Privacy Policy
Last updated: March 2026
1. Who We Are
Acuda AI ("we", "us", "our") operates the Acuda AI platform, an AI-powered persona and avatar service accessible through the following domains:
- acuda.ai — Consumer/Solo platform
- acuda.agency — Agency platform
- acuda.biz — Business platform
- acudaplay.com — Play platform
- acuda.health — Wellness platform
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use any of our services.
Data Controller: Acuda AI
Contact: privacy@acuda.ai
2. What Personal Data We Collect
2.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Password (stored in hashed form — we never store plain text passwords)
- Profile information (optional)
- Billing address (for paid plans)
2.2 Payment Information
When you subscribe to a paid plan, we collect:
- Payment card details (processed and stored by Stripe — we do not store your full card number)
- Billing history and transaction records
- Subscription plan details
2.3 Usage Data
When you use our platform, we collect:
- Conversations with AI avatars (message content, timestamps)
- Avatar configurations and customisations you create
- Knowledge base documents you upload
- Session data (login times, feature usage, pages visited)
- Device information (browser type, operating system, screen resolution)
- IP address
2.4 Technical Data
We automatically collect log data, performance data, and cookie data (see our Cookie Policy).
2.5 Voice Data
If you use voice features, audio input is processed in real time by ElevenLabs. See Sub-processors below.
2.6 Data You Provide Through Avatars
When you interact with AI avatars, the content of your conversations is processed to generate responses. This may include personal data you choose to share during those conversations.
3. How We Use Your Data
| Purpose | Legal Basis (GDPR Article 6) |
|---|---|
| Providing and operating the platform | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| Generating AI avatar responses to your messages | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails | Performance of contract (Art. 6(1)(b)) |
| Improving our services and fixing bugs | Legitimate interest (Art. 6(1)(f)) |
| Ensuring platform security and preventing fraud | Legitimate interest (Art. 6(1)(f)) |
| Analysing usage patterns to improve user experience | Legitimate interest (Art. 6(1)(f)) |
| Sending marketing communications (only with your consent) | Consent (Art. 6(1)(a)) |
| Complying with legal obligations (tax, regulatory) | Legal obligation (Art. 6(1)(c)) |
4. How AI Processing Works
Acuda AI uses third-party large language models (LLMs) to power avatar conversations. When you send a message to an avatar:
- Your message is sent to our servers
- Your message, along with relevant context (avatar configuration, knowledge base content, conversation history), is sent to the AI model provider (primarily Anthropic's Claude API) for processing
- The AI model generates a response, which is returned to you
- Your conversation is stored on our servers for continuity and your reference
Important:
- We do not use your conversations to train AI models. Anthropic's API terms confirm that API inputs and outputs are not used for model training.
- Conversations are processed in real time and are not retained by the AI model provider beyond the immediate API request.
- You can delete your conversation history at any time.
5. Who We Share Your Data With
We share your personal data only with the following sub-processors, and only to the extent necessary:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic (Claude API) | AI model processing — generates avatar responses | United States |
| OpenAI (ChatGPT API) | Supplementary AI processing for specific features | United States |
| Supabase | Database hosting and authentication | United States / EU |
| Vercel | Website hosting and serverless functions | Global (edge network) |
| Stripe | Payment processing | United States |
| Pinecone | Vector database for knowledge base document search | United States |
| ElevenLabs | Voice synthesis and processing | United States / EU |
| Resend | Transactional and marketing email delivery | United States |
We maintain Data Processing Agreements (DPAs) with all sub-processors. We do not sell your personal data to third parties.
6. International Data Transfers
Some of our sub-processors are located outside the EEA and the UK. We ensure adequate protection through:
- EU-US Data Privacy Framework (DPF) for transfers to certified US companies
- Standard Contractual Clauses (SCCs) approved by the EU Commission
- UK International Data Transfer Agreement (IDTA) for transfers from the UK
You can request a copy of the relevant transfer mechanism by contacting privacy@acuda.ai.
7. How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Account information | Duration of your account + 30 days after deletion |
| Conversation history | Duration of your account (you can delete at any time) |
| Payment records | 7 years (legal/tax obligation) |
| Usage and technical logs | 12 months |
| Knowledge base documents | Duration of your account + 30 days after deletion |
| Marketing consent records | Duration of consent + 3 years |
8. Your Rights
Under the GDPR, UK GDPR, and applicable data protection laws, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your personal data |
| Restriction | Request that we limit how we process your data |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests or direct marketing |
| Withdraw consent | Withdraw consent at any time where processing is based on consent |
To exercise your rights, email privacy@acuda.ai or download and complete our Data Subject Rights Request Form (PDF). We will respond within 30 days.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS 1.2+) and at rest, access controls, multi-factor authentication, regular security assessments, and incident response procedures.
10. Children's Privacy
Our platform is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact privacy@acuda.ai.
11. Cookies
We use cookies and similar technologies. For detailed information, see our Cookie Policy.
12. Marketing Communications
We will only send marketing communications with your explicit consent. You can withdraw consent at any time by clicking "unsubscribe" in any marketing email, updating your account preferences, or emailing privacy@acuda.ai.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will update the date at the top and notify you by email or through the platform.
14. Contact
If you have questions about this Privacy Policy: privacy@acuda.ai
15. Supervisory Authority
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with a supervisory authority:
- Ireland: Data Protection Commission (DPC) — dataprotection.ie
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- EU: Your local Data Protection Authority
We would appreciate the opportunity to address your concerns first — please contact us at privacy@acuda.ai.