Acquilens — Privacy Policy
Version 1.0 — 16 April 2026
This Privacy Policy explains how Acquilens Pty Ltd (ABN [ACQUILENS ABN]) of [REGISTERED ADDRESS] (Acquilens, we, us, our) handles personal information in connection with the Acquilens platform (the Platform).
This Policy is written to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where you are located outside Australia, additional rights may apply to you under local law; where so, we apply the stricter of the applicable standards.
This Policy forms part of our Terms of Service.
1. About this Policy
This Policy covers personal information we collect about:
- Users of the Platform — the people who sign in and use Acquilens.
- Individuals described in Customer Content — people referenced in documents uploaded to Acquilens by our customers (for example, employees or counterparties in a target company's data room).
- Visitors to our website — people who visit
acquilens.aior related sites. - Prospective customers and other contacts — people who contact us, attend our events, or enquire about the Platform.
If you disagree with anything in this Policy, do not use the Platform.
2. Who we are and how to contact us
We are Acquilens Pty Ltd, an Australian company.
- Privacy enquiries and requests:
privacy@acquilens.ai - Postal:
[REGISTERED ADDRESS] - Privacy officer:
[PRIVACY OFFICER NAME AND ROLE — to be nominated]
3. What personal information we collect
We collect the following categories of personal information:
3.1 Account information (from Users)
- Name, email address, job title, employer/organisation
- Login credentials and authentication tokens (managed through our authentication provider)
- Role within your organisation's tenant (for example, administrator)
- Preferences and settings
3.2 Usage information (from Users)
- Log data, including IP address, browser type and version, device identifiers, operating system, referring URLs, pages visited, and timestamps
- Actions taken within the Platform (for example, deals created, documents uploaded, agents run, feedback provided)
- Error and diagnostic information
3.3 Customer Content (as hosted for our customers)
When you upload documents or other material to the Platform, that material may contain personal information about you or about third parties (for example, employees, directors, counterparties, or others named in due-diligence documents). We handle this personal information as a data processor on behalf of our customer.
Before Customer Content is sent to our AI processing sub-processor, we run it through a privacy pipeline that attempts to remove personally identifiable information. The pipeline is based on industry tooling (currently Microsoft Presidio) and is designed to identify and pseudonymise names, emails, phone numbers, identifiers, addresses, and similar categories of personal information. Pseudonymisation is not a guarantee of complete de-identification. See clause 8 for detail.
3.4 Billing information
If we introduce fees, we may collect billing and payment information (for example, name, billing address, ABN, and payment-method details). Payment-card data, if relevant, is handled by our payment provider, not stored directly by us.
3.5 Communications
We collect information you provide when you contact us (email, web form, support ticket), including its contents and any attachments.
3.6 Website visitors
We collect log data about visitors to our website (similar to clause 3.2). We may also collect information through cookies and web analytics — see clause 11.
4. How we collect personal information
We collect personal information:
- Directly from you when you create an account, use the Platform, upload Customer Content, or communicate with us;
- Automatically through the operation of the Platform (usage logs, diagnostic data);
- From your organisation if your employer or client onboards you as a User under its tenant;
- From our service providers where they process information on our behalf (for example, authentication tokens from our identity provider); and
- From public sources where lawful and relevant to our operations.
If it is reasonable and practicable, we collect personal information directly from the individual it concerns. Where we collect personal information about individuals named in Customer Content, we do so from our customers who have warranted their authority to provide it to us (see Terms of Service, clause 10).
5. Why we collect and how we use personal information
We collect and use personal information to:
- (a) provide, operate, maintain, and improve the Platform and its features;
- (b) create and administer your account, authenticate you, and enforce our Terms of Service;
- (c) generate Outputs for you from Customer Content you upload;
- (d) communicate with you about your account, service notices, security alerts, and changes to the Platform or to legal documents;
- (e) respond to support enquiries;
- (f) bill, invoice, and collect fees where applicable;
- (g) secure the Platform against misuse, fraud, and unauthorised access, and investigate and respond to incidents;
- (h) produce aggregated or de-identified analytics for product and business improvement (see clause 8.2); and
- (i) comply with applicable laws, regulatory requirements, and lawful requests from authorities.
We do not use your Customer Content to train or improve AI models, or to benchmark or provide services to any other customer. See clause 8.
We will not use your personal information for a secondary purpose that is unrelated to the primary purpose for which we collected it, unless you would reasonably expect that use, you have consented, or we are otherwise permitted under the APPs.
6. Direct marketing
We may send you information about new features, events, or updates relevant to your use of the Platform. You can opt out at any time by using the unsubscribe link in any marketing email or by contacting privacy@acquilens.ai. We will not send you marketing communications if you have opted out.
7. To whom we disclose personal information
7.1 Within Acquilens
We disclose personal information to our employees and contractors who need it to perform their duties and who are bound by confidentiality obligations.
7.2 Sub-processors
We engage third-party service providers (sub-processors) to process personal information on our behalf. We remain responsible for personal information we disclose to a sub-processor. Our current sub-processors are listed at acquilens.ai/legal/sub-processors and include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI model processing (Claude Messages API) — see clause 8 | United States |
| Supabase, Inc. | Database hosting (Postgres + pgvector + Supabase Auth) | Australia (ap-southeast-2, Sydney) |
| [BACKEND HOSTING PROVIDER] | API / backend service hosting, privacy pipeline hosting | [REGION — confirm pre-pilot] |
| [FRONTEND HOSTING PROVIDER] | Dashboard and website hosting, CDN | [REGION — confirm pre-pilot] |
| [TRANSACTIONAL EMAIL PROVIDER] | Sign-in emails, password resets, notifications | [REGION — confirm pre-pilot; may be "same as database hosting" if using built-in auth email] |
| [ERROR TRACKING PROVIDER, IF USED] | Error and diagnostic telemetry | [REGION — or remove if not used] |
| [WEB ANALYTICS PROVIDER, IF USED] | Aggregate website/product analytics | [REGION — or remove if not used] |
Pre-pilot note: the bracketed entries are confirmed and finalised before the Platform is offered to external customers. The Sub-processors page is updated when new sub-processors are added and material changes are notified under the Terms of Service.
7.3 Other disclosures
We may also disclose personal information:
- (a) to professional advisers (lawyers, accountants, insurers) bound by confidentiality;
- (b) to law-enforcement, regulatory, or government authorities where we are legally required to, or where we reasonably believe disclosure is necessary to prevent harm or investigate fraud or abuse;
- (c) to courts or parties to legal proceedings in response to a valid subpoena or order;
- (d) to a purchaser or successor in connection with a merger, acquisition, investment, or sale of all or part of our business, subject to appropriate confidentiality arrangements; and
- (e) with your consent or as you direct.
7.4 Cross-border disclosures (APP 8)
Some of our sub-processors are located outside Australia, principally in the United States. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs in relation to the information. This is achieved through contractual commitments in our sub-processor agreements.
Where we disclose personal information to an overseas recipient, we do so in reliance on APP 8.2(a) (reasonable steps taken) and, where you consent to the disclosure by accepting these Terms and this Policy, APP 8.2(b).
8. AI processing — specific information
This clause explains what happens when your Customer Content is sent to our AI processing sub-processor to generate Outputs.
8.1 Privacy pipeline
Before Customer Content is transmitted to our AI processing sub-processor, we run it through a privacy pipeline (currently Microsoft Presidio) that attempts to identify and pseudonymise personally identifiable information, including names, email addresses, phone numbers, identifiers, and addresses. Pseudonymisation is imperfect, is not a guarantee of complete de-identification, and does not remove all privacy risk.
8.2 Anthropic (Claude Messages API)
We use Anthropic's Claude Messages API to generate Outputs. Based on Anthropic's published terms and documentation at the date of this Policy:
- No training. Anthropic contractually commits not to use Customer Content (including prompts and Claude's outputs) to train its models. This commitment applies to all commercial API customers by default and does not require an opt-in.
- No content retention on the Messages API. Anthropic does not retain the content of your prompts or AI responses after the API response is returned when using the standard Messages API that we use. Operational metadata (such as request logs that do not include content) is retained by Anthropic for up to approximately seven days for operational purposes.
- Safety and legal exception. Where Anthropic's safety classifiers flag content as a suspected Usage Policy violation, or where retention is required by law, Anthropic may retain inputs and outputs for up to 2 years for investigation. This exception applies to every API customer, including those under Zero Data Retention arrangements.
- Cross-border transfer. Anthropic processes Customer Content in the United States.
The Anthropic links that govern the above are set out at the end of this Policy. If we change AI processing sub-processor, or if Anthropic's terms change materially, we will update this Policy and, where required, notify you under the Terms of Service.
8.3 No training or reuse by us
We do not use your Customer Content to train or improve AI models, to benchmark the Platform, to fine-tune prompts for other customers, or for any cross-customer purpose. Aggregated, de-identified telemetry (for example, "median agent runtime", "number of documents processed this month") may be retained and used internally for product improvement. Telemetry never includes the content of your documents, Outputs, or other Customer Content.
9. How we store and retain personal information
9.1 Where we store
Personal information is stored with the sub-processors listed in clause 7.2. Backups and disaster-recovery copies may be held in additional regions operated by those sub-processors.
9.2 Retention
We retain personal information for as long as is necessary to provide the Platform and to meet the purposes set out in clause 5. Specifically:
- Customer Content and deal data: retained while your account is active. On termination of your account, Customer Content is deleted within 30 days of the later of termination or completion of any lawful export request, except where retention is required by law or where your Order Form specifies a different retention period.
- Backups: purged on their usual rotation, typically within 30 to 90 days.
- Account and billing records: retained for up to 7 years after account closure, or longer where required by Australian tax, corporate, or anti-money-laundering laws.
- Support and legal communications: retained as long as reasonably necessary for the purpose they were created and for our legitimate record-keeping.
- Audit and security logs: retained for up to 12 months unless a longer retention is required for investigating a specific incident.
9.3 Enterprise retention configuration
Customers on an enterprise Order Form may agree a different retention period for Customer Content (for example, a shorter period for higher-sensitivity workloads or a longer period for regulatory alignment). Where so agreed, that period applies in place of the default.
9.4 Deletion
On deletion, we take reasonable steps to remove personal information from live systems. Some residual copies may persist temporarily in backups and in disaster-recovery systems until their scheduled expiry.
10. Security
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure, including:
- Encryption in transit (TLS) and at rest for data stored in our database;
- Role-based access controls and least-privilege principles for internal access;
- Tenant isolation so that Customer Content from one tenant is not accessible to Users of another tenant;
- Privacy pipeline pseudonymisation before AI processing (see clause 8.1);
- Audit logging of access to sensitive operations;
- Vendor reviews of key sub-processors; and
- Incident-response procedures for suspected security incidents.
No method of transmission or storage is perfectly secure. We cannot guarantee the security of information transmitted to or from the Platform, and you are responsible for the security of your own credentials and devices.
11. Cookies and analytics
[CONFIRM PRE-PILOT: describe website and Platform cookie and analytics usage. If no analytics or cookies are used on the Platform itself (other than session cookies), say so. If the marketing site uses a provider, name it — for example Plausible, Fathom, or Google Analytics — and describe the categories of data collected. Include how users may opt out.]
Placeholder language pending confirmation:
We use strictly necessary cookies and similar technologies on the Platform to keep you signed in and to remember basic preferences. Our marketing website
[may or may not]use[PROVIDER]for aggregate analytics. Details, including how to opt out, are set out in our Cookie Notice atacquilens.ai/legal/cookies[create this page if analytics are used; remove this reference if not].
12. Your rights and choices
12.1 Access and correction (APP 12, 13)
You may ask us for access to the personal information we hold about you, and ask us to correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will respond within a reasonable time, usually within 30 days. In limited circumstances we may decline a request; if we do, we will give reasons in writing.
12.2 Account self-service
Users can update most account information directly in the Platform (for example, name, email, password). Account administrators can manage Users and tenant-level settings.
12.3 Deletion
You can request deletion of personal information we hold about you. Where the information is Customer Content hosted on behalf of another customer, we will direct the request to that customer and assist them to respond in line with clause 9.2.
12.4 Requests from individuals described in Customer Content
If you believe your personal information appears in Customer Content held by us on behalf of one of our customers and you want access, correction, or deletion, contact us at privacy@acquilens.ai and we will route your request to the relevant customer.
12.5 Marketing opt-out
See clause 6.
12.6 Complaints (APP compliance)
If you believe we have handled your personal information in a way that breaches the APPs or this Policy, please contact privacy@acquilens.ai. We will investigate and respond within a reasonable time. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Postal: GPO Box 5218, Sydney NSW 2001
13. Children
The Platform is not intended for children under 18, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
14. Changes to this Policy
We may update this Policy from time to time. Where a change is material, we will notify Users by email or through the Platform at least 30 days before the change takes effect (or such shorter period as is required by applicable law), and where required re-prompt you to accept the updated version. Your continued use of the Platform after a change takes effect constitutes acceptance of the updated Policy.
15. Contact us
If you have any questions about this Policy or how we handle personal information:
- Email:
privacy@acquilens.ai - Post: Privacy Officer, Acquilens Pty Ltd,
[REGISTERED ADDRESS]
References
Policies of our AI processing sub-processor referenced in clause 8:
- Anthropic Commercial Terms: https://www.anthropic.com/legal/commercial-terms
- Anthropic API and Data Retention: https://platform.claude.com/docs/en/build-with-claude/api-and-data-retention
- Anthropic Privacy Policy: https://www.anthropic.com/legal/privacy
This Privacy Policy is Version 1.0, dated 16 April 2026. For questions, contact privacy@acquilens.ai.