Privacy Policy
Effective date: 2026-05-25 · Version 1.0
This Privacy Policy describes how Arktos Marketing LLC (“we,” “us”) collects, uses, and shares information in connection with ClientLaunch (the “Service”).
Who this policy covers
- Firm users — people who log in to ClientLaunch on behalf of an accounting, bookkeeping, tax, or advisory firm (the “Customer”). This policy applies to your interactions with the Service.
- End Clients — people who complete an onboarding wizard at the request of a Customer firm. The Customer firm is the controller of your information; we are the processor. For privacy requests, contact the Customer firm directly. See our DPA at /legal/dpa.
- Website visitors — people who visit our marketing pages without logging in.
Information we collect from firm users
- Account information. Email, password (hashed), full name, role, firm affiliation. Created during signup and updated via the Team page.
- Firm settings. Firm name, logo URL, accent color, support email, support phone. Created during signup, updated via Settings.
- Integration credentials. GoHighLevel location ID, outbound webhook URL, and API key. API keys are encrypted at rest with AES-256-GCM before storage. Decryption happens only at request time, in memory.
- Usage data. Pages visited, actions taken, IP address, browser user-agent, timestamps. Stored in our append-only audit_events table for security, troubleshooting, and to detect abuse.
- AI usage and cost. Token counts, model, and per-call USD cost for every AI generation, stored in ai_generations. Used to enforce daily budget caps and bill (we currently absorb AI costs within the flat subscription).
Information about End Clients that we process
The Customer firm decides what to collect from its End Clients through the onboarding wizard. Typical fields include name, email, phone number, business information, uploaded documents (e.g., bank statements, prior-year tax returns, photo ID), and electronic signatures. We process this information solely on behalf of the Customer firm. We do not use End Client information to train AI models, to advertise, or to sell to third parties.
How we use information
- To provide and operate the Service.
- To authenticate firm users and authorize End Client access via tokenized magic links.
- To send firm users transactional emails (password resets, invitations, security alerts) via our email provider.
- To generate reminder, summary, and intake-draft content via large language models on behalf of the Customer firm. The Customer firm reviews this content before sending.
- To detect, prevent, and respond to security incidents, fraud, and abuse.
- To comply with legal obligations.
Sub-processors
We rely on the following sub-processors:
- Cloudflare Inc. — application hosting (Workers), DNS, CDN. Data processed at the edge in many regions.
- Supabase Inc. — managed Postgres, Auth, and Storage. Data resides in Supabase’s primary region (US-East by default).
- Anthropic PBC — Claude API for AI generation. Anthropic does not use API inputs/outputs to train their models per their commercial terms.
- Resend Inc. — transactional email delivery (password resets, invites).
- Stripe Inc. — payment processing for subscription fees (Customer firm subscriptions to us). End Client payments at the wizard step, when enabled, are processed directly by Stripe under the Customer firm’s own Stripe account.
- GoHighLevel — outbound SMS, email, and voice delivery on behalf of the Customer firm. GHL acts under the Customer firm’s account.
Updated sub-processor list available on request. Material changes will be communicated to firm Owners by email at least 14 days before the change takes effect.
How long we keep data
- Account data: retained while your firm has an active subscription, plus 90 days.
- Audit log: retained for 7 years to support compliance and dispute resolution.
- AI generation log: retained for 13 months for cost reconciliation.
- Backups: rolling 30-day window via Supabase managed backups.
Your rights
Subject to applicable law, you may request access to, correction of, or deletion of your personal information by emailing support@arktosmarketing.com. For End Client data, contact the Customer firm whose link you used — they are the controller.
California residents: see California Consumer Privacy Act (CCPA) rights at support@arktosmarketing.com. EU/UK residents: see GDPR/UK GDPR rights. We do not sell personal information.
Security
We use tenant isolation via PostgreSQL row-level security, encryption at rest for sensitive credentials, signed URLs for file downloads, HMAC-signed webhooks, IP rate limiting, constant-time secret comparisons, and an append-only audit log. No system is completely secure; if you believe an account has been compromised, email support@arktosmarketing.com immediately.
Children
The Service is not directed to anyone under 16. We do not knowingly collect personal information from children.
Changes
We may update this policy. Material changes will be communicated by email and/or in-app notice.
Contact
Arktos Marketing LLC · Mesa, Arizona, USA · privacy questions: support@arktosmarketing.com.