Privacy Policy

Effective Date: May 1, 2026  |  Last Updated: May 1, 2026

Arcform Musical Instruments, LLP (“Arcform,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, share, and protect personal information when you visit arcformguitars.com, create an Arcform account, register or transfer an Arcform instrument, use the BE Authentic™ verification platform on or through our Services, participate in The BE Hive™ marketplace, or otherwise interact with us (collectively, the “Services”).

Arcform was built around a simple principle: an instrument should carry its own story without becoming a tracking device for the person playing it. We have designed our verification technology to prove what you choose to record — and nothing more. This Policy reflects that commitment.

By using the Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services.

1. Who We Are and How to Reach Us

Arcform Musical Instruments, LLP is a Colorado limited liability partnership that designs and manufactures musical instruments and operates the Arcform Archive, Arcform Studio, and The BE Hive marketplace under the BE Authentic™ verification platform. Our intellectual property is held by Vector Normal, Ltd., a Colorado entity, and licensed to Arcform.

For privacy questions, requests, or complaints, contact us at:

  • Email: privacy@arcformguitars.com
  • Mail: Arcform Musical Instruments, LLP — Attn: Privacy, 3451 South Lafayette St, Englewood, CO 80113, USA

2. Scope of This Policy

This Policy applies to personal information processed by Arcform in connection with the Services. It covers data collected through:

  • The arcformguitars.com website and any subdomains we operate;
  • Arcform mobile applications and web applications, including any companion application that uses BE Authentic to verify Arcform instruments;
  • NFC verification taps performed on Arcform instruments;
  • Account registration, instrument claiming, instrument transfer, lending, practice tracking, recording certification, household and band features, The BE Hive marketplace, and customer support;
  • Email, SMS, push notifications, and other communications you receive from us; and
  • Events, demonstrations, and other in-person interactions where you provide information to us.

BE Authentic operates as a horizontal trust and verification layer used by Arcform and may, in the future, be used by other licensees on separate platforms. To the extent BE Authentic is used outside Arcform, that use is governed by the applicable BE Authentic platform privacy notice and the licensee’s own privacy policy.

3. Information We Collect

We collect three categories of information: information you provide, information generated through your use of the Services, and information we receive from third parties.

3.1 Information You Provide

  • Account information. Email address, password (stored as a salted hash), display name, and any optional profile details you choose to add (avatar, biography, city, state, country, phone number).
  • Identity verification information. Where you choose a higher identity-verification level (for example, to facilitate marketplace transactions or to elevate the trust signal on your provenance entries), we may collect government-issued identifiers, address verification information, or similar data through a vetted identity-verification provider.
  • Instrument information. Serial numbers, instrument names you assign, photos, written stories or notes, condition descriptions, maintenance records, and any other content you associate with an instrument in the Arcform Archive.
  • Marketplace information. Listing details, asking and offer prices, condition and shipping information, shipping and return addresses, messages exchanged with other users, reviews you write or receive, dispute submissions, and tracking numbers.
  • Payment information. Payment card or bank account details are collected and processed by our payment processors (currently Stripe, Inc.) and our marketplace escrow provider (currently Escrow.com). Arcform does not store full card numbers. We receive limited transaction metadata such as the last four digits, card brand, payment status, and processor identifiers.
  • Household, band, and lending information. If you create or join a household, band, or lending arrangement, we collect membership details, role assignments, and shared-instrument designations you choose.
  • Communications. Information you submit through contact forms, support tickets, surveys, event sign-ups, or correspondence with us.
  • User-attested metadata. Notes, descriptions, location names, occasion descriptions, or other context you choose to associate with verified interaction events (“Moments”). These are recorded as user-provided information and are not independently verified by us.

3.2 Information Generated by Your Use of the Services (BE Authentic Verification Data)

When you tap your phone or another NFC-enabled device against an Arcform instrument, the cryptographic authentication module embedded in the instrument generates a small data packet that includes:

  • A unique identifier (UID) for that specific instrument’s authentication module;
  • A monotonically increasing counter value; and
  • A cryptographic signature (CMAC) computed over the UID and counter.

When this packet reaches our verification server (in combination with your authenticated session), we record a verified interaction event consisting of: the instrument’s UID, the counter value, the timestamp the event was received, your authenticated user identifier, and any user-attested metadata you choose to add.

Across many interactions, these events accumulate into a provenance record for the instrument and a personal interaction history for you.

In addition, our systems may automatically collect:

  • Practice and session data. Session start and end times, duration, exercises completed, streak counts, points and badges earned, and (if you opt in to recording) audio you choose to capture during a session.
  • Device and technical information. Device type, operating system and version, browser type, IP address (used for fraud prevention, regional language and content selection, and security; not used to map your physical movements), approximate region derived from IP, app version, crash logs, and diagnostic information.
  • Usage data. Pages viewed, features used, links clicked, search queries within the Services, referral source, and timestamps of activity.
  • Cookies and similar technologies. See Section 11 (Cookies and Tracking Technologies).

What BE Authentic does not collect: BE Authentic does not use GPS, does not perform passive or ambient scanning, and does not include any battery or always-on radio. The cryptographic module is dormant until you intentionally tap it, in the same way an EMV credit card chip is dormant until presented to a reader. We do not collect continuous location, do not log your physical movements between taps, and do not infer patterns of life from interaction events.

What BE Authentic Is What BE Authentic Is Not
A certificate of authenticity inside the instrument A tracking device
Activated only when you tap Always-on monitoring
Proof of what is yours and what you have done Surveillance of where you have been
Your story, recorded under your control Data collection without your consent

3.3 Information We Receive from Third Parties

  • Payment processors and escrow providers (Stripe, Escrow.com) provide us with confirmation of payment, refund, chargeback, payout status, and limited identifying information necessary to reconcile transactions.
  • Identity verification providers provide pass/fail or scored results, and limited verified attributes (for example, name match, age over 18, jurisdiction).
  • Shipping carriers provide tracking events for marketplace shipments.
  • Authentication providers. If you sign in using a third-party identity provider, we receive the identifiers and basic profile information that provider sends, subject to your settings with that provider.
  • Service providers and analytics. Our hosting, analytics, customer support, email-delivery, and push-notification providers share aggregated and event-level data necessary to operate the Services.

4. How We Use Your Information

We use personal information to:

  • Provide, maintain, and improve the Services, including processing instrument registration, ownership transfers, lending, practice tracking, marketplace listings and transactions, household and band features, and customer support;
  • Operate the BE Authentic verification system, including validating cryptographic signatures, validating counter sequences, recording verified interaction events, and maintaining provenance records;
  • Authenticate you, secure your account, and detect, prevent, and respond to fraud, abuse, theft, and other prohibited activity;
  • Calculate points, levels, badges, streaks, and other gamification features;
  • Process payments, payouts, escrow, refunds, and disputes;
  • Communicate with you about your account, your instruments, marketplace activity, security, product updates, and (with your consent where required) marketing;
  • Personalize the Services, including non-sensitive content selection and recommendations;
  • Conduct research, perform analytics on aggregated and de-identified data, and develop new features and products;
  • Comply with legal obligations, enforce our Terms of Service, and protect our rights, your rights, and the rights of others; and
  • With your express, per-request consent, share or generate verified credentials about your physical experience with instruments to third parties such as employers, educators, or insurers (see Section 5).

5. How We Share Information

We share personal information only as described below.

5.1 With Other Users

Certain features are inherently social and require sharing of information with other users:

  • Public profile information you choose to make visible (display name, avatar, member since, level, badges, marketplace rating);
  • Marketplace listings, including listing photos, condition descriptions, ship-from city/state, and seller rating;
  • Messages you send through marketplace messaging or band/household features;
  • Provenance entries on instruments you have owned or interacted with, which become part of that instrument’s history and remain visible to subsequent owners (you control whether your real name or only your display name appears, in accordance with your settings);
  • Reviews you write or receive.

You can adjust visibility for many of these elements in your account settings (for example, leaderboard visibility may be set to public, semi-private, or private).

5.2 With Service Providers

We share personal information with vendors that perform services on our behalf, including hosting, infrastructure, payment processing, escrow, identity verification, shipping, customer support, email delivery, push-notification delivery, analytics, security and fraud prevention, and data backup. These vendors are bound by contractual obligations to use personal information only as necessary to provide their services to us.

5.3 With Your Consent (Verified Credentials)

BE Authentic supports user-authorized verification of your physical experience with instruments to third parties such as employers, educators, and insurers. We will not release credential data to a third party without your affirmative, per-request consent. We log all third-party verification requests in an audit trail accessible to you, and you can revoke third-party access to credential data at any time.

5.4 With Affiliates and Licensees

We may share information with our affiliated entities (including Vector Normal, Ltd. for IP, security, and infrastructure purposes) and with BE Authentic licensees only as necessary to operate the platform. Licensees are contractually required to honor BE Authentic’s privacy-by-design principles described in this Policy.

5.5 In Business Transactions

If Arcform is involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of all or part of our assets, or similar transaction, personal information may be transferred as part of that transaction, subject to commercially reasonable efforts to ensure the recipient honors this Policy or provides equivalent protections.

5.6 For Legal and Safety Reasons

We may disclose personal information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or enforceable governmental request; (b) enforce our agreements; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Arcform, our users, or the public.

5.7 What We Do Not Do

We do not sell your personal information for monetary consideration. We do not use BE Authentic data to enable any party (including ourselves, advertisers, defense or law-enforcement entities, or any commercial partner) to perform retroactive surveillance — that is, we do not provide a mechanism to answer the question “show me everywhere a person has been.” Our system is designed to support forward verification only: “was this person here, for this specific interaction.”

We do not engage in cross-context behavioral advertising and we do not share your personal information with third parties for their own independent advertising or profiling purposes.

6. Your Privacy Rights and Choices

6.1 Account Controls

You can review, update, or delete much of your information directly through your account settings, including profile fields, notification preferences, leaderboard visibility, and instrument metadata you have authored.

6.2 Statutory Rights (Subject to Applicable Law)

Depending on where you live, you may have some or all of the following rights with respect to your personal information:

  • Right to know / access. Request confirmation of whether we process your personal information and a copy of that information.
  • Right to correct. Request correction of inaccurate personal information.
  • Right to delete. Request deletion of personal information, subject to legal exceptions (for example, completed transactions, anti-fraud requirements, and the integrity of provenance records associated with instruments you no longer own).
  • Right to portability. Request a copy of personal information you provided to us in a structured, commonly used, machine-readable format.
  • Right to opt out. Opt out of “sale” or “sharing” of personal information, targeted advertising, and certain profiling, where applicable. As described in Section 5.7, we do not sell personal information or engage in cross-context behavioral advertising.
  • Right to restrict or object to processing. Request restriction of, or object to, certain processing under the EU/UK GDPR or similar laws.
  • Right to withdraw consent. Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to non-discrimination. Receive equal service and pricing even if you exercise your privacy rights.
  • Right to lodge a complaint. Residents of the EU/UK and certain other jurisdictions may lodge a complaint with their supervisory authority. Colorado residents may contact the Colorado Attorney General. California residents may contact the California Privacy Protection Agency.

6.3 How to Exercise Your Rights

Submit requests to privacy@arcformguitars.com from the email address associated with your account, or through the in-app privacy controls. We will verify your identity using account-based authentication, and where necessary, additional verification proportionate to the sensitivity of the request. You may use an authorized agent where permitted by law; we will require written proof of authorization.

We will respond within the time period required by applicable law (typically 45 days under U.S. state laws, with one extension where reasonably necessary; one month under the GDPR, with extensions where permitted).

6.4 Limits Specific to Provenance

Provenance records are designed to be cumulative and durable so that future owners can rely on them. If you delete your Arcform account, we will remove or de-identify your personal account information; however, the verified interaction events you contributed during your ownership of an instrument may remain associated with that instrument as part of its provenance record (for example, as “Previous Owner” rather than your name), unless retention of identifying details is required by law or by the legitimate interests of subsequent owners and we balance those interests in your favor on request. We will explain the result of any specific deletion request when we respond to it.

7. Data Retention

We retain personal information for as long as needed to provide the Services and for the additional periods required by our legal, accounting, dispute-resolution, fraud-prevention, and provenance-integrity needs. Examples:

  • NFC verification events: retained for at least two years in primary storage and archived for the life of the instrument as part of its provenance record.
  • Practice sessions and recordings: session metadata is retained as part of your skill credential history; practice audio recordings are retained for one year by default and may be archived or deleted thereafter, subject to your deletion requests.
  • Marketplace transactions, transfers, points and rewards transactions: retained as long as legally and operationally necessary for tax, accounting, dispute-handling, and reward-program-integrity purposes.
  • Marketplace messages: retained for at least two years in primary storage, then archived.
  • Account information: retained for as long as your account is active, then deleted or de-identified within a commercially reasonable period after deletion, subject to legal-hold and provenance-record requirements.
  • Backup copies: retained for a limited period beyond active deletion to maintain disaster-recovery integrity.

8. Children’s Privacy

The Services are not directed to children under the age of 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from children under that age without verifiable parental consent.

Arcform supports household accounts that may include minors at the discretion of the household’s primary account holder. Where a minor uses a household account, the primary account holder is responsible for the minor’s use of the Services and represents that they have the authority to consent to our collection and use of the minor’s personal information for the household’s purposes. We provide reduced-data settings for household members designated as minors.

If you believe a child has provided personal information to us without proper consent, please contact privacy@arcformguitars.com and we will take appropriate steps to delete it.

9. International Users and Data Transfers

Arcform is based in the United States and processes personal information primarily in the United States. If you access the Services from outside the United States, your personal information may be transferred to and processed in the United States and other countries with data-protection laws different from those of your country.

Where we transfer personal information out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards permitted by applicable law (for example, the European Commission’s Standard Contractual Clauses and the UK Addendum). You may request a copy of the safeguards by writing to privacy@arcformguitars.com.

10. Security

We use administrative, technical, and physical safeguards designed to protect personal information, including:

  • Encryption in transit (TLS 1.2 or higher) for communication between your device, the Arcform mobile app, and our servers;
  • Encryption at rest for sensitive data;
  • Salted password hashing using industry-standard algorithms;
  • Cryptographic verification (CMAC) of every NFC interaction event, with monotonic counter checks to prevent replay or fabrication;
  • Hardware-backed key storage on supported mobile devices (Apple Secure Enclave, Android Keystore) for credentials such as refresh tokens;
  • On-device biometric authentication (for example, Face ID, Touch ID, fingerprint) used only locally to unlock cached credentials — your biometric data never leaves your device and is not stored or transmitted to Arcform;
  • Role-based access controls, least-privilege practices, and audit logging on production systems;
  • Separation of payment-card data through PCI-compliant processors so that we do not store full payment card numbers.

No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you and applicable authorities as required by law.

11. Cookies and Tracking Technologies

We use cookies, web storage, software development kits in our mobile apps, and similar technologies to operate the Services and remember your preferences. We use:

  • Strictly necessary cookies for authentication, session management, security, fraud prevention, and load balancing. These cannot be disabled through our cookie controls.
  • Functional cookies to remember settings such as language, theme, and notification preferences.
  • Analytics cookies to understand how the Services are used in aggregate. We configure analytics providers to use IP-address truncation and to disable cross-site tracking where the provider supports it.

We do not use cookies for cross-context behavioral advertising or for selling personal information. You can control cookies through your browser settings and through any cookie preference center we offer in the Services. Browser “Do Not Track” signals and Global Privacy Control (GPC) signals are honored to the extent required by applicable law; we treat a GPC signal as an opt-out of “sale” and “sharing” of personal information for users in jurisdictions where that signal carries that legal effect.

12. Notices for Specific Jurisdictions

12.1 California Residents (CCPA/CPRA)

Categories of personal information we collect, the sources, business purposes, and categories of recipients are described in Sections 3 through 5. We do not knowingly sell or share personal information of consumers under the age of 16. California residents have the rights described in Section 6 and may designate an authorized agent. To exercise rights, contact privacy@arcformguitars.com or use the in-app privacy controls. We will not discriminate against you for exercising your rights.

12.2 Colorado Residents (CPA)

Colorado residents have the rights to access, correct, delete, port, and opt out of targeted advertising, sale, and certain profiling, as described in Section 6. You may appeal a refusal of a privacy request by replying to our response or writing to privacy@arcformguitars.com. If you remain dissatisfied, you may contact the Colorado Attorney General.

12.3 Other U.S. State Residents

Residents of Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have rights similar to those described above, subject to each state’s requirements and exceptions.

12.4 EEA, UK, and Switzerland Residents (GDPR)

Where the GDPR applies, Arcform acts as the controller of your personal information unless otherwise specified. Our legal bases for processing are: (a) performance of a contract with you; (b) compliance with legal obligations; (c) our legitimate interests in operating, securing, improving, and marketing the Services in a manner consistent with your reasonable expectations; and (d) your consent, where required (for example, for certain marketing communications and for any release of credential data to third parties). You may object to processing based on legitimate interests, withdraw consent at any time, and lodge a complaint with your supervisory authority.

13. Third-Party Links and Services

The Services may contain links to third-party websites and services, and may incorporate features provided by third parties (such as payment, escrow, shipping, identity verification, and authentication providers). This Policy does not govern those third parties. We encourage you to review their privacy policies before providing them with personal information.

14. Automated Decision-Making and AI Features

Some Arcform features use machine-learning or AI components, including a future on-device LLM in our companion application that helps you interpret your own interaction history and instrument data. Where these features run on your device, your inputs and intermediate results are not transmitted to our servers; only the outputs you choose to save are recorded against your account.

Where AI is used to assess your skill level for credentialing purposes, the resulting assessment is treated as user-attested or AI-assessed metadata (clearly distinguished from cryptographically verified metrics in your User Skill Credential). You may request human review of any AI-generated assessment that produces a legal or similarly significant effect.

15. BE Authentic Architectural Commitments

Several privacy commitments are designed into the BE Authentic protocol itself, not just into our policies. These include:

  • User-initiated only. Verification requires a deliberate physical tap. The cryptographic module is dormant and cannot be passively scanned.
  • Data sovereignty. You can view, export, and delete your interaction history through standard account controls.
  • No retroactive surveillance. Our database structure is designed to answer “was this user present at this interaction?” and is not designed to answer “where has this user been?”
  • Minimization by design. We capture the minimum data necessary to prove an interaction. We do not perform metadata harvesting, behavioral analytics for surveillance purposes, or pattern-of-life inference.
  • Auditable implementation. As we publish portions of the BE Authentic protocol specification, the privacy architecture becomes externally inspectable.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The “Last Updated” date at the top reflects the most recent revision. If we make material changes, we will notify you by email, in-app notice, or other reasonable means before the change takes effect. Your continued use of the Services after the effective date of an updated Policy constitutes acceptance of the updated Policy.

17. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact:

Arcform Musical Instruments, LLP
Attn: Privacy
Email: privacy@arcformguitars.com
Mailing address: 3451 South Lafayette St, Englewood, CO 80113, USA

Shopping Cart