Privacy Policy
Last updated: March 2026
This policy explains how ACTly Limited collects and processes personal data in connection with the ACTly compliance platform.
1. Who We Are
ACTly Limited is the data controller for personal data processed through the ACTly platform. We are incorporated in Ireland.
Contact: privacy@actly.eu | actly.eu
This Privacy Policy applies to all users of the ACTly platform, visitors to actly.eu, and anyone who contacts us. If you are using ACTly on behalf of an organisation, your organisation is also a data controller for the data it uploads to the platform.
2. What We Collect
Account Data
When you create an account or are invited by your organisation, we collect: your full name, work email address, password (hashed, never stored in plain text), and your role within your organisation.
Organisation Data
To set up your compliance workspace we collect: organisation name, industry sector, country of operation, number and type of AI systems, and DPO status.
Uploaded Documents
Documents you upload for compliance analysis may contain personal data. We process these documents solely to deliver the ACTly service. We do not read, review, or use the contents of your documents for any purpose other than running your compliance analysis.
Usage Data
We collect standard server logs and product analytics including: pages visited, features used, analysis runs triggered, timestamps, and IP address. This helps us improve the platform and diagnose technical issues.
Communications
If you contact us by email or through the platform, we retain the content of that communication and your contact details in order to respond.
3. Why We Process It
We process your personal data on the following legal bases under GDPR Article 6:
| Basis | What It Covers |
|---|---|
| Art. 6(1)(b) — Contract | Providing the ACTly service, processing your documents, generating compliance reports, managing your account. |
| Art. 6(1)(f) — Legitimate interest | Product analytics, security monitoring, improving the platform, communicating service updates. |
| Art. 6(1)(c) — Legal obligation | Retaining records as required by Irish company law and tax regulations. |
4. Sub-processors
We use trusted third-party service providers (sub-processors) to operate the ACTly platform. All sub-processors are bound by data processing agreements and handle your data only as instructed by us.
| Provider | Location | Transfer Basis | Purpose |
|---|---|---|---|
| Supabase | EU — Ireland | EU-based | Database and authentication |
| Vercel | Edge, EU-routed | EU-based | Web application hosting |
| Railway | EU — Frankfurt | EU-based | Backend worker infrastructure |
| Resend | EU | EU-based | Transactional email delivery |
| Stripe | US | SCCs in place | Payment processing |
| Analysis service providers | US | SCCs in place | Compliance analysis processing |
A full sub-processor list including specific provider names and their DPA references is available to enterprise clients on request. Contact privacy@actly.eu. Client data is never used for model training.
5. Data Retention
- Account and organisation data: retained for the duration of your subscription plus 30 days after account deletion.
- Uploaded documents and analysis outputs: deleted within 30 days of account closure or on request.
- Usage logs and analytics: retained for 12 months on a rolling basis.
- Financial records: retained for 7 years as required by Irish Revenue regulations.
- Support communications: retained for 2 years.
6. Your Rights
Under GDPR you have the following rights regarding your personal data:
- Right of access (Art. 15) — Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — Ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — Request deletion of your personal data. We will action your request within 30 days.
- Right to portability (Art. 20) — Receive your data in a structured, machine-readable format.
- Right to restrict processing (Art. 18) — Ask us to limit how we use your data in certain circumstances.
- Right to object (Art. 21) — Object to processing based on legitimate interest.
To exercise any of these rights, contact privacy@actly.eu. We will respond within 30 days. You also have the right to lodge a complaint with the Irish Data Protection Commission at dataprotection.ie.
7. Security
- All data encrypted in transit using TLS 1.3.
- All data encrypted at rest using AES-256.
- Sensitive fields use field-level encryption in addition to database-level encryption.
- Role-based access control with row-level security on all data tables.
- Complete audit logging of all data access and processing activities.
- All client data stored and processed within the EU (Ireland and Germany).
- No client data is used for model training.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes we will notify you by email and update the "Last updated" date at the top of this document. Your continued use of ACTly after notification constitutes acceptance of the updated policy.