Privacy Policy

Arvane Holdings OÜ describes how it collects, uses, and safeguards personal data regarding our website, dashboard, APIs, and proxy services. We operate under GDPR and Estonian Personal Data Protection Act requirements, serving primarily B2B customers.

We act as data controller for account, billing, and support information. For network traffic routing, users/clients act as controllers while Atheris serves as processor—functioning as a "mere conduit" under EU law without monitoring payload content except for security and compliance purposes.

We do not intentionally collect special categories of personal data or information from children under 16.

Data originates from:

• Direct user submission (registration, payments, support)
• Automated systems (logs, security telemetry, cookies)
• Third parties (payment processors, sanctions screening, company registers)

• Service Delivery (GDPR Art. 6(1)(b)): Contract fulfillment
• Security & Abuse Prevention (Art. 6(1)(f)): Legitimate business interest
• Legal Compliance (Art. 6(1)(c)): Tax, accounting, sanctions obligations
• Analytics & Marketing (Art. 6(1)(a)): Consent-based, revocable anytime

We do not inspect or store payload content beyond transient technical processing. Minimal metadata is retained for billing, performance, and security. Automated systems may block or rate-limit abusive traffic. Enterprise clients can request custom retention controls via Data Processing Agreements.

Data may be shared with:

• Infrastructure providers (hosting, DDoS protection, network operators)
• Payment processors
• Support tools and ticketing platforms
• Regulatory bodies/law enforcement (when legally required)
• Corporate successors (merger/acquisition scenarios)

All third parties operate under GDPR-compliant contracts.

Transfers outside the EEA use Standard Contractual Clauses (SCCs) and additional safeguards per GDPR requirements.

Essential cookies operate continuously. Non-essential cookies require prior consent via banner. Users can modify preferences anytime via Cookie Settings.

• Account/Billing Data: Up to 7 years post-closure (legal requirement)
• Operational Logs: 30 days (longer if abuse investigations or legal obligations apply)
• Support Tickets: Up to 24 months

Data is deleted or anonymized when no longer needed.

We implement layered security, including encryption in transit, access control, key rotation, and monitoring. Personal data breach notifications go to affected users and the Estonian Data Protection Inspectorate without undue delay.

Under GDPR, you can:

• Access your personal data
• Correct inaccuracies
• Request erasure ("right to be forgotten")
• Restrict or object to processing
• Port data to other providers
• Withdraw consent for consent-based processing

Contact [email protected] to exercise rights; identity verification may be required.

We comply with EU/UN sanctions and prohibit use of the Service in violation of export controls or sanctions regimes. Flagged accounts may be suspended.

While B2B-focused, EU consumers may have 14-day withdrawal rights for distance contracts unless requesting immediate digital service activation (waiving this right afterward). We comply with the EU Consumer Rights Directive.

Updates are announced via dashboard and/or email. Continued service use following updates constitutes acceptance.