Privacy Policy

How we collect, use, and protect your information

Last updated: March 26, 2026

01

Information We Collect

We collect information you provide directly to us.
By using our Services, you consent to the data practices described in this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

02

Definitions

"Personal information" or "personal data" means any information relating to an identified or identifiable individual, as defined under applicable data protection statutes including Japan's Act on the Protection of Personal Information (APPI), the EU General Data Protection Regulation (GDPR), the UK GDPR, Thailand's Personal Data Protection Act B.E. 2562 (2019) ("Thailand PDPA"), Vietnam's Decree No. 13/2023/ND-CP on Personal Data Protection ("Vietnam PDPD"), and equivalent laws.
"Processing" means any operation or set of operations performed on personal data, including collection, recording, storage, use, disclosure, erasure, or destruction.
"Services" means all Acua SaaS products, APIs, applications, and professional or BPO services provided by Acua.

03

Data Collection Methods

We collect information you provide directly to us, including:
  • Account registration, profiles, and billing information
  • Expense receipts, invoices, and payroll records submitted through our platform
  • Responses to surveys, forms, and customer support requests
  • Communications via email, phone, or live chat, including call recordings
We automatically collect certain information when you use our Services:
  • Log files, device identifiers, and IP addresses
  • Browser type, operating system, and usage statistics
  • Cookies, web beacons, and telemetry data
We may also receive information from third parties, including:
  • Credit-card networks and banking partners
  • Identity-verification vendors and analytics providers
  • Advertising networks, public sources, and social media platforms

04

Processing Purposes

We process your personal information for the following purposes:
  • Service delivery and account administration
  • Customer support and communications
  • Product improvement using aggregated or de-identified usage data
  • AI model training using customer content only where the applicable customer contract separately permits such use; by default, customer content is not used to train general-purpose AI models
  • Marketing communications and event invitations
  • Regulatory and contractual compliance, including KYC/AML, tax reporting, and sanctions screening
  • Security monitoring and incident prevention
  • Corporate transactions such as mergers or acquisitions
  • Other purposes with your consent or as otherwise permitted by law

05

Legal Bases (GDPR / UK GDPR)

For individuals in the European Economic Area (EEA) or the United Kingdom, our processing of personal data relies on one or more of the following legal bases:
  • Contract performance: processing is necessary to fulfil a contract with you or to take steps at your request prior to entering into a contract
  • Legal obligation: processing is necessary to comply with a legal or regulatory requirement
  • Legitimate interests: processing is necessary for our legitimate business interests, provided those interests are not overridden by your rights
  • Consent: where required by law, we will obtain your prior explicit consent before processing

06

Data Sharing

Acua does not sell your personal information. We may share your information with:
  • Service providers who assist us in operating our platform and delivering our services
  • Business partners with whom we offer co-branded or integrated services
  • Our affiliates and subsidiaries for the purposes described in this policy
  • Legal authorities where required by law, court order, or governmental regulation
  • Successors in connection with a merger, acquisition, or sale of assets
  • Other parties at your direction or with your consent
For a current list of the third-party subprocessors that process personal data on our behalf, please see our Subprocessors page.

07

International Transfers

Acua operates globally and may transfer your personal information to countries outside your home country. Where required by applicable law, we implement appropriate safeguards for such transfers, including:
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Intra-group data transfer agreements
  • Technical and organisational measures such as encryption, pseudonymisation, and access controls
Acua currently processes personal data in Japan, Thailand, and the United States, among other regions used by our subprocessors. Our live production application and primary database are hosted in Thailand; certain AI and document-processing services are hosted in the United States; and some storage and back-office processing takes place in Japan. A current breakdown of processing regions per subprocessor is available on our Subprocessors page.

08

Security Measures

We maintain an information security program aligned with ISO 27001 and SOC 2 standards. Our technical and organisational safeguards include:
  • Role-based access controls and multi-factor authentication (MFA)
  • Encryption of data in transit and at rest
  • Network segmentation and intrusion detection systems
  • Regular security assessments and penetration testing
While we take reasonable steps to protect your information, no security system is impenetrable. Where a personal data breach is likely to result in a risk to individuals, we will notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it (consistent with GDPR Article 33 and UK GDPR). Where the breach is likely to result in a high risk to individuals, we will also notify the affected individuals without undue delay, subject to applicable law. Notifications under APPI, Thailand PDPA, Vietnam PDPD, and other applicable regimes will be made within the timeframes and to the authorities required by those regimes.

09

Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal and tax requirements, or to resolve disputes. Once data is no longer needed, we securely delete or anonymise it in accordance with our data retention schedule.

10

Your Rights

Subject to applicable law, you may have the following rights regarding your personal information:
  • Access: request a copy of the personal information we hold about you
  • Correction: request that we correct inaccurate or incomplete data
  • Deletion: request that we delete your personal information under certain circumstances
  • Restriction: request that we restrict the processing of your information
  • Objection: object to our processing of your information based on legitimate interests
  • Portability: request that we transfer your data to another service provider
  • Withdrawal of consent: withdraw your consent at any time where processing is based on consent
To exercise any of these rights, please contact us at privacy@acua.ai. We may request identity verification before responding to your request.

11

Regional Provisions

This section supplements the rest of this Privacy Policy with jurisdiction-specific information. Where there is a conflict between this section and the rest of the Privacy Policy for a data subject located in a named jurisdiction, this section prevails for that data subject.
Japan (APPI). The data controller is Acua Inc. (Japan). For inquiries under the Act on the Protection of Personal Information, please contact privacy@acua.ai. Data subjects may lodge a complaint with the Personal Information Protection Commission (PPC) of Japan.
European Economic Area and United Kingdom (GDPR / UK GDPR). Data subjects in the EEA or UK have the rights of access, rectification, erasure, restriction, objection, portability, and withdrawal of consent described in this Privacy Policy. You also have the right to lodge a complaint with your local data protection supervisory authority.
Thailand (PDPA). Acua processes personal data of individuals in Thailand as a data controller or processor, as applicable, under the Personal Data Protection Act B.E. 2562 (2019). Data subjects in Thailand have rights of access, rectification, erasure, restriction of processing, objection, data portability, and withdrawal of consent, subject to the conditions in the PDPA. To exercise these rights or to raise a concern, contact privacy@acua.ai. You may also lodge a complaint with the Personal Data Protection Committee (PDPC) of Thailand.
Vietnam (PDPD). Acua processes personal data of individuals in Vietnam in accordance with Decree No. 13/2023/ND-CP on Personal Data Protection and related regulations. Data subjects in Vietnam have rights including consent, access, correction, deletion, restriction, objection, and withdrawal of consent, as provided by applicable law. To exercise these rights, contact privacy@acua.ai.
California (CCPA / CPRA). California residents have the rights to know, delete, correct, opt out of sale or sharing, and limit use of sensitive personal information, as described in the California Consumer Privacy Act as amended by the California Privacy Rights Act. Acua does not sell personal information. To exercise your rights, contact privacy@acua.ai.

12

Cookies & Tracking

We use cookies, pixel tags, and similar tracking technologies to operate and improve our website, remember your preferences, analyse traffic, and deliver relevant advertising. You can control cookie settings through your browser preferences. Disabling certain cookies may affect the functionality of our website.

13

Children's Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete it promptly.

14

Policy Updates

We may update this Privacy Policy from time to time. When we make changes, we will revise the "Last Updated" date at the top of this page. For material changes, we will provide a more prominent notice, such as an in-product notification or email, or obtain your renewed consent where required by law.

15

Contact Information

If you have questions or concerns about this Privacy Policy or our data practices, please contact our Privacy team:
Privacy team — Acua Inc.
MIEUX Shibuya Building 8F, 5-3 Maruyamachō, Shibuya-ku, Tokyo 150-0044, Japan
Privacy inquiries: privacy@acua.ai
General inquiries: contact@acua.ai
If you are located in the EU or UK, you also have the right to lodge a complaint with your local data protection supervisory authority. Additional jurisdiction-specific contact information is set out in the Regional Provisions section above.