Effective Date: 14 March 2026 · Last Updated: 18 April 2026 · Version 2.0
This Privacy Policy ("Policy") describes how Arbel Live Technologies, its successors and affiliates (together "Arbel," "we," "us," "our") collect, use, disclose, retain, and protect personal data when you access or use the Arbel website, web application, generator, builder, deployment tools, APIs, administrative endpoints, marketing pages, and any related services (collectively, the "Service") at arbel.live and any sub-domain or successor URL.
This Policy is intended to comply with, and be enforceable under, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), Brazil’s LGPD, Canada’s PIPEDA, India’s Digital Personal Data Protection Act 2023, and other applicable data-protection laws. Where a term is undefined, it has the meaning given by the GDPR.
The data controller for the Service is Arbel Live Technologies (the "Controller"). For all privacy, data-subject, security, and abuse enquiries:
[PRIVACY], [DATA REQUEST], [SECURITY], [DMCA], or [ABUSE] for fastest routing.We are a small team and do not maintain a postal address for routine enquiries. Where local law requires a postal point of contact (e.g. for legal service of process), we will provide one on written request to the email above.
| Category | Examples | Where it lives |
|---|---|---|
| Authentication credentials | GitHub OAuth code, GitHub Personal Access Token (PAT) | Browser sessionStorage (PAT) and transient memory; never sent to Arbel servers except the one-time OAuth code exchange (see §7). |
| Third-party API keys | Groq API key, Google Gemini API key | Browser IndexedDB on your device only. |
| Generated content | Site copy, prompts, images, layouts | Browser memory and your own GitHub repository when you click Deploy. |
| Preferences | Cookie-banner choice, dev-unlock parameter, UI preferences | Browser localStorage. |
When your browser fetches the Service, your IP address, user-agent, request headers, and timing are visible to our hosting providers (GitHub Pages and Cloudflare) at the network layer. We do not log or persist this data ourselves; it is governed by the providers’ own privacy notices (see §8).
The only data Arbel itself records is the salted hash described in §4 ("Anonymous Usage Analytics"). We do not collect names, email addresses, telephone numbers, postal addresses, payment data, government identifiers, biometrics, location coordinates, or any other directly identifying information.
We affirm in writing that we do not, in the ordinary operation of the Service:
To keep the Service reliable and to make capacity-planning decisions we operate a minimal first-party telemetry endpoint (arbel-admin.realskullmusic.workers.dev/api/track). Each visit may produce one POST request containing:
| Field | Source | Purpose | Retention |
|---|---|---|---|
| Two-letter ISO country code | Cloudflare network-level geolocation; we never see the IP | Country-level aggregate statistics | Indefinite as aggregate counters; never per-visit |
| UTC date | Server clock | Daily totals | Indefinite as aggregate counters |
| Salted SHA-256 hash of (date | IP | user-agent | secret salt), truncated to 16 hex chars | Computed inside the Worker; raw inputs are discarded immediately | Approximate unique-visitor count within a rolling 48-hour window | 48 hours — the key auto-expires from Cloudflare KV |
| Active-session marker (same hash) | As above | "Active now" gauge on admin dashboard | 5 minutes — auto-expires |
Path of page (e.g. /generator/) | Browser request body | Tell apart marketing pages vs. generator | Aggregate per day only |
| Referrer hostname only (never full URL or query string) | Browser request body | Inbound traffic source rollup | Aggregate only; not stored per-visit |
| Dev-tools flag (boolean) | Set when ?unlock=… active | Excludes our internal usage from public counters | Aggregate counter only |
Why we believe this is not "personal data" in the everyday sense: the hash is salted with a server-only secret and truncated to 16 hex characters, which makes it computationally impractical to reverse to an IP or user-agent and yet sufficient to dedupe a visitor for 48 hours. After 48 hours the key is irretrievably purged. We hold no other data that could re-identify the same person.
Regulatory note. Even though we believe this telemetry falls outside the strict definition of "personal data" under most regimes, we have nonetheless chosen to apply data-protection safeguards to it as if it did, on a precautionary basis.
Complete list of every key the Service writes on your device. None of this data ever leaves your browser unless you explicitly trigger an action that requires it.
| Storage | Key | Purpose | Lifetime |
|---|---|---|---|
| sessionStorage | arbel_gh_token | GitHub access token (OAuth or PAT) | Cleared on tab close |
| sessionStorage | arbel_oauth_state | CSRF state for OAuth flow | Cleared on tab close or on completion |
| localStorage | arbel_consent (or similar) | Records your acceptance of these legal documents | Until you clear browser data |
| localStorage | arbel_prefs_* | UI preferences (theme, last-used template, etc.) | Until you clear browser data |
IndexedDB (database arbel-keys) | AI provider keys | Calling Groq / Gemini directly from your browser | Until you delete or browser purges |
| HTTP cookie (admin only) | arbel_sess | Authenticated admin session for our internal dashboard. Set only after we authenticate at /admin; never set for ordinary visitors. | 12 hours, HttpOnly, Secure, SameSite=Strict |
You can inspect, export, or delete any of the above at any time using your browser’s developer tools or by clearing site data for arbel.live.
| Processing activity | Lawful basis |
|---|---|
| Serving the Service over the network | Legitimate interests — making a website you requested available (Art. 6(1)(f)). |
| One-time GitHub OAuth code exchange | Performance of a contract you initiated by clicking "Sign in with GitHub" (Art. 6(1)(b)). |
| Anonymous usage analytics (§4) | Legitimate interests — keeping the Service reliable and right-sizing capacity, balanced against minimal-impact, hashed, expiring data (Art. 6(1)(f)). DNT respected. |
| Storing your preferences in your own browser | You provide functional consent by interacting with the Service (Art. 6(1)(a)) and we never read this data on the server side. |
| Responding to data-subject requests, abuse reports, legal demands | Compliance with a legal obligation (Art. 6(1)(c)) and legitimate interests in defending claims (Art. 6(1)(f)). |
| Activity | Data flow | Where data is sent |
|---|---|---|
| GitHub Sign-in (OAuth) | Browser sends a one-time OAuth code to our worker, which exchanges it with GitHub and immediately discards the code. | arbel-auth.ltdb.workers.dev (Arbel) → github.com |
| Deploying generated sites | Browser sends generated files directly to GitHub using your token. | api.github.com |
| AI generation | Browser sends prompts and your provider key directly to the AI provider you chose. | api.groq.com or generativelanguage.googleapis.com |
| Usage analytics | Browser sends a small anonymous payload (see §4) to our analytics worker. | arbel-admin.realskullmusic.workers.dev (Arbel) |
| Loading fonts | Browser fetches stylesheets and font files from Google Fonts CDN. | fonts.googleapis.com, fonts.gstatic.com |
Except for the OAuth-code exchange and the analytics payload above, no application data passes through Arbel infrastructure. Arbel is not an intermediary or proxy for your tokens, AI keys, or content.
| Sub-processor | Role | Data category | Privacy link |
|---|---|---|---|
| Cloudflare, Inc. | Worker execution, KV storage of analytics counters, edge geolocation, DDoS protection | IP (transient at edge), country code, hashed visitor ID, aggregate counters | cloudflare.com/privacypolicy |
| GitHub, Inc. / Microsoft Corporation | OAuth provider, repository hosting, GitHub Pages CDN | OAuth identifiers, request logs at network edge | github.com privacy |
| Google LLC | Google Fonts (font delivery), optional Gemini AI provider | Browser request data; AI prompts when you use Gemini | policies.google.com |
| Groq, Inc. | Optional AI provider | AI prompts when you use Groq | groq.com/privacy-policy |
Arbel has no contractual data-sharing arrangements with any other third party. We do not receive remuneration from any sub-processor for routing your traffic to them.
Cloudflare and GitHub operate global edge networks; your traffic is normally served from the geographically nearest point of presence. The Worker that handles OAuth and analytics is deployed worldwide on Cloudflare’s edge. AI providers may process prompts in the United States or other countries.
Where data originating in the European Economic Area, the United Kingdom, or Switzerland is processed outside that region, we and our sub-processors rely on the European Commission’s Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, supplementary technical measures (encryption in transit, hashing, minimisation), and, for Cloudflare, its publicly published Data Processing Addendum.
arbeltechnologies@gmail.com — retained for as long as needed to handle the matter and meet legal-hold requirements, normally not exceeding 24 months.preload.connect-src allow-list limits the domains the Generator can call.HttpOnly, Secure, SameSite=Strict cookie with a 12-hour absolute expiry; constant-time token comparison.X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer, Permissions-Policy locks down sensors and microphone.If you are in the EEA or the UK you have the following rights, free of charge, exercisable by emailing arbeltechnologies@gmail.com with the subject [DATA REQUEST]:
We will respond within 30 calendar days. Where a request is manifestly unfounded, excessive, or repetitive we may charge a reasonable fee or refuse to act, in accordance with Art. 12(5). To prove your identity for sensitive requests we may ask you to confirm a hashed token or repeat the request from the same authenticated browser session.
If you are a California resident, the CCPA / CPRA additionally grants you:
You may exercise these rights yourself or through an authorised agent by emailing arbeltechnologies@gmail.com. We will verify the request through email confirmation and, where appropriate, possession of an authenticated browser session. We do not use a "Do Not Sell My Personal Information" link because there is no sale.
Residents of Brazil have analogous rights under the LGPD; residents of Canada under PIPEDA; residents of India under the Digital Personal Data Protection Act 2023; residents of Australia under the Privacy Act 1988; and residents of South Africa under POPIA. We will honour valid requests from any such resident on the same terms set out above.
The Service is not directed to and not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you are under 16, please do not use the Service or provide any data through it. If you become aware that a child has provided data to the Service, contact us at arbeltechnologies@gmail.com and we will take prompt steps to delete it.
Arbel does not use advertising cookies, analytics cookies, social-media cookies, or third-party tracking cookies of any kind. The only cookie we set is arbel_sess, a strictly-necessary, first-party, session cookie placed only when an administrator logs in to the internal dashboard at /admin. Ordinary visitors are never issued a cookie.
For storage we instead use localStorage, sessionStorage, and IndexedDB on your device only, as inventoried in §5.
If your browser sends a DNT: 1 header or sets navigator.doNotTrack === '1', the analytics ping in §4 is suppressed for that session. You may also opt out at any time by:
arbel-admin.realskullmusic.workers.dev/api/track at the browser, extension, or network level;The Generator remains fully functional with analytics blocked.
When you choose to use AI features, your prompts and any context you supply are sent directly from your browser to the AI provider you select (Groq or Google Gemini), using your own API key. Arbel does not see, store, train on, or relay these prompts. The provider’s own privacy policy governs how it handles the data and whether it may use it for model improvement; please review their policy before sharing sensitive content.
AI outputs may be inaccurate, biased, or non-novel. You are solely responsible for reviewing, validating, and ensuring you have the necessary rights to use any AI output before publication.
Because we hold almost no data about individuals, there is rarely anything to disclose. If we receive a valid, properly-issued legal demand from a court of competent jurisdiction, we will comply only to the minimum extent required by law and only with data we actually possess at that moment. Where lawful, we will notify the affected user before responding.
In the unlikely event of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach (per GDPR Art. 33) and, where the breach is likely to result in a high risk, the affected individuals without undue delay (per GDPR Art. 34). Equivalent obligations under CCPA/CPRA, LGPD, and other applicable laws will be observed.
We do not engage in any solely automated decision-making or profiling that produces legal effects or similarly significant effects on you (GDPR Art. 22). Rate-limiting and brute-force lock-out are technical safeguards based on hashed identifiers and cannot affect rights or obligations.
We may amend this Policy from time to time. The current version is always posted at this URL with an updated "Last Updated" date and a version number. Material changes that meaningfully reduce your rights will be highlighted in a banner on the Generator for at least 30 days before they take effect. Continued use of the Service after a change becomes effective constitutes acceptance.
If you believe our processing of your personal data infringes data-protection law, we encourage you to contact us first at arbeltechnologies@gmail.com so we can investigate. You also have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement (GDPR Art. 77). In the United Kingdom this is the Information Commissioner’s Office; in California, the California Privacy Protection Agency; in India, the Data Protection Board of India.
This Policy is governed by the laws of India, without regard to conflict-of-law principles. The courts of Bengaluru, Karnataka, India shall have exclusive jurisdiction over any dispute arising out of or relating to this Policy, save that nothing in this clause affects (i) mandatory consumer-protection rights you may have in your country of residence or (ii) your right to lodge a complaint with the supervisory authority of your habitual residence.
Together with the Terms of Service, this document forms the entire privacy agreement between you and Arbel Live Technologies.