1. Who is responsible
Dominik Swiniarski, trading as Acta is the controller for Acta account, service-administration, security, support and product-analytics information.
Postal address: 124 Shepherds Lane, Bracknell, RG42 2DF, United Kingdom
Privacy contact: support@actahq.co.uk
Where an organisation uses Acta to process forwarded email for its staff, clients or correspondents, that organisation will usually be the controller and Acta will act as its processor. Requests about that content may need to be referred to the relevant organisation.
2. Information we process and where it comes from
- Account data: name or email address, role, workspace membership and password sign-in records, supplied by you or your organisation.
- Email and attachment data: senders, recipients, subjects, message text, dates, identifiers, links, attachment metadata and extracted text, obtained from a connected mailbox or forwarded intake message.
- Profile and workflow data: client profiles, priorities, keywords, notes, rankings, summaries, handling decisions, feedback, follow-ups and exported briefs, supplied or generated through use of Acta.
- Technical and usage data: request routes, timestamps, security events, referral and campaign values, browser data and hashed account, IP and user-agent identifiers.
- Support and rights data: contact details, request content, identity-verification status, correspondence and outcomes.
Forwarded email often concerns people who do not use Acta directly. It may be supplied by an Acta user, their employer or client, or another sender in the relevant conversation.
A customer that acts as controller is responsible for giving its staff, clients and correspondents an appropriate privacy notice. Acta provides this public notice and reasonable assistance, but the customer must assess whether and how UK GDPR Article 14 applies to its own use.
3. Purposes and lawful bases
- Provide accounts, forwarded-email triage, briefs and follow-ups: necessary to perform our contract with the account holder, or processed on the controller customer's documented instructions.
- Authenticate users, secure Acta, prevent misuse and diagnose failures: legitimate interests in providing a secure and reliable service and, where applicable, compliance with legal obligations.
- Remember workspace priorities and improve recommendations for that workspace: performance of the service contract and legitimate interests in making the requested service useful and consistent.
- Measure service use and acquisition: legitimate interests in understanding and improving Acta, balanced against users through data minimisation, hashing and the right to object.
- Handle support, rights requests, complaints, disputes and legal claims: legal obligations and legitimate interests in resolving requests and establishing, exercising or defending legal claims.
Where we ask for consent for a specific optional activity, you may withdraw it at any time without affecting processing already carried out. We do not rely on consent where the service can only be provided under a contract or legal obligation.
4. Sensitive information
Inbox material may incidentally contain special-category information, such as health, political, religious, trade-union or sexual-life information, or criminal-offence information. Acta does not intentionally use that information to infer sensitive traits or make decisions about people. When Acta is a processor, the customer controller must identify an Article 9 condition and any Data Protection Act 2018 condition before supplying such information. Where Acta is controller, it will process such information only where a specific legal condition applies, including explicit consent where appropriate or the establishment, exercise or defence of legal claims; otherwise it should not be supplied.
Acta is intended for business users aged 18 or over and is not directed at children.
5. AI processing, profiling and human review
Acta uses OpenAI models to summarise supplied content, score urgency, identify risks and deadlines, suggest handling, generate draft text and assist with optical character recognition. Relevant message text, selected link context, saved priorities and extracted attachment text may be sent to OpenAI. Input size is limited.
These outputs are recommendations. Acta does not send or delete email and does not make a decision intended to produce legal or similarly significant effects without meaningful human involvement. Users can inspect, change, dismiss and give feedback on recommendations and may request human review through the support page.
Private mode replaces direct identifiers with broader relationship labels, redacts many sensitive details, skips attachments and stores less detail. It reduces disclosure but cannot guarantee anonymity.
6. Recipients and service providers
Access is limited to authorised Acta personnel, authorised members of the relevant workspace and suppliers needed to operate the service. These may include OpenAI for AI processing, Postmark for inbound email delivery, malware-scanning infrastructure, and Acta's hosting and backup providers. We may also disclose information to professional advisers, regulators, courts, law enforcement, a buyer of the business, or another person where lawfully required.
Processors must act under contractual confidentiality, security, deletion and data-protection obligations. Acta does not sell inbox content or disclose it for third-party advertising.
7. International transfers
Some suppliers may process information outside the United Kingdom. Before making a restricted transfer, Acta uses an applicable UK adequacy regulation or appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to approved standard contractual clauses, or another lawful Article 46 mechanism. Where required, Acta carries out a transfer risk assessment and applies supplementary security measures. Contact the privacy address or submit an access request for information about the safeguard relevant to your data and how to obtain a copy.
8. Retention
- Rich saved action-card details are minimised after 30 days by default. Limited identifiers and dates may remain to prevent repeat processing until the account is deleted or the bounded history is overwritten.
- Ranking history is limited by item count. Workflow, learning and workspace configuration remain while the account is active, until overwritten, removed by the user or no longer needed for the service.
- Quarantined inbound messages are retained only while security review or an incident requires them, then deleted under the customer retention schedule.
- Draft reply content expires after 30 days.
- Account and linked identifiable analytics data are removed when the user completes account deletion, subject to records that must be retained for security, disputes or law.
- Privacy complaint and rights records may be kept for up to six years after closure to demonstrate compliance and manage legal claims.
Supplier copies and backups may remain briefly under the relevant supplier's deletion cycle. Acta reviews retention when purposes, risk or legal requirements change.
9. Security
Acta uses an encrypted transactional state database, role separation, password re-verification for privileged administration, secure session settings, same-origin checks, security headers, request limits, authenticated inbound webhooks, sender controls, attachment quarantine, encrypted backups and data minimisation. Only intentionally forwarded email is processed. No internet service can guarantee absolute security. Suspected personal-data incidents should be reported promptly through Support.
10. Your data-protection rights
Depending on the circumstances, you may ask for access to your personal information, correction, erasure, restriction, portability, or object to processing based on legitimate interests. You may withdraw consent and ask for human review of a qualifying automated decision. These rights are not absolute; exemptions may apply and portability applies only to certain electronically processed information.
Submit a request through the privacy requests section. We may request proportionate identity information and will not ask for more than necessary. The applicable period is normally one calendar month from the latest relevant event under Article 12A, including receipt of reasonably requested identity information or a lawful fee. A clarification pause may apply to an access request. We will explain any lawful extension, refusal or fee.
11. Complaints
You may complain directly to Acta using the electronic form on the Support page. We provide an immediate reference and receipt confirmation, investigate without undue delay, keep you informed of progress and tell you the outcome. In accordance with section 164A of the Data Protection Act 2018, a complaint will be acknowledged within 30 days.
You may also raise a concern with the Information Commissioner's Office at ico.org.uk/make-a-complaint, telephone 0303 123 1113, or write to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. We ask that you contact Acta first so we have an opportunity to resolve the concern.
12. Cookies, local storage and analytics
Acta uses a signed session cookie for authentication, security and workspace continuity. It also uses the session to collect limited first-party statistics about how Acta is used, solely to understand and improve the service. These statistics are not shared except with a provider assisting Acta to operate or improve the service. The interface may use local storage to remember dismissals and display preferences. Acta does not use third-party advertising cookies.
The service and security parts of the session are strictly necessary. For optional first-party statistics, Acta relies on the statistical-purpose exception in Schedule A1 paragraph 5 of the Privacy and Electronic Communications Regulations. You can object simply and free of charge below. Turning analytics off removes the anonymous analytics events linked to the current browser session and prevents further optional event collection in that session. Browser controls can also remove stored information, although blocking the session cookie will prevent sign-in.
13. Required and optional information
An email address and necessary authentication information are required to create and secure an account. Forwarded message, profile and attachment information is optional, but Acta cannot provide the relevant feature without it. Failure to provide identity information reasonably required for a rights request may prevent us from disclosing or changing personal information.
14. Changes to this notice
We will update the effective date and provide an appropriate notice when material processing changes. Previous versions may be requested through Support.