Privacy Policy
Last updated: May 20, 2026. Effective: June 1, 2026.
Controller of record: Toronado Entertainment, LLC, a Florida limited liability company.
Data Protection Officer: legal@aclamos.app
EU representative (Article 27 GDPR): not yet formally designated; EU residents may direct all data-protection inquiries to legal@aclamos.app. We will appoint a formal representative service (such as Prighter or VeraSafe) once our EU/UK resident user base reaches a supervisory-authority-engagement threshold.
UK representative (UK GDPR Article 27): same posture — contact legal@aclamos.app.
This Privacy Policy explains how Toronado Entertainment, LLC, doing business as Aclamos (“Aclamos”, “we”) collects, uses, and protects information across both the Aclamos awards-show platform and the Ballotis voting platform (the “Services”). Our role differs depending on who you are:
- If you are a Customer (an organization running an awards show or a vote), we are a processor for the personal data you bring into the Services. Your own privacy notice governs your relationship with your nominators, judges, and voters; the DPA governs ours with you.
- If you are a visitor or end-user of the Services (signing up, browsing, applying for the beta, sending feedback), Aclamos is the controller, and this Policy applies directly.
1. What we collect
We collect only what we need:
- Account data: name, email, password hash (argon2id), optional phone for 2FA, optional 2FA TOTP secret (encrypted at rest with AES-256-GCM).
- Submission data (Customer Data): nominator and nominee details that the Customer's own form collects, including any address (Google Places), file uploads, and video links.
- Vote data (Ballotis): the email and/or phone you used to vote, the SHA-256 hash of your IP, the User-Agent, and an optional anonymous device fingerprint. Raw IPs are never persisted.
- Activity data: page views and product events only after you opt in via the cookie banner.
- Payment data: handled by Stripe. We never see your card number.
- Diagnostics: when you submit feedback or a bug report, we attach the URL, your User-Agent, and your last few client-side events.
We do not collect special categories of personal data (race, religion, health, biometric, etc.) unless a Customer chooses to collect them through their own form, in which case the Customer is responsible for the lawful basis.
2. Why we process — lawful bases (GDPR Art 6)
| Purpose | Lawful basis |
|---|---|
| Provide and operate the Services | Performance of contract — Art 6(1)(b) |
| Send transactional email (sign-in, receipts) | Performance of contract — Art 6(1)(b) |
| Anti-fraud (rate limits, fingerprint, ML) | Legitimate interests — Art 6(1)(f) |
| Marketing email | Consent — Art 6(1)(a); withdraw any time |
| Cookies & analytics (non-essential) | Consent — Art 6(1)(a) + ePrivacy Art 5(3) |
| Comply with legal obligations | Legal obligation — Art 6(1)(c) |
| Defend legal claims, prevent harm | Legitimate interests — Art 6(1)(f) |
3. How long we keep it (retention)
- Account: while your account is active, plus 30 days after deletion (followed by cryptographic erasure of file keys).
- Audit logs: 7 years (or as required by your jurisdiction).
- Drafts: 90 days idle, then automatic deletion.
- Activity events: 18 months, then aggregated.
- Anti-fraud signals: 24 months.
- Backups: 30 days, then permanently deleted; cryptographic erasure if a shorter period is required.
- Tax / billing records: 7 years (US IRS / EU VAT).
4. Who we share with
Sub-processors (third-party services that process Customer Data on our behalf): see the always-current list at /subprocessors. Beyond sub-processors:
- Other end-users within your Customer org (e.g. judges seeing nominations).
- Law enforcement / courts when required by valid legal process. We notify the affected Customer when permitted by law.
- Acquirers in a merger or sale of substantially all assets, subject to the same protections.
We do not sell your personal information, and we do not “share” it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
5. International transfers
Aclamos is headquartered in the United States and Customer Data may be processed in the US, EU (Frankfurt), or AU (Sydney) depending on the region your Customer org chose. Where we transfer EEA, UK, or Swiss personal data outside an adequate jurisdiction, we rely on the EU Standard Contractual Clauses (2021, Module 2), the UK Addendum, and the EU-US / Swiss-US Data Privacy Framework. Full text in the DPA.
6. Your rights
Depending on where you live, you have the right to:
- Access the personal data we hold about you.
- Correct inaccuracies.
- Delete your data (the “right to be forgotten”).
- Port your data to another service in a structured, machine-readable format.
- Restrict or object to certain processing.
- Withdraw consent at any time without affecting prior lawful processing.
- If you are a California resident: opt out of sale or sharing (we don't do either) and limit use of sensitive personal information. See /privacy/do-not-sell.
- If you are in the EU/UK: lodge a complaint with your supervisory authority. Our lead authority for the EU is the Irish DPC.
- If you are in Brazil (LGPD), Canada (PIPEDA), South Africa (POPIA), Japan (APPI), Australia (Privacy Act), Nigeria (NDPA), or another covered jurisdiction: exercise the equivalent rights under that law.
To exercise any of these rights, submit a request at /privacy/request or email privacy@aclamos.app. We respond within 30 days (GDPR / UK GDPR / LGPD), 45 days (CCPA/CPRA), or sooner where required. Identity verification may be required.
7. Children's privacy
Aclamos and Ballotis are not directed at children under 13 in the U.S. (16 in the EEA / UK). We do not knowingly collect personal information from children below those ages. If a Customer runs a show that is intended for younger entrants, the Customer is responsible for COPPA / GDPR-K verifiable parental consent; contact privacy@aclamos.app and we will help you set up the consent flow.
8. California privacy notice
Categories of personal information collected, sources, business purposes, and disclosures are set out in this Policy. We do not sell or share personal information. Sensitive personal information (e.g. account credentials, 2FA secrets, precise geolocation if a producer's form requests it) is used only to provide the Service and detect fraud — California residents may limit its use. Verifiable consumer requests can be submitted at /privacy/request. Authorized agents may submit on your behalf with written authorization. We do not discriminate against you for exercising your rights.
8A. Florida privacy notice (Florida Digital Bill of Rights — FDBR)
Because Toronado Entertainment, LLC is a Florida limited liability company with its principal office in Florida, we extend the substantive consumer rights of the Florida Digital Bill of Rights (Fla. Stat. §§ 501.701 et seq., effective July 1, 2024) to all Florida residents, regardless of whether we cross the statute's $1B revenue / qualified-controller thresholds. You have the right to:
- Access the personal data we process about you.
- Correct inaccuracies in your personal data.
- Delete your personal data, subject to legal retention exceptions disclosed in §3 (Retention).
- Obtain a portable copy of your data in a commonly used machine-readable format.
- Opt out of the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects.
- Opt out of the processing of sensitive data (precise geolocation, biometric data, data of known children).
- Appeal a denial of any of these requests. If we deny your request we will explain the reason and your appeal right in the same response; appeals are decided by a different reviewer within 45 days. If we deny the appeal, you may submit a complaint to the Florida Attorney General at myfloridalegal.com.
To exercise any FDBR right, use /privacy/request or email privacy@aclamos.app.
8B. Other US state privacy laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Iowa (ICDPA), Indiana (INCDPA), Tennessee (TIPA), Montana (MCDPA), Oregon (OCPA), Delaware (DPDPA), New Hampshire, New Jersey, Minnesota, Maryland, and Rhode Island retain analogous access, deletion, correction, portability, opt-out (targeted advertising / sale / profiling), and (where applicable) appeal rights under their state law. We honor the Global Privacy Control (GPC) signal as a valid opt-out from “sale” / “share” / targeted advertising under every applicable US state law that recognizes universal opt-out mechanisms.
9. Automated decision-making
We do not make decisions producing legal or similarly significant effects about you using AI alone. Where AI is used to assist humans (e.g. fraud signals, plagiarism flags), the decision-maker is always a person; you can request human review. See /legal/ai-disclosure.
10. Security
TLS 1.2+ in transit, AES-256 at rest, argon2id passwords, AES-256-GCM application-layer encryption for OAuth tokens and TOTP secrets, signed/expiring upload URLs, immutable audit log, daily encrypted Postgres backups, SOC 2 controls. Full controls list at /security.
11. Notice of breach
If we suffer a personal-data breach affecting your data, we will notify you and (where applicable) the relevant supervisory authority within 72 hours of becoming aware, with the information required by GDPR Art 33–34 and U.S. state breach laws.
12. Cookies & tracking
We use cookies as described in our Cookie Policy. Non-essential cookies are off until you opt in.
13. Changes
We may update this Policy. Material changes are communicated with at least 30 days' notice via email and an in-app banner before they take effect. Older versions are archived and available on request.
14. Contact us
- Privacy questions: privacy@aclamos.app
- Data Processing Addendum: dpa@aclamos.app
- EU representative under GDPR Art 27: contact eu-rep@aclamos.app
- UK representative under UK GDPR: contact uk-rep@aclamos.app
- Mailing address: Toronado Entertainment, LLC, 1634 Cadorette Dr, The Villages, FL 34762, USA