Privacy Policy

This Privacy Policy explains how ARBIT LAB (“we,” “us,” or “our”) handles your information when you use our website at arbitlab.com, create an account, subscribe to a plan, or download and run the ARBIT LAB desktop application. We respect your privacy and are committed to being transparent about what we collect and why.

If you have questions, reach us at hello@arbitlab.com.

1. Information We Collect

Account data

When you create an ARBIT LAB account, we store your email address, display name (if provided), a hashed password (we never store your password in plain text), and the timestamp of account creation. We do not collect payment card details directly — those are handled by Stripe (see below).

Billing data

Subscriptions and one-time purchases are processed by Stripe, Inc. When you subscribe, Stripe shares with us a customer identifier, subscription status, plan ID, and renewal dates. Your full card number, CVC, and billing address are collected and stored solely by Stripe under their own Privacy Policy.

Usage and telemetry

The desktop application includes optional, opt-in telemetry powered by PostHog. If you enable telemetry (disabled by default), we collect anonymised events such as which features you use and application performance metrics. We do not collect the content of your prompts, agent outputs, file contents, or source code. You can disable telemetry at any time in the application Settings or by setting the environment variable TELEMETRY_ENABLED=false.

Log data

Our servers may log standard HTTP request metadata (IP address, browser user-agent, request path, timestamp, and response code) for security, debugging, and abuse prevention. Log lines are automatically scanned and redacted to remove patterns that look like secrets or tokens before they are stored.

2. Your Code Stays Local

ARBIT LAB is a local-first desktop application. Your repositories, source code, worktrees, and agent conversation history are stored in a local SQLite database on your machine. We do not upload, sync, or transmit your source code to our servers. When agents run tasks, your code and prompts travel only to the AI provider CLI of your choosing (Claude Code, Codex, Gemini, etc.) — governed by that provider’s own terms and privacy policy. ARBIT LAB acts as an orchestration layer and never stores or proxies the content of your agent sessions.

3. Cookies and Session Storage

We use session-only cookies on the web account portal to maintain your login state. We do not use tracking cookies, advertising cookies, or persistent analytics cookies beyond the session. The session cookie is HTTP-only, Secure, and is deleted when you close your browser or explicitly sign out.

4. How We Use Your Information

• —Authenticating you and maintaining your account.
• —Processing subscription payments and managing your license through Stripe.
• —Sending transactional emails (password reset, subscription receipts, security alerts). We do not send marketing email without your consent.
• —Detecting and preventing fraud, abuse, and unauthorized access.
• —Improving the product through anonymised, aggregated telemetry (only if you opt in).
• —Complying with applicable legal obligations.

5. Data Sharing and Third Parties

We do not sell your personal data. We share data only with:

• —Stripe — for payment processing.
• —Our hosting provider — for serving the web portal (your data remains within their data centers under standard processor agreements).
• —PostHog — for optional, anonymised product analytics.
• —Law enforcement or regulators — only where required by law or to protect our users and systems.

6. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or accounting purposes (e.g. billing records may be retained for up to 7 years as required by tax law). Anonymised, aggregated analytics data may be retained indefinitely.

7. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete the personal data we hold about you. To exercise any of these rights, email us at hello@arbitlab.com with the subject line “Privacy Request.” We will respond within 30 days.

8. Security

We store passwords using a modern, salted hashing algorithm. Connections to our web portal are encrypted via TLS. We employ rate limiting, session invalidation, and pattern-based secret redaction in logs. No method of transmission over the internet is 100% secure; if you believe your account has been compromised, contact us immediately at hello@arbitlab.com.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via the account portal or by email to your registered address. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance of the revised policy.

10. Contact

For privacy-related questions, requests, or concerns: