Privacy Notice

2.1 Data you provide

• Account and profile data: name, work email address, job title, organisation, department/team (if provided), and user preferences.
• Authentication data: login credentials (stored as hashed passwords where applicable), single sign-on identifiers or tokens where you sign in via Microsoft or Google, multi-factor authentication factors (if enabled), and account recovery information.
• Billing and subscription data: billing contact details, billing address, subscription plan, invoices, payments and transaction records (payment card details are processed by our payment provider, not stored by Acompli).
• Support and communications: information you provide when you contact us (support tickets, demos, feedback, email correspondence, and related attachments).
• Customer Content (processor data): data entered or uploaded into the platform by you or your organisation, including DPIA content, risks, tasks, ROPA entries, third-party risk assessments, policies, evidence documents, diagrams, and metadata linked to those records.

2.2 Data we collect automatically

• Usage data: feature usage, page views, clicks, workflow stage changes, timestamps, and interactions within the platform.
• Technical and device data: IP address, browser type/version, device identifiers, operating system, language settings, approximate location derived from IP (country/region), and application diagnostics.
• Security and audit logs: login events, session activity, administrative actions, access to records, and system events used to maintain platform security, integrity, and auditability.

2.3 Special category data

Acompli does not require special category data to provide the platform. However, Customer Content may include special category data if a customer chooses to include it (for example, within a DPIA). Where Acompli processes such data within Customer Content, it does so as processor on the customer's documented instructions and subject to the customer's configured access controls.

We process personal data for the following purposes:

• Platform delivery and operations: to provide, maintain, secure, and improve the platform and its modules.
• Account administration: user provisioning, authentication, access control, role management, and user support.
• Billing and subscription management: invoicing, payment administration, fraud prevention, and accounting.
• Customer support and service communications: responding to enquiries, troubleshooting, and sending transactional messages (verification, password reset, security notifications, and service updates).
• AI-powered features (where enabled): drafting assistance, response enhancement, entity extraction, risk identification, summarisation, and report generation.
• Analytics and product improvement: understanding platform usage and performance, diagnosing issues, and improving user experience.
• Security and abuse prevention: monitoring, logging, access control enforcement, vulnerability management, and incident response.
• Legal and compliance: meeting legal obligations and enforcing our agreements.

Acompli provides optional AI-enabled features. When you (or your organisation) use these features, relevant inputs (which may include extracts of Customer Content) may be processed by our AI service providers, which may include OpenAI (and/or equivalent enterprise AI providers, depending on configuration).

Acompli's approach is privacy-centric:

• No model training by Acompli on Customer Content. We do not use Customer Content to train our own general-purpose models.
• Provider training controls. Where we use OpenAI's business offerings (for example, via API), those services state that customer business data is not used to train models by default unless explicitly opted in.
• Minimisation. We design AI features to send only the information needed to perform the requested task.
• Access controls. Acompli personnel do not routinely access Customer Content. Access is restricted and permitted only where necessary for support, security, or legal reasons, and typically only with customer authorisation and appropriate controls.

Where Acompli acts as controller, we rely on the following legal bases (as applicable):

• Contract: to provide the platform and related services to customers and authorised users.
• Legitimate interests: to operate our business, secure the platform, prevent fraud/abuse, and improve services (balanced against individual rights).
• Consent: where we ask you to opt in to optional processing (for example, certain marketing communications or non-essential cookies).
• Legal obligation: to comply with applicable laws (for example, tax, accounting, and regulatory requirements).

Where Acompli acts as processor, the customer organisation determines the lawful basis for the processing of Customer Content.

We do not sell personal data.

We may share personal data with:

• Service providers and sub-processors supporting hosting, infrastructure, monitoring, customer support tooling, email delivery, analytics, and AI processing (where enabled), bound by contractual confidentiality and security obligations.
• Payment providers to process subscription payments (Acompli does not store full card details).
• Professional advisers (lawyers, auditors, insurers) where necessary for advice and compliance.
• Authorities and regulators where required by law or to protect rights, safety, and security.
• Corporate transactions (restructuring, merger, acquisition, sale) where permitted by law, with appropriate safeguards.

Personal data may be processed in the EEA/UK and, depending on customer configuration and sub-processors used (including AI processing), may be processed in other jurisdictions (which can include the United States).

Where international transfers occur, we use appropriate safeguards, such as adequacy decisions and/or Standard Contractual Clauses with supplementary measures where required.

We implement technical and organisational measures designed to protect personal data, including:

• encryption in transit and, where applicable, at rest;
• role-based access controls and least-privilege permissions;
• audit logging and monitoring;
• tenant and organisational segregation controls; and
• secure development practices and vulnerability management.

We retain personal data only for as long as needed for the purposes described above, unless a longer retention period is required by law.

Typical retention (which may vary by customer configuration and contractual terms):

• Account and profile data: for the duration of the account and a reasonable period thereafter for reactivation, support, and legal purposes.
• Customer Content: retained in accordance with the customer's subscription and configuration. Deleted items may remain recoverable for a limited period (for example, backup/restore windows), subject to platform settings.
• Billing records: typically retained for 7 years to meet tax and accounting obligations.
• Security and audit logs: retained for up to 12 months (or longer where required for investigations or compliance).
• Sales and support communications: typically retained for up to 2 years, or longer where they form part of an active customer relationship or are required for legal reasons.

Where Acompli acts as controller, you may have rights to access, rectification, erasure, restriction, objection, portability (where applicable), and withdrawal of consent (where processing is based on consent).

Where Acompli acts as processor for Customer Content, requests should generally be directed to the customer organisation that controls the content, though Acompli can assist the customer where appropriate.

To exercise rights, contact: privacy@acompli.ie.

We use cookies and similar technologies for essential functionality (for example, authentication and session management). Where optional analytics or marketing cookies are used, we provide choices via our cookie controls.

For more information, see our Cookie Policy.

You may lodge a complaint with your local supervisory authority. Key contacts include:

Ireland – Data Protection Commission (DPC)

Website: dataprotection.ie
Email: info@dataprotection.ie
Telephone: (01) 765 0100 or 1800 437 437
Postal address: 6 Pembroke Row, Dublin 2, D02 X963, Ireland

United Kingdom – Information Commissioner's Office (ICO)

Website: ico.org.uk
Telephone: 0303 123 1113
Postal address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

We may update this notice from time to time. Where changes are material, we will notify customers and/or users through the platform and/or by email. Continued use of the platform after an update means the updated notice applies.