AUTHENTICATION
Who gets in.
Passwords: Argon2id, conservative parameters. 2FA via TOTP on all plans; mandatory on Institutional. SAML SSO available on Desk (add-on) and Institutional (included). SCIM provisioning on Institutional.
04 · TESTING
What we verify.
External penetration testing quarterly by an independent firm. Internal red-team exercises twice a year. SAST on every commit; DAST weekly. Public disclosure program — report to security@arcane.io, acknowledged within 24h, researcher credit on resolution.
05 · INCIDENT RESPONSE
What happens if.
Dedicated on-call rotation. Customer-affecting incidents are posted to status within 30 minutes of confirmation. Institutional customers are notified directly by the named account manager. Post-incident reports published within 7 days.
TL;DR
Our sub-processors.
A short, curated list. We don't use any sub-processor we haven't vetted for security, GDPR compliance, and data-handling practice. Changes are announced 30 days in advance; customers can object.
01 · SUB-PROCESSOR LIST
Who we work with.
| Sub-processor | Purpose | Data | Region |
|---|
| AWS (Amazon Web Services) | Primary infrastructure | All production data | EU · US |
| Cloudflare | CDN & DDoS protection | Request metadata only | Global |
| Stripe | Payments | Billing · tax · card | EU · US |
| Postmark | Transactional email | Email addresses, email body | US |
| Twilio | SMS delivery (opt-in) | Phone numbers, message body | US |
| Sentry | Error monitoring | Error payloads · scrubbed | EU |
| Linear | Customer support ticketing | Support correspondence | US |
02 · REQUESTING A DPA
Getting the contract.
Pro and Desk customers can download the standard DPA from the link at the top of this page. Institutional customers receive a negotiated DPA as part of the MSA; contact your account manager.
03 · NOTIFICATION OF CHANGES
When we change a sub-processor.
New sub-processors are announced 30 days before production use. Customers can subscribe to dpa-notifications@arcane.io for explicit notice. Objections to a new sub-processor can be raised in that window; Institutional customers have a contractual right to work with us on an alternative or terminate.
TL;DR
In plain language.
Arcane uses a short list of cookies. Most are strictly necessary (authentication, session). We don't use advertising cookies. We don't share cookie data with third parties. You can opt out of the two non-essential ones below without losing any functionality.
01 · WHAT WE SET
The cookies.
| Name | Purpose | Type | Duration |
|---|
| ark_session | Authentication, session state | Necessary | 30 days |
| ark_csrf | CSRF protection | Necessary | Session |
| ark_prefs | UI preferences (theme, layout) | Necessary | 1 year |
| ark_mau | First-party product analytics (aggregated) | Optional | 13 months |
| ark_error | Error correlation (Sentry) | Optional | 30 days |
No third-party advertising cookies. No Google Analytics. No Meta pixel. We use first-party product analytics that report aggregate behaviour only.
02 · MANAGING COOKIES
Controlling them.
From Your Arcane · Privacy, you can opt out of the two Optional cookies individually. Browsers also allow you to clear or block cookies at the site level. Blocking the Necessary cookies will prevent you from signing in.
03 · DNT & GPC
Do-not-track signals.
Arcane honours Global Privacy Control (GPC) headers. When a GPC signal is detected, Optional cookies are disabled for that session without requiring explicit opt-out.