This document supplements the main Privacy Policy of Arc Reader — the mobile web-novel reader operated by Not A Simple Studio — and applies only to data we obtain through Google’s OAuth APIs when you choose to Sign in with Google. If you never sign in with Google, this addendum does not apply to you and nothing in it is collected about you.
01Who this policy is from
The application requesting Google user data is:
- Application — Arc Reader (iOS & Android).
- Developer — Not A Simple Studio.
- Contact — contacts.simplestudio@gmail.com.
- Website — https://arcreaders.app/.
- App Store — id6762717697.
- Google Play — com.notasimplestudio.arcreaders.
02What Google user data we access
When you authenticate with Google, Arc Reader requests three non-sensitive OAuth scopes only:
| Scope | What Google returns to us |
|---|---|
openid |
A stable, pseudonymous Google account identifier (the sub claim) so we can recognise you across sign-ins. |
https://www.googleapis.com/auth/userinfo.email |
Your primary Google account email address and whether Google has verified it. |
https://www.googleapis.com/auth/userinfo.profile |
Your public profile display name, locale, and profile picture URL. |
We do not request access to Gmail, Drive, Calendar, Contacts, Photos, YouTube, Tasks, or any other Google service. We do not request any sensitive or restricted scope. The OAuth consent screen presented to you by Google is the complete list of what we receive.
03How we use that data
We use the data above for one purpose only: to operate the Sign in with Google feature inside Arc Reader. Concretely:
| Data | Use |
|---|---|
Google account ID (sub) |
Recognise you on future sign-ins and link your library, progress, and subscription to the right account. |
| Email address | Identify your account, send transactional messages about it (sign-in alerts, account changes, support replies), and let you reach support from the right address. |
| Display name & profile picture | Show your name and avatar inside the app UI so you can confirm which account you are signed in to. We do not republish these anywhere. |
| Locale | Choose a sensible default app language on first sign-in. You can change it any time. |
That is the complete list. We do not derive new categories of data from it, and we do not feed it into anything other than the user-facing features described above.
04Limited Use commitment
Arc Reader’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. This means:
- We use Google user data only to provide or improve user-facing features that are prominent in the Arc Reader experience.
- We do not transfer Google user data to third parties except as necessary to provide or improve those features, or to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use Google user data for serving advertisements, including retargeted, personalised, or interest-based advertising.
- We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data has been aggregated and anonymised for internal operations.
05Sharing & transfer
The only third parties who handle the Google user data described above are infrastructure providers acting strictly on our instructions:
| Processor | Role | What they see |
|---|---|---|
| Supabase | Authentication and database for the Arc Reader account that the Google sign-in is attached to. | Your Google sub, email, display name, profile picture URL, and the library/progress rows attached to your account. |
| Cloudflare | CDN and DDoS protection in front of our authentication endpoints. | Request IP and metadata. Sign-in payloads are TLS-encrypted in transit. |
| RevenueCat | Subscription receipt validation. Receives only an opaque pseudonym derived from your Arc Reader account — not your Google email or profile. | Pseudonymous user ID, store receipt, subscription events. |
We do not sell, rent, or trade Google user data. We do not transfer it to advertising networks, data brokers, credit bureaus, AI training providers, or any party not listed above. If we ever need to change the list of processors, we will update this page first.
06How we protect it
- All traffic between your device, Google’s servers, and ours is encrypted with TLS 1.3.
- Google user data stored in our database is encrypted at rest.
- Access to the database is gated by row-level security — your row is readable only by your authenticated session.
- Only a small number of engineers can reach production data, on a least-privilege basis, with audit logging. No human reads your sign-in data routinely; access is reserved for security investigations or your own support requests.
- We rotate signing keys, monitor for anomalous sign-in patterns, and follow standard secure-development practice for our authentication code paths.
- If we ever become aware of a breach affecting Google user data, we will notify affected users and the relevant authorities within the timeframes required by law.
07Retention & deletion
We keep Google user data only for as long as your Arc Reader account exists.
| Item | Kept for |
|---|---|
| Google account ID, email, display name, picture URL | Until you delete your account or revoke access. |
| OAuth tokens (access & refresh) | Cached only as long as needed to keep your session alive; refresh tokens are revoked at the Google end on sign-out. |
| Sign-in event logs (timestamp, IP) | 30 days, then deleted or anonymised. |
When you delete your Arc Reader account — from Settings → Account → Delete account, via arcreaders.app/delete-account, or by emailing contacts.simplestudio@gmail.com — we delete the Google user data associated with your account within 30 days, except where retention is required by law (for example, billing receipts kept for tax purposes, which are stored separately and not used operationally).
08How to revoke access
You can disconnect Arc Reader from your Google account at any time, with or without deleting your Arc Reader account:
- Inside Arc Reader — Settings → Account → Sign out or Disconnect Google.
- From your Google account — visit myaccount.google.com/permissions, find Arc Reader, and choose Remove access. Google will revoke our tokens immediately.
Revoking access ends future data flow from Google to Arc Reader. It does not by itself delete the Arc Reader account that was linked — if you also want your account and any synced library removed, follow the deletion route above.
09What we never do
For clarity, and consistent with the Google API Services User Data Policy, Arc Reader does not use Google user data to:
- serve targeted, personalised, retargeted, or interest-based advertising of any kind;
- sell, rent, or share with data brokers or information resellers;
- determine creditworthiness or for any lending or underwriting purpose;
- train, fine-tune, or otherwise develop artificial-intelligence or machine-learning models, whether ours or a third party’s;
- build databases, profiles, or analytics products that are unrelated to operating Arc Reader as you experience it;
- allow human review of the data except as described in section 04.
These exclusions apply both to data we receive directly from Google and to anything derived from it.
10Changes
When we change this addendum in a way that materially affects how we treat Google user data, we will update the “Effective” date above and, where reasonably possible, notify signed-in users in-app or by email at least 14 days before the change applies. Prior versions are available from contacts.simplestudio@gmail.com on request.
11Contact
Questions, access requests, complaints related specifically to Google user data:
Arc Reader — Privacy · Not A Simple Studio
Email — contacts.simplestudio@gmail.com
Website — https://arcreaders.app/
Main privacy policy — arcreaders.app/privacy.html
Sign-in is a handshake, not a hand-over.