Privacy Policy
Last updated: 26 March 2026
This Privacy Policy explains how Acta ("we", "us", "our") collects, uses, shares, and protects your personal data when you use the Acta mobile application and website (collectively, the "Service"). By using the Service you agree to the practices described here.
Acta is operated by Nico Gregori, a sole trader registered in England.
1. Data We Collect
a) Account Data
When you register we collect your email address and, if you use Google Sign-In, your Google account identifier and display name. We store a hashed authentication token — we never see or store your Google password.
b) Profile & Preference Data
Topics you follow, audio briefing preferences, display name, and notification settings.
c) Usage Data
Interactions with the Service such as articles read, briefings generated, chat messages sent, and feature-usage analytics. We collect device type, operating system version, app version, and approximate location (country/region derived from IP address — we do not collect precise GPS coordinates).
d) Subscription & Payment Data
Subscription status, plan tier, and purchase receipts provided by RevenueCat and the Apple App Store or Google Play Store. We never receive or store your full credit card number or payment instrument details — those are held solely by the platform store.
e) Chat Content
Messages you send to the Acta AI chat feature are transmitted to our AI provider (Google Gemini) for processing. We retain chat history to provide the Service and may use anonymised, aggregated chat data to improve quality.
2. How We Use Your Data
- To provide, maintain, and improve the Service
- To personalise your news feed, briefings, and podcast content
- To process and manage subscriptions
- To communicate with you about your account, service updates, and (where permitted) promotional offers
- To detect and prevent fraud, abuse, or security incidents
- To comply with legal obligations
3. Legal Bases for Processing (GDPR)
If you are in the UK or EEA, we rely on the following legal bases:
- Contract: Processing necessary to deliver the Service you signed up for
- Legitimate interests: Analytics, fraud prevention, and service improvement, balanced against your rights
- Consent: Marketing communications and optional analytics (you may withdraw consent at any time)
- Legal obligation: Tax, accounting, and regulatory requirements
4. Third-Party Service Providers
We share data only as needed to operate the Service:
- Supabase (Supabase Inc.): Authentication, database hosting, and backend infrastructure — servers in the EU/US
- RevenueCat (RevenueCat Inc.): Subscription management and receipt validation
- Google Gemini (Google LLC): AI-powered news summarisation, briefing generation, and chat
- Apple / Google: App distribution and in-app purchase processing
- Expo (Expo Inc.): Over-the-air updates and push notifications
We do not sell your personal data. We do not share personal data with advertisers or data brokers.
5. International Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers operate. Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place — including Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner's Office.
6. Data Retention
- Account data is retained for as long as your account is active
- Chat history is retained for up to 90 days from creation, then automatically deleted
- Subscription receipts are retained for 7 years for tax and accounting purposes
- Analytics data is aggregated and anonymised within 26 months
When you delete your account, we remove or anonymise your personal data within 30 days, except where retention is required by law.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access a copy of your personal data
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten")
- Restrict or object to processing
- Data portability (receive your data in a machine-readable format)
- Withdraw consent at any time
- Lodge a complaint with your supervisory authority (in the UK: the Information Commissioner's Office at ico.org.uk)
US State Rights (CCPA / CPRA / State Laws)
If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of its sale (we do not sell personal data). Similar rights apply under the laws of Virginia, Colorado, Connecticut, and other US states with comprehensive privacy legislation.
Canadian Rights (PIPEDA)
Canadian users may request access to, correction of, or deletion of their personal information by contacting us at the address below.
8. Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.
9. Security
We use industry-standard measures to protect your data, including encryption in transit (TLS) and at rest, row-level security on our database, and access controls. No system is 100% secure — if you discover a vulnerability, please report it to us responsibly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact
For any privacy-related questions or to exercise your rights, contact us at:
Email: privacy@acta.fyi