Data Protection Policy

1. Data Controller

Acquiral acts as the data controller for personal data collected through our website and in connection with service engagements. For questions about data processing, contact our data protection point of contact at legal@acquiral.io.

2. Principles of Data Processing

We process personal data in accordance with the following principles:

• Lawfulness: We process data only with a valid legal basis
• Purpose limitation: Data is collected for specified, explicit purposes
• Data minimization: We collect only what is necessary
• Accuracy: We maintain accurate and up-to-date records
• Storage limitation: Data is retained only as long as necessary
• Integrity and confidentiality: Data is secured against unauthorized access

3. Legal Bases for Processing

We process personal data under the following legal bases:

• Contract: When processing is necessary to perform a service engagement
• Legitimate interests: For analytics, security, and business operations
• Legal obligation: When required to comply with applicable laws
• Consent: For marketing communications, where required

4. Special Category Data

We do not knowingly collect or process special category personal data (such as health, political, or religious information) in connection with our services.

5. International Data Transfers

If we transfer personal data outside your jurisdiction, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or equivalent mechanisms recognized by applicable law.

6. Data Subject Rights

Under applicable data protection law, you may have the right to:

• Access your personal data (Subject Access Request)
• Rectify inaccurate data
• Erase data in certain circumstances (“right to be forgotten”)
• Restrict processing
• Data portability
• Object to processing based on legitimate interests
• Withdraw consent at any time (where consent is the legal basis)

To exercise these rights, contact us at legal@acquiral.io. We will respond within 30 days.

7. Data Breach Procedures

In the event of a data breach that is likely to result in risk to individuals, we will notify relevant supervisory authorities within 72 hours of becoming aware, and affected individuals where required by law.

8. Data Protection by Design

We implement data protection principles from the design stage of any new service, system, or process that involves personal data.

9. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your national data protection supervisory authority.