Privacy Policy


This Privacy Policy describes how ACP collects, uses, stores, and protects personal and professional data in the course of delivering services to our clients and operating as an organisation.

1. Scope

This policy applies to all personal data and confidential information processed by ACP, including:
- Data belonging to our clients and their end users
- Data relating to ACP employees, contractors, and interns
- Data processed through internal tools, cloud infrastructure, and communication platforms

2. Data We Collect

ACP may collect and process the following categories of data in the course of normal business operations:
- Client Data: Architecture designs, infrastructure configurations, business logic, and any data shared by clients in the context of a project engagement.
- Employee & Contractor Data: Contact details, employment records, access credentials, and system activity logs for operational and security purposes.
- Operational Data: Logs, metrics, and telemetry generated by cloud infrastructure and internal tooling.
- Communication Data: Messages and files shared over approved communication platforms in the course of work.

ACP does not collect data beyond what is necessary for the stated purpose of a given engagement or operational need.

3. How We Use Data

Data collected by ACP is used solely for the following purposes:

- Delivering contracted services to clients
- Ensuring the security and integrity of our systems and client environments
- Meeting legal, regulatory, and contractual obligations
- Internal operations including HR, finance, and compliance
- Security monitoring, incident response, and audit trail maintenance

Data will not be used for marketing, profiling, or any purpose not directly related to the above without explicit consent.

4. Data Classification

All data handled by ACP is classified according to our 4-level Data Classification Model. In summary:

- Public: Freely shareable with no restrictions.
- Internal: For ACP use only; not for external distribution.
- Confidential: Restricted to authorised personnel on a need-to-know basis.
- Highly Confidential: Subject to the strictest access controls; includes PII, credentials, and regulated data.

All team members are responsible for applying the correct classification to data they create or handle.

5. Data Storage & Retention

- Client data must only be stored in client-approved environments or ACP-approved platforms. It must never be stored on personal devices, unapproved cloud storage, or local machines beyond what is strictly necessary for active work.
- ACP employee and operational data is stored in secure, access-controlled systems.
- Data is retained only for as long as necessary to fulfil the purpose for which it was collected, or as required by law or contract.
- When a project concludes, all client data stored in ACP-controlled environments must be securely deleted or returned to the client as agreed.

6. Data Sharing & Third Parties

ACP does not sell or trade personal or client data. Data may be shared in the following limited circumstances:

- With client personnel who have a legitimate need in the context of a project
- With approved third-party tools and platforms
- With legal or regulatory authorities where required by law
- With subcontractors or partners only under a formal confidentiality agreement and with client consent where applicable

Any sharing of data beyond these cases requires prior written approval from the CTO or COO.

7. AI Tools & Data Privacy

The use of AI tools introduces specific privacy risks. The following rules apply:

- Personally Identifiable Information (PII) must never be entered into any AI tool, whether approved or not.
- Client-specific logic, confidential data, or proprietary information must not be used as input to AI tools.
- Any data processed through an approved AI tool is automatically treated as **Highly Confidential**.

8. Individual Rights

Where applicable under relevant data protection legislation (e.g., GDPR), individuals have the right to:

- Access personal data held about them
- Rectify inaccurate or incomplete data
- Request erasure of personal data, subject to legal or contractual obligations
- Object to processing of their data in certain circumstances
- Exercise data portability, where technically feasible

Requests relating to individual rights should be directed to the Security Lead or COO.

Version 1.0 — Effective date: March 2026