Privacy Policy

1. Introduction

Arcadia Age API ("A3," "we," "us," or "our"), operated by Digital Arcadia LLC, 522 W Riverside Ave Ste N, Spokane, WA 99201, United States, provides high-performance, privacy-first age assurance infrastructure for developers. We operate as a technical service provider, helping our customers comply with age-gating requirements within the United States while minimizing the collection of personally identifiable information (PII).

2. Data Collection & Processing

Our data practices differ based on whether you are visiting our documentation site or integrating our API.

A. Documentation Site (www.a3api.io)

Our documentation site is built with Next.js 15 and hosted on AWS Amplify.

• Contact Form: When you use our contact form, we collect your name, email address, subject, and message. This data is processed by Formspree, is used solely to respond to your inquiries, and is retained only as long as necessary to do so.
• Font Delivery: We use Google Fonts to deliver a consistent visual experience. Google may log your IP address and request headers for font delivery purposes.
• Analytics: Our documentation site does not use tracking cookies or third-party behavioral analytics scripts.

B. Developer Portal (portal.a3api.io)

When you create a developer account to obtain API keys, we collect:

• Account Information: Your name, email address, and authentication credentials. This data is used to manage your API keys, subscription, and billing.
• Usage Metadata: We track API key usage counts for rate limiting, quota enforcement, and billing purposes. This metadata is associated with your API key, not with your end users.

C. Arcadia Age API

The A3 API is designed for stateless, zero-data-retention processing.

• Processed Signals: The API receives age-related signals from our customers, including OS age brackets (per CA AB 1043), device contextual data, and numeric age-estimation results from third-party providers.
• Zero Retention: We do not store, log, or persist request payloads. Once a verification request is processed and a signed receipt (HMAC-SHA256) is returned, the original request data is immediately purged from system memory.
• No Biometrics: We do not process or store raw biometric data, such as selfie images. We only receive numeric estimation results.

3. Aggregated Analytics & Logs

To maintain service health and security, we emit structured JSON logs to AWS CloudWatch. These logs are strictly de-identified and use k-anonymity principles:

• Timestamps: Truncated to the hour to prevent session tracking.
• Data Points: We only log high-level metadata such as event type, regional location, verdict, and signal category counts.
• Exclusions: We explicitly exclude session IDs, user country codes, or any behavioral values that could be used to reconstruct a user's identity.
• Analytics Retention: Aggregated CloudWatch analytics logs are retained for 90 days for operational monitoring and then automatically deleted.
• Billing Ledger Retention: A separate, physically isolated billing ledger records only a one-way SHA-256 hash of your API key, request status, timestamp, and region. This ledger contains no assessment data, behavioral metrics, or user information. Billing records are retained for 7 years in compliance with IRS record-keeping requirements and are encrypted at rest using AES-256 via AWS KMS.

4. Third-Party Service Providers

We utilize the following subprocessors to maintain our infrastructure:

• AWS (Amazon Web Services): Hosting (Amplify), compute (Lambda), and logging (CloudWatch) in the us-west-2 region.
• Zuplo: API Gateway management for rate limiting and authentication.
• Stripe: Payment processing, subscription management, and usage-based billing. Stripe processes your payment information (card details, billing address) directly and is governed by Stripe's Privacy Policy.
• Formspree: Contact form processing and management.
• Google: Delivery of system fonts.

5. Security

A3 is built on a foundation of "Security by Design." Our technical stack includes:

• API Authentication: All API requests are authenticated via cryptographic API keys validated with timing-safe comparison to prevent credential-based attacks.
• Encryption: All data in transit is secured via TLS 1.3, and any operational secrets are encrypted at rest using AES-256 via AWS KMS.
• Isolation: Our API environment is isolated within Lambda Function URLs, minimizing the attack surface.

6. Geographic Availability

The A3 API is available exclusively within the United States and its territories. We do not offer the Service in the European Economic Area (EEA), the United Kingdom, or any other jurisdiction subject to the EU General Data Protection Regulation (GDPR) or the UK Data Protection Act 2018. API requests originating from EU/EEA/UK country codes are automatically rejected.

7. Regulatory Compliance (2026)

• California AB 1043: A3 is architected to facilitate compliance with the Digital Age Assurance Act by acting as a verifiable receiver of device-based age signals.
• CCPA: Our "Zero Data Retention" model naturally aligns with Data Minimization and Storage Limitation mandates.

8. Your Rights Under CCPA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request that we delete any personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information that we maintain about you.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
• Do Not Sell or Share: We do not sell, share, or rent your personal information to third parties for monetary or other valuable consideration. We have never sold personal information and have no plans to do so.

To exercise any of these rights, contact us at [email protected]. We will respond to verifiable requests within 45 days.

9. Children's Privacy

A3 is a B2B developer tool. Our Service is not directed at children under the age of 13, and we do not knowingly collect personal information from children. Our API processes age-related signals on behalf of our customers but does not directly interact with end users. If you believe a child has provided us with personal information, please contact us at [email protected] and we will promptly delete such information.

10. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach, in accordance with applicable state and federal notification requirements. We will also notify relevant supervisory authorities as required by law.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be posted to this page with an updated "Last Updated" date. Where practicable, we will notify you via the email address associated with your developer account at least 30 days before significant changes take effect. Your continued use of the Service after the updated policy becomes effective constitutes your acceptance of the changes.

12. Related Documents

This Privacy Policy is part of and subject to our Terms of Service. Please review both documents to understand your rights and obligations when using A3.

13. Contact Us

For any privacy inquiries or to exercise your rights, please contact:

Digital Arcadia LLC
522 W Riverside Ave Ste N
Spokane, WA 99201, United States

Email: [email protected]