Arqueosfera

This Privacy Policy describes how Arqueosfera ("we", "us", "our") processes personal data when you use the Arqueosfera platform. Contact our privacy team at privacy@archsphere.app.

Arqueosfera is a B2B workspace product. When your organization uses Arqueosfera to manage participants (employees, collaborators, or other individuals), your organization is generally the data controller for participant data and Arqueosfera acts as a data processor (operator) on your organization's instructions.

1. Roles: controller and processor

For account registration data (name, email, organization, authentication credentials), Arqueosfera is the data controller.

For participant records, assessments, performance notes, and workspace content entered by your organization about third parties, your organization is the data controller. Arqueosfera processes that data solely to provide the service under your organization's account.

Your organization is responsible for establishing a lawful basis to collect and process participant data and for informing data subjects as required by applicable law.

2. Personal data we process

Account data: full name, work email, optional organization name, password hash, profile avatar URL, authentication session data.

Participant data (entered by your organization): name, role, department, photo, behavioral and communication assessments, mood-state observations, skill scores, performance results, and links to user accounts when applicable.

Usage data: workspace preferences, theme and language settings (with consent), onboarding state, and in-app notifications.

We do not intentionally collect sensitive personal data. Mood-state and behavioral assessments may include information that your organization should treat as high-impact personal data under LGPD.

3. Purposes and legal bases (LGPD Art. 7)

Provide and secure the service (contract performance — Art. 7, V).

Authenticate users and maintain sessions (contract / legitimate interest — Art. 7, V and IX).

Process participant and workspace data at the controller's direction (contract with the controller — Art. 7, V).

Store UI preferences in cookies/local storage when you consent (consent — Art. 7, I).

Respond to data subject requests and comply with law (legal obligation — Art. 7, II).

4. Sub-processors

Supabase — authentication, database hosting, and transactional email.

Google — OAuth sign-in (identity provider) when you choose Google authentication.

GitHub — OAuth sign-in (identity provider) when you choose GitHub authentication.

External avatar image hosts when profile or participant photos use third-party URLs.

We require subprocessors to implement appropriate security measures. International transfers may occur depending on infrastructure regions; we rely on contractual safeguards where applicable (LGPD Art. 33).

Workspace owners may share read access to their workspace with other registered users. Shared data may include projects, tasks, participants, and assessments.

We do not sell personal data. We disclose data to subprocessors only as needed to operate the service or when required by law.

6. Retention

Account data is retained while your account is active and as needed to comply with legal obligations.

Participant data is retained according to your organization's use of the product until deleted by authorized users or upon account deletion where cascade rules apply.

Consent records are retained to demonstrate compliance.

You may request account deletion as described in Section 8.

7. Security

We use row-level security, server-side credential handling, HTTP-only session cookies, and access controls to protect personal data.

No method of transmission or storage is completely secure; please use strong passwords and limit workspace sharing appropriately.

8. Your rights (LGPD Art. 18)

You may request confirmation of processing, access, correction, anonymization, portability, deletion, and information about sharing.

Use the Privacy & Data section in your profile to export account data, manage cookie preferences, or delete your account.

For participant data controlled by your employer or organization, contact your organization first; Arqueosfera will assist the controller as required.

You may also contact privacy@archsphere.app. We respond within applicable legal deadlines (typically 15 days under LGPD).

9. Children

Arqueosfera is intended for professional and organizational use. We do not knowingly collect data from children under 18.

10. Changes

We may update this policy. Material changes will be reflected with a new "Last updated" date (current version: 2026-06-21). Continued use after notice may constitute acceptance where permitted by law.