Privacy Policy

Last updated: 3 May 2026 · ICO Registration: pending · Acreonix Ltd, United Kingdom

Contents

Introduction 1. Who we are 2. Acreonix Tasks — data we collect 3. Acreonix AI — data we collect 3. Acreonix RMS — data we collect 4. How we use your data 5. Article 13 — lead & guest data 6. Who we share data with 7. Data retention 8. Cookies & local storage 9. Your rights under UK GDPR 10. Security 11. Changes to this policy 12. Contact us

This Privacy Policy explains how Acreonix Ltd ("Acreonix", "we", "us") collects, uses, stores, and protects personal data across our three products: Acreonix Tasks (an AI-powered task and productivity manager), Acreonix AI (an AI-powered lead agent platform for real estate agencies) and Acreonix RMS (a restaurant management system for independent venues). It applies to all users of both services.

We are committed to protecting personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

Acreonix acts as both a Data Controller (for account and platform usage data) and a Data Processor (for third-party data entered by our clients — property leads via Acreonix AI, and restaurant staff and booking guest data via Acreonix RMS). Where we process data on behalf of a client, that client is the Data Controller and we operate under a Data Processing Agreement (DPA).

~~~PLACEHOLDER~~~"who">1. Who We Are

Data Controller: Acreonix Ltd

Address: Acreonix Ltd, United Kingdom

Privacy contact: privacy@acreonix.co.uk

We aim to respond to all data requests within 30 days. We may ask you to verify your identity before processing your request.

Acreonix Tasks — AI task manager

2. Acreonix Tasks — Data We Collect

Acreonix Tasks is an AI-powered task and productivity manager available on web (tasks.acreonix.co.uk) and as a mobile app for Android and iOS. We act as Data Controller for all personal data collected through Acreonix Tasks.

Account data

Email address — collected at sign-up, used for authentication and transactional emails (welcome email, password reset).
Name — first and last name, collected at sign-up, displayed within the app.
Authentication tokens — managed by Clerk (our authentication provider). We do not store passwords directly.
OAuth tokens — if you sign in with Google or Microsoft, we receive a token from that provider confirming your identity. We do not receive or store your Google or Microsoft password.

Task and productivity data

Tasks — titles, descriptions, deadlines, priorities, statuses, tags, and any notes you add.
Projects — project names, colours, icons, and associated tasks.
Calendar events — AI-generated and manually confirmed scheduling blocks.
Comments — any comments you add to tasks, including author name and timestamp.
Work preferences — working hours, working days, lunch break settings, and timezone. Used solely to generate your AI schedule.

AI processing data

AI extract input — text or voice transcripts you submit for task extraction are sent to Anthropic's API for processing. This data is used only to generate your task list and is not used to train Anthropic's models under our enterprise agreement.
Usage patterns — task completion rates, timing, and behaviour signals used to generate your weekly Insights score. This data is stored on our servers and not shared with third parties.

Device and technical data

Push notification token — collected when you enable notifications on mobile. Used only to send you overdue task reminders and your daily briefing.
Device type and OS — collected for crash reporting and compatibility. Not linked to your identity.
IP address — logged by our infrastructure provider (Vercel) for security and abuse prevention. Retained for 30 days.

No task data is sold or shared with advertisers, data brokers, or any third party for commercial purposes. Your tasks, projects, and productivity data are private to you and only accessible by Acreonix staff where required for support or legal compliance.

Sub-processors for Acreonix Tasks

Provider	Purpose	Data transferred	Location
Supabase	Database & real-time sync	Tasks, projects, events, preferences	EU (AWS Frankfurt)
Clerk	Authentication	Email, name, OAuth tokens	US (with EU adequacy)
Anthropic	AI task extraction	Text/voice input you submit	US (enterprise agreement)
Vercel	Web hosting & API	Request logs, IP address	EU edge / US origin
Stripe	Payment processing	Payment details (not stored by us)	US / EU
Resend	Transactional email	Email address, name	US
Expo / EAS	Mobile app delivery & push notifications	Device push token	US

Lawful basis

We process your Acreonix Tasks data under the following lawful bases:

Contract — processing your tasks, projects, and account data is necessary to provide the service you signed up for.
Legitimate interests — usage analytics and crash reporting help us improve the product. We balance this against your privacy rights.
Consent — push notifications are only sent if you explicitly grant permission on your device.

Acreonix AI — Property platform

3. Acreonix AI — Data We Collect

Agency clients (platform users)

Data	Purpose	Legal basis	Retention
Full name & email	Account creation and authentication	Contract (Art. 6(1)(b) UK GDPR)	3 years post closure
Agency name & market	Configuring the platform correctly	Contract	Duration of contract
Billing details (via Stripe — we never store card numbers)	Processing subscription payments	Contract	7 years (HMRC)
IP address & browser metadata	Security, fraud prevention, rate limiting	Legitimate interests	90 days
Usage data (pages visited, features used)	Improving the platform, debugging	Legitimate interests	12 months
Cookies (session + preference)	Authentication and user preferences	Legitimate interests / Consent	See Section 8

Property leads (processed on behalf of agency clients)

When an agency uses Acreonix, the platform processes data about their property leads. For this data, the agency is the Data Controller and Acreonix is the Data Processor.

Data	Purpose	Legal basis	Retention
WhatsApp phone number	Identifying the lead and routing messages to the AI agent	Legitimate interests of the agency	As directed by agency
Name	Personalising AI conversation	Legitimate interests	As directed by agency
Property intent, budget, area, bedroom preferences	AI qualification and lead scoring	Legitimate interests	As directed by agency
WhatsApp conversation messages	AI history, agent review, audit trail	Legitimate interests	As directed by agency
Email address (if provided)	Email re-engagement campaigns	Legitimate interests / Consent	As directed by agency
Lead status & activity timestamps	CRM, lead scoring, reporting	Legitimate interests	As directed by agency

Leads whose data is processed on behalf of an agency should direct data rights requests to the agency directly. The agency is their Data Controller. Acreonix will assist agencies in fulfilling their obligations promptly and at no extra charge.

Acreonix RMS — Restaurant platform

5. Acreonix RMS — Data We Collect

Restaurant operators (platform users)

Data	Purpose	Legal basis	Retention
Name & email address	Account creation and authentication	Contract (Art. 6(1)(b) UK GDPR)	3 years post closure
Restaurant name & details	Configuring the platform for your venue	Contract	Duration of contract
Billing details (via Stripe — we never store card numbers)	Processing subscription payments	Contract	7 years (HMRC)
IP address & browser metadata	Security, fraud prevention, rate limiting	Legitimate interests	90 days
Usage data (pages visited, features used)	Improving the platform, debugging	Legitimate interests	12 months

Restaurant staff (processed on behalf of restaurant operators)

When a restaurant uses Acreonix RMS to manage their team, the platform processes employee data. For this data, the restaurant operator is the Data Controller and Acreonix is the Data Processor.

Data	Purpose	Legal basis	Retention
Employee name & email	Account creation, rota display, platform login	Legitimate interests of operator	As directed by operator
Role, employment type, contracted hours	Rota generation, scheduling, wage calculation	Contract (employment)	As directed by operator
Hourly rate & wage data	Wage tracking, weekly summaries, payroll support	Contract / Legal obligation	As directed; financial records 7 years
Shift assignments & schedule data	Rota management, shift confirmation, wage actuals	Legitimate interests	As directed by operator
Time off requests & approvals	Absence management, coverage checking	Legitimate interests	As directed by operator
Confirmed shift start/finish times	Confirmed wage calculation	Contract	As directed by operator

Booking guests (processed on behalf of restaurant operators)

When a restaurant uses the bookings module, guest data is processed on their behalf. The restaurant operator is the Data Controller for this data.

Data	Purpose	Legal basis	Retention
Guest name	Booking identification	Legitimate interests of operator	As directed by operator
Phone number	Booking confirmation and contact	Legitimate interests	As directed by operator
Party size & booking date/time	Table allocation, cover tracking, analytics	Legitimate interests	As directed by operator
Dietary notes (if recorded)	Guest service and kitchen preparation	Legitimate interests / Explicit consent	As directed by operator
Booking status history	Operational records, analytics	Legitimate interests	As directed by operator

Staff and guests whose data is processed through Acreonix RMS on behalf of a restaurant should direct data rights requests to the restaurant operator directly. The operator is their Data Controller. Acreonix will assist operators in fulfilling their obligations promptly.

~~~PLACEHOLDER~~~"how-use">4. How We Use Your Data

We use personal data to:

Create and manage your Acreonix account (AI or RMS)
Provide, maintain, and improve both platforms
Process subscription payments via Stripe
Send transactional emails (account setup, invoices, security alerts)
Power AI features — rota generation, lead qualification, floor plan extraction, in-app guide — via Claude (Anthropic)
Detect and prevent fraud, abuse, and security threats
Comply with our legal obligations under UK law
Provide customer support

We do not use your data for automated decision-making that produces significant legal effects on you.

We do not sell personal data to third parties. Ever.

~~~PLACEHOLDER~~~"article13">5. Article 13 — Lead & Guest Data

Acreonix AI — property lead data

Purpose: Real estate lead qualification, property matching, viewing scheduling, and follow-up
Legal basis: Legitimate interests of the agency; consent or soft opt-in under PECR for email campaigns
Controller: The agency client who deployed the AI agent
Processor: Acreonix Ltd
Sub-processors: Anthropic (AI inference), Twilio (WhatsApp messaging), Supabase (database), Vercel (hosting), Resend (email delivery). All operate under appropriate UK transfer mechanisms.
Retention: Duration of the agency's subscription plus 30 days for closure processing.
Rights: Contact the agency directly.

Acreonix RMS — restaurant staff & guest data

Purpose: Staff scheduling, rota management, wage tracking, table booking management, and operational analytics
Legal basis: Legitimate interests of the restaurant operator; legal obligation for wage and payroll records; explicit consent where dietary or health data is recorded
Controller: The restaurant operator who uses Acreonix RMS
Processor: Acreonix Ltd
Sub-processors: Anthropic (AI rota generation, floor plan extraction, in-app guide), Supabase (database hosting), Vercel (frontend hosting), Railway (backend API hosting), Stripe (payments). All operate under appropriate UK transfer mechanisms.
Retention: Duration of the restaurant's subscription plus 30 days. Wage and financial records retained 7 years as required by HMRC.
Rights: Staff and guests should contact the restaurant operator directly.

~~~PLACEHOLDER~~~"sharing">6. Who We Share Data With

Acreonix AI sub-processors

Sub-processor	Purpose	Location & safeguard
Anthropic (Claude AI)	AI inference — conversation messages processed to generate responses	USA — DPA + SCCs
Twilio	WhatsApp message delivery and receipt	USA — DPA + SCCs
Supabase	Database hosting	USA/EU — DPA + SCCs
Vercel	Platform hosting and edge functions	USA/EU — DPA + SCCs
Resend	Transactional and campaign email delivery	USA — DPA + SCCs
Stripe	Payment processing	USA/EU — DPA + SCCs

Acreonix RMS sub-processors

Sub-processor	Purpose	Location & safeguard
Anthropic (Claude AI)	AI rota generation, floor plan extraction, in-app guide assistant	USA — DPA + SCCs
Supabase	Database hosting (staff, schedules, bookings, inventory)	USA/EU — DPA + SCCs
Vercel	Frontend hosting	USA/EU — DPA + SCCs
Railway	Backend API hosting	USA/EU — DPA + SCCs
Stripe	Payment processing	USA/EU — DPA + SCCs

We may also disclose data where required by UK law (e.g. a court order) or to protect the safety of users or the public.

~~~PLACEHOLDER~~~"retention">7. Data Retention

Active account data: Retained for the duration of your subscription
Closed account data: Deleted within 30 days of account closure, except where required by law
Lead / CRM data (Acreonix AI): Retained for the duration of the agency's subscription, then deleted within 30 days
Staff & booking data (Acreonix RMS): Retained for the duration of the restaurant's subscription, then deleted within 30 days
Wage & financial records (Acreonix RMS): 7 years as required by HMRC
Financial records — both products: 7 years as required by HMRC
Server / security logs: 90 days

~~~PLACEHOLDER~~~"cookies">8. Cookies & Local Storage

Both platforms use a small number of strictly necessary cookies and browser storage items. We do not use advertising, tracking, or analytics cookies.

Name	Platform	Purpose	Lifetime
sb-access-token	Acreonix AI	Authentication — keeps you logged in	Session
sb-refresh-token	Acreonix AI	Refreshes your login token	1 year
leads_from / leads_to	Acreonix AI	Remembers date filter preference (sessionStorage)	Session
acreonix-cookie-consent	Both	Records acceptance of cookie notice	1 year
rms_token	Acreonix RMS	Authentication token (localStorage)	Persistent until logout
rms-auth	Acreonix RMS	Auth & employee state via Zustand (localStorage)	Persistent until logout
rms-guide	Acreonix RMS	Guide conversation history (localStorage)	Persistent until cleared
acx_country	acreonix.co.uk	Currency preference on main website	Persistent

Because we only use strictly necessary cookies, we do not require your consent to set them under PECR. You can delete cookies and clear localStorage at any time through your browser settings. Doing so will log you out of the relevant platform.

~~~PLACEHOLDER~~~"rights">9. Your Rights Under UK GDPR

Right	What it means
Right of access (Art. 15)	Request a copy of all personal data we hold about you
Right to rectification (Art. 16)	Ask us to correct inaccurate or incomplete data
Right to erasure (Art. 17)	Ask us to delete your data ("right to be forgotten")
Right to restriction (Art. 18)	Ask us to restrict processing while a dispute is resolved
Right to portability (Art. 20)	Receive your data in a machine-readable format
Right to object (Art. 21)	Object to processing based on legitimate interests
Right to withdraw consent	Withdraw consent at any time without affecting prior processing

To exercise any right, email privacy@acreonix.co.uk. We will respond within 30 days.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

~~~PLACEHOLDER~~~"security">10. Security

We implement appropriate technical and organisational measures to protect personal data, including:

Encryption at rest and in transit (TLS 1.2+)
Tenant isolation on all database tables — organisations cannot access each other's data
JWT-based authentication with short-lived tokens
Rate limiting on all public-facing API endpoints
Webhook signature verification where applicable
Access to production systems restricted to authorised Acreonix personnel only
Regular security reviews and dependency updates

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware.

~~~PLACEHOLDER~~~"changes">11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will notify account holders by email and update the "Last updated" date above. Continued use of either service after notification constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related questions, data requests, or concerns:

Acreonix Ltd
United Kingdom
Privacy enquiries: privacy@acreonix.co.uk
General enquiries: hello@acreonix.co.uk