Privacy Policy
Effective date: May 26, 2026
This Privacy Policy describes how Arch ("Arch," "we," "us") collects, uses, shares, and protects information about you when you use the Arch mobile application (the "Service").
By using Arch you agree to the practices described here. If you do not agree, do not use the Service.
1. Who we are
The Arch service is operated from a mailing address of 2 Pond Road, Rumson, NJ 07760. You can reach us at support@arch.college for any privacy-related question or request.
2. Who can use Arch
Arch is exclusively for current undergraduate and graduate college students in the United States who are 18 years of age or older. You must verify your eligibility with:
- a working
.eduemail address issued by an accredited US college or university; and - a date of birth showing you are 18 or older.
We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, email us at support@arch.college and we will delete that account and all associated data within seven (7) business days.
3. Information we collect
3.1 Information you provide directly
When you create an account and use Arch, you provide us with:
| Data | Why | Where it lives |
|---|---|---|
.edu email address |
Verifying eligibility, account login, sending the 6-digit signup code. | Our database (Supabase) and our transactional-email provider (Resend). |
| First and last name | Displayed on your profile and events you host. | Our database. |
| Date of birth | Verifying you are 18+. We do not show this to other users. | Our database. |
| Profile photos | Shown to other users on your profile and events you host. | Cloudflare R2 (storage) and our database (URL references). |
| Pronouns, bio, year, major, interests, prompt answers | Displayed on your profile. | Our database. |
| Events you create (title, description, location, time, etc.) | Displayed in the events feed to users at your campus and selected guest campuses. | Our database. |
| Messages you send to other matched users | Delivered to the recipient. | Our database. |
| Reports and blocks | Used to enforce our Terms of Service. | Our database. |
3.2 Information collected automatically
When you use Arch we automatically collect:
| Data | Why | How long we keep it |
|---|---|---|
| Device push notification token | Sending you push notifications for matches, messages, RSVPs, and event reminders. | Until you sign out or revoke it. |
| Approximate location (for matching to campuses) | Determining which campuses are "in play" near you, and pinning events you host on the map. | Stored only as the coordinates of events you create. We do not maintain a continuous location history. |
| Server-side logs (IP address, request timestamp, user-agent string) | Security, abuse prevention, debugging. | 30 days, then deleted. |
| Crash and error reports | Diagnosing and fixing bugs. | 90 days, then deleted. |
3.3 Information we do not collect
We do not collect:
- Contacts from your phone.
- Continuous background location.
- Photos other than the ones you explicitly upload.
- Microphone audio.
- Browsing or app-usage history outside Arch.
- Advertising identifiers (IDFA / GAID).
- Anything for advertising or tracking purposes. Arch shows no ads and does not participate in any advertising network.
4. How we use your information
We use the information described above only to:
- Operate, maintain, and improve the Service.
- Verify your eligibility (
.edu+ 18+). - Match you with relevant events and other students.
- Send transactional communications (signup code, match notifications, RSVP reminders, security alerts).
- Enforce our Terms of Service, including review of reports and enforcement of bans.
- Comply with legal obligations.
We do not use your information to:
- Sell or rent it to third parties.
- Build advertising or marketing profiles.
- Train artificial-intelligence models on the contents of your messages, photos, or profile.
5. How we share your information
We share information only as follows:
5.1 With other Arch users
Your profile (name, photos, pronouns, bio, year, major, interests, prompts), the events you host, and the messages you send to a matched user are visible to other Arch users in the contexts you would expect. Your date of birth, email address, and exact device location are not visible to other users.
5.2 With service providers
We use the following service providers to operate Arch. Each is contractually bound to use your data only to provide service to us:
| Provider | Purpose | Data |
|---|---|---|
| Supabase | Database hosting | All persistent user data |
| Resend | Transactional email delivery | Email address, signup codes |
| Cloudflare R2 | Photo storage | Uploaded profile and event photos |
| Expo Push Notifications + Apple Push Notification Service | Delivering push notifications to your device | Push token, notification text |
| Stripe | Payment processing for paid events | Payment information you provide directly to Stripe — Arch never sees your full card details |
| Railway | Application hosting | Server logs |
5.3 For legal reasons
We may disclose information if we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or government request.
- Enforce our Terms of Service, including investigation of potential violations.
- Detect, prevent, or address fraud, security, or technical issues.
- Protect against harm to the rights, property, or safety of Arch, our users, or the public, as required or permitted by law.
5.4 Business transfers
If Arch is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you (by email and a prominent in-app notice) before your information becomes subject to a different privacy policy.
6. Your rights and choices
6.1 Access, correction, and deletion
You can:
- View the personal information we have about you by emailing support@arch.college.
- Correct your profile information at any time by editing your profile in the app.
- Delete your account and all associated data at any time by using the "Delete my account" button in Profile → Account → Delete account, or by emailing support@arch.college. We complete deletions within 30 days, except where we are required by law to retain certain information (e.g., transaction records for tax purposes).
6.2 Push notifications
You can disable push notifications at any time in your device's Settings → Notifications → Arch.
6.3 Location
You can revoke location access in your device's Settings → Privacy & Security → Location Services → Arch. Without location access, Arch cannot match you to nearby campuses or auto-pin events you host. You can still use the app.
6.4 California residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- The right to know what personal information we collect about you.
- The right to delete personal information we have collected.
- The right to correct inaccurate personal information.
- The right to opt out of "sale" or "sharing" of personal information — we do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of.
- The right to non-discrimination for exercising your CCPA rights.
To exercise any of these rights, email support@arch.college.
6.5 EEA, UK, and Swiss residents (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have additional rights under the GDPR and similar laws, including the right to access, rectify, erase, restrict, or port your personal data, and to object to processing. Our lawful bases for processing are: performance of a contract (operating the Service for you), legitimate interests (security, fraud prevention), and consent (for optional features). To exercise any of these rights, email support@arch.college.
7. Security
We use industry-standard safeguards to protect your information, including TLS encryption for data in transit, password hashing (bcrypt) for credentials, and access controls on our database (row-level security). No system is perfectly secure; we cannot guarantee absolute security but we work to mitigate risks continuously.
If we ever experience a security breach affecting your personal information, we will notify affected users without undue delay and in accordance with applicable law.
8. Children's privacy
Arch is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. See Section 2 for our verification process and Section 6.1 for how to request deletion if a minor's data was collected in error.
9. International data transfers
Arch is operated from the United States. If you access Arch from outside the US, your information will be transferred to, stored in, and processed in the US. By using Arch you consent to this transfer.
10. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you in-app and update the "Effective date" at the top. Continued use of the Service after a change means you accept the new policy.
11. Contact us
Questions, requests, or complaints regarding this Privacy Policy or your personal information should be directed to:
Arch · 2 Pond Road, Rumson, NJ 07760 Email: support@arch.college