Privacy Policy

Effective date: March 2, 2026

Acta AI ("Service", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

1. Information We Collect

We collect the following types of information:

• Account Information: When you register, we collect your name, email address, and password (stored in hashed form). You may also set a timezone preference. If you choose Google sign-in, we also store your Google account subject identifier to link your login method.
• Connected Site Credentials: When you connect a publishing platform (e.g., WordPress), we store the API credentials you provide (such as usernames, application passwords, or API keys) to enable content publishing on your behalf.
• Content Data: We store prompt templates, experience interviews, schedule configurations, topic lists, and generated blog posts that you create through the Service.
• Session Data: When you sign in, we record your IP address and browser user-agent string alongside each authentication session. This data is used to identify your active sessions (shown as device labels and masked IP addresses on your Settings page) and to detect unauthorized access.
• Usage Data: We track AI generation execution history, including token usage, success/failure status, and estimated costs associated with your account.
• Feedback: If you submit feedback through the Service, we store the content and category of your submission.

2. How We Use Your Information

We use your information to:

• Provide, operate, and maintain the Service
• Generate and publish AI-powered blog content on your behalf
• Authenticate your identity and secure your account
• Connect to your third-party publishing platforms
• Track usage and costs associated with AI generation
• Respond to your feedback and support inquiries
• Send critical service notifications (e.g., failed scheduled runs)
• Improve the Service based on aggregate usage patterns

3. Third-Party Services

The Service relies on third-party service providers to operate. These include:

• AI Service Providers -- Your content data (templates, topics, experience notes, and generated text) is transmitted to third-party AI providers, including OpenAI and Anthropic, for content generation, image creation, data extraction, and quality scoring. Each provider's privacy policy governs their handling of data they receive
• Payment Processor -- Subscription and billing data is handled by Shopify for Shopify App Store merchants and by Stripe for non-Shopify channels in this rollout. We do not directly store payment card information
• Email Delivery Provider -- Your email address is shared with a third-party email service for transactional messages (account verification, password resets, trial notifications)
• Authentication Providers -- If you choose Google Sign-In, authentication is handled through Google's OAuth service
• Search Analytics -- If you connect Google Search Console, search performance data for your sites is retrieved through Google's API
• Stock Photography Provider -- When enabled, article topics may be sent to a stock photography API to source featured images
• Publishing Platforms: Generated content, including text and images, is transmitted to your connected platforms (WordPress, Shopify, etc.) for publication using the credentials you provide.

Each provider's own privacy policy governs their handling of data received from the Service. We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4. Data Storage and Security

Your data is stored in a PostgreSQL database. We implement the following security measures:

• Password hashing using bcrypt
• JWT-based authentication with token expiration
• httpOnly secure cookies for authentication sessions
• Encryption at rest for third-party platform credentials (Fernet symmetric encryption)
• HTTPS encryption for data in transit
• Role-based access controls
• Per-endpoint authentication rate limiting

We continuously review and improve our security practices. While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.

5. Data Retention

We retain your data for as long as your account is active. When you delete your account:

• All personal information, templates, schedules, posts, execution history, notifications, and feedback are permanently deleted
• Deletion cascades across all associated records
• This process is irreversible
• Anonymized billing records (external billing identifiers and event metadata) are retained for financial and legal compliance, but are no longer linked to your account

Content that has already been published to your connected third-party platforms (e.g., WordPress) is not removed by us upon account deletion. You are responsible for managing content on those platforms directly.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right to Access: You can export a complete copy of all your data at any time from your account Settings page.
• Right to Rectification: You can update your profile information (name, email, timezone) at any time through Settings.
• Right to Deletion: You can permanently delete your account and all associated data from Settings. This action is irreversible.
• Right to Data Portability: The data export feature provides your information in a standard JSON format that can be read by other systems.
• Right to Object: You can stop AI processing by deactivating your schedules or deleting your account.

To exercise any of these rights, use the features in your account Settings or contact us at maximus@withacta.com.

7. Cookies and Tracking

The Service uses first-party cookies and browser storage to operate. We use:

Cookies (httpOnly, secure):
• An access-token cookie for API authentication
• A refresh-token cookie for session renewal

Browser Local Storage:
• UI preference flags (e.g., collapsed/expanded state of dashboard cards)

Browser Session Storage:
• One-time flags for first-visit experiences (e.g., welcome modal after registration), cleared when you close the tab

Analytics: We use Google Analytics 4 (GA4) to understand how visitors interact with our public pages. GA4 collects anonymized usage data such as page views and traffic sources.

We do not use advertising cookies or cross-site tracking. We do not track your activity outside of the Acta AI platform. None of the data stored in browser storage contains personal information.

8. Children's Privacy

The Service is not intended for users under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly.

9. International Data Transfers

Your data may be processed in countries other than your own, including the United States, where our third-party service providers operate. By using the Service, you consent to the transfer of your information to these countries, which may have different data protection laws than your jurisdiction.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service with a new effective date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at maximus@withacta.com.