Privacy Policy

How we collect, use, and protect your information

Last updated: March 26, 2026

01

Information We Collect

We collect information you provide directly to us.
By using our Services, you consent to the data practices described in this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.
02

Definitions

"Personal information" or "personal data" means any information relating to an identified or identifiable individual, as defined under applicable data protection statutes including Japan's Act on the Protection of Personal Information (APPI), the EU General Data Protection Regulation (GDPR), and equivalent laws.
"Processing" means any operation or set of operations performed on personal data, including collection, recording, storage, use, disclosure, erasure, or destruction.
"Services" means all Acua SaaS products, APIs, applications, and professional or BPO services provided by Acua.
03

Data Collection Methods

We collect information you provide directly to us, including:
  • Account registration, profiles, and billing information
  • Expense receipts, invoices, and payroll records submitted through our platform
  • Responses to surveys, forms, and customer support requests
  • Communications via email, phone, or live chat, including call recordings
    • We automatically collect certain information when you use our Services:
  • Log files, device identifiers, and IP addresses
  • Browser type, operating system, and usage statistics
  • Cookies, web beacons, and telemetry data
    • We may also receive information from third parties, including:
  • Credit-card networks and banking partners
  • Identity-verification vendors and analytics providers
  • Advertising networks, public sources, and social media platforms
    • 04

    Processing Purposes

    We process your personal information for the following purposes:
  • Service delivery and account administration
  • Customer support and communications
  • Product improvement and AI model training
  • Marketing communications and event invitations
  • Regulatory and contractual compliance, including KYC/AML, tax reporting, and sanctions screening
  • Security monitoring and incident prevention
  • Corporate transactions such as mergers or acquisitions
  • Other purposes with your consent or as otherwise permitted by law
    • 05

    Legal Bases (GDPR / UK GDPR)

    For individuals in the European Economic Area (EEA) or the United Kingdom, our processing of personal data relies on one or more of the following legal bases:
  • Contract performance: processing is necessary to fulfil a contract with you or to take steps at your request prior to entering into a contract
  • Legal obligation: processing is necessary to comply with a legal or regulatory requirement
  • Legitimate interests: processing is necessary for our legitimate business interests, provided those interests are not overridden by your rights
  • Consent: where required by law, we will obtain your prior explicit consent before processing
    • 06

    Data Sharing

    Acua does not sell your personal information. We may share your information with:
  • Service providers who assist us in operating our platform and delivering our services
  • Business partners with whom we offer co-branded or integrated services
  • Our affiliates and subsidiaries for the purposes described in this policy
  • Legal authorities where required by law, court order, or governmental regulation
  • Successors in connection with a merger, acquisition, or sale of assets
  • Other parties at your direction or with your consent
    • 07

    International Transfers

    Acua operates globally and may transfer your personal information to countries outside your home country. Where required by applicable law, we implement appropriate safeguards for such transfers, including:
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Intra-group data transfer agreements
  • Technical and organisational measures such as encryption, pseudonymisation, and access controls
    • 08

    Security Measures

    We maintain an information security program aligned with ISO 27001 and SOC 2 standards. Our technical and organisational safeguards include:
  • Role-based access controls and multi-factor authentication (MFA)
  • Encryption of data in transit and at rest
  • Network segmentation and intrusion detection systems
  • Regular security assessments and penetration testing
    • While we take reasonable steps to protect your information, no security system is impenetrable. In the event of a data breach, we will notify affected individuals and relevant authorities as required by applicable law.
    09

    Data Retention

    We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal and tax requirements, or to resolve disputes. Once data is no longer needed, we securely delete or anonymise it in accordance with our data retention schedule.
    10

    Your Rights

    Subject to applicable law, you may have the following rights regarding your personal information:
  • Access: request a copy of the personal information we hold about you
  • Correction: request that we correct inaccurate or incomplete data
  • Deletion: request that we delete your personal information under certain circumstances
  • Restriction: request that we restrict the processing of your information
  • Objection: object to our processing of your information based on legitimate interests
  • Portability: request that we transfer your data to another service provider
  • Withdrawal of consent: withdraw your consent at any time where processing is based on consent
    • To exercise any of these rights, please contact us at contact@acua.ai. We may request identity verification before responding to your request.
    11

    Cookies & Tracking

    We use cookies, pixel tags, and similar tracking technologies to operate and improve our website, remember your preferences, analyse traffic, and deliver relevant advertising. You can control cookie settings through your browser preferences. Disabling certain cookies may affect the functionality of our website.
    12

    Children's Privacy

    Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete it promptly.
    13

    Policy Updates

    We may update this Privacy Policy from time to time. When we make changes, we will revise the "Last Updated" date at the top of this page. For material changes, we will provide a more prominent notice, such as an in-product notification or email, or obtain your renewed consent where required by law.
    14

    Contact Information

    If you have questions or concerns about this Privacy Policy or our data practices, please contact our Data Protection Office:
    Data Protection Office — Acua Inc.
    MIEUX Shibuya Building 8F, 5-3 Maruyamachō, Shibuya-ku, Tokyo 150-0044, Japan
    Email: contact@acua.ai
    If you are located in the EU or UK, you also have the right to lodge a complaint with your local data protection supervisory authority.