Privacy Policy

Last updated: January 15, 2026

Privacy Policy

Document owner: Chief Privacy Officer (CPO) Version: 3.0 Effective date: January 1, 2026 Last updated: January 15, 2026 Classification: Public — Trust Center Review cadence: Quarterly, and upon material changes to data processing activities or applicable law Company: Acme Cloud, Inc. Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com

Definitions

Term	Definition
CCPA	California Consumer Privacy Act, as amended by the CPRA
Controller	Entity determining purposes and means of personal data processing
CPRA	California Privacy Rights Act, amending the CCPA
Data Subject	Individual whose personal data is processed
DPA	Data Processing Agreement governing processor activities
DSR	Data Subject Request, a request to exercise privacy rights
DPIA	Data Protection Impact Assessment
EEA	European Economic Area (EU member states plus Iceland, Liechtenstein, Norway)
GDPR	General Data Protection Regulation (EU) 2016/679
LGPD	Lei Geral de Proteção de Dados (Brazil General Data Protection Law)
PDPA	Personal Data Protection Act (Singapore, Thailand)
Personal Data	Information relating to an identified or identifiable natural person
PIPL	Personal Information Protection Law (China)
Processor	Entity processing personal data on behalf of a Controller
SCCs	Standard Contractual Clauses for international data transfers
Sensitive Personal Data	Special categories including health, biometric, racial origin, religious beliefs
Subprocessor	Third party engaged by a Processor to process Personal Data
UK GDPR	United Kingdom General Data Protection Regulation

Scope and Applicability

1.1 Organizational Scope

This Privacy Policy applies to Acme Cloud, Inc. ("Acme Cloud," "we," "us," or "our"), a company incorporated in Delaware, USA, with principal offices at 1200 Market Street, Suite 400, San Francisco, CA 94103, USA. This policy governs the collection, use, storage, disclosure, and protection of Personal Data by Acme Cloud across all business operations, products, services, and corporate activities.

1.2 Service Scope

This Privacy Policy covers Personal Data processing activities related to:

Service Category	Scope Description	Primary Data Subjects
Acme Cloud SaaS Platform	Cloud-based compliance management software	Customer end users, customer employees
Customer Support	Help desk, technical support, professional services	Customer administrators, end users
Sales and Marketing	Lead generation, communications, events	Prospects, website visitors, event attendees
Corporate Website	acmecloud.com and subdomains	Website visitors, job applicants
Employment	HR operations, benefits administration	Employees, contractors, candidates
Vendor Management	Procurement, partner relationships	Vendor contacts, partners

1.3 Geographic Applicability

This Privacy Policy is designed to comply with privacy regulations across jurisdictions where Acme Cloud operates or processes Personal Data:

Jurisdiction	Applicable Law	Supervisory Authority	Local Representative
European Union	GDPR	Lead: Irish Data Protection Commission	Acme Cloud EU Ltd., Dublin, Ireland
United Kingdom	UK GDPR, Data Protection Act 2018	Information Commissioner's Office	Acme Cloud UK Ltd., London
United States (California)	CCPA/CPRA	California Privacy Protection Agency	N/A (domestic)
United States (Other states)	State privacy laws (Virginia, Colorado, etc.)	State AG offices	N/A (domestic)
Brazil	LGPD	ANPD	Acme Cloud Brasil Ltda., São Paulo
Canada	PIPEDA, provincial laws	Office of the Privacy Commissioner	Acme Cloud Canada Inc., Toronto
Australia	Privacy Act 1988	OAIC	Acme Cloud Australia Pty Ltd., Sydney
Singapore	PDPA	PDPC	Acme Cloud Singapore Pte. Ltd.

1.4 Data Subject Categories

Category	Relationship	Example Data Collected
Customers	Business relationship	Account information, usage data, billing
End Users	Use customer's Acme Cloud instance	Authentication, activity logs
Prospects	Marketing engagement	Contact information, interaction history
Website Visitors	Browse our websites	Device information, analytics
Job Applicants	Apply for employment	Resume, application materials
Employees	Employment relationship	HR data, payroll, benefits
Vendors	Business relationship	Contact information, payment details

Data Controller and Processor Roles

2.1 Role Determination Matrix

Processing Activity	Acme Cloud Role	Customer Role	Legal Basis
Customer account management	Controller	N/A	Contract performance
Platform usage by end users	Processor	Controller	DPA terms
Customer support interactions	Joint Controller	Joint Controller	Legitimate interest
Marketing to customers	Controller	N/A	Consent or legitimate interest
Analytics on platform usage	Controller (aggregated)	Controller (individual)	Legitimate interest
Billing and payment	Controller	N/A	Contract performance
Security monitoring	Processor/Controller	Controller	Legal obligation, legitimate interest

2.2 Controller Responsibilities

When acting as a Data Controller, Acme Cloud:

1.1. Determines purposes and means of processing Personal Data 1.2. Establishes lawful basis for each processing activity 1.3. Provides privacy notices to Data Subjects 1.4. Responds to Data Subject rights requests 1.5. Conducts Data Protection Impact Assessments where required 1.6. Maintains records of processing activities 1.7. Implements appropriate technical and organizational security measures 1.8. Reports personal data breaches to supervisory authorities and affected individuals 1.9. Ensures lawful international data transfers

2.3 Processor Responsibilities

When acting as a Data Processor on behalf of Customers, Acme Cloud:

2.1. Processes Personal Data only on documented Customer instructions 2.2. Ensures persons authorized to process Personal Data are bound by confidentiality 2.3. Implements technical and organizational security measures per the DPA 2.4. Engages Subprocessors only with Customer authorization 2.5. Assists Customer in responding to Data Subject requests 2.6. Assists Customer with security, breach notification, and DPIAs 2.7. Deletes or returns Personal Data upon service termination 2.8. Makes available information demonstrating compliance 2.9. Permits and contributes to audits conducted by Customer or auditors

Personal Data Collection

3.1 Categories of Personal Data Collected

Data Category	Specific Data Elements	Collection Source	Retention Default
Identity Data	Name, username, employee ID	Registration, SSO	Account lifetime + 30 days
Contact Data	Email, phone, mailing address	Registration, CRM	Account lifetime + 30 days
Account Data	Login credentials, MFA devices	Registration	Account lifetime
Professional Data	Job title, company, department	Registration, enrichment	Account lifetime
Transaction Data	Subscription, payments, invoices	Payment processor	7 years (legal)
Technical Data	IP address, device ID, browser	Automatic collection	90 days (logs)
Usage Data	Features used, actions taken, session data	Platform analytics	2 years (aggregated indefinite)
Profile Data	Preferences, settings, configurations	User input	Account lifetime
Communication Data	Support tickets, emails, chat	Support interactions	3 years
Marketing Data	Preferences, campaign interactions	Marketing systems	Until opt-out + 30 days

3.2 Collection Methods

Method	Data Categories	Notice Provided	Opt-Out Available
Account registration	Identity, Contact, Account	Registration form	N/A (required)
Website forms	Contact, Professional, Marketing	Form disclosure	Yes
Cookies and tracking	Technical, Usage	Cookie banner	Yes (non-essential)
Customer uploads	Customer-determined	DPA terms	Per customer policy
Third-party integrations	Technical, Usage	Integration setup	Yes
Support interactions	Communication	Support terms	N/A
Email campaigns	Marketing, Technical	Unsubscribe link	Yes
Events and webinars	Contact, Professional	Registration form	Yes

3.3 Data Minimization Practices

Acme Cloud collects only Personal Data necessary for specified purposes:

Principle	Implementation	Verification
Purpose limitation	Data fields mapped to specific purposes	Annual privacy review
Collection minimization	Optional fields clearly marked	Form design review
Storage limitation	Retention schedules enforced	Automated deletion
Access minimization	Role-based access controls	Quarterly access review
Accuracy	Correction mechanisms provided	User self-service

Lawful Basis for Processing

4.1 Legal Basis by Processing Activity

Processing Activity	Primary Legal Basis	Alternative Basis	Documentation
Account provisioning	Contract performance	N/A	Terms of Service
Service delivery	Contract performance	N/A	Terms of Service
Customer support	Contract performance	Legitimate interest	Support terms
Billing and collections	Contract performance	Legal obligation	Terms of Service
Security monitoring	Legitimate interest	Legal obligation	Privacy Policy
Fraud prevention	Legitimate interest	Legal obligation	Privacy Policy
Product improvement	Legitimate interest	Consent	Privacy Policy
Marketing communications	Consent (where required)	Legitimate interest	Consent records
Legal compliance	Legal obligation	N/A	Regulatory requirements
Employment	Contract + legal obligation	Legitimate interest	Employee privacy notice

4.2 Legitimate Interest Assessments

For processing based on legitimate interest, Acme Cloud conducts balancing tests:

Purpose	Acme Cloud Interest	Data Subject Impact	Safeguards	Balance Outcome
Security monitoring	Protect platform, customers	Minimal (security logs)	Retention limits, access controls	Legitimate interest upheld
Analytics	Improve services	Minimal (pseudonymized)	Aggregation, opt-out	Legitimate interest upheld
B2B marketing	Business development	Low (professional context)	Opt-out, preference center	Legitimate interest upheld
Fraud detection	Prevent abuse	Minimal (automated review)	Human review for adverse decisions	Legitimate interest upheld

4.3 Consent Management

Where consent is the legal basis:

Consent Type	Mechanism	Withdrawal Method	Record Keeping
Marketing emails	Double opt-in checkbox	Unsubscribe link, preference center	Consent timestamp, version
Non-essential cookies	Cookie consent banner	Cookie settings, browser controls	Consent string (TCF)
Research participation	Explicit consent form	Withdrawal request	Signed consent form
Testimonial use	Written authorization	Written revocation	Authorization document

Data Processing Purposes

5.1 Primary Service Purposes

Purpose	Description	Data Used	Retention
Account management	Creating and managing customer accounts	Identity, Contact, Account	Account lifetime
Service provision	Delivering the SaaS platform functionality	All platform data	Per service agreement
Authentication	Verifying user identity	Account, Technical	Session + 90 days logs
Authorization	Enforcing access controls	Account, Usage	Session + 90 days logs
Support delivery	Responding to customer inquiries	Communication, Account	3 years
Billing	Processing payments, invoicing	Transaction, Contact	7 years
Usage metering	Tracking consumption for billing	Usage, Technical	2 years

5.2 Security and Compliance Purposes

Purpose	Description	Data Used	Retention
Security monitoring	Detecting threats and anomalies	Technical, Usage	90 days hot, 1 year archive
Fraud prevention	Identifying fraudulent activity	Technical, Account, Transaction	2 years
Incident investigation	Responding to security incidents	All relevant data	7 years
Audit logging	Maintaining compliance records	Usage, Technical	7 years
Vulnerability management	Securing the platform	Technical	3 years
Access auditing	Reviewing access patterns	Usage, Account	7 years

5.3 Business Operations Purposes

Purpose	Description	Data Used	Retention
Analytics	Understanding usage patterns	Usage (aggregated)	Indefinite (aggregated)
Product development	Improving services	Usage (pseudonymized)	2 years
Marketing	Communicating about products	Contact, Marketing	Until opt-out
Research	Industry research, benchmarks	Usage (anonymized)	Indefinite (anonymized)
Legal compliance	Meeting regulatory obligations	As required	Per regulation

Data Sharing and Disclosure

6.1 Categories of Recipients

Recipient Category	Purpose	Data Shared	Safeguards
Subprocessors	Service delivery support	As necessary	DPA, security review
Payment processors	Billing operations	Transaction, minimal Identity	PCI DSS compliance
Analytics providers	Usage analysis	Pseudonymized Technical	Aggregation, contracts
Security vendors	Threat detection	Technical	Security assessment
Professional advisors	Legal, audit, consulting	As necessary	Professional obligations
Regulators	Legal compliance	As required	Legal process
Acquirers	Business transaction	All (with notice)	Successor obligations

6.2 Subprocessor Engagement

Acme Cloud engages Subprocessors under the following controls:

Control	Requirement	Verification
Contractual	DPA with equivalent protections	Legal review
Security	Security assessment pre-engagement	Questionnaire, SOC 2
Notification	30-day advance notice to customers	Email notification
Objection	Customer objection process	Contract terms
Monitoring	Annual reassessment	Compliance review

Current subprocessor list: /subprocessor-list

6.3 Law Enforcement and Government Requests

Acme Cloud handles government requests according to these principles:

Principle	Implementation
Legal validity	Requests must be legally valid in relevant jurisdiction
Narrow scope	Requests challenged if overbroad
Customer notice	Customers notified unless legally prohibited
Transparency	Aggregate statistics published annually
Pushback	Novel or concerning requests challenged legally

Request Type	Review Process	Customer Notice	Escalation
Subpoena	Legal review for validity	Yes, unless prohibited	General Counsel
Court order	Legal review for validity	Per order terms	General Counsel
Search warrant	Legal review, compliance required	Per warrant terms	General Counsel + CPO
National security letter	Legal review	Prohibited by law	General Counsel + CEO
Emergency request	Urgency verification, legal review	After resolution	General Counsel

International Data Transfers

7.1 Transfer Mechanisms

Acme Cloud employs the following mechanisms for international transfers:

Transfer Route	Mechanism	Supplementary Measures
EEA to US	EU-US Data Privacy Framework	TIA, encryption
EEA to UK	UK Adequacy Decision	Standard protections
EEA to other third countries	Standard Contractual Clauses (2021)	TIA, encryption
UK to US	UK Extension to DPF	TIA, encryption
UK to other third countries	International Data Transfer Agreement	TIA, encryption
Other jurisdictions	Local mechanisms + SCCs as applicable	TIA, encryption

7.2 Transfer Impact Assessment (TIA)

For transfers requiring Transfer Impact Assessments:

Assessment Factor	Evaluation Criteria	Documentation
Legal framework	Surveillance laws, access rights	Legal memo
Enforcement practices	Actual access history, published data	Research summary
Transfer circumstances	Data types, volume, purposes	Data mapping
Supplementary measures	Encryption, access controls	Technical measures
Contractual protections	SCCs, additional clauses	Contract terms

7.3 Data Privacy Framework Certification

Acme Cloud maintains certification under the EU-US Data Privacy Framework:

Framework Component	Status	Verification
EU-US DPF	Certified	Commerce Dept. list
UK Extension	Certified	Commerce Dept. list
Swiss-US DPF	Certified	Commerce Dept. list
Annual recertification	Compliant	Certification records
Independent recourse	JAMS	Arbitration agreement

Data Subject Rights

8.1 Rights Overview by Jurisdiction

Right	GDPR	CCPA/CPRA	LGPD	UK GDPR	Applicability
Access	Yes	Yes (Know)	Yes	Yes	All jurisdictions
Rectification	Yes	Yes (Correct)	Yes	Yes	All jurisdictions
Erasure	Yes	Yes (Delete)	Yes	Yes	All jurisdictions
Portability	Yes	Yes	Yes	Yes	All jurisdictions
Restriction	Yes	Limited	Yes	Yes	GDPR jurisdictions
Objection	Yes	Yes (Opt-out)	Yes	Yes	All jurisdictions
Automated decisions	Yes	Yes (Profiling)	Yes	Yes	All jurisdictions
Non-discrimination	N/A	Yes	Yes	N/A	CCPA jurisdictions
Opt-out of sale	N/A	Yes	N/A	N/A	CCPA only
Limit sensitive use	N/A	Yes	Yes	N/A	CPRA jurisdictions

8.2 Rights Exercise Process

Step 1: Request Submission 1.1. Data Subject submits request via privacy@acmecloud.com, in-app form, or postal mail 1.2. Request logged in DSR management system with timestamp 1.3. Acknowledgment sent within 3 business days

Step 2: Identity Verification 2.1. Verify Data Subject identity to prevent unauthorized disclosure 2.2. For account holders: verify via authenticated session or account recovery 2.3. For non-account holders: verify via identifying information match 2.4. Additional verification for sensitive requests

Step 3: Request Processing 3.1. Determine applicable jurisdiction and rights 3.2. Locate all Personal Data in scope 3.3. Evaluate exemptions (e.g., legal hold, other legal obligations) 3.4. Process request according to type

Step 4: Response 4.1. Provide response within statutory timeframe 4.2. Document completion in DSR management system 4.3. Retain record for compliance

8.3 Response Timeframes and Extensions

Jurisdiction	Initial Response	Extension Available	Extension Conditions
GDPR (EU)	30 days	+60 days	Complex or numerous requests
UK GDPR	30 days	+60 days	Complex or numerous requests
CCPA/CPRA	45 days	+45 days	Reasonably necessary
LGPD	15 days	None specified	N/A
PIPEDA	30 days	+30 days	Extensions permitted

8.4 Request Handling by Type

Request Type	Acme Cloud as Controller	Acme Cloud as Processor
Access	Provide copy of Personal Data	Forward to Customer
Rectification	Correct inaccurate data	Forward to Customer
Erasure	Delete data (subject to exceptions)	Forward to Customer
Portability	Provide machine-readable export	Forward to Customer
Restriction	Flag data, limit processing	Forward to Customer
Objection	Cease processing (assess grounds)	Forward to Customer
Opt-out of sale	N/A (we don't sell data)	N/A

Data Retention and Deletion

9.1 Retention Schedule

Data Category	Retention Period	Legal Basis	Deletion Method
Active account data	Account lifetime	Contract	N/A until termination
Terminated account data	30 days post-termination	Contract, litigation hold	Automated deletion
Transaction records	7 years	Legal (tax, audit)	Secure deletion
Security logs	90 days hot, 1 year cold	Legitimate interest	Automated rotation
Support tickets	3 years	Legitimate interest	Automated deletion
Marketing data	Until opt-out + 30 days	Consent/legitimate interest	Automated deletion
Audit logs	7 years	Legal (compliance)	Secure deletion
Employment records	7 years post-termination	Legal (labor law)	Secure deletion
Cookie data	Per cookie type	Consent	Browser expiration

9.2 Customer Data Deletion Process

Upon service termination:

Timeline	Action	Verification
Day 0	Service access disabled	System confirmation
Day 1-7	Deletion grace period (customer retrieval)	N/A
Day 8-14	Data deletion from production	Deletion confirmation
Day 15-30	Purge from backups	Backup cycle completion
Day 30+	Certificate of destruction available	Upon request

9.3 Backup and Archive Retention

Backup Type	Retention	Encryption	Geographic Location
Database snapshots	90 days rolling	AES-256	Primary + DR region
Transaction logs	90 days	AES-256	Primary region
Object storage versions	90 days	AES-256	Per data residency
Disaster recovery	Synchronized	AES-256	DR region
Long-term archive	Per retention schedule	AES-256	Per data residency

Cookies and Tracking Technologies

10.1 Cookie Categories

Category	Purpose	Consent Required	Duration
Strictly necessary	Essential functionality	No	Session to 1 year
Functional	Preferences, settings	Yes (GDPR), No (CCPA)	1 year
Performance	Analytics, optimization	Yes	2 years
Targeting	Advertising, remarketing	Yes	2 years

10.2 Cookie Inventory

Cookie Name	Category	Purpose	Duration	Third Party
session_id	Necessary	Session management	Session	No
csrf_token	Necessary	Security	Session	No
locale	Functional	Language preference	1 year	No
_ga	Performance	Google Analytics	2 years	Google
_gid	Performance	Google Analytics	24 hours	Google
_fbp	Targeting	Facebook Pixel	90 days	Meta
hubspotutk	Targeting	HubSpot tracking	13 months	HubSpot

10.3 Consent Management

Jurisdiction	Consent Mechanism	Default State	Opt-Out Method
EU/EEA	Cookie consent banner (TCF 2.0)	All non-essential off	Banner or settings
UK	Cookie consent banner	All non-essential off	Banner or settings
California	CCPA notice + opt-out	Functional on, targeting off	"Do Not Sell" link
Other US	Notice only	All on	Browser settings
Brazil	Consent banner	All non-essential off	Banner or settings

Full cookie policy: /cookie-policy

Children's Privacy

11.1 Age Restrictions

Acme Cloud services are designed for business use and are not directed at children:

Jurisdiction	Minimum Age	Verification	Exceptions
United States	16 (COPPA: 13)	Terms acceptance	None
European Union	16 (or member state minimum)	Terms acceptance	None
United Kingdom	13	Terms acceptance	None
Brazil	18 (or parental consent)	Terms acceptance	None

11.2 Response to Underage Data Discovery

If Acme Cloud discovers it has collected Personal Data from a child under applicable age thresholds:

1.1. Immediately cease processing the child's Personal Data 1.2. Notify parent/guardian if identifiable and required by law 1.3. Delete the child's Personal Data within 48 hours 1.4. Document the incident and remediation 1.5. Review controls to prevent recurrence

Privacy by Design and Default

12.1 Privacy Engineering Principles

Principle	Implementation	Verification
Data minimization	Collect only necessary data	Design review checklist
Purpose limitation	Purpose documented before collection	Privacy review
Storage limitation	Automated retention enforcement	Technical controls
Accuracy	Correction mechanisms	Self-service + support
Security	Encryption, access controls	Security review
Accountability	Documentation, auditing	Privacy assessments

12.2 Privacy Impact Assessment Process

DPIAs required for:

New processing activities involving sensitive data
Large-scale profiling or monitoring
New technology with privacy implications
Changes to high-risk existing processing

DPIA Phase	Activities	Documentation
Initiation	Screening questionnaire, threshold assessment	Screening record
Assessment	Data mapping, risk identification, consultation	DPIA report
Review	Privacy team review, recommendations	Review memo
Approval	CPO approval for acceptable residual risk	Approval record
Implementation	Control implementation, monitoring	Implementation plan

12.3 Privacy Review in Product Development

Development Phase	Privacy Activity	Deliverable
Planning	Privacy screening	Go/no-go recommendation
Design	Privacy review	Design recommendations
Development	Privacy testing	Test results
Launch	Final privacy approval	Launch authorization
Post-launch	Privacy monitoring	Ongoing compliance

Breach Notification

13.1 Breach Classification

Classification	Definition	Example	Notification Required
Category 1	High risk to individuals	Exfiltrated sensitive PII	Regulators + individuals
Category 2	Risk to individuals	Lost unencrypted device	Regulators
Category 3	Low risk	Encrypted data lost	Documentation only
Category 4	No risk	Misdirected internal email	Documentation only

13.2 Notification Timelines

Jurisdiction	Regulator Notification	Individual Notification	Customer Notification (Processor)
GDPR (EU)	72 hours	Without undue delay	Without undue delay
UK GDPR	72 hours	Without undue delay	Without undue delay
CCPA/CPRA	Expeditious	Expeditious	Per contract
LGPD	Reasonable timeframe	Reasonable timeframe	Per contract
US state laws	Per state (typically 30-60 days)	Per state	Per contract

13.3 Notification Content

Element	Regulator Notice	Individual Notice	Customer Notice
Nature of breach	Yes	Yes	Yes
Categories of data	Yes	Yes	Yes
Approximate subjects affected	Yes	Yes	Yes
Likely consequences	Yes	Yes	Yes
Measures taken/proposed	Yes	Yes	Yes
DPO contact	Yes	Yes	N/A
Recommendations for individuals	N/A	Yes	N/A

Privacy Governance

14.1 Privacy Organization

Role	Responsibilities	Reports To
Chief Privacy Officer	Privacy program leadership, regulatory liaison	General Counsel
Data Protection Officer (EU/UK)	Independence, supervisory authority contact	CPO (functionally independent)
Privacy Engineering Manager	Privacy by design implementation	CPO + CTO
Privacy Analysts (3)	DSR processing, assessments, training	CPO
Privacy Champions (per team)	Embedded privacy guidance	Functional + CPO dotted

14.2 Privacy Governance Bodies

Body	Members	Meeting Cadence	Responsibilities
Privacy Steering Committee	CPO, CLO, CISO, CTO	Quarterly	Strategy, major decisions
Privacy Operations	CPO, Privacy Analysts, Legal	Weekly	Operational issues, DSRs
Privacy Review Board	CPO, Privacy Eng, Security, Legal	As needed	DPIA approval, exception review

14.3 Privacy Training

Training Type	Audience	Frequency	Content
General awareness	All employees	Annual + onboarding	Privacy principles, policies
Role-specific	Engineering, Support, Sales	Annual	Job-relevant privacy practices
Advanced privacy	Privacy team, Legal	Continuous	Regulatory updates, case studies
Incident response	IR team	Annual	Privacy breach procedures

Framework Mapping Appendix

GDPR Article Compliance Mapping

GDPR Article	Requirement	Acme Cloud Implementation	Evidence
Art. 5	Processing principles	Data minimization, purpose limitation	Privacy assessments
Art. 6	Lawful basis	Documented basis per activity	Processing records
Art. 7	Consent conditions	Consent management platform	Consent records
Art. 12-14	Transparency	Privacy policy, notices	Published policies
Art. 15-22	Data subject rights	DSR procedures	Response records
Art. 24	Controller obligations	Privacy program	Documentation
Art. 25	Privacy by design	DPIA process	Assessment records
Art. 28	Processor requirements	DPA template, subprocessor management	Contracts
Art. 30	Records of processing	Processing inventory	ROPA
Art. 32	Security	Technical measures	Security documentation
Art. 33-34	Breach notification	Incident procedures	IR records
Art. 35	DPIA	Assessment process	DPIA records
Art. 37-39	DPO	Appointed DPO	Appointment records
Art. 44-49	International transfers	Transfer mechanisms	SCCs, TIAs

CCPA/CPRA Compliance Mapping

CCPA/CPRA Section	Requirement	Acme Cloud Implementation	Evidence
1798.100	Right to know	Access request procedures	Response records
1798.105	Right to delete	Deletion procedures	Deletion confirmations
1798.106	Right to correct	Correction procedures	Response records
1798.110	Categories disclosure	Privacy policy	Published policy
1798.115	Right to opt-out	N/A (no sale)	Policy statement
1798.120	Opt-out of sale	N/A (no sale)	Policy statement
1798.121	Sensitive PI	Limit use option	Consent mechanisms
1798.125	Non-discrimination	Equal service	Policy statement
1798.130	Service provider contracts	DPA terms	Contracts
1798.135	Privacy links	Website footer	Site implementation
1798.140	Definitions	Policy alignment	Policy language

Document revision history

Version	Date	Author	Summary of changes
1.0	2024-06-01	Legal & Compliance	Initial Trust Center publication
2.0	2025-03-15	GRC Program	SOC 2 Type II alignment refresh; expanded subprocessors
2.5	2025-09-01	Security Engineering	Encryption standards update; ISO 27001 mapping
3.0	2026-01-15	Trust Center Program	Full procurement-grade expansion; 34-document set

Contact

Acme Cloud, Inc. 1200 Market Street, Suite 400 San Francisco, CA 94103, USA

Channel	Email	Use case
Trust & procurement	trust@acmecloud.com	Security questionnaires, trust reviews
Security	security@acmecloud.com	Incidents, vulnerabilities, control questions
Privacy	privacy@acmecloud.com	DSRs, privacy assessments
Legal	legal@acmecloud.com	Contractual, DPA, legal notices

Privacy Policy

Definitions

Scope and Applicability

1.1 Organizational Scope

1.2 Service Scope

1.3 Geographic Applicability

1.4 Data Subject Categories

Data Controller and Processor Roles

2.1 Role Determination Matrix

2.2 Controller Responsibilities

2.3 Processor Responsibilities

Personal Data Collection

3.1 Categories of Personal Data Collected

3.2 Collection Methods

3.3 Data Minimization Practices

Lawful Basis for Processing

4.1 Legal Basis by Processing Activity

4.2 Legitimate Interest Assessments

4.3 Consent Management

Data Processing Purposes

5.1 Primary Service Purposes

5.2 Security and Compliance Purposes

5.3 Business Operations Purposes

Data Sharing and Disclosure

6.1 Categories of Recipients

6.2 Subprocessor Engagement

6.3 Law Enforcement and Government Requests

International Data Transfers

7.1 Transfer Mechanisms

7.2 Transfer Impact Assessment (TIA)

7.3 Data Privacy Framework Certification

Data Subject Rights

8.1 Rights Overview by Jurisdiction

8.2 Rights Exercise Process

8.3 Response Timeframes and Extensions

8.4 Request Handling by Type

Data Retention and Deletion

9.1 Retention Schedule

9.2 Customer Data Deletion Process

9.3 Backup and Archive Retention

Cookies and Tracking Technologies

10.1 Cookie Categories

10.2 Cookie Inventory

10.3 Consent Management

Children's Privacy

11.1 Age Restrictions

11.2 Response to Underage Data Discovery

Privacy by Design and Default

12.1 Privacy Engineering Principles

12.2 Privacy Impact Assessment Process

12.3 Privacy Review in Product Development

Breach Notification

13.1 Breach Classification

13.2 Notification Timelines

13.3 Notification Content

Privacy Governance

14.1 Privacy Organization

14.2 Privacy Governance Bodies

14.3 Privacy Training

Framework Mapping Appendix

GDPR Article Compliance Mapping

CCPA/CPRA Compliance Mapping

Related Trust Center documents

Document revision history

Contact