1. Data Collection Scope

We collect minimal information necessary for operation:

Account Information (Required):

• Email address (for login, notifications, and invitation codes)
• Username (Display name, customizable)
• Encrypted Passwords (Stored using bcrypt; cannot be viewed or reversed)

Donation Information (If applicable):

• Donation Amount transmitted via Buy Me a Coffee (payment details are not stored)
• Email address (used to send invitation codes)

Technical Logs (Automatically collected):

• IP Address (for security auditing and geographic restrictions)
• Browser User-Agent (for compatibility optimization)
• Timestamps and Page URLs (for anonymized usage analysis)

2. Use of Information

Restricted Use Policy:

• ✅ Account Authentication: Verifying identity and sending login alerts
• ✅ Invitation Code Issuance: Sending automated emails after donations
• ✅ Service Notifications: Rare updates or policy changes (opt-out available)
• ✅ Security Auditing: Detecting unusual activity and preventing abuse
• ✅ Service Improvement: Analyzing anonymized logs to improve UI/UX

We WILL NOT:

• ❌ Sell your personal information to third parties
• ❌ Use your information for commercial marketing
• ❌ Use your email for non-project related promotions
• ❌ Analyze your specific market behavior (e.g., tracking specific stocks viewed)

3. Information Sharing & Disclosure

Strict Confidentiality:

We may share data with:

• ✅ Email Providers (e.g., SendGrid): Strictly for verification and notification emails
• ✅ Server Providers (e.g., Vultr/AWS): For hosting the website and database
• ✅ CDN Providers (e.g., Cloudflare): For acceleration and DDoS protection

We NEVER share data with:

• ❌ Advertisers or data analytics firms
• ❌ Data brokers
• ❌ Financial institutions
• ❌ Unauthorized third parties

Mandatory Disclosure:
Information will only be disclosed if required by a valid court order or formal law enforcement request. We will advocate for your privacy to the fullest extent possible.

4. Data Storage & Security

Storage Locations:

• Main Server: New York, USA (Vultr/AWS)
• Database: PostgreSQL on an independent server
• Backups: Encrypted daily backups to AWS S3

Security Measures:

• ✅ Transmission Encryption: Site-wide HTTPS forced (TLS 1.3)
• ✅ Password Encryption: Salted bcrypt hashing
• ✅ Database Encryption: Encryption-at-rest (AES-256)
• ✅ Access Control: Strictly limited permissions for server/DB access
• ✅ Log Retention: Access logs are automatically deleted after 30 days

5. Your Rights & Control

You have the following rights:

• ✅ Right to Access: View your registered email and username after login
• ✅ Right to Rectify: Modify your username in account settings (email change requires verification)
• ✅ Right to Erasure: Permanently delete your account; all data cleared within 30 days
• ✅ Right to Portability: Request account data export (JSON format, sent within 72 hours)
• ✅ Right to Opt-out: Unsubscribe from all non-essential notifications

Exercising Your Rights:

• Visit the "Account Settings" page after logging in
• Or email legal@arkvol.com (Response time: 3 business days)

Account Deletion:

• Deletion is irreversible and invitation codes become void
• Donation records are retained but anonymized for financial compliance

6. Cookies & Tracking

Cookies we use:

Essential Cookies (Cannot be disabled):

• Session ID: To maintain login status
• CSRF Token: To prevent Cross-Site Request Forgery
• Language Preference: To store your UI settings

Analytics Cookies (Optional, disabled by default):

• Cloudflare Web Analytics: Privacy-first analytics without individual identifiers
• Any future use of Google Analytics will employ IP Anonymization and Cookieless Mode

Your Control:

• You may disable non-essential cookies via browser settings
• Note: Disabling essential cookies may break core site functionality

Do Not Track (DNT):
We respect browser DNT settings and do not track your cross-site behavior.

7. Children's Privacy

Age Restrictions:

• This service is not intended for children under 13
• We do not knowingly collect information from children

Parental Rights:

• If you discover your child has registered, contact legal@arkvol.com immediately
• We will delete the account and clear all data within 24 hours

8. Data Retention

While Account is Active:

• Account info, donation history, and invitation code logs are retained
• Access logs are kept for 30 days for security auditing

After Account Deletion:

• Account Info: Permanently deleted within 30 days
• Donation Records: Retained but anonymized for compliance
• Technical Logs: Deleted automatically after 30 days

Anonymized Data:
Aggregated, anonymized statistics may be kept indefinitely for service improvement

9. International Data Transfers

Cross-border Transfer Notice:

• Servers are located in the USA; data will be transferred across borders
• If you are in the European Economic Area (EEA), your data will be transferred to the USA
• We rely on Standard Contractual Clauses (SCCs) and Data Minimization principles to protect your privacy

10. Policy Updates

Notification Methods:

• Major updates (affecting your rights) via email (7-day notice)
• General updates via site announcements
• Updates are effective immediately upon posting

Historical Versions:
Archive links are provided at the bottom of this page

Disagreement:

• You may request account deletion via legal@arkvol.com
• Continued use constitutes acceptance of updated policies

11. Contact Information

Privacy Officer: arkvol.com Operator
Email: legal@arkvol.com
Response Time: Within 3 business days

Note: There is no dedicated support team; privacy requests are handled via email by the developer.

12. Governing Law

Applicable Law: Laws of the Hong Kong Special Administrative Region (interpreted in favor of the operator).

Dispute Resolution: Disputes shall be submitted to the Hong Kong International Arbitration Centre (HKIAC) under its current rules. You waive any right to class action.

• Place of Arbitration: Hong Kong
• Language: Chinese or English (at the operator's discretion)
• Awards are final and binding

Class Action Waiver:
You explicitly waive the right to participate in class actions and agree to individual arbitration.