
Privacy policy

Last updated: 28 April 2026

About this policy

Arzana respects your privacy. This policy explains what personal information we collect, how we use it, who we share it with, and the choices you have. It is written to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

"Arzana" refers to Arzana Cloud (ABN 84 677 439 253), an Australian business operating arzana.cloud and app.arzana.cloud.

What we collect

When you sign in to the Arzana app, we collect:

  • Your email address and username, provided by your identity provider (GitHub) during OAuth sign-in.
  • A stable identifier from the identity provider so we can recognise you across sessions.

We also collect a small amount of operational data that is not tied to your identity — server logs kept for short periods for security and debugging.

We do not run analytics or advertising trackers on this marketing site or in the app.

Cookies

Arzana uses cookies only to keep you signed in. We do not set analytics, advertising, or third-party tracking cookies, and we do not use browser storage (localStorage or sessionStorage) to hold your data.

The Arzana app sets two cookies, both first-party:

  • arzana_session — identifies your session after you sign in with GitHub. Lasts up to 30 days, or until you sign out. Marked HttpOnly, Secure, and SameSite=Lax so it cannot be read by JavaScript and is only sent over HTTPS.
  • arzana_oauth_state — a short-lived token (10 minutes) used during the GitHub sign-in handshake to protect against cross-site request forgery. Cleared automatically as soon as sign-in completes. Same security attributes as above and signed with a server secret.

Both cookies are strictly necessary for the service — without them you cannot sign in or stay signed in. Under EU ePrivacy rules and the EDPB's guidance, strictly-necessary cookies do not require a consent banner, so we do not show one. Australian privacy law does not require cookie consent either; we list the cookies here for transparency under APP 1.

You can clear cookies in your browser at any time. If you clear Arzana's cookies you will be signed out and asked to sign in again.

If we ever introduce non-essential cookies (for example, with future billing through Stripe), we will update this section and notify existing users before that change takes effect.

What we may collect in the future

When we introduce paid plans, we expect to also collect the information necessary to bill and support those plans:

  • Billing details — billing name, billing address, country, and (for GST purposes) ABN if you are an Australian business.
  • Payment information — handled by our payment processor, Stripe. We do not store full card numbers; Stripe holds them and we only receive a token and the last 4 digits.
  • Subscription and invoice records — plan level, start and end dates, amounts charged, and tax receipts. We keep these to comply with Australian tax and record-keeping obligations.
  • Product usage metrics — aggregate numbers (projects, deploys, services) we need to enforce plan limits and show you what you're using.

When these changes go live we will update this policy and notify existing users before the new collection begins.

How we use your information

We use the information we collect to:

  • Authenticate you and keep your account secure.
  • Provide the Arzana service — reading the repositories you connect, proposing blueprints, provisioning the infrastructure you approve, and showing you what is running.
  • Contact you about the service — security notices, material changes to this policy, or support requests you initiate.
  • Diagnose errors and keep the service running.
  • In the future, bill for paid plans and meet our tax and accounting obligations.

We do not sell your personal information, and we do not use it for advertising.

Who we share it with

We share personal information only with service providers that help us run Arzana, and only to the extent they need it:

  • Our cloud infrastructure provider — hosts Arzana's data within Australia.
  • GitHub — provides OAuth sign-in; we receive your email, username, and identifier from GitHub when you authorise the app.
  • Your own cloud account — when you link a cloud subscription, Arzana acts in that account with the permissions you grant. We do not copy your cloud resources out; we operate on them in place.
  • When paid plans launch, Stripe will process payments and issue tax receipts on our behalf.

We will disclose personal information if required by Australian law, a court order, or to protect the safety of our users or the public.

Overseas disclosure

The personal information Arzana holds about you is stored in Australia. Some service providers we use process information outside Australia:

  • GitHub (United States) — for OAuth sign-in.
  • Stripe (United States, Ireland) — for billing.

Under APP 8 we take reasonable steps to ensure overseas recipients handle your information consistently with the APPs.

How long we keep it

We keep your account information while your account is active. If you ask us to delete your account, we will delete or de-identify your personal information within a reasonable period, except where we are required to retain it — for example, Australian tax law generally requires us to keep financial records for seven years.

Server logs are kept for a short period (typically 30 days) and then deleted automatically.

Security

We take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification, and disclosure. This includes encryption in transit and at rest, scoped access controls, and limiting who on our team can access account data to those who need it for a specific task.

No system is perfectly secure. If we become aware of a data breach that is likely to cause serious harm, we will notify affected users and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.

Your rights

Under Australian privacy law you can ask us to:

  • Access the personal information we hold about you (APP 12).
  • Correct information that is inaccurate, out of date, or incomplete (APP 13).
  • Delete your account and the personal information tied to it, subject to any legal retention requirements.

Email us at privacy@arzana.cloud and we'll respond within a reasonable period (usually under 30 days).

Children

Arzana is a tool for software teams and is not intended for children under 16. We do not knowingly collect information from children. If you believe a child has provided us information, contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. When we make material changes — for example, when we launch paid plans — we will update the "last updated" date above and notify existing users by email before the changes take effect.

How to contact us or complain

For privacy questions, access or correction requests, or complaints about how we handle your information, email privacy@arzana.cloud.

If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.