Privacy Policy
Last updated: May 2026. Effective: 1 June 2026.
This Privacy Policy explains how Aclamos, Inc. (“Aclamos”, “we”) collects, uses, and protects information across both the Aclamos awards-show platform and the Ballotis voting platform (the “Services”). We are a Florida corporation. Our role differs depending on who you are:
- If you are a Customer (an organization running an awards show or a vote), we are a processor for the personal data you bring into the Services. Your own privacy notice governs your relationship with your nominators, judges, and voters; the DPA governs ours with you.
- If you are a visitor or end-user of the Services (signing up, browsing, applying for the beta, sending feedback), Aclamos is the controller, and this Policy applies directly.
1. What we collect
We collect only what we need:
- Account data: name, email, password hash (argon2id), optional phone for 2FA, optional 2FA TOTP secret (encrypted at rest with AES-256-GCM).
- Submission data (Customer Data): nominator and nominee details that the Customer's own form collects, including any address (Google Places), file uploads, and video links.
- Vote data (Ballotis): the email and/or phone you used to vote, the SHA-256 hash of your IP, the User-Agent, and an optional anonymous device fingerprint. Raw IPs are never persisted.
- Activity data: page views and product events only after you opt in via the cookie banner.
- Payment data: handled by Stripe. We never see your card number.
- Diagnostics: when you submit feedback or a bug report, we attach the URL, your User-Agent, and your last few client-side events.
We do not collect special categories of personal data (race, religion, health, biometric, etc.) unless a Customer chooses to collect them through their own form, in which case the Customer is responsible for the lawful basis.
2. Why we process — lawful bases (GDPR Art 6)
| Purpose | Lawful basis |
|---|---|
| Provide and operate the Services | Performance of contract — Art 6(1)(b) |
| Send transactional email (sign-in, receipts) | Performance of contract — Art 6(1)(b) |
| Anti-fraud (rate limits, fingerprint, ML) | Legitimate interests — Art 6(1)(f) |
| Marketing email | Consent — Art 6(1)(a); withdraw any time |
| Cookies & analytics (non-essential) | Consent — Art 6(1)(a) + ePrivacy Art 5(3) |
| Comply with legal obligations | Legal obligation — Art 6(1)(c) |
| Defend legal claims, prevent harm | Legitimate interests — Art 6(1)(f) |
3. How long we keep it (retention)
- Account: while your account is active + 30 days after deletion (cryptographic erasure of file keys after).
- Audit logs: 7 years (or as required by your jurisdiction).
- Drafts: 90 days idle, then automatic deletion.
- Activity events: 18 months, then aggregated.
- Anti-fraud signals: 24 months.
- Backups: 30 days, then permanently deleted; cryptographic erasure if shorter is required.
- Tax / billing records: 7 years (US IRS / EU VAT).
4. Who we share with
Sub-processors (third-party services that process Customer Data on our behalf): see the always-current list at /subprocessors. Beyond sub-processors:
- Other end-users within your Customer org (e.g. judges seeing nominations).
- Law enforcement / courts when required by valid legal process. We notify the affected Customer when permitted by law.
- Acquirers in a merger or sale of substantially all assets, subject to the same protections.
We do not sell your personal information, and we do not “share” it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
5. International transfers
Aclamos is headquartered in the United States and Customer Data may be processed in the US, EU (Frankfurt), or AU (Sydney) depending on the region your Customer org chose. Where we transfer EEA, UK, or Swiss personal data outside an adequate jurisdiction, we rely on the EU Standard Contractual Clauses (2021, Module 2), the UK Addendum, and the EU-US / Swiss-US Data Privacy Framework. Full text in the DPA.
6. Your rights
Depending on where you live, you have the right to:
- Access the personal data we hold about you.
- Correct inaccuracies.
- Delete your data (the “right to be forgotten”).
- Port your data to another service in a structured, machine-readable format.
- Restrict or object to certain processing.
- Withdraw consent at any time without affecting prior lawful processing.
- If you are a California resident: opt out of sale or sharing (we don't do either) and limit use of sensitive personal information. See /privacy/do-not-sell.
- If you are in the EU/UK: lodge a complaint with your supervisory authority. Our lead authority for the EU is the Irish DPC.
- If you are in Brazil (LGPD), Canada (PIPEDA), South Africa (POPIA), Japan (APPI), Australia (Privacy Act), Nigeria (NDPA), or another covered jurisdiction: equivalent rights as under that law.
To exercise any of these rights, submit a request at /privacy/request or email privacy@aclamos.app. We respond within 30 days (GDPR / UK GDPR / LGPD), 45 days (CCPA/CPRA), or sooner where required. Identity verification may be required.
7. Children's privacy
Aclamos and Ballotis are not directed at children under 13 in the U.S. (16 in the EEA / UK). We do not knowingly collect personal information from children below those ages. If a Customer runs a show that is intended for younger entrants, the Customer is responsible for COPPA / GDPR-K verifiable parental consent; contact privacy@aclamos.app and we will help you set up the consent flow.
8. California privacy notice
Categories of personal information collected, sources, business purposes, and disclosures are set out in this Policy. We do not sell or share personal information. Sensitive personal information (e.g. account credentials, 2FA secrets, precise geolocation if a producer's form requests it) is used only to provide the Service and detect fraud — California residents may limit its use. Verifiable consumer requests can be submitted at /privacy/request. Authorized agents may submit on your behalf with written authorization. We do not discriminate against you for exercising your rights.
9. Automated decision-making
We do not make decisions producing legal or similarly significant effects about you using AI alone. Where AI is used to assist humans (e.g. fraud signals, plagiarism flags), the decision-maker is always a person; you can request human review. See /legal/ai-disclosure.
10. Security
TLS 1.2+ in transit, AES-256 at rest, argon2id passwords, AES-256-GCM application-layer encryption for OAuth tokens and TOTP secrets, signed/expiring upload URLs, immutable audit log, daily encrypted Postgres backups, SOC 2 controls. Full controls list at /security.
11. Notice of breach
If we suffer a personal-data breach affecting your data, we will notify you and (where applicable) the relevant supervisory authority within 72 hours of becoming aware, with the information required by GDPR Art 33–34 and U.S. state breach laws.
12. Cookies & tracking
We use cookies as described in our Cookie Policy. Non-essential cookies are off until you opt in.
13. Changes
We may update this Policy. Material changes are communicated with at least 30 days' notice via email and an in-app banner before they take effect. Older versions are archived and available on request.
14. Contact us
- Privacy questions: privacy@aclamos.app
- Data Processing Addendum: dpa@aclamos.app
- EU representative under GDPR Art 27: contact eu-rep@aclamos.app
- UK representative under UK GDPR: contact uk-rep@aclamos.app
- Mailing address: Aclamos, Inc., [Florida principal office address — TBD], Tampa, FL [ZIP], USA