Privacy Policy | Arc en Ciel

Controller

ArcEnCiel UG is the controller for the platform at arcenciel.io and its subdomains.

ArcEnCiel UG Am Vietshof 2-4 46236 Bottrop Germany Represented by: Murat Turcan, Managing Director Email: [email protected] Register court: Amtsgericht Gelsenkirchen Register number: HRB 19844

Privacy contact: [email protected]

Supervisory authority: Landesbeauftragte fuer Datenschutz und Informationsfreiheit Nordrhein-Westfalen, https://www.ldi.nrw.de/

Scope and Public Visibility

We process account, profile, community, upload, moderation, security, billing, support, and optional integration data so users can use Arc en Ciel.

Public uploads, comments, reactions, collections, profile text, profile media, and other community activity can be visible to other users, visitors, search engines, and third parties outside our control.

Processing Activities

• Account creation, login, email verification, password resets, two-factor state, authentication cookies, server-side refresh sessions, trusted login devices, login verification emails, and account security.
• Public profile, uploads, model files, images, videos, articles, collections, comments, reactions, and creator workflows.
• Security, moderation, illegal-content notices, abuse prevention, audit logging, guest identifiers, trusted-device identifiers, and hashed IP based deduplication.
• Download history, download counting, supporter memberships, donations, Stripe checkout sessions, billing metadata, and required legal confirmations.
• Optional analytics, optional guest cookies, Cloudflare Turnstile, Discord login or linking, Civitai import or export, Hugging Face downloads, and generator assistant requests.

Cookies and Device Storage

• Necessary cookies include token, refreshToken, loginDeviceId, and twoFactorToken for signed-in use, refresh-session rotation, trusted-device recognition, and account security.
• Optional two-factor remember storage can be used when users choose to remember a browser for two-factor prompts.
• Optional storage can include analytics consent, guest pseudonymous identifiers, theme and rating preferences, Civitai export session state, link-service base URLs, and generator UI preferences.
• Optional analytics and the optional guest cookie are enabled only after consent and can be changed later from Cookie settings in the footer.

Your Rights

Depending on the context, GDPR rights can include access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent where processing is consent based.

You can use product settings where available or contact [email protected]. You can also lodge a complaint with a competent supervisory authority.

Retention and Transfers

Account and public content data is generally retained while the account or content remains active. Refresh sessions expire after about 30 days, trusted login devices after about 180 days unless revoked earlier, and login-verification challenges are short-lived. Expired or revoked login-security records are removed after a limited security retention window.

Security, moderation, audit, legal, billing, backup, and compliance records can remain for limited or legally required periods.

Providers can process data in the EU/EEA and, depending on the provider, in other countries. We rely on provider terms, contractual safeguards, and transfer mechanisms where required.