Privacy Policy
Last updated: April 16, 2026
This Privacy Policy explains how [Acta Legal Entity] ("[Company]", "we", "us") collects, uses, and protects information when you use the Acta platform ("Service"). We are committed to protecting your privacy and processing data in compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws.
1. Data controller
The data controller for information collected through the Acta website (acta.ink) and dashboard (app.acta.ink) is:
- [Acta Legal Entity]
- [Registered address]
- Email: privacy@acta.ink
- Data Protection Officer: dpo@acta.ink
2. What data we collect
2.1 Account data
When you create an account, we collect:
- Name, work email address, company name
- Password (stored as a salted hash — we never store plaintext passwords)
- Team size (selected during signup)
- Billing information (processed by Stripe — we do not store card details)
Legal basis: Performance of contract (Art. 6(1)(b) GDPR).
2.2 Usage metadata from the browser extension
The Acta Chrome extension sends the following metadata to our servers:
- Timestamps of AI tool interactions
- Which AI tool was used (e.g., ChatGPT, Claude, Gemini)
- Policy outcomes (allowed, blocked, redacted) and the reason
- PII detection results: entity types detected (e.g., "email", "health_data") and count — not the actual data
- Hashed user and session identifiers
- Token usage counts (for billing)
Legal basis: Performance of contract (Art. 6(1)(b)) and legitimate interest in providing the Service (Art. 6(1)(f)).
2.3 What we do NOT collect
We never receive, store, or process:
- The content of your AI prompts or conversations
- The actual personal data detected by the scanner (names, emails, health records, etc.)
- Screenshots, clipboard contents, or keystrokes
- Browsing activity on non-AI websites
All prompt scanning happens locally in your browser. The extension analyses text before it is sent to the AI provider. Detected PII is redacted or blocked locally — only the detection outcome (type and count) is reported to our servers.
2.4 Website analytics
We use Plausible Analytics on acta.ink. Plausible is a privacy-first, EU-hosted analytics service that does not use cookies, does not collect personal data, and does not track individual visitors. No consent banner is required.
2.5 Transactional emails
We use Resend to send transactional emails (signup confirmation, account notifications, billing receipts). Your email address is shared with Resend solely for email delivery. Resend's privacy policy applies to their processing.
3. How we use your data
We use collected data to:
- Provide and operate the Service (dashboard, reporting, billing)
- Generate compliance reports and audit logs for your organisation
- Calculate and bill token usage
- Send transactional communications (account, billing, security alerts)
- Improve the Service (aggregated, anonymised usage patterns only)
- Respond to support requests
We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. Sub-processors
We use the following sub-processors to deliver the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing, subscriptions, invoicing | EU (with US entity, EU SCCs in place) |
| Firebase / Google Cloud | Authentication, database (Firestore) | EU (europe-west1 / europe-west3) |
| Resend | Transactional email delivery | EU |
| Plausible Analytics | Website analytics (cookieless) | EU |
| Sentry | Error tracking and monitoring | EU |
| Cloudflare | DNS, CDN, DDoS protection | Global (EU data processing) |
We will notify you of changes to sub-processors at least 30 days before they take effect. A current list is maintained in our Data Processing Agreement.
5. Data storage and security
- Location: All customer data is stored in EU data centres (Firebase EU region, EU-hosted infrastructure).
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access control: Access to production systems is restricted to authorised personnel with multi-factor authentication.
- Audit logging: Acta's own audit log uses a tamper-evident hash chain (SHA-256) to ensure integrity.
6. Data retention
| Data type | Retention period |
|---|---|
| Account data | Duration of subscription + 30 days after cancellation |
| Usage metadata and audit logs | Configurable by Customer (default: 90 days). Maximum: 2 years. |
| Billing records | 7 years (legal requirement for tax/accounting) |
| Support correspondence | 2 years after ticket resolution |
| Website analytics | Aggregated, no personal data retained |
Upon account deletion, all associated data is permanently deleted within 30 days, except where retention is required by law.
7. Your rights
Under the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — restrict processing of your personal data in certain circumstances
- Portability — receive your data in a structured, machine-readable format (JSON export available in dashboard)
- Object — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent, withdraw at any time
To exercise any of these rights, contact us at privacy@acta.ink. We will respond within 30 days.
8. Cookies
acta.ink does not use cookies. We do not use tracking pixels, fingerprinting, or any other cross-site tracking technology. Plausible Analytics is cookieless by design.
The Acta dashboard (app.acta.ink) uses a session token stored in your browser's local storage for authentication. This is not a cookie and is not shared with any third party.
9. International transfers
We store and process all customer data within the EU. Where a sub-processor transfers data outside the EU (e.g., Stripe's US entity), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Children
The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to account holders at least 30 days before they take effect. The "last updated" date at the top reflects the most recent revision.
12. Supervisory authority
If you believe we have not handled your data in accordance with applicable law, you have the right to lodge a complaint with your local data protection authority. In Germany, this is the relevant state data protection authority (Landesdatenschutzbehörde).
13. Contact
For privacy-related questions or to exercise your rights:
Email: privacy@acta.ink
DPO: dpo@acta.ink
Post: [Acta Legal Entity], [Registered address]