Legal · last updated April 19, 2026
Privacy Policy.
This Privacy Policy explains how Acilox LLP (“Acilox,” “we,” “our,” or “us”) processes personal data when you visit acilox.com, use our products and services, or otherwise interact with us. Our headquarters are in India. We operate four divisions: Studio (digital products), Labs (SaaS), Arcade (games and consumer apps), and Reads (publishing and research). Division-specific notices supplement this policy where processing differs by product line.
Who this policy covers
This policy applies to visitors, customers, trial users, newsletter subscribers, and business contacts. If you use a product offered by a specific division, we also encourage you to read that division’s privacy notice (linked from our legal hub).
Personal data we collect
We collect personal data in the categories below. Not every category applies to every user.
Account and identity
Name, email address, organization name, role, authentication identifiers, and similar details you provide when you create an account, join a workspace, or sign in through an identity provider.
Billing and payments
Billing contact details, billing address where required, transaction references, and payment-related metadata. Payment card data is handled by our payment processors; we generally receive tokens or limited billing information rather than full card numbers.
Usage, product telemetry, and diagnostics
Product usage events, performance metrics, error logs, feature interactions, and similar technical data needed to operate, secure, and improve our services. Where we offer optional analytics, we describe it in product settings and applicable notices.
Support and communications
Information you send when you contact us (including attachments), support ticket content, call or chat transcripts where recorded with notice, and metadata such as priority and category.
Cookies and similar technologies
Cookies, local storage, pixels, and similar technologies as described in our Cookie Policy. We use privacy-respecting analytics (Plausible) by default on many web properties and do not use third-party advertising cookies on our core sites.
Marketing
Preferences, campaign engagement, and subscription status where you have opted in or where applicable law permits us to send commercial messages.
Legal bases for processing
We process personal data only where we have a lawful basis.
- India — Digital Personal Data Protection Act, 2023 (DPDP Act). We process personal data for specified purposes consistent with Sections 4–7 of the DPDP Act, including where necessary to provide services you request, comply with law, protect safety and security, and pursue legitimate interests that are not overridden by your rights.
- EU/UK — GDPR / UK GDPR. Where Article 6 applies, we rely on contract performance, legitimate interests (for example, securing our services and understanding aggregate usage), consent where required, and legal obligations.
- California — CCPA/CPRA. We describe California rights separately below. We do not “sell” personal information as defined by CPRA, and we do not “share” personal information for cross-context behavioral advertising in connection with the activities described in this policy unless we present a separate opt-out mechanism where required.
How we use personal data
We use personal data to:
- Provide, operate, maintain, and improve our websites, products, and APIs;
- Authenticate users, prevent fraud, and protect the security and integrity of our systems;
- Communicate about transactions, service updates, and (where permitted) marketing;
- Provide customer support and respond to inquiries;
- Comply with law, enforce our terms, and defend our legal rights;
- Conduct analytics in a privacy-respecting manner, including aggregated or de-identified reporting where appropriate.
Sharing and sub-processors
We share personal data with service providers that process data on our instructions (for example, hosting, email delivery, payment processing, and security monitoring). A current list of sub-processors for relevant services is published at /trust/sub-processors. We may also disclose information if required by law, to protect rights and safety, or in connection with a merger, acquisition, or asset sale subject to appropriate safeguards.
International transfers
Acilox is based in India. Where we transfer personal data across borders, we use mechanisms permitted by applicable law, including standard contractual clauses where appropriate for EU/UK transfers and India-permitted transfer routes where the DPDP framework contemplates them. We assess supplementary measures when needed based on the nature of processing and risk.
Retention
We retain personal data for as long as necessary to fulfill the purposes described in this policy, unless a longer period is required or permitted by law. The table below summarizes typical retention drivers.
| Category | Typical retention |
|---|---|
| Account records | For the life of the account plus a limited period for legal, tax, and security purposes |
| Billing and tax records | As required by applicable accounting and tax law (often multiple years) |
| Support tickets | Long enough to resolve issues and maintain service quality, then archived or deleted on a rolling basis |
| Security logs | A shorter rolling window appropriate for threat detection and incident response |
| Marketing preferences | Until you unsubscribe or object, plus a short period to evidence consent and suppression |
Your rights
India — DPDP Act
Under India’s DPDP Act, you may have rights to access, correction, erasure, grievance redress, and nomination, subject to conditions in the law and our ability to verify your request. You may contact us using the details below.
EU/UK — GDPR / UK GDPR
If you are in the EU or UK, you may have the right to access, rectify, erase, restrict processing, object to certain processing, and data portability, and to withdraw consent where processing is consent-based. You may lodge a complaint with your local supervisory authority.
California — CCPA/CPRA
California residents have the additional right to know what personal information we collect, delete personal information subject to exceptions, correct inaccurate personal information, and opt out of certain sharing for cross-context behavioral advertising where applicable. You may designate an authorized agent under CPRA rules. We will not discriminate against you for exercising these rights.
Cookies
See our Cookie Policy for categories, vendors, durations, and controls. Where we deploy a consent management experience, your choices are stored per that tool’s settings.
Children
Our services are not directed to children under 18. We do not knowingly collect personal data from children without appropriate parental consent where required. Arcade titles may apply an age gate and additional rules; see the Arcade privacy notice for game-specific practices.
Complaints
You may contact us first so we can try to resolve your concern. Depending on your location, you may also have the right to complain to:
- The Data Protection Board of India or other regulator with jurisdiction under the DPDP Act, where applicable;
- An EU supervisory authority or the UK Information Commissioner’s Office;
- The California Attorney General or other US state regulator where provided by law.
Changes
We may update this policy from time to time. We will post the revised version on this page and update the “last updated” date in the header. If changes are material, we will provide additional notice as required by law.
Effective date: April 19, 2026.
Contact us
For privacy questions and requests: privacy@acilox.com. For Data Protection Officer inquiries: dpo@acilox.com.