Privacy Policy

1. Introduction

Applied Research & Computing, Corp. ("we", "us", or "our") operates the Carbon platform ("the Service"). This Privacy Policy explains how we collect, use, and protect your personal information when you use the Service.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and profile picture through our identity provider (Zitadel). We do not store your password.

Usage Data

We collect information about how you use the Service, including AI token usage, compute hours, storage consumption, and feature interactions. This data is used for billing, rate limiting, and improving the Service.

Content

We store files, reports, analyses, and other content you create within the Service. This content is associated with your team and is accessible to team members based on their roles and permissions.

Payment Information

Payment processing is handled by Stripe. We do not store credit card numbers or bank account details on our servers. We retain Stripe customer and subscription identifiers to manage your billing.

3. How We Use Your Information

• Providing, maintaining, and improving the Service
• Authenticating your identity and managing access
• Processing payments and tracking usage for billing
• Sending transactional communications (e.g., billing receipts, security alerts)
• Monitoring for abuse, fraud, and security threats
• Complying with legal obligations

4. Cookies and Local Storage

We use the following cookies and browser storage, all of which are essential for the Service to function:

• Session cookie — Maintains your authenticated session (NextAuth)
• Team selection cookie — Remembers your active team for navigation
• Theme preference — Stores your light/dark mode choice
• Local storage — Persists UI state such as active team selection

We do not use third-party tracking or advertising cookies.

5. Error Monitoring

We use Sentry to capture application errors and performance data. This may include technical information such as browser type, operating system, stack traces, and request metadata. No personally identifiable content is intentionally sent to Sentry.

6. Data Sharing

We do not sell your personal information. We may share data with:

• Service providers — Stripe (payments), AWS (infrastructure), Sentry (error monitoring), and our identity provider for authentication
• Your team members — Content and activity within a team is visible to other members based on their permissions
• Legal requirements — When required by law, subpoena, or to protect our rights

7. Data Retention

We retain your account data for as long as your account is active. Usage events are retained for billing and audit purposes. If you delete your account or team, we will delete associated data within 30 days, except where retention is required by law or for legitimate business purposes.

8. Data Security

We use industry-standard security measures to protect your data, including encryption in transit (TLS), encryption at rest, and role-based access controls. Authentication is handled through a dedicated identity provider with OIDC. However, no method of transmission or storage is 100% secure.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Export your data in a portable format
• Object to or restrict certain processing

To exercise these rights, contact us at the address below.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service or by email. Your continued use of the Service after changes constitutes acceptance.

11. Contact

If you have questions about this Privacy Policy, contact us at support@appliedrnc.com.