Privacy notice.

Aculeus (“we,” “our,” or “us”) reads the moves an organization tracks and tells it what each one means: the second-order consequence, the case against the call, and the signal to watch, with the source path attached to every claim and delivered to organizational customers.

When you visit aculeus.ai or interact with our marketing channels, Aculeus is the controller of any personal data we collect about you. When you use the Aculeus workbench as part of a paid or evaluation subscription, your organization is the controller of the workbench content (including any personal data inside that content) and Aculeus acts as a processor under the terms of the applicable order form, master subscription agreement, and data processing addendum (“DPA”).

Aculeus is incorporated in the United States. Workbench infrastructure is operated in multiple regions; regional data-residency arrangements are available on request under a signed DPA, subject to a compatible provider. See “International transfers” below.

We collect personal data in three categories.

Information you provide directly. When you create an account, request access, fill out a contact form, or correspond with us, we collect identifiers such as name, work email, organization name, role, country, and any message you send. If you join the workbench, we additionally store a hashed password (or your single sign-on identifier) and any preferences you configure (notification settings, display preferences, region selection).

Workbench content. Documents, feeds, records, notes, and other source material that you or your organization connect to or upload to the workbench, together with the readings, scores, annotations, and review states generated against that material. Aculeus processes this content on behalf of your organization under the DPA and uses it only to operate the service.

Information collected automatically. When you visit aculeus.ai or use the workbench, we automatically collect technical and usage information such as IP address, device and browser characteristics, timestamps, the pages or workbench surfaces you accessed, request and error logs, and aggregate session metrics. We use first-party cookies and similar storage to operate authenticated sessions and remember preferences; we do not deploy advertising cookies and do not run third-party trackers on aculeus.ai.

We use personal data to:

• operate, secure, monitor, debug, and improve aculeus.ai and the workbench;
• authenticate users, provision tenants, and enforce access controls;
• respond to support requests, contract negotiations, and other communications you initiate;
• send service announcements, security notices, and (where permitted) product updates;
• generate aggregate, de-identified analytics to understand usage patterns and improve the product;
• detect, investigate, and prevent abuse, fraud, and security incidents; and
• comply with legal obligations and enforce our agreements.

Aculeus does not train machine-learning models — its own or shared — on workbench content. To produce a read, workbench content is sent to third-party model providers (our AI sub-processors), which process it under their own terms; those terms, and the regions in which each provider operates, are described in our sub-processor list. We do not sell personal data and do not share it with data brokers or advertisers. We do not access workbench content to generate marketing material. Support engineers may access workbench content only with explicit, time-limited authorization from your organization's administrator, only to resolve a ticket you have opened, and only through audited tooling.

Where the General Data Protection Regulation, the UK GDPR, or equivalent law applies, the legal bases on which we rely are:

• Performance of a contract — to provide the workbench, authenticate users, deliver outputs, and respond to requests you make.
• Legitimate interests — to secure and improve the service, prevent abuse, communicate about features and releases, and run our business. Where we rely on legitimate interests, we balance them against your rights and you can object as described below.
• Consent — where required, for example for optional marketing emails to individuals at addresses we did not obtain through a business contract.
• Legal obligation — to comply with applicable law, regulatory requests, court orders, or audit obligations.

We disclose personal data in the following limited circumstances.

Sub-processors. We rely on third-party providers to host infrastructure, deliver email, monitor performance, and provide customer support tooling, and the AI and research providers that process content to produce readings. Each sub-processor is bound by a written contract that imposes confidentiality, security, and processing restrictions consistent with applicable law. The current sub-processor list is maintained at aculeus.ai/security and updated when material changes occur.

Within your organization. Workbench content and account activity are visible to other users in your organization's tenant according to the roles your administrator assigns.

Legal and protective. We may disclose information when we believe in good faith that disclosure is required by law, regulation, or legal process; to enforce our agreements; or to protect the rights, property, or safety of Aculeus, our customers, or others. Where lawful, we notify the affected customer before disclosing workbench content in response to a government request.

Corporate transactions. If we are involved in a merger, acquisition, financing due diligence, or sale of assets, we may share personal data subject to confidentiality protections and continued application of this notice (or one materially similar).

We retain account data for as long as your account is active and for a limited period afterward to comply with legal obligations, resolve disputes, and enforce agreements. Workbench content is retained according to your subscription terms and the deletion controls available to your organization's administrator. On termination of a subscription, workbench content is available for export for thirty (30) days and then deleted from production systems within ninety (90) days, with residual copies removed from encrypted backups according to our backup rotation schedule.

Server logs and aggregate analytics are retained for up to thirteen (13) months and then deleted or de-identified.

We implement administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit (TLS 1.2 or higher) and at rest (AES-256), single sign-on with multi-factor authentication for administrators, role-based access controls inside the workbench, tenant isolation, audit logging, and a documented incident-response program. Our full security posture is described at aculeus.ai/security. No system is impenetrable; we ask that you keep your authentication credentials confidential and notify us immediately if you suspect unauthorized access.

Aculeus is operated from the United States and uses sub-processors located in multiple jurisdictions. Where we transfer personal data out of the EEA, the UK, or Switzerland, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and (where applicable) certified frameworks. The Aculeus DPA, available on request, sets out the transfer mechanism applicable to workbench content.

Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, or object to our processing of your personal data, and the right to data portability. To exercise these rights with respect to information Aculeus controls (for example, your aculeus.ai account or marketing-channel interactions), email privacy@aculeus.ai. We will verify your identity and respond within the time required by applicable law, typically within thirty (30) days.

If your personal data sits inside workbench content uploaded by an organizational customer, please direct your request to that organization's administrator. Aculeus will support the customer in responding consistent with our DPA.

You may lodge a complaint with your local data-protection authority. In the EEA your supervisory authority is determined by your country of residence; in the UK it is the Information Commissioner's Office.

Aculeus is a business-to-business service and is not directed to children under sixteen (16). We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will delete it.

We may update this notice from time to time. When changes are material we will provide reasonable advance notice through the workbench and update the “Last updated” date. Continued use of aculeus.ai or the workbench after the effective date of an updated notice constitutes acceptance of the changes.

Address privacy questions, rights requests, and complaints to privacy@aculeus.ai. For workbench security incidents specifically, contact security@aculeus.ai.

This notice is provided in good faith and reflects Aculeus's current data practices. It is not legal advice. Customers in regulated industries should have counsel review this notice and the associated DPA before relying on either.