Privacy Policy
Last updated: March 2026
1. Who We Are
Acuda AI ("we", "us", "our") operates the Acuda AI platform, an AI-powered persona and avatar service accessible through the following domains:
- acuda.ai — Consumer/Solo platform
- acuda.agency — Agency platform
- acuda.biz — Business platform
- acudaplay.com — Play platform
- acuda.health — Wellness platform
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use any of our services.
Data Controller: Acuda AI
Contact: privacy@acuda.ai
2. What Personal Data We Collect
2.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Password (stored in hashed form — we never store plain text passwords)
- Profile information (optional)
- Billing address (for paid plans)
2.2 Payment Information
When you subscribe to a paid plan, we collect:
- Payment card details (processed and stored by Stripe — we do not store your full card number)
- Billing history and transaction records
- Subscription plan details
2.3 Usage Data
When you use our platform, we collect:
- Conversations with AI avatars (message content, timestamps)
- Avatar configurations and customisations you create
- Knowledge base documents you upload
- Session data (login times, feature usage, pages visited)
- Device information (browser type, operating system, screen resolution)
- IP address
2.4 Technical Data
We automatically collect log data, performance data, and cookie data (see our Cookie Policy).
2.5 Voice Data
If you use voice features, audio input is processed in real time by ElevenLabs. See Sub-processors below.
2.6 Data You Provide Through Avatars
When you interact with AI avatars, the content of your conversations is processed to generate responses. This may include personal data you choose to share during those conversations.
2.7 Third-Party Integration Data
If you choose to connect external services through our Integrations feature (e.g., Google Calendar, Gmail, Google Drive, Slack, Notion), we may access and process data from those services on your behalf, including:
- Calendar events, availability, and scheduling data
- Email metadata, drafts, and message content
- Documents and file metadata
- Messaging and channel data
- Notes, pages, and database records
This data is accessed only when an AI avatar invokes a connected integration during a conversation, and only to the extent required to fulfil your request. We do not continuously sync or bulk-download your third-party data.
OAuth Credentials: When you connect a third-party service, we store encrypted OAuth access and refresh tokens using AES-256-GCM encryption at rest. We never store your third-party account passwords. You can revoke access at any time from your Account Settings, which permanently deletes the stored tokens.
3. How We Use Your Data
| Purpose | Legal Basis (GDPR Article 6) |
|---|---|
| Providing and operating the platform | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| Generating AI avatar responses to your messages | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails | Performance of contract (Art. 6(1)(b)) |
| Improving our services and fixing bugs | Legitimate interest (Art. 6(1)(f)) |
| Ensuring platform security and preventing fraud | Legitimate interest (Art. 6(1)(f)) |
| Analysing usage patterns to improve user experience | Legitimate interest (Art. 6(1)(f)) |
| Sending marketing communications (only with your consent) | Consent (Art. 6(1)(a)) |
| Accessing third-party services on your behalf via connected integrations | Consent (Art. 6(1)(a)) — you explicitly authorise each integration |
| Complying with legal obligations (tax, regulatory) | Legal obligation (Art. 6(1)(c)) |
4. How AI Processing Works
Acuda AI uses third-party large language models (LLMs) to power avatar conversations. When you send a message to an avatar:
- Your message is sent to our servers
- Your message, along with relevant context (avatar configuration, knowledge base content, conversation history), is sent to the AI model provider (primarily Anthropic's Claude API) for processing
- The AI model generates a response, which is returned to you
- If you have connected third-party integrations, the AI model may request data from those services (e.g., fetching your calendar events) or take actions on your behalf (e.g., creating a calendar event). These actions occur only when relevant to your conversation and are logged for transparency.
- Your conversation is stored on our servers for continuity and your reference
Important:
- We do not use your conversations to train AI models. Anthropic's API terms confirm that API inputs and outputs are not used for model training.
- Conversations are processed in real time and are not retained by the AI model provider beyond the immediate API request.
- You can delete your conversation history at any time.
5. Who We Share Your Data With
We share your personal data only with the following sub-processors, and only to the extent necessary:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic (Claude API) | AI model processing — generates avatar responses | United States |
| OpenAI (ChatGPT API) | Supplementary AI processing for specific features | United States |
| Supabase | Database hosting and authentication | United States / EU |
| Vercel | Website hosting and serverless functions | Global (edge network) |
| Stripe | Payment processing | United States |
| Pinecone | Vector database for knowledge base document search | United States |
| ElevenLabs | Voice synthesis and processing | United States / EU |
| Resend | Transactional and marketing email delivery | United States |
5.2 User-Authorised Third-Party Integrations
When you connect a third-party service through our Integrations feature, data flows directly between Acuda AI and that service on your behalf. Unlike our core sub-processors, these integrations are optional and activated only by your explicit consent via OAuth authorisation. Current and planned integrations include:
| Service | Purpose | Data Accessed |
|---|---|---|
| Google Calendar | Scheduling — view events, check availability, create events | Calendar events, free/busy status |
| Gmail | Email — read, draft, and send emails | Email messages, contacts |
| Google Drive | Documents — access, create, and share files | File metadata, document content |
| Slack | Messaging — post messages, read channels | Channel messages, workspace info |
| Notion | Knowledge management — access and create pages | Pages, databases, content |
| Microsoft 365 | Productivity — calendar, email, documents | Calendar, email, file data |
You can view and manage your active integrations at any time from your Account Settings. Disconnecting an integration immediately revokes our access and permanently deletes the stored OAuth credentials. Data previously retrieved during conversations is retained as part of your conversation history and follows our standard retention policy.
We maintain Data Processing Agreements (DPAs) with all sub-processors. We do not sell your personal data to third parties.
6. International Data Transfers
Some of our sub-processors are located outside the EEA and the UK. We ensure adequate protection through:
- EU-US Data Privacy Framework (DPF) for transfers to certified US companies
- Standard Contractual Clauses (SCCs) approved by the EU Commission
- UK International Data Transfer Agreement (IDTA) for transfers from the UK
You can request a copy of the relevant transfer mechanism by contacting privacy@acuda.ai.
7. How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Account information | Duration of your account + 30 days after deletion |
| Conversation history | Duration of your account (you can delete at any time) |
| Payment records | 7 years (legal/tax obligation) |
| Usage and technical logs | 12 months |
| Knowledge base documents | Duration of your account + 30 days after deletion |
| Integration OAuth credentials | Until you disconnect the integration (deleted immediately upon disconnection) |
| Integration usage logs | 12 months |
| Marketing consent records | Duration of consent + 3 years |
8. Your Rights
Under the GDPR, UK GDPR, and applicable data protection laws, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your personal data |
| Restriction | Request that we limit how we process your data |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests or direct marketing |
| Withdraw consent | Withdraw consent at any time where processing is based on consent |
To exercise your rights, email privacy@acuda.ai or download and complete our Data Subject Rights Request Form (PDF). We will respond within 30 days.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS 1.2+) and at rest, access controls, multi-factor authentication, regular security assessments, and incident response procedures.
Third-party integration credentials (OAuth tokens) are encrypted at rest using AES-256-GCM with a dedicated encryption key, stored separately from your other account data. Tokens are automatically refreshed when they approach expiry and are permanently deleted when you disconnect an integration.
10. Children's Privacy
Our platform is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact privacy@acuda.ai.
11. Cookies
We use cookies and similar technologies. For detailed information, see our Cookie Policy.
12. Marketing Communications
We will only send marketing communications with your explicit consent. You can withdraw consent at any time by clicking "unsubscribe" in any marketing email, updating your account preferences, or emailing privacy@acuda.ai.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will update the date at the top and notify you by email or through the platform.
14. Contact
If you have questions about this Privacy Policy: privacy@acuda.ai
15. Supervisory Authority
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with a supervisory authority:
- Ireland: Data Protection Commission (DPC) — dataprotection.ie
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- EU: Your local Data Protection Authority
We would appreciate the opportunity to address your concerns first — please contact us at privacy@acuda.ai.