Arcorapay

Legal

Privacy Policy

Arcorapay is a testnet beta operated as an Arcora Labs product. We process very little data, and this page lists all of it in plain language — no accounts with emails, no analytics, no trackers.

What we process

The hosted service at arcorapay.xyz processes the following, and nothing more:

  • Public wallet addresses. Merchants sign in with their wallet (Sign-In with Ethereum), and payers’ addresses appear in invoices and settlements. Wallet addresses are already public on-chain; we store them to associate invoices with merchants and payments with payers.
  • Merchant-provided configuration. What you enter in the dashboard: webhook URLs, allowed redirect origins, and payout preferences (which stablecoin you settle in). We store this to run your checkout.
  • One session cookie. Merchant login uses a single encrypted, HTTP-only iron-session cookie that stores your merchant wallet address — nothing else. No cross-site or advertising cookies are set.
  • Theme preference in your browser. Your light/dark choice is kept in your browser’s localStorage and never sent to us. The checkout page may also keep transient payment-resume state in localStorage on your own device.
  • IP addresses, transiently. IPs appear in server logs and in short-lived rate-limit windows used to protect the API from abuse. They are not used to build profiles.

We do not collect names, email addresses, phone numbers, or any other contact or identity information. There is nowhere in the product to enter them.

What we never do

  • No analytics or advertising trackers. The site ships no third-party analytics, pixels, or ad scripts.
  • No sale or sharing of data for marketing. We do not sell data, and we do not share it with anyone for marketing purposes.

On-chain data

Payments settle on Arc Testnet. Anything written to the chain — addresses, amounts, transaction hashes — is public and permanent by design, and is outside our control once broadcast. This is testnet data involving valueless test assets, but it is still public.

How long we keep data

  • Database data (invoices, merchant configuration, rate-limit counters) lives until the next testnet reset. As a beta, the service may be reset at any time, which clears this data.
  • Server logs (which can include IP addresses) rotate on our hosting provider’s standard schedule and are not archived long-term.

Third parties that process data for us

  • Vercel — hosts the application and serves requests, so it sees standard request metadata (IP, headers) as any host does.
  • Circle App Kit — executes FX quotes and swaps during settlement; it sees the on-chain details of those swaps (token amounts and addresses).
  • Public RPC providers — the service reads chain state through public Arc Testnet RPC endpoints, which see the addresses being queried.

Each of these processes data to operate the service — not for marketing — and is governed by its own privacy policy.

Your choices

If you are a merchant and want your configuration and invoices removed, open an issue at github.com/arcoralabs/arcorapay/issues and include a message signed with the merchant wallet (the same wallet you sign in with) so we can verify ownership — we will then delete the database records we hold for it. Note that on-chain testnet data cannot be deleted by anyone. You can clear the session cookie and localStorage entries in your browser at any time.

Changes to this policy

If what we process changes, we will update this page and the “last updated” date below. Since the service is a beta, expect this page to evolve with it.

Last updated 2026-06-10