Privacy Policy — Acrovo
Version: 1.0
Effective Date: 2026-05-04
Last Updated: 2026-05-04
Issuer: Acrovo LLC — a limited liability company organized under the laws of Wyoming, United States of America.
Notice: This draft was prepared for legal review prior to publication. It must be reviewed by qualified counsel admitted in both the Kingdom of Saudi Arabia and the United States before adoption. The drafting follows industry best practices and addresses Saudi PDPL, U.S. CCPA/CPRA and equivalent state laws, EU GDPR, UK GDPR, Brazilian LGPD, and Chinese PIPL — but it is not a substitute for legal advice.
Table of Contents
- Introduction
- Who We Are — Identity of the Data Controller
- Scope of This Policy
- Definitions
- Data We Collect
- How We Collect Data
- Legal Basis for Processing
- How We Use Data
- With Whom We Share Data (Subprocessors)
- International Data Transfers
- Data Retention
- Data Security
- Data Subject Rights
- Rights of U.S. Users (CCPA/CPRA and Equivalent State Laws)
- Rights of EU/UK Users (GDPR / UK GDPR)
- Rights of Saudi Users (PDPL)
- Children
- Cookies and Tracking Technologies
- Marketing and Communications
- Automated Decision-Making and Profiling
- Data Breaches
- Changes to This Policy
- Contact Us
- Appendix — List of Subprocessors
- Appendix — Summary of the Data Processing Addendum (DPA)
1. Introduction
Acrovo LLC ("Acrovo," "we," "us," "our") respects your privacy. This Policy explains how we collect, use, protect, and share Personal Data when you use our platform and related services (collectively, the "Service").
We commit that we do not sell your Personal Data, do not share it for cross-context behavioral advertising, and do not use it to train artificial-intelligence models, whether ours or third parties'. This commitment is contractually binding.
Please read this Policy carefully. By using the Service, you acknowledge that you have read and understood it.
2. Who We Are — Identity of the Data Controller
Acrovo LLC is the Data Controller with respect to Customer account data and operational data of our website.
When you use our platform to enter data about your own customers (such as real-estate buyers or tenants), you — the business Customer — are the Data Controller for that data, and Acrovo is the Data Processor acting on your behalf. The details of this allocation are set out in the Data Processing Addendum (DPA) — see Appendix in Section 25.
Contact information:
- Data Protection Officer (DPO): dpo@acrovo.co
- Privacy matters: privacy@acrovo.co
- Mailing address: 30 N Gould St, STE R, Sheridan, WY 82801, USA
3. Scope of This Policy
This Policy applies to:
- Visitors to www.acrovo.co and www.crm-re.com.
- Acrovo Customers, both individuals and businesses.
- Employees of business Customers using the platform.
- Any person who interacts with us via email, support, or social media.
This Policy does not apply to End Users — i.e., natural persons whose data the business Customer manages on our platform (e.g., a buyer registered with a developer that uses Acrovo). The business Customer must provide its own privacy notice to those individuals.
4. Definitions
- "Personal Data" — any information relating to an identified or identifiable natural person.
- "Sensitive Data" — data revealing racial origin, religion, health, sexual orientation, union membership, or criminal records. We do not request such data and do not recommend entering it into the platform.
- "Data Controller" — the party determining the purposes and means of processing.
- "Processor" — the party processing data on behalf of the Controller.
- "Processing" — any operation performed on data (collection, storage, use, transfer, deletion).
- "Consent" — the freely given, specific, informed, and unambiguous indication by the data subject of agreement to the processing.
5. Data We Collect
5.1 Account Data
When you create an account, we collect:
- Full name (or company name).
- Business email address.
- Phone number.
- Organization name, job role, organization size.
- Country, city.
- Preferred language.
5.2 Billing Data (managed via Stripe)
- Cardholder name.
- Last four digits of the card (we do not store the full card number).
- Billing address.
- Tax identifier (for taxable business Customers).
Important: Full card numbers, CVV codes, and expiration dates are processed and stored directly by Stripe under PCI-DSS Level 1. This data never traverses Acrovo's servers.
5.3 Usage and Technical Logs
- IP address, browser type, operating system, device model.
- Pages visited, buttons clicked, in-product search queries.
- Login times, session duration, feature interactions.
- Error logs, performance traces.
5.4 Geolocation Data
- Approximate location inferred from IP (city/country) — for security and UI localization.
- If a Customer enables the maps feature (Mapbox), we collect property coordinates the Customer enters.
5.5 Communications Data
- Content of support tickets, contact forms, satisfaction ratings.
- If a Customer uses the WhatsApp Business feature, message content is not persistently stored on Acrovo servers — only delivery metadata (timestamp, status, phone number) is retained. Message content remains on the WhatsApp provider's backend per its policy.
5.6 Customer Data (entered by the business Customer)
- Contact records (name, email, phone, address).
- Deals, units, and project records.
- Notes, attachments, documents.
- Marketing channel of origin for each lead.
We host and process this data as Processor on behalf of the business Customer.
5.7 Cookies
See Section 18.
6. How We Collect Data
We collect data in the following ways:
- Directly from you — when registering, entering data into the platform, or contacting us.
- Automatically when you use the Service — via cookies and technical logs.
- From third-party providers — such as Stripe (payment verification) or our email provider (address validation).
- From public sources — in very limited cases, such as verifying publicly published business information when fraud is suspected.
7. Legal Basis for Processing
We process your data based on one or more of the following bases under GDPR / PDPL / CCPA:
| Basis | When It Applies |
|---|---|
| Performance of a contract | Most processing required to provide the Service (account creation, billing, hosting your data). |
| Legitimate interest | Fraud prevention, Service improvement, aggregated usage analytics. |
| Explicit consent | Marketing communications, non-essential cookies, optional features. |
| Legal obligation | Retaining tax and financial records, responding to lawful orders. |
| Vital interest | In rare emergencies. |
You have the right to withdraw consent at any time, without affecting the lawfulness of processing performed before the withdrawal.
8. How We Use Data
We use your data only for the following purposes:
- Operating the Service — hosting your account data, executing platform features, synchronization, backups.
- Billing — processing payments, issuing invoices, collections, refunds.
- Support — responding to your inquiries, resolving issues, ticket tracking.
- Security — detecting and preventing fraud, unauthorized access, cyberattacks.
- Improvement — analyzing usage (aggregated, anonymized) to improve interfaces and features.
- Legal compliance — responding to lawful requests, complying with tax and regulatory obligations.
- Operational communications — invoice notices, security alerts, policy updates. (You cannot opt out of these.)
- Marketing — only with explicit consent, with the ability to opt out at any time.
We never use your data for:
- Sale or rental to third parties.
- Targeted advertising by third parties.
- Training AI models, ours or third parties'.
- Profiling for unlawful purposes.
9. With Whom We Share Data (Subprocessors)
We share your data with a limited number of service providers who are contractually bound by data-protection terms. The current list is in Section 24.
| Subprocessor | Purpose | Location | Commitments |
|---|---|---|---|
| Stripe Inc. | Payment processing | United States + regional servers | PCI-DSS L1, GDPR-compliant, DPA in force |
| Supabase Inc. | Database and hosting | ap-south-1 (Mumbai, India) | SOC 2 Type II, GDPR-compliant, DPA in force |
| Vercel Inc. | Application hosting | bom1 (Mumbai, India) | SOC 2 Type II, DPA in force |
| Backblaze, Inc. | Encrypted backups | United States | DPA in force, AES-256 encryption |
| Mapbox, Inc. | Maps (optional) | United States | DPA in force |
| WhatsApp Business API (official BSP) | Messaging | Varies per tenant | Determined per tenant |
| Resend, Inc. | Transactional email (signup confirm, password reset) | United States + EU | DPA in force |
| Cloudflare, Inc. | DNS, DDoS protection, network routing | Global (anycast) | DPA in force |
| GitHub, Inc. (Microsoft) | Source control (no Customer Data sent here) | United States | — |
We do not share your data with:
- Advertisers, ad networks, or data brokers.
- Analytics companies that use the data for their own purposes.
- AI providers for training purposes.
9.1 Legal Disclosure
We may disclose data when required by valid court order, or to protect our rights or user safety. We notify the affected Customer wherever lawful and permitted.
9.2 Mergers and Acquisitions
In the event of a merger, acquisition, or material asset sale, data may be transferred with at least thirty (30) days' notice to Customers.
10. International Data Transfers
Acrovo's current infrastructure hosts data in the South Asia region (Mumbai, India) via Supabase and Vercel. Encrypted backups are transferred to the United States via Backblaze. Payment processing occurs in the United States via Stripe.
10.1 Transfer Safeguards
- For EU/UK users: We rely on the Standard Contractual Clauses (SCCs) issued by the European Commission (2021/914) with all subprocessors located outside the European Economic Area. The UK Addendum approved by the ICO is in force.
- For Saudi users: We comply with Article 29 of PDPL — you expressly acknowledge transfer of your data outside the Kingdom for purposes of providing the Service. We comply with then-current SDAIA controls and adopt subsequent updates.
- For U.S. users: No general federal restrictions apply; state-specific controls (CCPA, VCDPA, etc.) are observed.
10.2 Requesting a Copy of Transfer Safeguards
You may request a copy of the contractual safeguards (SCCs with subprocessors) at dpa@acrovo.co.
11. Data Retention
We retain data only as long as necessary for the purposes described, per the schedule below:
| Data Category | Retention Period | Basis |
|---|---|---|
| Active account data | Duration of subscription | Contract performance |
| Customer Data (entered into platform) | Duration of subscription | Contract performance |
| Post-cancellation — export window | 30 days (downloadable as CSV/JSON) | Contract performance + legitimate interest |
| Post-cancellation — deletion | Within 15 days after the export window | Compliance |
| Audit logs — Solo and Small plans | 1 year after creation | Legitimate interest (security) |
| Audit logs — Enterprise plan | 2 years after creation | Legitimate interest + potential certification |
| Billing and tax records | 7 years | Legal obligation (FATCA, ZATCA, IRS) |
| Encrypted backups | 90 days, rolling | Legitimate interest (disaster recovery) |
| Support ticket records | 3 years post-closure | Legitimate interest |
| Analytics cookies | 13 months maximum | Consent |
| Marketing opt-out records | Retained indefinitely | Legal obligation (proof of opt-out) |
After each period expires, data is irreversibly deleted or anonymized.
12. Data Security
12.1 Technical Measures
- Encryption in transit: HTTPS/TLS 1.3 for all communications.
- Encryption at rest: AES-256 for database and backups.
- Tenant isolation: Row-Level Security at the database layer.
- Authentication: Passwords hashed with bcrypt/Argon2; optional MFA supported.
- Security monitoring: Audit logs, alerting on anomalous access.
- Penetration testing: Annual, by an independent third party (planned).
- Vulnerability management: Periodic security updates, CVE monitoring.
12.2 Organizational Measures
- Mandatory security training for staff.
- Confidentiality (NDA) agreements for everyone with access.
- Least-privilege access principle.
- Administrator access logging for every production data access.
12.3 Incident Response Plan
We commit to:
- Detecting a breach within 24 hours.
- Notifying affected Customers within 72 hours (where GDPR / PDPL applies).
- Full investigation, mitigation, and remediation.
- Reporting to regulators where applicable.
12.4 No Absolute Security
Despite ongoing efforts, no digital system is 100% secure. You are responsible for protecting your login credentials and not sharing them.
13. Data Subject Rights
Under the laws applicable to you, you have the following rights:
13.1 Right of Access
Request a copy of the Personal Data we hold about you.
13.2 Right to Rectification
Correct inaccurate or incomplete data.
13.3 Right to Erasure ("Right to Be Forgotten")
Request deletion of your data, except where retention is required by law.
13.4 Right to Restriction
Restrict processing in certain circumstances.
13.5 Right to Portability
Receive your data in a structured, commonly used, machine-readable format (CSV / JSON).
13.6 Right to Object
Object to processing based on legitimate interest, including direct marketing.
13.7 Right to Withdraw Consent
Where processing is based on consent, you may withdraw it.
13.8 Right Not to Be Subject to Solely Automated Decisions
We do not make solely automated decisions producing legal or similarly significant effects on users.
13.9 Exercising These Rights
Send your request to privacy@acrovo.co. We will respond within:
- 30 days as a general framework (extendable to 60 days for complex cases, with notice).
- 15 days for urgent GDPR requests where applicable.
We will verify your identity before fulfilling the request — to prevent fraud.
14. Rights of U.S. Users (CCPA/CPRA and Equivalent State Laws)
This section applies to residents of U.S. states with privacy laws, including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, and other states as enacted.
14.1 Additional Rights (CCPA/CPRA — California)
- Right to Know: Categories of data collected, purposes, sources, and parties with whom data was shared.
- Right to Delete.
- Right to Correct.
- Right to Opt-Out of Sale or Sharing: We do not sell or share Personal Data within the meaning of CCPA. As a precaution, however, a "Do Not Sell or Share My Personal Information" link appears in the website footer.
- Right to Limit Use of Sensitive Personal Information.
- Right to Non-Discrimination for exercising your rights.
- Right to Appeal denial of a request.
14.2 Global Privacy Control (GPC) Signals
We honor GPC signals sent by the browser as a request to opt out of sale/sharing where applicable.
14.3 Annual Disclosures (CCPA)
In the preceding 12 months:
- Categories collected: Identifiers (name, email, IP), commercial (subscription history), internet activity (in-product behavior), geolocation, professional (job role).
- Sources: Directly from the user; automatically through use of the Service.
- Business purposes: Operating the Service, security, billing, support.
- Sold or shared for cross-context behavioral advertising: No.
- Disclosed for business purposes: With the subprocessors listed in Section 9.
14.4 Exercising Rights
- Email: privacy@acrovo.co
- Web form: www.acrovo.co/privacy/request
- Phone: No toll-free line currently provisioned
14.5 Authorized Agents
An Authorized Agent may exercise rights on your behalf, subject to a signed authorization and your verification.
14.6 No Discrimination
We will not discriminate against you for exercising your rights — we will not raise prices, suspend service, or reduce quality.
14.7 California "Shine the Light" Disclosure
We do not share Personal Information with third parties for their direct marketing purposes.
15. Rights of EU/UK Users (GDPR / UK GDPR)
In addition to Section 13:
15.1 EU Representative
Pursuant to Article 27 of GDPR, if our activities reach the threshold for designation, an EU Representative will be appointed and details published here.
15.2 Right to Lodge a Complaint
You have the right to lodge a complaint with your supervisory authority:
- France: CNIL — cnil.fr
- Germany: BfDI or relevant Land authority
- Spain: AEPD
- Italy: Garante
- United Kingdom: ICO — ico.org.uk
- Ireland (lead authority for many tech companies): DPC — dataprotection.ie
15.3 Lead Supervisory Authority
This will be determined based on Acrovo's main establishment in the EU upon reaching that threshold.
15.4 SCCs
The European Commission Standard Contractual Clauses (2021/914) along with the ICO-approved UK Addendum are in force. A copy is available upon request.
15.5 Data Protection Impact Assessments (DPIA)
Where applicable, we conduct DPIAs for high-risk processing activities.
16. Rights of Saudi Users (PDPL)
Processing of data of residents of the Kingdom is governed by the Personal Data Protection Law (PDPL) issued by Royal Decree M/19 and its Implementing Regulations issued by SDAIA.
16.1 Core Rights
- The right to be informed of processing, access, rectification, destruction, transfer, and refusal of processing (per Articles 4 and 27 of PDPL).
- The right to report violations to SDAIA.
16.2 Explicit Consent
We obtain your explicit consent in compliance with Saudi requirements before processing Sensitive Data, before transferring data outside the Kingdom, and before marketing use.
16.3 Cross-Border Transfer
Per Article 29 of PDPL, we transfer your data outside the Kingdom (to India and the United States) for the purposes you have explicitly consented to by accepting this Policy. We comply with then-current SDAIA controls and any subsequent updates.
16.4 Supervisory Authority
You may file a complaint with:
- Saudi Data and AI Authority (SDAIA).
- The official Personal Data Complaints Portal.
16.5 Data Protection Officer (DPO)
For our users in the Kingdom, the contact point is dpo@acrovo.co.
16.6 Transitional Period
We commit to keeping pace with any updates SDAIA issues to PDPL and will update this Policy as needed.
17. Children
The Service is not directed at persons under eighteen (18) years of age, and we do not knowingly collect their data. If we discover collection of a minor's data, we delete it immediately.
- In the United States: We comply with COPPA — we do not collect data from persons under 13.
- In the European Union: We do not process data of minors under 16 (or the age set by the relevant Member State).
If you believe a minor has provided data to us, notify us immediately at privacy@acrovo.co.
18. Cookies and Tracking Technologies
18.1 What Are Cookies
Small text files placed on your device to remember your preferences and improve your experience.
18.2 Types of Cookies We Use
| Type | Purpose | Basis | Duration |
|---|---|---|---|
| Essential | Login, security, session | Contract performance | Session – 30 days |
| Preferences | Language, theme, UI | Legitimate interest | 12 months |
| Analytics (aggregated) | Usage statistics | Consent | 13 months |
| Marketing | We do not use third-party advertising cookies | — | — |
18.3 Managing Cookies
You can manage your preferences via the cookie banner on first visit, in your browser settings, or via www.acrovo.co/cookies.
18.4 Do Not Track (DNT) Signal
We honor DNT and GPC signals where applicable.
19. Marketing and Communications
19.1 Consent
We do not send marketing communications without your explicit consent. At signup, marketing consent is separated from acceptance of the Terms.
19.2 Opt-Out
Every marketing email contains a one-click "Unsubscribe" link. You can also opt out of marketing in your account settings.
19.3 Non-Optional Communications
Operational notifications (invoice, suspension, security alert, policy update) are necessary and cannot be opted out of while your account is active.
20. Automated Decision-Making and Profiling
We do not make decisions that have legal or similarly significant effects on individuals on a solely automated basis. Analytics features (such as performance reports) assist human decisions; they do not replace them.
If we introduce a future automated-decision feature (e.g., automated lead-scoring), we will update this Policy and obtain your consent where required.
21. Data Breaches
In the event of a Personal Data breach:
- Assessment within 24 hours of detection.
- Notification within 72 hours to the competent supervisory authority (GDPR Art. 33 / PDPL).
- Notification to affected Customers within 72 hours where the breach is likely to result in high risk to their rights and freedoms.
- Full investigation, corrective actions, and public reporting where applicable.
22. Changes to This Policy
We reserve the right to update this Policy. We will give notice of material changes at least fifteen (15) days in advance via:
- Email to your registered address.
- In-product notification.
- Publication of the updated version on the website.
If you do not agree to the update, you may cancel before the effective date.
Prior versions are archived and available at www.acrovo.co/privacy/archive.
23. Contact Us
Acrovo LLC
30 N Gould St, STE R, Sheridan, WY 82801, USA
Wyoming
United States of America
| Purpose | Email |
|---|---|
| General privacy | privacy@acrovo.co |
| Data Protection Officer (DPO) | dpo@acrovo.co |
| Information security and breaches | security@acrovo.co |
| Data Processing Addendum (DPA) | dpa@acrovo.co |
| General legal inquiries | legal@acrovo.co |
24. Appendix — List of Subprocessors
The current version is always available at www.acrovo.co/legal/subprocessors.
| Subprocessor | Category | Location | Reference DPA |
|---|---|---|---|
| Stripe Inc. | Payment processing | United States | stripe.com/legal/dpa |
| Supabase Inc. | Database hosting | India (ap-south-1) | supabase.com/legal/dpa |
| Vercel Inc. | Application hosting | India (bom1) | vercel.com/legal/dpa |
| Backblaze, Inc. | Encrypted backups | United States | backblaze.com/company/dpa.html |
| Mapbox, Inc. | Maps | United States | mapbox.com/legal/dpa |
| WhatsApp / Meta | Messaging (if Customer enables) | Varies per tenant | Determined per tenant |
| Resend, Inc. | Transactional email (signup confirm, password reset) | United States + EU | DPA in force |
We notify Customers of any change to this list at least thirty (30) days in advance via email. The Customer may object to a new addition; if no resolution is reached, the Customer may cancel with a pro-rated refund.
25. Appendix — Summary of the Data Processing Addendum (DPA)
When a business Customer uses the platform to manage End User data, a "controller-processor" relationship arises between the Customer and Acrovo. This relationship is governed by a separate DPA, available at dpa@acrovo.co.
25.1 Key DPA Terms
- Acrovo processes Customer Data only on the Customer's documented written instructions.
- It maintains confidentiality among employees with access to the data.
- It implements appropriate technical and organizational measures.
- It engages subprocessors only with prior notice and a right of objection.
- It assists the Customer in responding to data subject requests.
- It notifies the Customer of any breach within 48 hours of detection.
- It deletes or returns data at termination of the contract, at the Customer's choice.
- It provides sufficient information to demonstrate compliance (audit rights).
25.2 SCCs and UK Addendum
The European Standard Contractual Clauses (2021/914) are incorporated into the DPA where applicable.
25.3 Signing the DPA
To execute a DPA, send a request to dpa@acrovo.co. For Customers on the Enterprise plan, a DPA is available by default but must be expressly signed.
End of Privacy Policy.
Note on the domain: The token co is to be replaced with the final TLD (acrovo.co or acrovo.io) before publication.