Privacy Policy

Depending on how you interact with AC STUDIO, we act as either a Data Controller or a Data Processor under the General Data Protection Regulation (GDPR) and other global privacy frameworks:

• We act as a Data Controller for personal data related to your direct agency account, billing configurations, payment tokens, support requests, and platform telemetry.
• We act as a Data Processor for the business data, contacts, and communication content that you, your sub-accounts, and your end-users process through our active communication channels (including WhatsApp, Instagram, Messenger, Telegram, Email, web chat, and SMS).

For White-Label / Sub-Account End Users

If you are an end-user interacting with an agency's custom-branded white-label deployment of AC STUDIO, the Agency is the Data Controller for your personal data. We act strictly as the back-end technical Data Processor operating under the documentation and instructions provided by that specific Agency. End-users in these scenarios should consult the respective Agency's own privacy policy.

We do not sell your data, and we do not participate in cross-context behavioral advertising. We collect data across the following categories:

A. Information You Give Us Directly

• Account Configuration: Name, email address, phone number, company name, primary business role, billing address, and tax identifiers.
• Profile Customization: Logos, brand names, custom domain pairings, primary and accent colors, and transactional email signatures used to rebrand the dashboard.
• Workspace & Context Setup: Ingested client websites, scraped product listings, custom FAQs, custom function configurations, webhook targets, and manual bot instruction guidelines.
• Communications: Helpdesk tickets, emails sent to hello@agentiveconcepts.com, and any diagnostic screenshots or logs you explicitly share.

B. Business Data Processed Through the Services

• CRM & Contacts: Contact information automatically ingested or imported (names, phone numbers, emails, social profile IDs, and custom tags).
• Omnichannel Conversations: Full text strings, voice notes, static images, videos, and document attachments sent or received by your end-users across connected channels.
• Custom Function Inputs/Outputs: Transient payloads moving through our API endpoints or custom third-party platform functions.

C. Payment & Transactional Billing

When you purchase subscription tiers or top up automated message credits, all payment parameters are processed directly through our secure billing partner, Stripe. We never store raw credit card numbers on our physical servers. We maintain only secure reference tokens, card brand identification, the last four digits of the active card, and the associated billing history.

D. Third-Party OAuth & Connected Platform Data

• Google & Meta Authentication: Tokenized OAuth profile data used to verify identity, enable Calendar appointment bookings, or sync assets.
• Channel Meta-Data: Unique page identifiers, target phone numbers, or administrative configuration details supplied by Meta Platforms or Twilio when connecting live messaging environments.

E. Telemetry & Automated Log Collection

• Usage Telemetry: Active pages visited within the dashboard, UI actions triggered, error tracking logs, and performance statistics.
• Network & Device Context: IP addresses, browser engine configurations, operating system footprints, tracking referral URLs, and approximate geolocation data derived via IP analysis.

We process information strictly to execute core business features, honor contractual obligations, or maintain our legitimate security interests:

• Service Provisioning: Running, maintaining, metering, and enhancing the white-label AI sales agent ecosystem.
• AI Conversational Processing: Submitting text strings to advanced language models (Anthropic Claude) and processing rich multimedia files (voice note transcription, image screening, video analysis) using Google Gemini.
• Omnichannel Message Delivery: Formatting and routing messages across live production endpoints (WhatsApp Cloud API, Instagram Graph API, Messenger, Telegram API, SMTP Email relays, Web Chat gateways, and SMS infrastructure).
• Administrative Operations: Managing automated billing tiers, calculating custom credit markup distribution, and identifying systemic subscription fraud.
• Security Enforcement: Diagnosing rate-limit triggers, monitoring malicious workspace activity, and blocking coordinated bot attacks.

We reject the practice of treating user data as free R&D material. We do not use your Customer Data, your client accounts' configurations, or your end-users' private conversations to train AI models unless you explicitly request a custom enterprise fine-tuning workflow under a separate written agreement.

• Anthropic Claude & Google Gemini: Our platform hooks into these foundational models using verified enterprise API accounts. Under these strict enterprise parameters, both Anthropic and Google are legally barred from logging or utilizing our API request payloads to train their baseline commercial models.
• Bring Your Own Key (BYOK): If you configure your workspace to operate using your personal Anthropic API key, all AI pipeline requests are routed and billed directly under your standalone legal agreement with Anthropic.
• Human-in-the-Loop Safeguards: Our AI agents excel at autonomous call scheduling, lead qualification, and close management. However, they do not execute legally binding decisions on their own. We incorporate an optional Assist/Human Mode that allows human operators to seize manual control of any sub-account conversation thread instantly.

To deliver a scalable architecture, we partner with specialized sub-processors. Every technical sub-processor is bound to robust Data Protection Agreements (DPAs) meeting or exceeding GDPR Article 28 expectations.

While AC STUDIO's primary operations are managed within the European Economic Area (specifically utilizing dedicated infrastructure in the Netherlands and Germany), executing global messaging pipelines requires routing data to global sub-processors.

When data is transferred outside the European Economic Area (EEA) or the United Kingdom, we rely upon established compliance mechanisms:

1. 01.Standard Contractual Clauses (SCCs): We implement the European Commission's standard clauses (Decision 2021/914) with all non-EU infrastructure partners.
2. 02.UK International Data Transfer Addendum: Applied to ensure equivalent protections for records technical to the UK market.
3. 03.Adequacy Decisions: Utilized for data processing partners operating in recognized safe jurisdictions (such as Israel).

We clean up data according to clear schedules rather than hoarding records indefinitely:

• Active Platform Contexts: Account data, brand settings, and instruction sets remain active for the natural lifecycle of your active subscription.
• Conversations & Logs: Threads, message payloads, and interaction histories are retained for three (3) years from the date of the last contact interaction by default. Workspace administrators can adjust this to a shorter automated deletion timeframe directly inside the dashboard.
• Financial Records: Invoices, Stripe reference logs, and ledger items are legally archived for seven (7) years to satisfy Dutch tax and audit laws.
• System Backups: Production server snapshot backups are fully rotated and permanently overwritten within a rolling 90-day window.
• Account Termination: Following an explicit request to cancel your subscription, you are granted a 30-day export window to retrieve workspace configurations. Once that window closes, automated extraction and hard deletion scripts scrub the production databases.

No matter your geographic jurisdiction, we support comprehensive control over your personal data. If you are located in the EEA, UK, Switzerland, or California, you maintain the following actionable rights:

• Right of Access & Portability: Request a structured, machine-readable export of all direct personal data we store linked to your identity.
• Right of Rectification: Instantly update inaccurate, obsolete, or broken profile parameters inside your dashboard.
• Right of Deletion ("Right to be Forgotten"): Request the permanent erasure of direct account records, subject to overriding statutory tax archiving constraints.
• Right to Object & Restrict: Deny consent for processing built around our legitimate interests or restrict specific platform features.
• Right to Limit Sensitive Data: We do not process sensitive personal markers (health, political leanings, genetics) or track high-risk user profiles.

To trigger an official request regarding your rights, submit an email with verifiable identity parameters to: hello@agentiveconcepts.com. We review and process valid compliance requests within 30 days.

We secure data through modern, layered technical controls:

• Encryption in Transit: Every network payload, API call, and dashboard session is protected via TLS 1.2 or TLS 1.3 configurations.
• Encryption at Rest: Sensitive storage parameters, database fields, API configurations, and Meta/Anthropic integration tokens are encrypted using AES-256 standard protocols.
• Access Isolation: Internal platform administration relies on strict role-based access controls following the principle of least privilege.
• Incident Response Framework: In the event of a security anomaly or suspected data compromise, we execute a documented response protocol. If a breach poses a significant risk to user rights, we notify relevant supervisory authorities (such as the Dutch Autoriteit Persoonsgegevens) within 72 hours, alongside a direct disclosure to impacted account holders without undue delay.

We update this documentation to reflect changing regulatory requirements and infrastructure upgrades. If an amendment fundamentally impacts your processing rights, we will notify you via a direct system alert or dashboard notification at least 30 days before the updated policy takes effect. Non-material alignment updates are published here immediately with a revised date at the top of the page.

For any questions regarding this Privacy Policy, your data pathways, or model isolation workflows, please reach out to us:

Agentive Concepts (AC STUDIO)

Email: hello@agentiveconcepts.com

WhatsApp Contact: https://wa.me/31600000000