Privacy Policy

Arcana Research is operated by Acta Diurna LLC (“Arcana,” “we,” “us”). We run a B2B enterprise AI research program — the Arcana AI Enterprise Pulse — and related research instruments, member portals, and benchmark deliverables. This policy applies to arcana-research.com and any sub-application operated under that domain.

We collect data from business contacts in their professional capacity. We do not knowingly collect information from consumers or anyone under 18.

We collect three categories of information:

• Account data. Name, work email, employer, job title, role within the research panel.
• Research responses. Answers to study questions, including spend, vendor, adoption, and impact data you provide on behalf of your employer.
• Technical data. IP address, user-agent string, session timestamps, and analytics events (page views, button clicks) collected by our analytics provider for product improvement and security.

We do not collect government IDs, financial account numbers, health information, biometric data, geolocation beyond IP-based country, or contents of files outside the research instrument itself.

• Operate the research panel. Authenticate you, route invitations, manage workspace membership, and deliver your personalized AI Vital Stats and benchmark reports.
• Produce aggregated research. Combine your responses with those of other respondents to produce reports, indices, and benchmarks. Individual responses are never attributed to you or your employer in published outputs.
• Communicate with you. Send invites, reminders, deliverables, and program updates related to studies you have joined.
• Security and abuse prevention. Detect fraudulent or unauthorized access, debug errors, and maintain audit logs.

Where European data protection law applies, we process personal data under the following bases:

• Contract — to provide the research services you have signed up for.
• Legitimate interests — to operate, secure, and improve the platform, where those interests are not overridden by your rights.
• Consent — for non-essential analytics cookies, where required.

We share information only as described below. We do not sell personal data.

• Subprocessors. We use third-party infrastructure providers to host, operate, and secure the platform. Each is bound by data-protection terms. The current list is published at arcana-research.com/security.
• Co-sponsored studies. Some studies are co-branded with research partners (e.g., NPI). Co-sponsors may receive aggregated, de-identified results. Individual responses are not shared with co-sponsors unless you explicitly opt in at the time of a specific deliverable.
• Legal compliance. Where required by law, court order, or to protect our rights and the safety of others.
• Business transfers. If Arcana is acquired or merged, your data may transfer subject to this policy.

• Account data — until you request deletion or 24 months of inactivity, whichever is sooner.
• Research responses — retained in identified form for 24 months to support follow-up waves and longitudinal benchmarks; thereafter retained only in aggregated, de-identified form.
• Analytics and security logs — 90 days, then deleted or anonymized.
• Email logs — retained per our email provider’s standard retention (typically 30 days) for deliverability diagnostics.

You may, at any time, request:

• Access to the personal data we hold about you.
• Correction of inaccurate or incomplete data.
• Deletion of your account and associated personal data.
• Export of your data in a portable format.
• Restriction of processing or objection to processing based on legitimate interests.
• Withdrawal of consent (where consent is the basis).

To exercise any right, email privacy@arcana-research.com. We respond within 30 days. California, Colorado, Virginia, and other US state residents have equivalent rights under their applicable laws and may exercise them through the same channel.

We host data in the United States. If you are located outside the US, your data is transferred to the US. Where required, transfers from the EEA, UK, or Switzerland are made under the European Commission’s Standard Contractual Clauses or equivalent safeguards. A copy of the relevant clauses is available on request.

We use a small number of cookies:

• Essential — session authentication, CSRF protection. Cannot be disabled.
• Analytics — first-party event tracking via PostHog (US-hosted) for product improvement. You may disable analytics in your browser or via the global Privacy Control (GPC) signal.

We do not use advertising cookies, third-party trackers, or cross-site tracking pixels.

We protect data in transit with TLS 1.2+ and at rest with provider-managed encryption. Passwords are hashed with bcrypt. Sessions are signed and rotated. Detailed security posture, subprocessor compliance, and incident-response practices are published at arcana-research.com/security.

The service is intended for business users. We do not knowingly collect data from anyone under 18. If you believe a minor has submitted information, contact us and we will delete it.

We will update this policy as the program evolves. Material changes will be communicated by email to active panel members at least 14 days before they take effect. The effective date at the top of this page reflects the current version.

Questions, requests, or complaints: privacy@arcana-research.com.

Acta Diurna LLC · United States. EU/UK residents may also lodge a complaint with their local supervisory authority.