Skip to content
SEC API

Legal

Privacy Policy

A privacy policy for a product that runs on accounts, API traffic, telemetry, billing workflows, and support operations. It explains what data we collect, why we collect it, and how we handle it.

Terms of ServiceStatus
Version 1.0 · Effective June 19, 2026
Focused on account, API, telemetry, and support data
No sale of personal data

Overview

This policy explains what personal data we collect, how we use it, and how we handle it across secapi.ai.

Arcade Group, Inc. (operating as secapi.ai), a company based in Wyoming, United States, is the controller responsible for personal data processed through secapi.ai. This Privacy Policy applies to secapi.ai, api.secapi.ai, docs.secapi.ai, SEC API, related SDKs, hosted tools, support interactions, and other services that link to this policy. It covers personal data we collect directly from you, automatically from your use of the service, and from service providers or business partners that help us operate the platform.

  • Version 1.0 · Effective June 19, 2026.
  • This policy is designed for a product that operates through web traffic, API requests, account usage, and support workflows.
  • If a separate agreement or a product-specific notice applies to a service, that agreement or notice may supplement this policy.

What we collect

We collect account details, billing details, usage telemetry, device data, and support information needed to run the service.

The exact data we collect depends on how you use secapi.ai, but it generally falls into a few categories tied to account administration, service delivery, security, analytics, and support.

  • Account and contact data, such as your name, email address, organization, plan details, and account preferences.
  • Billing and transaction data, such as subscription status, invoices, payment status, and limited payment-related metadata from billing processors.
  • API and product usage data, such as request timestamps, endpoints, query parameters, response sizes, trace or request IDs, error logs, rate-limit activity, and feature usage.
  • Device, browser, and network data, such as IP address, user agent, approximate location inferred from IP, cookies, local storage, and performance diagnostics.
  • Support and communications data, such as emails, chat transcripts, bug reports, attachments, and feedback you send us.

How we use data

We use personal data to deliver the product, secure it, improve it, and communicate with you about it.

We use personal data to create and manage accounts, authenticate users, process payments, respond to support requests, analyze performance, detect abuse, investigate incidents, improve reliability, and communicate about service updates, legal notices, and relevant product information.

  • Service delivery, including authentication, billing, rate limiting, API access, and customer support.
  • Security, fraud prevention, abuse detection, incident response, and enforcement of our terms and usage restrictions.
  • Product analytics, debugging, capacity planning, and performance monitoring.
  • Communications about onboarding, account activity, support, renewals, changes to the service, and other operational notices.

Legal bases

Where the GDPR or similar laws apply, each purpose maps to a specific legal basis.

Depending on your location and the context, we rely on one or more of the following legal bases under the GDPR and equivalent laws, matched to the purpose of processing.

  • Contract (Art. 6(1)(b)): to create and manage your account, authenticate access, deliver the API and dashboard, process payments, and provide support.
  • Legitimate interests (Art. 6(1)(f)): to secure the platform, prevent abuse and fraud, debug and improve reliability, analyze usage in aggregate, and send operational notices — balanced against your rights and interests.
  • Legal obligation (Art. 6(1)(c)): to meet tax, accounting, and other legal requirements and to respond to lawful requests.
  • Consent (Art. 6(1)(a)): for non-essential cookies and analytics and certain marketing communications. You may withdraw consent at any time without affecting processing already carried out.
  • Some uses of the service may not be possible if key data is withheld or deleted while the account remains active.

Sharing

We share personal data only with service providers, affiliates, legal authorities, and transaction counterparties when necessary.

We do not sell personal data, and we do not share it for cross-context behavioral advertising. We may share personal data with subprocessors and service providers that help us operate the platform, including providers for hosting, infrastructure, observability, analytics, billing, communications, and support. We may also disclose data when required by law, to protect rights and safety, or in connection with a merger, financing, acquisition, reorganization, or sale of assets.

  • Our current subprocessors are published, with their purpose and region, on the Trust page, and we give advance notice before adding a new one.
  • Service providers may process personal data only on our instructions and for the services they provide to us, subject to appropriate contractual safeguards.
  • If we disclose data for legal or compliance reasons, we do so only when we reasonably believe the disclosure is required or appropriate.
  • If ownership of the service changes, personal data may transfer as part of that transaction, subject to this policy or a replacement notice.
Current sub-processorsData Processing Agreement

AI, MCP, and model data

We do not train general-purpose AI models on your inputs or outputs, and we do not sell your tool data.

secapi.ai exposes data through an API, MCP tools, SDKs, and an optional chat experience. When you send queries or receive results through these surfaces, we use that content only to provide the requested functionality, operate and secure the service, and support you.

  • We do not use your queries, prompts, tool inputs, or outputs to train general-purpose or foundation AI models, and we do not sell that content.
  • Some optional features call third-party model providers (for example, to answer documentation questions or run enrichment you enable); those providers process the content only to return a result and under contractual confidentiality and data-protection terms.
  • Aggregated or de-identified usage that no longer identifies you may be used to monitor quality and improve the service.

International transfers

Your data may be processed in countries other than the one where you live, with safeguards where required.

secapi.ai is operated from the United States and uses service providers and infrastructure in multiple countries. For transfers of personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and the Swiss adaptations, together with additional technical and organizational safeguards — consistent with our Data Processing Agreement.

  • By using the service, you understand that your data may be processed in jurisdictions that have different data-protection rules than your home jurisdiction.
  • Where required, we use the transfer mechanisms above and additional safeguards to protect personal data during international processing.

Retention

We keep personal data only as long as we need it, with concrete windows by data type.

Retention depends on the type of data and why we collected it. The periods below are our general defaults; we may keep data longer where a law requires it or where it is needed to resolve a dispute or enforce our agreements, and shorter where the data is no longer needed.

  • Account and profile data: for as long as your account is active, then up to 24 months after closure (longer where tax, accounting, or other law requires).
  • Billing and transaction records: up to 7 years after the transaction, to meet tax and accounting obligations.
  • API, MCP, and product usage logs: up to 24 months, then deleted or de-identified.
  • Support communications: up to 3 years after the interaction.
  • Security and audit logs: up to 24 months for abuse prevention, incident response, and integrity.
  • Acceptance records (Terms / Privacy): retained for the life of the account and a reasonable period afterward as legal evidence of consent.
  • Backups: residual copies are overwritten on our normal backup-rotation cycle (typically within 90 days) after deletion from active systems, consistent with our Data Processing Agreement. We may retain de-identified or aggregated data that no longer identifies you.

Cookies and similar technologies

We use essential cookies to run the service and non-essential cookies only with your consent.

secapi.ai uses cookies and similar technologies to keep you signed in, secure sessions, and remember preferences (essential), and — only where you consent — to measure usage and improve the product (analytics). Our Cookie Policy describes the categories and the specific technologies we use, and you can change your choice at any time.

  • Essential cookies are always on because the service cannot function without them; analytics cookies load only after you opt in.
  • You can manage non-essential cookies through our consent control and through your browser settings; blocking some technologies may degrade certain features.
Cookie Policy

Your rights (EEA, UK, Switzerland, Brazil)

If you are in the EEA, UK, Switzerland, or Brazil, you have data-subject rights you can exercise with us.

Subject to applicable law, you may request access to the personal data we hold about you; ask that it be corrected, deleted, or restricted; object to certain processing; withdraw consent; and request a portable copy of certain data. Send requests to security@secapi.ai; we respond within the time required by law.

  • We may need to verify your identity before fulfilling a request, and you may use an authorized agent (with proof of authorization) to act on your behalf.
  • If we decline a request, you may appeal by replying to our response, and you may also lodge a complaint with your local supervisory authority.
  • Some data may need to be retained for security, legal, billing, or contractual reasons even if you request deletion.
  • You may opt out of non-essential marketing at any time using the unsubscribe link or your account preferences.

U.S. state privacy rights

If you are a U.S. resident, you have rights under California and other state privacy laws.

Residents of California, Colorado, Connecticut, Utah, Virginia, and other states with comprehensive privacy laws have rights to know and access the personal information we collect, to correct or delete it, to obtain a portable copy, and to opt out of the sale or sharing of personal information and certain profiling. We do not sell personal information and do not share it for cross-context behavioral advertising, so there is nothing to opt out of in that regard — but you may still exercise your other rights.

  • Categories we collect, the purposes, and the parties we disclose to for business purposes are described in the "What we collect," "How we use data," and "Sharing" sections above.
  • To exercise a right, email security@secapi.ai or use your account controls; we will verify your request and may allow an authorized agent to submit it.
  • We will not discriminate against you for exercising your rights. If we deny a request, you may appeal by replying to our decision.
  • California "Shine the Light": we do not disclose personal information to third parties for their own direct marketing.
  • Nevada residents may opt out of any future sale of covered information by contacting us, although we do not sell such information.

Security and children

We use reasonable safeguards, but no system is perfectly secure, and the service is not directed to children.

We use administrative, technical, and organizational measures designed to protect personal data, but no method of transmission or storage is completely secure. secapi.ai is not directed to children, and we do not knowingly collect personal data from children in connection with the service.

  • If you believe your account or personal data has been exposed, contact us promptly through the support channels listed on secapi.ai.
  • If we learn that we have collected personal data from a child in violation of applicable law, we will take steps to delete it.

Changes and contact

We may update this policy, and privacy questions should come through the contact channels on secapi.ai.

We may update this Privacy Policy from time to time to reflect changes in the service, legal requirements, or our data practices. If we make a material change, we will update the effective date on this page and may provide additional notice where appropriate.

  • Continued use of the service after an updated policy becomes effective means the updated policy applies to your ongoing use, subject to applicable law.
  • Privacy questions and data-subject requests can be sent to security@secapi.ai; general account questions go to support@secapi.ai.