Privacy Policy
1. Introduction
Welcome to acipta.ai, operated by Idea Forge Technologies LLC ("we," "us," "our," or "Company"). We are committed to protecting your privacy and ensuring transparency about how we collect, use, store, and protect your information.
This Privacy Policy explains our data practices for our agent-based defensibility platform (the "Service") and any related websites, applications, and services that link to this policy. By accessing or using acipta.ai, you agree to the terms of this Privacy Policy. If you do not agree with our practices, please do not use our Service.
2. Information We Collect
We collect various types of information to provide, maintain, and improve our Service:
Account Information
When you create an account, we collect:
- Full name and business email address
- Company name and industry
- Job title and department
- Phone number (optional)
- Password (encrypted)
- Company address and legal entity information
- Payment and billing information (processed securely through third-party providers)
Usage and Compliance Data
We automatically collect information about your interactions with our Service:
- Compliance scans initiated and results generated
- Documents uploaded and analyzed
- Features accessed and time spent in the platform
- Reports downloaded or generated
- Search queries and filters applied
- API calls and integrations used
- Configuration changes and settings modifications
Technical Data
We collect technical information automatically:
- IP address and geolocation
- Device type, operating system, and browser information
- Session identifiers and usage logs
- Performance metrics and error logs
- Unique device identifiers
- HTTP request headers and referral sources
Communication Data
When you contact us, we collect:
- Email messages and support tickets
- Chat conversations and feedback forms
- Event attendance and registration information
- Survey responses and user interviews
Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience. See Section 7 for details on cookie types and management.
3. How We Use Your Information
We process your information for legitimate business purposes:
Service Delivery
- Creating and managing your account
- Processing compliance scans and generating reports
- Providing customer support and technical assistance
- Processing payments and managing subscriptions
- Delivering the features and functionality you request
Service Improvement
- Analyzing usage patterns to optimize platform performance
- Identifying and fixing bugs and technical issues
- Developing new features and functionality
- Conducting user research and usability testing
- Improving algorithm accuracy and detection capabilities
Communications
- Sending transactional emails (account confirmations, billing notifications)
- Delivering product updates and feature announcements
- Providing compliance alerts and important notifications
- Marketing communications (with your consent)
- Responding to inquiries and support requests
Security and Legal Compliance
- Protecting against fraud and unauthorized access
- Preventing illegal activity and enforcing our terms
- Complying with legal obligations and court orders
- Maintaining compliance with SOC 2, HIPAA, GDPR, and other regulations
- Conducting security audits and vulnerability assessments
4. Data Storage and Security
We implement comprehensive security measures to protect your data:
Encryption
- Data at Rest: All sensitive data is encrypted using AES-256 encryption standards
- Data in Transit: All communications use TLS 1.2 or higher for secure transmission
- End-to-End Encryption: Sensitive documents and compliance scan data are encrypted end-to-end
Infrastructure Security
- Hosted on Google Cloud Platform (GCP) with enterprise-grade security
- Multi-region data replication for redundancy and disaster recovery
- Firewall protection and DDoS mitigation
- Regular security patches and updates
- Network segmentation and access controls
Compliance Certifications
- SOC 2 Type 2 (August 23, 2026): Audited operating effectiveness of security, availability, and confidentiality controls
- HIPAA Compliance: Covered entity agreements and Business Associate Agreements (BAAs) available
- GDPR Compliance: Data Processing Agreements (DPAs) with Standard Contractual Clauses
- CCPA Compliance: California Consumer Privacy Act obligations met
- Regular third-party security audits and penetration testing
Data Residency
Your data is stored in GCP data centers located in the region you specify during account setup. For U.S.-based customers, data is primarily stored in the United States. For European customers, we maintain compliance with GDPR data residency requirements. Data may be backed up to secondary locations for disaster recovery purposes.
Access Controls
- Role-based access control (RBAC) for all data
- Multi-factor authentication (MFA) required for all accounts
- Regular access reviews and principle of least privilege
- Audit logging of all data access and modifications
- Employee training on data security and privacy
5. Third-Party Services
We use carefully selected third-party services to enhance our offerings:
Analytics
We use analytics services to understand how users interact with our platform, including tools that may track usage patterns, page visits, and feature adoption. Analytics data is anonymized where possible and used only for service improvement.
Payment Processing
Payment information is processed by PCI-DSS compliant payment processors. We do not store full credit card details; processing is handled securely by third parties. Your billing information is encrypted and access is restricted.
Cloud Infrastructure
Our Service runs on Google Cloud Platform (GCP), which provides secure hosting, compute, storage, and networking infrastructure. GCP maintains SOC 2 and ISO 27001 certifications. Data is processed and stored according to GCP's security standards and our data protection agreements.
Communication Services
We may use third-party email and communication services to deliver notifications, support, and marketing communications. These services are bound by data protection agreements.
Data Processor Agreements: We maintain written Data Processing Agreements (DPAs) with all third-party services that handle personal data. These agreements ensure third parties process data only as directed and maintain appropriate security measures.
6. Your Rights
Depending on your location, you may have certain rights regarding your personal data:
Right to Access
You have the right to request and download a copy of the personal data we hold about you. Submit requests to [email protected] with subject line "Data Access Request."
Right to Correction
You may request that we correct inaccurate, incomplete, or outdated personal data. Many updates can be made directly in your account settings or by contacting support.
Right to Deletion
You may request deletion of your personal data, subject to legal and contractual retention obligations. Upon deletion, we will remove your data from active systems within 30 days, though backups may be retained for up to 90 days.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON) and to transmit it to another service provider.
Right to Opt-Out
You may opt out of non-essential communications, including marketing emails and analytics. Opt-out links are included in all marketing communications. You may also manage preferences in your account settings.
Right to Withdraw Consent
Where we rely on your consent to process data, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
GDPR Rights (EU/EEA Users)
If you are located in the European Union or European Economic Area, you have additional rights including the right to object to processing, restrict processing, and lodge a complaint with your local data protection authority.
CCPA Rights (California Users)
California residents have the right to know what personal information is collected, used, and shared; the right to delete personal information; the right to opt out of the sale of personal information; and the right to non-discrimination for exercising these rights.
To Exercise Your Rights: Contact us at [email protected] with your request and relevant details. We will respond within 30 days (or as required by applicable law) and may request verification of your identity to protect your privacy.
7. Cookies
We use cookies and similar tracking technologies to enhance your experience and understand how you use our Service.
Cookie Types
- Essential Cookies: Required for authentication, security, and core functionality (cannot be disabled)
- Preference Cookies: Remember your choices (theme, language, display settings)
- Performance Cookies: Collect anonymized data about how you use the Service
- Marketing Cookies: Used for targeted advertising and promotional communications
Managing Cookies
You can control cookie preferences through your browser settings or our cookie consent tool. Note that disabling certain cookies may impact Service functionality. Most browsers allow you to refuse cookies or alert you when a cookie is being sent. Consult your browser's help documentation for specific instructions.
Do Not Track
If your browser includes a "Do Not Track" feature, our Service respects this preference for non-essential tracking. However, essential cookies required for authentication and security will continue to function.
Third-Party Data Partners and Marketing Communications
When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email. We (or service providers on our behalf) may then send communications and marketing to these email addresses. You may opt out of receiving this advertising by visiting https://app.retention.com/optout.
8. Data Retention
We retain your personal data only as long as necessary to provide the Service and comply with legal obligations:
Active Account Data
- Account information: Retained while your account is active
- Compliance scan results: Retained for the duration of your subscription
- Usage logs: Retained for 12 months for security and performance analysis
- Backups: Retained for up to 90 days after deletion for disaster recovery
After Account Deletion
- Personal identifying information: Deleted within 30 days
- Anonymized usage data: May be retained indefinitely for aggregated analytics
- Legal/compliance records: Retained as required by law (typically 3-7 years)
- Backup copies: Removed within 90 days
Communication Data
- Transactional emails: Retained for 6 years for compliance audits
- Support tickets: Retained for 3 years for service improvement
- Marketing communications: Retained until you unsubscribe or delete your account
We may retain aggregated, anonymized data indefinitely as it cannot be used to identify you. If legal obligations require longer retention, we will preserve data accordingly.
9. Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have collected data from someone under 18, we will delete such information promptly.
If you are a parent or guardian and believe we have collected information about your child, please contact us immediately at [email protected].
10. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Notify you via email at least 30 days before the changes take effect
- Post the updated policy on our website with a new "Last Updated" date
- Require your explicit consent if changes materially affect how we use your data
Your continued use of the Service after changes become effective constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically to stay informed about how we protect your information.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Company: Idea Forge Technologies LLC
- Service: acipta.ai
We will respond to your inquiry within 15 business days. If you are located in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.