Privacy Policy
Last updated: 20 June 2026
1. Who we are
Aciutap (operated by Yamato Fujishima, based in Klaipėda, Lithuania) provides an AI-assisted Google review management tool for small businesses. In this policy, "we", "us", and "Aciutap" refer to the service operator. For privacy questions, contact support@aciutap.com.
2. What data we collect
We collect only what's necessary to operate the service:
- Account data: email address and password (stored as a hash). Provided by you at signup.
- Business data: business name, industry, service list, Google Place ID, public Google review URL. Provided by you in settings.
- Customer-facing reviews: when an end customer scans your QR code, we record their answers to your review questions, the language they selected, and the AI-generated draft. We do not ask for customer names, emails, phone numbers, or any other PII.
- Billing data: subscription status and Stripe customer/subscription IDs. Card numbers are never stored on our servers — Stripe handles payment.
- Technical data: standard server logs (IP address, browser, timestamps) retained for up to 30 days for security and debugging.
3. How we use your data
- Operate the service (authentication, your dashboard, generating drafts).
- Personalize AI-generated questions and replies for your business.
- Process subscription payments via Stripe.
- Respond to support requests.
- Comply with legal obligations (e.g. tax invoicing).
We do not sell your data. We do not show third-party advertising.
4. Third-party services we use
We rely on the following processors. Each handles your data only on our instructions and under their own privacy terms:
- Supabase — database and authentication (EU region).
- Vercel — application hosting.
- Cloudflare — DNS.
- Stripe — payment processing.
- Anthropic Claude API — AI text generation. Prompts may contain your business name and the review answers you've gathered. Anthropic does not train models on API data.
- Google Places API — to look up public business profile data you ask us to fetch.
5. Legal basis for processing (GDPR)
We process your data on the following bases:
- Contract: processing needed to deliver the service you signed up for.
- Legitimate interest: securing the service, preventing abuse, improving quality.
- Legal obligation: tax and accounting records.
- Consent: where required (e.g. optional analytics).
6. Data retention
- Account and business data: retained while your account is active.
- After account deletion: removed within 30 days, except where law requires longer retention (invoicing records).
- Server logs: up to 30 days.
7. Your rights (GDPR)
If you are in the EU/EEA you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion ("right to be forgotten").
- Export your data (data portability).
- Object to or restrict processing.
- Withdraw consent at any time (where applicable).
- Lodge a complaint with the Lithuanian State Data Protection Inspectorate (VDAI) at vdai.lrv.lt.
To exercise any of these rights, email support@aciutap.com. We respond within 30 days.
8. Data transfers outside the EU
Some processors (e.g. Anthropic, Stripe) are based in the United States. Transfers are protected by Standard Contractual Clauses approved by the European Commission.
9. Children
Aciutap is a B2B tool for business owners. It is not directed at children under 16 and we do not knowingly collect data from them.
10. Security
We use HTTPS for all traffic, row-level security on the database, and hashed passwords, and we isolate API keys via server-only environment variables. No system is 100% secure, but we follow current best practices.
11. Changes to this policy
We may update this policy. We will notify you of material changes via email or a dashboard notice at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For any privacy questions or to exercise your rights:
Yamato Fujishima
Klaipėda, Lithuania
support@aciutap.com