Privacy at a glance.
We process the minimum personal data required to deliver enterprise services. We never sell personal data. We are GDPR-aligned, SOC 2 Type II audited, and offer EU data residency. To exercise your rights or ask a question, write to info@acai-technology.com.
1 — Data Controller
The data controller responsible for the processing of personal data described in this Policy is:
ADVANCED CREATIVE AI TECHNOLOGY — FZCO
(trading as "ACAI" or "ACAI Technology")
IFZA Business Park, DDP
PO Box 342001, Dubai, United Arab Emirates
Licence No. 6255
Email: info@acai-technology.com
Where ACAI processes Customer Data on behalf of an enterprise Customer, ACAI acts as a data processor under a Data Processing Addendum (DPA) and the Customer is the controller for that data. ACAI complies with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and aligns its practices with the EU GDPR / UK GDPR by way of contractual commitment to customers established in those jurisdictions.
2 — Scope
This Policy applies to (a) visitors of acai-technology.com, (b) prospects and beta applicants, (c) authorised users of the ACAI Layer dashboards and APIs, and (d) personal data contained within Customer Data submitted to the Services.
3 — Categories of Data We Process
| Category | Examples |
|---|---|
| Identification | Name, business email, employer, job title |
| Account & access | User IDs, hashed credentials, API key fingerprints, MFA factors |
| Usage & telemetry | Login timestamps, IP address, browser/device, feature interactions, latency metrics |
| Communications | Support tickets, sales correspondence, beta-program submissions |
| Customer Data | Data Customer routes through the Services — processed strictly per DPA |
| Billing | Company billing address, VAT number, invoice history (no card data stored) |
4 — Purposes and Lawful Bases (Art. 6 GDPR)
- Contract performance — operating the Services, account management, support, and billing.
- Legitimate interests — platform security, abuse prevention, product analytics, B2B prospecting limited to corporate contacts.
- Legal obligation — tax, accounting, audit retention, responding to lawful authority requests.
- Consent — non-essential cookies, marketing communications, voluntary research participation.
5 — Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law:
- Account data: for the duration of the contract plus 90 days post-termination, then deleted or anonymised.
- Telemetry & access logs: typically 13 months; security-relevant logs up to 24 months.
- Billing records: retained for the period required by applicable tax law (typically 7–10 years).
- Customer Data: retained per Customer instructions in the DPA; deleted within 60 days of termination unless a legal hold applies.
6 — Recipients and Sub-processors
ACAI engages a small set of vetted sub-processors for hosting, observability, analytics, billing, and support. A current list is available at the sub-processors registry and will be provided to enterprise Customers upon request via info@acai-technology.com. All sub-processors are bound by data protection terms equivalent to those in our DPA.
7 — International Data Transfers
ACAI is engineered for EU data residency by default. Where personal data must be transferred outside the EEA, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (SCCs), supplementary technical measures, and, where applicable, adequacy decisions. Customers may select EU-only deployment regions via Order Form configuration.
8 — Your Rights
Under GDPR and equivalent regimes, you have the right to:
- access the personal data we hold about you;
- request rectification of inaccurate or incomplete data;
- request erasure of your data ("right to be forgotten");
- restrict or object to processing in defined circumstances;
- request portability of your data in a structured, machine-readable format;
- withdraw consent at any time where processing is based on consent;
- lodge a complaint with your local data protection supervisory authority.
To exercise any of these rights, contact info@acai-technology.com with the subject prefix [PRIVACY]. We will respond within thirty (30) days. Where ACAI is processor rather than controller, we will route the request to the relevant Customer.
9 — Security
ACAI maintains a defence-in-depth security program including SOC 2 Type II controls, ISO 27001 alignment, encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access enforced by SSO and MFA, continuous vulnerability scanning, and an incident response plan with defined notification timelines. Bring-your-own-key (BYOK) encryption is available to enterprise tenants.
10 — Cookies and Similar Technologies
acai-technology.com uses a minimal set of cookies: strictly necessary cookies for session integrity and security, and, where consented, analytics cookies to understand aggregate usage. We do not deploy advertising or cross-site tracking cookies. You can manage your preferences via the cookie banner or your browser settings.
11 — Children
The Services are not directed to individuals under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact info@acai-technology.com and we will delete it without undue delay.
12 — Changes to This Policy
We may update this Policy to reflect changes to our practices, technologies, or legal requirements. Material changes will be communicated via email to enterprise customers and via in-product notice with at least thirty (30) days' advance notice where feasible. The "Effective" date at the top of this page reflects the latest revision.
13 — Contact & Data Protection Officer
For privacy enquiries, data subject rights requests, or to reach our Data Protection Officer, write to:
ADVANCED CREATIVE AI TECHNOLOGY — FZCO
Attn: Privacy / Data Protection
IFZA Business Park, DDP
PO Box 342001, Dubai, United Arab Emirates
Licence No. 6255
info@acai-technology.com
Subject prefix: [PRIVACY]
You may also lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.
Document version 2026.04 · Supersedes all prior versions effective 27 April 2026.