Privacy Policy

Effective Date: January 10, 2025

1. Introduction

Welcome to Acto! Your privacy is our priority. This Policy explains how we process your personal data when using Acto (website, applications, products). By using Acto, you agree to this Policy. Capitalized terms are defined in our Terms of Use.

As we continuously strive to enhance Acto, we may need to update this Privacy Policy periodically. When we make such changes, we will notify you through our website, email communication, or other suitable means. If you have chosen not to receive legal notice emails from us (or have not provided your email address), please note that these legal notices still apply to your use of Acto, and you are responsible for reviewing and understanding them. If you continue to use Acto after any changes to the Privacy Policy have been posted, you agree to accept all modifications.

What this Policy is about

This Privacy Policy addresses how we handle Personal Data collected when you access or use Acto. "Personal Data" refers to any information that identifies or pertains to a specific individual, including data referred to as "personally identifiable information" or "personal information" under applicable data privacy laws, rules, or regulations. Please note that this Privacy Policy does not cover the practices of companies we do not own or control or individuals we do not manage.

2. Categories of Data Collected

Categories of Personal Data We Collect

The following chart outlines the categories of Personal Data that we collect, both currently and over the preceding 12 months:

| Category | Examples | Third-Party Recipients |
|---|---|---|
| Profile Data | Name, email, profile photo, password | Service Providers (AWS), Analytics Partners (Google Analytics) |
| Web Analytics | Web page interactions | Service Providers, Analytics Partners (Google Analytics) |
| Payment Data | Card type, billing address | Payment Processor |
| Technical Data | IP address, device type, browser, URL clickstream | Hosting Providers |
| Google Calendar Data | Event name, date, time (integration only) | Not shared with third parties, except for technical integration (Google Cloud API) |
| Geolocation | IP-based location | Service Providers, Analytics Partners (Google Analytics) |

3. Data Sources

At Acto, we collect Personal Data from various sources, including:

- From you: During registration, service use, form submissions, emails.

- Automatically: Via cookies (see Cookie Policy), device metadata.

- Third parties:

  - Vendors

  - Social networks (when connected)

  - Analytics partners

By uploading third-party data (employees), you guarantee:

- Legal grounds for processing

- A commitment to having a lawful basis for providing employee data

- Data accuracy

4. Processing Purposes

At Acto, we collect and disclose Personal Data for various commercial or business purposes, including:

Providing, customizing, and promoting Acto:

- Creating and managing user accounts and profiles

- Processing orders, transactions, and billing

- Delivering requested products, services, or information

- Addressing user support and assistance requests related to Acto

- Enhancing Acto through testing, research, internal analytics, and product development

- Personalizing Acto, website content, and communications based on user preferences

- Ensuring fraud protection, security, and debugging

- Integrations (Google Calendar)

- Marketing and offering Acto's services

- Fulfilling other business purposes disclosed at the time of data collection or as required by applicable data privacy laws, such as EU GDPR (Data Protection Act), CCPA (California Consumer Privacy Act), CPRA (California Privacy Rights Act of 2020)

Communication with Users:

- Responding to user inquiries and messages

- Contacting users when necessary or upon request

- Sending information and updates related to Acto

- Sending emails and communications based on user preferences or content that aligns with user interests

Compliance with Legal Requirements and Enforcement of Legal Terms:

- Meeting our legal obligations as mandated by applicable laws, regulations, court orders, or legal processes, including the prevention, detection, and investigation of security incidents and potential illegal or prohibited activities

- Safeguarding the rights, property, or safety of users, Acto, or other parties

- Enforcing agreements with users

- Responding to claims of content violations or third-party rights infringement

- Resolving disputes

We will not collect additional categories of Personal Data or use the collected Personal Data for materially different, unrelated, or incompatible purposes without providing notice to users.

5. Security Measures

We implement:

- Data encryption (AES-256);

- Multi-factor authentication;

- Daily backups;

- Annual penetration testing;

- Infrastructure certifications (ISO 27001).

Data is stored in secured AWS centers (EU/US).

6. Data Sharing

How We Share Your Personal Data at Acto

Acto may disclose your Personal Data to various categories of service providers and other parties as outlined in this section. Depending on applicable laws, some of these disclosures may be considered a "sale" of Personal Data. For more details, please refer to the state-specific sections below.

Service Providers

These parties assist us in offering Acto and performing essential business functions, including:

- Hosting, technology, and communication providers

- Analytics providers

- Product fulfillment and delivery providers

- Payment processors

- International transfers: For EU users, we use Standard Contractual Clauses (SCCs).

Information may also be provided to law enforcement and other public bodies where such disclosure is mandatory and upon proper request, and the Service Provider shall immediately notify the User where permitted by law.

Parties Authorized, Accessed, or Authenticated by You

- Third parties you engage with or access through Acto. For example, when you join an Acto organization or forum and subsequently share your Personal Data with other members or administrators of that organization or forum.

- Social media services.

Google Applications

In addition to the standard privacy practices outlined above, please note the following restrictions when providing access to Google user data to Acto:

Google Calendar Data Restrictions:

- Accessed solely for integration functionality

- Shared only with subprocessors essential for API operations (e.g., cloud infrastructure providers)

- Never used for advertising profiling

- Human access permitted only for:

  (i) Security incident investigation

  (ii) Compliance with legal obligations

  (iii) Internal operations (aggregated/anonymized)

Legal Obligations

Acto may share any collected Personal Data with third parties in alignment with the activities described under "Compliance with Legal Requirements and Enforcement of Legal Terms" in the "Processing Purposes" section above. Additionally, if you share Personal Data through an Acto organization, that organization may be allowed to share your Personal Data according to their litigation discovery policies.

Business Transfers

In the event of a merger, acquisition, bankruptcy, or other business transaction in which a third party assumes control of Acto (in whole or in part), all collected Personal Data may be transferred to that third party. We will make reasonable efforts to notify you before your data becomes subject to different privacy and security policies and practices in such instances.

Non-Personal Data

Acto may create aggregated, de-identified, or anonymized data from the Personal Data collected. This process involves removing information that identifies a specific user. Such aggregated, de-identified, or anonymized data may be used for lawful business purposes, including analysis, improvement of Acto, and business promotion. However, we will not share such data in a manner that could personally identify you.

7. Data Security

Acto implements physical, technical, organizational, and administrative security measures to protect your Personal Data from unauthorized access, use, and disclosure. These measures are tailored to the type of Personal Data collected and how it is processed.

You can further protect your data by selecting and safeguarding your password or sign-on mechanism, limiting access to your devices and browsers, and signing out after using your account. While we strive to secure your data, please be aware that no method of data transmission over the internet or data storage is entirely secure.

8. Data Retention

Acto retains Personal Data about you as necessary to provide our services or perform our business or commercial purposes related to data collection.

When determining retention periods for specific data categories, we consider factors such as the source of the data, the purpose of collection, and legal obligations. In some instances, we may retain Personal Data for longer periods, particularly if required by legal obligations, dispute resolution, fee collection, or as permitted or mandated by applicable laws, rules, or regulations. Additionally, we may retain information in a de-identified or aggregated form that does not personally identify you. If you have questions regarding data security or retention, please contact us at privacy@acto.do.

Examples of retention periods:

- Active accounts: Retained while account is active.

- Payments: 7 years (tax law requirements).

- Google Calendar: Deleted upon integration disablement.

Anonymized data is retained indefinitely.

Personal Data of Children

As stated in our Terms of Use, we do not knowingly collect or solicit Personal Data from children under the age of 13. If you are under 13, please do not attempt to register for our services, provide Personal Data, or use our services. If we become aware of collecting Personal Data from a child under 13, we will promptly delete the information. If you believe a child under 13 may have provided Personal Data to us, please contact us at privacy@acto.do.

9. Your Rights

You have the right to request specific information about the collection and utilization of your Personal Data over the past 12 months. Upon request, we will provide you with the following details:

- Categories of Personal Data collected about you.

- Sources from which this Personal Data was obtained.

- Business or commercial purposes for collecting or selling your Personal Data.

- Categories of third parties with whom we have shared your Personal Data.

- Specific pieces of Personal Data collected about you.

If we have disclosed your Personal Data to third parties for business purposes in the past 12 months, we will identify the categories of Personal Data shared with each category of third-party recipient. If your Personal Data has been sold in the past 12 months, we will identify the categories of Personal Data sold to each category of third-party recipient.

Deletion

You can request the deletion of the Personal Data we have collected about you. However, under the CPRA (California), this right is subject to specific exceptions. For instance, we may need to retain your Personal Data to provide you with services, complete requested transactions, or if deletion involves disproportionate effort. In such cases, we may deny your deletion request.

Correction

You can request corrections to any inaccurate Personal Data we have collected about you. Nevertheless, under the CPRA, there are exceptions to this right. For example, if we determine, based on the totality of circumstances, that your data is correct, we may deny your request.

Exercising Your Rights

To exercise these rights, you or your Authorized Agent (defined below) must submit a request that (1) provides sufficient information to verify your identity and (2) describes your request in enough detail for us to understand and respond to it. Such requests meeting both criteria will be considered "Valid Requests." We may not respond to requests that do not meet these criteria. Personal Data obtained in a Valid Request will only be used to verify your identity and process your request. An account is not required to submit a Valid Request.

We aim to respond to Valid Requests within 45 days of receipt. We will not charge you unless your Valid Request(s) is considered excessive, repetitive, or manifestly unfounded. If we determine that a fee is warranted, we will inform you of the fee and provide an explanation before processing your request.

You can submit a Valid Request through the following methods:

Email us at: privacy@acto.do with subject "Data Rights Request".

You can also authorize an agent (an "Authorized Agent") to exercise these rights on your behalf.

| Right | GDPR | CCPA/CPRA | How to Exercise |
|---|---|---|---|
| Access | | | Email privacy@acto.do |
| Deletion | | | Identity verification required |
| Correction | | ✓ (CPRA) | Email request; 45 days response window (extendable to 90 days) |
| Portability | | | Provided within 30 days in machine-readable format |
| Opt-out of marketing | | | Via account settings |

10. Special User Categories

a. Children: We do not serve users under 13. If detected, data is deleted immediately.

b. California Residents:

- No sale/sharing of data in past 12 months;

- Non-discrimination for exercising rights (§1798.125 CCPA), except where permitted (e.g., loyalty programs requiring data sharing).

c. EU/UK Residents:

- Legal basis: Art. 6(1)(b) (contract performance), Art. 6(1)(f) (legal interests) GDPR

11. Google API Integration

When connecting Google Calendar:

- We collect only event names, dates, and times;

- Data not used for advertising;

- Employee access restricted (anonymized data only).

You can disable the integration in account settings under "Integrations".

We use this information to:

- Synchronize your Google Calendar data in your Acto account (under the Calendar Tab)

We will only use this information for the specific reason for which it was provided to us.

Limited Use Policy

Our use and transfer of information received from Google APIs adheres to:

1. Google API Services User Data Policy, and

2. Its Limited Use requirements, including:

   - Use solely for integration functionality

   - No sale or licensing of Google-sourced data

   - No human access except for:

     (a) Security investigations

     (b) Compliance with laws

     (c) Internal operations (aggregated/anonymized only)

Acto's data handling practices strictly comply with Google API Services User Data Policy. We:

- Use Google API data exclusively for purposes specified in this Policy

- Restrict transfers to third parties in full compliance with Google's requirements

12. Policy Updates

We may update this Privacy Policy periodically. When material changes occur, we will notify users 30 days in advance via:

- Email (if you provided an email and haven’t opted out of legal notices);

- Posting updates on the website acto.do.

Users without email access or who opted out of email notices will be notified exclusively through in-product banners or website updates.

Continued use of Acto after changes take effect constitutes acceptance of the updated policy.

13. Contact Information

For any questions or comments regarding this Privacy Policy, the collection and usage of your Personal Data, or your rights and choices concerning such collection and usage, please feel free to contact us at:

privacy@acto.do