Privacy Policy

Our policy regarding the protection of personal information

Last updated: January 8, 2025

01

Effective June 8, 2025

Acua Inc. ("Acua," "we," "our," or "the Company") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you:
  • •visit or interact with our corporate website (acua.ai) and any sub-domains;
  • •use any Acua products or services, including—but not limited to—our spend-management platform (corporate cards, expense, and accounts-payable automation), Acua Invoice Flow, payroll solutions, and AI-enabled BPO services;
  • •communicate or engage with us in marketing, sales, events, or support channels; or
  • •otherwise provide personal information to us.
    • Except where a separate product-specific notice is presented, this Policy applies company-wide.
    02

    1. Definitions

    Personal information / personal data: Information relating to an identified or identifiable natural person, as defined by applicable laws such as Japan's Act on the Protection of Personal Information ("APPI"), the EU/UK General Data Protection Regulation ("GDPR"), and other data-protection statutes.
    Processing: Any operation performed on personal data, whether or not by automated means.
    Services: All Acua SaaS products, APIs, mobile or desktop apps, and professional/BPO services.
    03

    2. How We Collect Personal Information

    Information you provide directly: Account-registration data, profile details, billing information, expense receipts, invoices, payroll records, survey responses, emails, help-desk tickets, call recordings.
    Automatically collected: Log files, device identifiers, IP address, browser type, usage statistics, cookies and similar technologies, in-app telemetry.
    From third parties: Credit-card networks, banking partners, identity-verification vendors, analytics providers, advertising networks, publicly available sources, social-media platforms (where permitted).
    04

    3. Purposes of Processing

    We process personal information only where lawful and for the purposes below:
    Service delivery & account administration (create and manage accounts, issue cards, process payments, automate invoices, run payroll, detect fraud).
    Customer support & communications (respond to inquiries, send service notices, conduct in-app or email updates).
    Product improvement & AI model training (debug, develop new features, refine AI/ML models, conduct analytics).
    Marketing & events (send newsletters or promotional materials, measure campaign effectiveness, invite you to webinars or surveys; you may opt out at any time).
    Regulatory & contractual compliance (KYC/AML checks, tax and accounting obligations, sanctions screening).
    Security & incident prevention (monitor, investigate, and mitigate suspicious or malicious activity).
    Corporate transactions (mergers, acquisitions, financing, or asset transfers).
    Other purposes with your consent or as otherwise permitted by law.
    05

    4. Legal Bases (GDPR / UK GDPR)

    Where the GDPR applies, our processing relies on one or more of these grounds:
  • •Performance of a contract (Art. 6 (1)(b))
  • •Compliance with a legal obligation (Art. 6 (1)(c))
  • •Legitimate interests (Art. 6 (1)(f)), e.g., to secure our Services or improve user experience—balanced against your rights and freedoms
  • •Consent (Art. 6 (1)(a)) for certain marketing, cookies, or optional data you choose to provide
    • 06

    5. Sharing & Disclosure

    We do not sell personal information, but we may share it with:
    Service providers & subprocessors: Cloud hosting, payment processors, KYC vendors, customer-support platforms—bound by contractual confidentiality and security obligations.
    Business partners: Card networks, banking partners, integrations you authorize.
    Affiliates & subsidiaries: For internal administration and centralized service provisioning.
    Legal or governmental authorities: When required by law, court order, or to protect rights, safety, or property.
    Successors: In connection with mergers, acquisitions, or corporate restructuring.
    Others with your direction or consent: e.g., when you link a third-party accounting tool.
    07

    6. International Transfers

    Acua is headquartered in Japan and operates globally. Where personal data is transferred outside the country of origin, we implement appropriate safeguards such as:
  • •Standard Contractual Clauses approved by the European Commission,
  • •intra-group data-transfer agreements, and
  • •additional technical and organizational measures (encryption, access controls).
    • 08

    7. Security Measures

    We maintain an information-security program aligned with industry standards (ISO 27001 / SOC 2). Measures include:
  • •Role-based access controls, multi-factor authentication
  • •Encryption in transit and at rest for sensitive data
  • •Network segmentation, intrusion detection, and continuous monitoring
  • •Regular vulnerability assessments, penetration testing, and staff training
    • 09

    8. Data Retention

    We keep personal information only as long as necessary to:
  • •fulfill the purposes described in Section 3,
  • •comply with legal, tax, and accounting requirements, or
  • •resolve disputes and enforce agreements.
    • After those periods, data is securely deleted or anonymized.
    10

    9. Your Rights

    Subject to applicable law, you may:
  • •Access the personal data we hold about you
  • •Correct inaccurate or incomplete data
  • •Delete / erase data in specific circumstances
  • •Restrict or object to certain processing
  • •Data portability (receive data in a machine-readable format)
  • •Withdraw consent at any time (without affecting prior lawful processing)
    • To exercise these rights, email us at contact@acua.ai. We may need to verify your identity before proceeding.
    11

    10. Cookies & Tracking Technologies

    We use cookies, pixel tags, and similar tools to operate our website, remember preferences, analyze traffic, and deliver advertising. You can control cookies through your browser settings or, where required, through our cookie-consent banner.
    12

    11. Children's Privacy

    Our Services are not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have done so, please contact us; we will delete the data promptly.
    13

    12. Updates to This Policy

    We may revise this Policy periodically. Any changes will be posted on this page with an updated "Effective" date. If a revision materially affects your rights, we will provide prominent notice or seek your consent where required.
    14

    13. Contact Us

    Data Protection Office – Acua Inc.
    MIEUX Shibuya Building 8F, 5-3 MaruyamachĹŤ, Shibuya-ku, Tokyo 150-0044, Japan
    E-mail: contact@acua.ai
    For EU/UK residents, you may also lodge a complaint with your local data-protection authority.