Privacy Policy
Last updated: January 2026
Note: This Privacy Policy is a placeholder policy and will be replaced with official legal terms prior to production launch. Archivus is operated by Ubiship Limited and operates under Ubiship Limited's accountability framework and cyber insurance coverage.
1. Introduction
Archivus ("we", "our", or "us") is operated by Ubiship Limited. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered document intelligence platform (the "Service").
Ubiship Limited operates under comprehensive accountability frameworks and maintains cyber insurance coverage to ensure the security and protection of your personal information and documents.
By using Archivus, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address (required for account creation and communication)
- Name (required for account identification)
- Password (stored using industry-standard encryption and hashing)
- Organization/company name (optional, if provided)
- Subscription tier and billing information (for paid plans)
2.2 Documents and Content
We store documents you upload to the platform, including but not limited to PDFs, images, text files, and other supported file formats. These documents are:
- Stored securely in encrypted storage systems
- Processed by our AI systems to provide analysis, search, and organizational features
- Isolated by tenant using row-level security policies
- Never shared with other users or third parties except as necessary to provide the Service
2.3 Usage Data
We automatically collect technical and usage information, including:
- Log data (IP address, browser type and version, device information, access times)
- Feature usage statistics (which features you use and how often)
- AI interaction history (queries, responses, and document analysis requests)
- Error logs and performance metrics
- Session information and authentication tokens
2.4 Payment Information
For paid subscriptions, payment information is processed by Stripe, our payment processor. We do not store your full credit card details. Stripe handles all payment data in accordance with PCI DSS standards.
2.5 OAuth Information
If you choose to sign in using OAuth providers (Google, Apple, GitHub), we receive basic profile information (name, email) from the provider in accordance with your privacy settings with that provider.
3. Google User Data
Archivus integrates with Google services for authentication and optional document migration features. This section specifically describes our access to and use of Google user data in compliance with the Google API Services User Data Policy, including the Limited Use requirements.
3.1 Specific Types of Google User Data We Access
When you connect your Google account to Archivus, we request access to the following specific data types:
For Google Sign-In (Authentication):
- Email Address: Your primary Google account email address
- Full Name: Your display name as configured in your Google account
- Profile Picture URL: A link to your Google profile photo (if available)
For Google Drive Migration (Optional - Only When You Initiate):
If you choose to use our Google Drive Migration feature, we request the following OAuth scopes:
- drive.readonly (https://www.googleapis.com/auth/drive.readonly): Read-only access to view and download the content of files you select for migration
- drive.metadata.readonly (https://www.googleapis.com/auth/drive.metadata.readonly): Read-only access to file metadata (file names, sizes, creation dates, folder structure)
Important: We only access Google Drive data when you explicitly connect your Drive account and initiate a migration. We cannot modify, delete, or create files in your Google Drive - access is strictly read-only.
3.2 How We Use, Process, and Handle Google User Data
We use Google user data strictly for the following specific purposes and no others:
Authentication Data Usage:
- Account Creation: Your Google email and name are used to create your Archivus account when you sign in with Google for the first time
- Account Authentication: Your Google email is used to identify and authenticate you when you sign in to Archivus
- Account Display: Your name and profile picture are displayed within the Archivus interface to identify your account in the navigation and settings
- Account Communications: Your email address may be used to send you essential account notifications (password resets, security alerts, service updates)
Google Drive Data Usage:
- One-Time Document Import: When you explicitly initiate a Google Drive migration, we read your selected Drive files to copy them into your Archivus document library. This is a one-time import process initiated and controlled by you
- File Metadata Display: During the migration process, we display file names, sizes, and folder structure to help you select which files to import
- Document Processing: After import, migrated documents may be processed by Archivus features (AI analysis, search indexing, organization) - these are Archivus features that work on your copied documents, not ongoing access to Google Drive
We do NOT use Google user data for:
- Advertising, marketing, or promotional purposes
- Selling or renting to third parties
- Training machine learning models (except to provide you the Archivus service)
- Any purpose unrelated to providing the Archivus service
3.3 Data Sharing with Third Parties
We do not share, sell, rent, or transfer your Google user data to third parties except in the following limited circumstances necessary to provide the Archivus service:
AI Processing Services (Only for Migrated Documents, When You Request):
- Anthropic (Claude AI): When you request AI analysis, summarization, or Q&A on a document that was imported from Google Drive, the document content may be sent to Anthropic's Claude AI API for processing. This only occurs when you explicitly request an AI feature on a specific document.
- OpenAI: When you use semantic search features, document content may be processed by OpenAI's embedding API to generate search vectors. This enables intelligent document search within your Archivus library.
Important: AI processing is performed on documents you have already imported into Archivus, not through direct access to your Google Drive. You control which documents are analyzed by explicitly requesting AI features on specific documents.
Infrastructure Services:
- Supabase: Provides database and authentication infrastructure. Your Google profile data (name, email) is stored in our Supabase-hosted database.
- Cloud Storage: Migrated documents are stored in secure cloud storage (Supabase Storage or AWS S3, depending on your subscription tier).
We do NOT:
- Sell Google user data to data brokers, advertisers, or any third parties
- Share Google user data for advertising or marketing purposes
- Allow third parties to use Google user data for their own purposes
- Transfer Google user data to any parties not listed above
3.4 Data Storage and Protection Practices
We implement the following specific security measures to protect your Google user data:
Encryption:
- Data in Transit: All data transmitted between your browser and Archivus, and between Archivus and Google APIs, is encrypted using TLS 1.2 or higher
- Data at Rest: All stored data, including Google profile information and migrated documents, is encrypted using AES-256 encryption
- OAuth Tokens: Google OAuth refresh and access tokens are encrypted using AES-256-GCM encryption before storage. We never store your Google password.
Access Controls:
- Tenant Isolation: Your data is isolated from other users through PostgreSQL Row-Level Security (RLS) policies. Each query is scoped to your tenant, preventing unauthorized access.
- Role-Based Access: Internal access to systems containing Google user data is restricted to authorized personnel on a need-to-know basis
- Authentication: Access to your Archivus account requires authentication. We support multi-factor authentication for enhanced security.
Security Monitoring:
- Continuous monitoring for unauthorized access attempts
- Audit logging of access to sensitive data
- Regular security assessments and vulnerability scanning
3.5 Data Retention and Deletion
How Long We Retain Google User Data:
- Google Profile Data: Retained while your Archivus account is active
- Migrated Documents: Retained until you delete them or your account is terminated
- OAuth Tokens: Retained while your Google Drive connection is active. Tokens are deleted when you disconnect your Google account from Archivus.
How to Request Deletion of Your Google User Data:
You have multiple options to delete your Google-sourced data:
- Delete Individual Documents: Navigate to your document library, select any imported documents, and click Delete. Deleted documents are permanently removed within 30 days.
- Disconnect Google Drive: Go to Settings > Integrations > Google Drive and click "Disconnect". This immediately deletes your stored OAuth tokens and revokes Archivus's access to your Google Drive.
- Delete Your Account: Go to Settings > Account > Delete Account. This permanently deletes all your data, including all Google-sourced data, within 30 days.
- Contact Us: Email support@ubiship.io with "Google Data Deletion Request" in the subject line. Include your account email address. We will process your request within 30 days.
Upon any deletion request, all Google-sourced data (profile information, migrated documents, OAuth tokens) is permanently and irreversibly deleted from our systems within 30 days.
3.6 Limiting and Revoking Google Data Access
You can control Archivus's access to your Google data at any time:
- Revoke Access via Google: Visit your Google Account permissions page and remove Archivus. This immediately prevents any future access to your Google account. Note: This does not automatically delete data already imported to Archivus.
- Disconnect via Archivus: Go to Settings > Integrations > Google Drive and click "Disconnect" to revoke access and delete stored tokens.
3.7 Limited Use Disclosure
Archivus's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
4. How We Use Your Information
We use the collected information for the following purposes:
- Service Provision: To provide, maintain, and improve our services
- AI Processing: To process and analyze your documents using AI technologies (Claude AI, OpenAI)
- Communication: To send you account-related notifications, service updates, and support communications
- Security: To ensure security, prevent fraud, detect unauthorized access, and protect user data
- Analytics: To understand how users interact with our platform and improve user experience
- Billing: To process payments, manage subscriptions, and handle billing inquiries
- Legal Compliance: To comply with applicable laws, regulations, and legal processes
- Support: To provide customer support and respond to your inquiries
5. Legal Basis for Processing
We process your personal information based on:
- Contractual Necessity: To fulfill our contract with you and provide the Service
- Legitimate Interests: To improve our services, ensure security, and prevent fraud
- Consent: Where you have provided explicit consent for specific processing activities
- Legal Obligations: To comply with applicable laws and regulations
6. Third-Party Services and Data Sharing
We use the following third-party services to operate Archivus:
- Supabase: Authentication, database services, and storage infrastructure
- Anthropic (Claude AI): Document analysis, Q&A, summarization, and AI features
- OpenAI: Document embeddings for semantic search (text-embedding-3-small)
- Stripe: Payment processing and subscription management
- Cloud Storage Providers: Secure document storage (Supabase Storage, AWS S3, or customer-provided buckets)
- OAuth Providers: Google, Apple, GitHub (optional authentication methods)
Each third-party service has its own privacy policy governing the use of your information. We only share data necessary for these services to function, and we require all third-party service providers to maintain appropriate security measures.
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
7. Data Security
Ubiship Limited operates under comprehensive accountability frameworks and maintains cyber insurance coverage. We implement industry-standard security measures to protect your information:
- Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Multi-factor authentication, role-based access controls, and least-privilege principles
- Tenant Isolation: Row-level security policies ensure complete data isolation between tenants
- Security Audits: Regular security assessments, penetration testing, and vulnerability scanning
- Monitoring: Continuous monitoring for unauthorized access, anomalies, and security threats
- Backup and Recovery: Regular backups and disaster recovery procedures
- Employee Training: Security awareness training for all personnel with data access
However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.
8. Data Retention
We retain your data for as long as your account is active and as necessary to provide the Service. Specifically:
- Account Data: Retained while your account is active
- Documents: Retained until you delete them or your account is terminated
- Usage Data: Retained for up to 2 years for analytics and security purposes
- Billing Records: Retained as required by law (typically 7 years)
Upon account deletion, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal, regulatory, or legitimate business purposes.
9. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request access to your personal data and receive a copy
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data (subject to legal requirements)
- Export: Request export of your data in a portable format
- Objection: Object to certain processing activities
- Restriction: Request restriction of processing in certain circumstances
- Withdraw Consent: Withdraw consent where processing is based on consent
- Data Portability: Receive your data in a structured, commonly used format
To exercise these rights, please contact us at support@ubiship.io. We will respond to your request within 30 days, subject to verification of your identity.
You can also manage your data directly through the Service:
- Update account information in your account settings
- Delete documents through the document management interface
- Export your data using built-in export features
- Delete your account through account settings
10. Cookies and Tracking Technologies
We use essential cookies and similar technologies for:
- Authentication: To maintain your login session
- Security: To detect and prevent fraud
- Functionality: To remember your preferences and settings
We do not use third-party tracking cookies for advertising purposes. We do not engage in cross-site tracking or sell your data to advertisers.
You can control cookies through your browser settings, but disabling essential cookies may affect Service functionality.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country. We ensure appropriate safeguards are in place, including:
- Standard contractual clauses approved by relevant data protection authorities
- Compliance with applicable data protection frameworks
- Appropriate security measures regardless of data location
12. Children's Privacy
Archivus is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately, and we will take steps to delete such information.
13. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected, used, and shared
- Right to delete personal information (subject to exceptions)
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your privacy rights
14. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, you have rights under the General Data Protection Regulation (GDPR), including the rights listed in Section 9 above. Our legal basis for processing is outlined in Section 5.
You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.
15. Data Breach Notification
In the event of a data breach that may affect your personal information, we will:
- Investigate the breach immediately
- Notify affected users and relevant authorities as required by law
- Provide information about the nature of the breach and steps being taken
- Recommend actions you can take to protect yourself
Our cyber insurance coverage provides additional protection and resources in the event of a security incident.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Privacy Policy on this page
- Updating the "Last updated" date
- Sending an email notification for significant changes (where required)
- Displaying a notice in the Service for material changes
Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you should stop using the Service and delete your account.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Ubiship Limited
Email: support@ubiship.io
Website: https://archivus.app
For data protection inquiries or to exercise your privacy rights, please include "Privacy Request" in your subject line and provide details about your request.
18. Data Protection Officer
For users in the EEA or UK, you may contact our Data Protection Officer (if applicable) at the contact information above.
This Privacy Policy is effective as of January 2026. Ubiship Limited is committed to protecting your privacy and maintaining the security of your personal information under our accountability framework and cyber insurance coverage.