Diablo Tech LLC
Privacy Policy
Effective Date: June 30, 2026
Last Updated: June 30, 2026
This Privacy Policy ("Policy") describes how ACOCO, operated by Diablo Tech LLC ("ACOCO," "we," "us," or "our”), collects, uses, shares, and protects personal information in connection with our AI-powered business automation platform (the "Service"). This Policy applies to:
- Users ("you" or "your") — individuals who create accounts on ACOCO and configure AI-operated Merchants;
- End-Customers — individuals or businesses who interact with, purchase from, or communicate with Merchants operated on the ACOCO platform;
- Prospects — individuals whose publicly available information is collected by Agents for outbound marketing purposes; and
- Visitors — individuals who visit acoco.ai, Merchant subdomains (name.acoco.ai), or other ACOCO-operated web properties.
The Service lets a User launch and fund an AI-operated business (a “Merchant”) that is built and operated by autonomous Agents (each an “Agent”) on infrastructure we provision and control. A Merchant transacts with End-Customers and, as part of marketing, may contact Prospects sourced from publicly available information.
By using the Service, you acknowledge that you have read and understood this Policy. If you are a User operating a Merchant, you also acknowledge your independent obligations as a data controller with respect to your Merchant's End-Customers and Prospects (see Section 5).
This Policy, together with our Terms of Service, constitutes the agreement governing your use of the Service. These documents should be read together, and by using the Service you agree to all of them.
Geographic Scope. The Service is currently offered to users in the United States. The EEA/UK provisions of this Policy (including the GDPR legal bases and data subject rights described herein) apply only to the extent we process the personal data of individuals located in the European Economic Area or the United Kingdom, and are provided on a precautionary basis pending any future expansion of the Service into those regions.
1. Information We Collect
We collect information in the following categories:
1A. Information You Provide Directly
- Account registration information: name, email address, phone number, business name or concept.
- Billing information: saved payment method identifiers (stored by Stripe; we do not store full card numbers), transaction records, subscription charges, ad-spend charges, Stripe Connect account identifiers for withdrawals, and Merchant revenue balance records.
- Merchant configuration: business descriptions, product/service details, pricing, custom instructions to Agents, uploaded assets (logos, images, product photos).
- Communications: messages to our support team, feedback, survey responses, and any content you provide through in-product communication features.
- Connected account credentials: OAuth tokens or API keys for optional third-party service integrations (e.g., custom domains, analytics).
1B. Information Collected Automatically
- Device and browser information: IP address (captured at referral/trial attribution and stored; also processed transiently for payment fraud protection but not otherwise logged), browser type and version, operating system, device identifiers, screen resolution, device hash for attribution purposes.
- Usage data: pages visited, features used, click patterns, session duration, Merchant management actions, Agent configuration changes.
- Log data: server logs, error reports, performance metrics, API call records, Agent action logs.
- Cookie and tracking data: session cookies, authentication tokens, analytics identifiers, marketing attribution data (e.g., _fbp, _fbc, UTM parameters). See Section 15 (Cookies).
- Location data: approximate location inferred from IP address (we do not collect precise GPS data).
1C. Information Generated by Agents
When Agents operate your Merchant, they generate and process data including:
- AI-generated content: website copy, marketing materials, email campaigns, advertising creatives, product descriptions, social media posts, and business collateral.
- Prospect data: names, email addresses, business names, phone numbers, and other publicly available information scraped from sources such as Google Business listings, public directories, and social media profiles.
- Transaction data: order details, payment records (including buyer email for both one-time and recurring subscription purchases), fulfillment status, End-Customer communications, and refund/dispute records.
- Analytics and insights: campaign performance metrics, conversion data, revenue analytics, End-Customer behavior patterns, and AI decision logs.
- Outbound communications: email content sent on behalf of your Merchant, recipient engagement data (opens, clicks, replies, bounces, unsubscribes).
1D. Information from Third Parties
- Payment processors (Stripe): transaction confirmations, chargeback notifications, payout details, KYC verification status.
- Advertising platforms (Meta, Google): campaign performance data, audience insights, conversion tracking data, ad account status.
- Public data sources: business listings, public records, publicly available professional profiles (used for Prospect generation).
- Identity verification services: where required for regulatory compliance (e.g., Stripe Connect KYC for revenue withdrawals).
2. How We Use Information
We use collected information for the following purposes:
2A. Service Operation and Delivery
- Provisioning and operating AI-powered Merchants on your behalf.
- Executing autonomous Agent actions: sending emails, managing advertising campaigns, generating content, processing payments, and identifying Prospects.
- Processing transactions and managing billing (subscription fees, ad spend, revenue sharing).
- Providing End-Customer support and responding to inquiries.
- Maintaining and improving platform infrastructure, security, and reliability.
2B. AI Training and Improvement
(a) Platform Improvement. We use aggregated, anonymized, and de-identified data derived from platform operations to improve our AI models, algorithms, Agent decision-making, and overall Service quality. This includes analyzing patterns across Merchants to improve template effectiveness, campaign strategies, and content generation quality.
(b) No Third-Party Model Training. We do not sell or provide your personal data or Merchant-specific content to third-party AI model providers for the purpose of training their foundation models. However, data processed through third-party AI APIs (e.g., OpenAI, Anthropic, Google) is subject to those providers' respective data handling policies, which may include limited retention for safety monitoring and abuse prevention. ACOCO is not responsible for the data practices of these third-party AI providers beyond selecting providers that offer appropriate contractual commitments regarding data handling.
(c) Opt-Out. Users may opt out of aggregated data usage for platform improvement by contacting legal@acoco.ai. Opt-out does not apply to data necessary for service delivery or security.
2C. Communications
- Sending transactional communications: account verification, billing receipts, security alerts, service announcements.
- Sending marketing communications about ACOCO's own offerings (with opt-out).
- Sending outbound emails on behalf of your Merchant to Prospects and End-Customers (governed by your Merchant's configuration and applicable law).
2D. Safety, Security, and Legal Compliance
- Detecting and preventing fraud, abuse, and unauthorized access.
- Enforcing our Terms of Service.
- Complying with legal obligations, including responding to lawful requests from authorities.
- Protecting the rights, safety, and property of ACOCO, our Users, and the public.
2E. Analytics and Advertising
- Analyzing Service usage to improve features, user experience, and platform performance.
- Attributing User acquisition to marketing channels (e.g., Meta Pixel, Google Analytics).
- Measuring advertising effectiveness for ACOCO's own marketing efforts.
Displaying Merchant activity on public dashboards and subdomain pages where public visibility is enabled.
3. Legal Bases for Processing (GDPR)
Where the EU/UK General Data Protection Regulation (GDPR) applies, we process personal data on the following legal bases:
(a) Contract Performance (Art. 6(1)(b)). Processing necessary to perform our contract with you: operating your account, provisioning Merchants, processing payments, delivering the Service.
(b) Legitimate Interests (Art. 6(1)(f)). Processing necessary for our legitimate interests or those of third parties, where not overridden by your rights: platform security, fraud prevention, service improvement, analytics, direct marketing of our own offerings. Our legitimate interest assessment balances the processing against potential impact on data subjects.
(c) Consent (Art. 6(1)(a)). Where required: marketing communications to you (opt-in where required by law), cookie-based tracking beyond strictly necessary cookies, and certain data sharing with third parties.
(d) Legal Obligation (Art. 6(1)(c)). Processing required to comply with applicable law: tax reporting, anti-money laundering requirements, responding to lawful data requests from authorities.
(e) Legitimate Interests of Your Merchant. Where you (as User) direct AI Agents to process End-Customer or Prospect data, the applicable legal basis is determined by you as the data controller. Common bases include: contract performance (for End-Customer transactions), legitimate interests (for B2B Prospect generation), or consent (where required for marketing communications). You are responsible for ensuring a valid legal basis exists for your Merchant's data processing activities.
4. How We Share Information
We share personal information in the following circumstances:
4A. Service Providers and Sub-Processors
We share data with third-party service providers who process data on our behalf to deliver the Service:
- Payment processing: Stripe (payment processing, Connect payouts, KYC verification).
- Cloud infrastructure: Cloud hosting and storage providers (data storage, compute, CDN).
- AI model providers: Anthropic, OpenAI, Google (AI inference for content generation, Agent operations). Prompts and outputs are transmitted to these providers for processing; retention and handling is subject to their respective terms and data handling policies.
- Web search: Firecrawl, Exa (web search and scraping for onboarding profile enrichment and Prospect generation). Search queries may include User or Prospect identifiers.
- Email infrastructure: Email sending services (transactional and marketing email delivery on behalf of Merchants).
- Advertising platforms: Meta (Marketing API for campaign management at the platform level; Pixel/Conversions API on generated sites for conversion tracking), Google Ads (campaigns and conversion tracking). Hashed email, phone, IP, and user-agent data may be transmitted via the Conversions API on generated sites.
- Analytics: Usage analytics providers (aggregated platform metrics).
- Security: Fraud detection, DDoS protection, and monitoring services.
We require sub-processors to protect personal data and to limit its use to the purposes for which it was shared. A current list of sub-processors is available on request at legal@acoco.ai.
4B. On Your Instructions (User-Directed Sharing)
When you configure and operate a Merchant, you direct us to share or process data in ways inherent to the Service:
- Sending outbound emails to Prospects and End-Customers (sharing recipient data with email infrastructure providers).
- Publishing content on Merchant storefronts (making product information publicly accessible).
- Running advertising campaigns (sharing audience and conversion data with Meta/Google).
- Processing End-Customer payments (sharing transaction data with Stripe).
4C. Legal and Safety Disclosures
We may disclose personal information where we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or governmental request.
- Enforce our Terms of Service or investigate potential violations.
- Detect, prevent, or address fraud, security issues, or technical problems.
- Protect the rights, property, or safety of ACOCO, our Users, or the public.
4D. Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, personal information may be transferred to the acquiring entity. We will notify affected parties before personal information becomes subject to a materially different privacy policy.
4E. Aggregated and De-Identified Data
We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify any individual. This includes platform-wide performance benchmarks, industry statistics, and research insights.
4F. With Your Consent
We may share personal information with third parties when you have given explicit consent for such sharing.
5. Data Controller and Processor Roles
The ACOCO platform involves multiple parties processing personal data. The allocation of data protection responsibilities is as follows:
5A. ACOCO as Data Controller
ACOCO acts as an independent data controller for:
- Platform account data: your registration information, billing details, subscription history, and account activity.
- Platform operational data: system logs, performance metrics, security events, and infrastructure telemetry.
- Marketing data: information used to market ACOCO's own offerings to you and prospective users.
- Aggregated and anonymized data: derived from platform operations and used to improve the Service.
As controller, ACOCO determines the purposes and means of processing this data and is directly responsible for complying with applicable data protection law (including responding to your data subject rights requests regarding your account data).
5B. ACOCO as Data Processor
ACOCO acts as a data processor on behalf of you (the User) for:
- End-Customer personal data: collected through your Merchant's storefront, transactions, and communications.
- Prospect data: scraped or collected by your Merchant's Agents from publicly available sources.
- Outbound communication data: email content, recipient lists, and engagement metrics processed through your Merchant's email features.
- Merchant-specific analytics: End-Customer behavior data, conversion metrics, and transaction records specific to your Merchant.
In this capacity, ACOCO processes personal data only on your documented instructions (as configured through your Merchant settings, Agent configurations, and the Terms of Service). We will not process this data for our own purposes except as permitted by applicable law (e.g., to comply with legal obligations or for our own legitimate security interests).
5C. User as Data Controller
You act as the data controller with respect to your Merchant’s End-Customers and Prospects. This means you bear the following responsibilities:
- Providing appropriate privacy notices to End-Customers (auto-generated Merchant privacy policies are provided as a convenience but may not be sufficient).
- Obtaining required consents for data collection and marketing communications where applicable.
- Ensuring your Merchant's data collection and processing activities have a lawful basis under applicable data protection law.
- Responding to data subject access requests (DSARs) from your Merchant's End-Customers and Prospects. ACOCO will assist you in responding to such requests to the extent technically feasible, using available self-service tools. Assistance beyond standard platform capabilities may be subject to reasonable fees as set forth in our Terms of Service.
- Conducting data protection impact assessments (DPIAs) where required for your Merchant’s processing activities.
- Ensuring that AI Agent actions directed by your Merchant configuration do not result in unlawful data processing.
5D. Data Processing Chain
The complete data processing chain is:
ACOCO (Platform Operator) → acts as processor for Merchant data, controller for platform data
User → acts as controller for their Merchant's End-Customer and Prospect data
Merchant Storefront (AI-Operated) → collects End-Customer data under User's controllership
End-Customer (Data Subject) → interacts with the Merchant, provides personal data
Each party in this chain bears the data protection obligations appropriate to its role under applicable law.
6. Prospect Data Practices
ACOCO's Agents collect publicly available information about Prospects on behalf of your Merchant. This section describes how Prospect data is collected, used, and protected.
6A. Sources of Prospect Data
Agents collect Prospect data from publicly available sources, including:
- Google Business listings and Google Maps profiles.
- Public business directories and yellow pages.
- Publicly accessible social media profiles (LinkedIn company pages, Facebook business pages).
- Public government records and business registrations.
- Company websites with publicly displayed contact information.
Agents do not access password-protected content, private databases, or non-public information to generate Prospects.
6B. Types of Prospect Data Collected
- Business name, address, and phone number.
- Publicly listed email addresses (business contact emails).
- Business category, industry, and services offered.
- Public reviews, ratings, and business hours.
- Names and professional titles of individuals listed in public business profiles.
6C. Legal Basis for Prospect Scraping
(a) Legitimate Interests (GDPR). Where GDPR applies to B2B prospecting, the legal basis is the legitimate interest of the User (as controller) in marketing their Merchant's products or services to relevant businesses. We conduct a balancing test: the data is publicly available, the processing is limited to professional contact details, and the intrusion on Prospects' rights is minimal. Prospects can object to processing at any time.
(b) CCPA / Publicly Available Information. Under the California Consumer Privacy Act, publicly available information (as defined in Cal. Civ. Code §1798.140(v)(2)) is excluded from the definition of "personal information" for most CCPA purposes. However, we respect Prospects' right to opt out of sale/sharing where applicable.
(c) CAN-SPAM / CASL. Outbound emails sent to Prospects comply with CAN-SPAM (providing identification, physical address, and opt-out mechanism in every message). For Canadian recipients, messages rely on the implied consent exemption for published business email addresses (CASL §10(9)(b)) or are limited to inquiries that fall within the business-to-business exception. Recipients can unsubscribe from any message.
(d) Geographic Scope. At launch, automated Prospect scraping and cold outbound email are limited to the United States. If scraping or outreach captures EU/UK data subjects, additional obligations apply (GDPR, ePrivacy Directive, and potentially appointment of an Art. 27 EU representative).
6D. Prospect Rights
Prospects who receive communications from Merchants on the ACOCO platform may:
- Unsubscribe from future communications using the unsubscribe link in every email.
- Request deletion of their data by contacting the Merchant or ACOCO at privacy@acoco.ai.
- Object to processing of their data for direct marketing purposes.
- Request information about what data is held about them.
If a Prospect unsubscribes or asks not to be contacted, we will honor that request and stop sending further communications. We are working toward a platform-wide suppression list so that a Prospect who opts out of one Merchant is suppressed across all ACOCO-operated Merchants.
7. Multi-Tenancy and Data Isolation
ACOCO operates a multi-tenant platform where multiple Merchants share underlying infrastructure. This section describes our approach to data isolation and security in this architecture.
7A. Architecture Overview
The ACOCO platform uses a shared-infrastructure, logically-isolated architecture:
- Shared database infrastructure with tenant isolation enforced primarily at the application layer (tenant-scoped queries and access controls). Row-level security (“RLS”) at the database layer is being implemented but is not yet fully deployed across all data stores.
- Database-level RLS policies are being deployed to enforce data separation. Until RLS is fully enforced, tenant isolation relies on application-level access controls and scoped queries.
- Application-level authorization ensures that API requests, Agent actions, and User access are scoped to the authenticated tenant.
- Shared compute infrastructure with process-level isolation for Agent execution.
7B. Isolation Guarantees
(a) Data Separation. Your Merchant's data (End-Customer records, transaction history, Prospect lists, analytics, credentials, and configurations) is logically isolated from other Merchants' data through application-level access controls and tenant-scoped queries. No Merchant can access another Merchant's data through the platform's application layer under normal operation. We are implementing additional database-level RLS enforcement as a defense-in-depth measure.
(b) Credential Isolation. Credentials provisioned for your Merchant (database connection strings, API tokens, deployment keys) are encrypted using AES-256-GCM with per-tenant encryption keys and are accessible only to authorized Agents operating on behalf of your Merchant.
(c) Agent Isolation. Agents operating on behalf of your Merchant cannot access data, configurations, or resources belonging to other Merchants. Agent execution contexts are scoped to the authenticated tenant.
(d) No Cross-Tenant Data Sharing. We do not share identifiable data between Merchants unless explicitly directed by both parties. Aggregated, de-identified insights (e.g., platform-wide benchmarks) may be derived from multi-tenant data but cannot reasonably be used to re-identify any individual Merchant or their End-Customers.
7C. Limitations
Users should be aware of the following inherent characteristics of multi-tenant architecture:
- Shared infrastructure means that a security vulnerability in the platform layer could theoretically affect multiple tenants. We mitigate this through defense-in-depth security practices, regular penetration testing, and security monitoring.
- Platform administrators have technical access to all tenant data for operational purposes (e.g., debugging, support). Additionally, a self-hosted internal observability stack (monitoring infrastructure on our own servers, not a third-party cloud service) holds a read-only database role that can access certain tables, including End-Customer payment records (which contain buyer email) and referral records (which contain IP). This observability role does not access a User’s profile, inbound email, or outbound email tables. Administrative and observability access is logged, audited, and restricted by role.
- AI model providers (sub-processors) may process prompts from multiple tenants on shared infrastructure. We select providers with appropriate data handling commitments.
8. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy, unless a longer retention period is required by law.
8A. Retention Periods
(a) Account Data. We retain account data for as long as your account and associated Merchant remain active, and for a reasonable period afterward to allow for reactivation and to meet our legal, tax, accounting, dispute-resolution, and Terms of Service enforcement obligations. We do not currently apply fixed numeric retention periods; instead, we keep each category of data only for as long as necessary for the purposes described in this Policy or as required by law, after which it is deleted or anonymized.
(b) Merchant Data. Merchant deletion is currently a soft-delete: a deprovisioned Merchant is marked deleted and its external resources (per-company database, stored objects, repositories) are torn down, but the central database record is not immediately destroyed. A periodic hard-purge of soft-deleted records is planned but not yet built.
(c) End-Customer Transaction Data. Transaction records, order histories, and payment records are retained for as long as necessary to comply with tax, accounting, and anti-money laundering obligations, and are deleted or anonymized thereafter.
(d) Prospect Data. We retain Prospect data only for as long as necessary for the outreach purposes described in this Policy, and remove it when it is no longer needed or upon a valid deletion or suppression request.
(e) Communications Data. Unsubscribe and suppression entries are retained for as long as necessary to honor opt-out requests. Outbound email content and engagement metrics are retained only for as long as necessary for the purposes described in this Policy.
(f) Log and Security Data. System logs, security events, audit trails, and access logs are retained for as long as necessary for security, troubleshooting, and legal-compliance purposes, and are deleted or anonymized thereafter.
(g) AI-Generated Content. AI-generated content (websites, marketing materials, ad creatives) is retained for the life of the Merchant. Deleted content may persist in backups until overwritten.
8B. Deletion and Anonymization
When data is deleted or erased:
- A company-level erasure capability now exists. On request, it pseudonymizes the company’s identifying fields and removes User-generated content (chat history, artifacts, Agent activity and traces), while retaining financial records with personal fields cleared (for tax and accounting obligations). Each erasure is logged.
- Backups containing deleted data are overwritten on a rolling basis.
- Aggregated statistics derived from deleted data may be retained indefinitely (as they cannot identify individuals).
- Erasure Limitations: The current erasure capability operates at company granularity only, not at the level of an individual User or individual End-Customer. It is operator-triggered (manual) — there is no self-service “delete my data” request flow yet. The erasure routine clears the central database; End-Customer data held in a company’s per-company database and in object storage is removed by the separate deprovisioning process, not by this routine. Subject-level erasure, a self-service request flow, and automated retention-based purges remain to be implemented.
You may request deletion of your account and associated Merchant data by contacting privacy@acoco.ai. Because the current erasure capability is operator-triggered, requests will be processed manually. Self-service deletion is not yet available.
9. Security
ACOCO implements technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction.
9A. Technical Measures
- Encryption at rest: all data stored in databases and file systems is encrypted using AES-256.
- Encryption in transit: all data transmitted between clients, servers, and third-party services uses TLS 1.2 or higher.
- Credential encryption: stored credentials (API keys, tokens, connection strings) are encrypted with AES-256-GCM using per-tenant keys managed via a dedicated secrets management service.
- Access controls: role-based access control (RBAC) with least-privilege principles for all platform personnel.
- Network security: firewalls, intrusion detection, and DDoS protection on all production infrastructure.
- Monitoring and alerting: real-time security monitoring, anomaly detection, and automated incident alerting.
9B. Organizational Measures
- Personnel security: background checks and confidentiality agreements for all employees with access to production data.
- Security training: regular security awareness training for all personnel.
- Incident response: documented incident response procedures with defined escalation paths and notification timelines.
- Vendor assessment: security review of third-party sub-processors before engagement.
- Audit logging: all administrative access to production systems and tenant data is logged and periodically reviewed.
9C. Breach Notification
(a) To Users. In the event of a personal data breach affecting your Merchant’s data, we will notify you without undue delay (and in any event within 72 hours of becoming aware of the breach, where feasible) with details of the breach, affected data categories, likely consequences, and remedial measures taken.
(b) To Authorities. Where required by applicable law (e.g., GDPR Art. 33), we will notify the relevant supervisory authority of breaches likely to result in a risk to data subjects' rights and freedoms.
(c) To Data Subjects. Where a breach is likely to result in a high risk to data subjects' rights and freedoms, we will assist you (as controller) in communicating the breach to affected End-Customers as required by applicable law.
Despite our security measures, no system is completely secure. We cannot guarantee absolute security of personal data and are not liable for unauthorized access resulting from factors outside our reasonable control (see our Terms of Service for liability limitations).
10. Your Choices and Rights
Depending on your location and applicable law, you may have certain rights regarding your personal data:
10A. All Users
- Access: You can access and review your account information through your ACOCO dashboard at any time.
- Update: You can update your account information, Merchant configurations, and communication preferences through the platform.
- Delete: You can request deletion of your account and associated data by contacting privacy@acoco.ai. Deletion requests are currently processed manually at the company level; self-service and subject-level erasure are not yet available.
- Unsubscribe: You can opt out of marketing communications from ACOCO using the unsubscribe link in any marketing email.
- Export: There is currently no self-service data export. You can request a copy of your data by contacting privacy@acoco.ai; requests will be processed manually.
10B. EEA/UK Residents (GDPR Rights)
If you are located in the European Economic Area or the United Kingdom, you have the following additional rights:
- Right of access (Art. 15): Obtain confirmation of whether we process your data, and a copy of that data.
- Right to rectification (Art. 16): Correct inaccurate personal data.
- Right to erasure (Art. 17): Request deletion of your data. Currently, erasure operates at the company level and is operator-triggered; subject-level erasure and self-service flows are not yet available. Deletion is subject to legal retention obligations.
- Right to restriction (Art. 18): Restrict processing in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests, including profiling and direct marketing.
- Right to withdraw consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent.
- Right to lodge a complaint: File a complaint with your local data protection supervisory authority.
To exercise these rights, contact privacy@acoco.ai. We will respond within 30 days (extendable by 60 days for complex requests). We may verify your identity before processing requests.
11. U.S. State Privacy Rights
Residents of certain U.S. states have additional privacy rights under state law. This section addresses rights under the California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and other applicable state privacy laws.
11A. Categories of Personal Information (CCPA)
In the preceding 12 months, we have collected the following categories of personal information (as defined by Cal. Civ. Code §1798.140):
- Identifiers (name, email, IP address, account IDs).
- Commercial information (transaction records, billing history, subscription details).
- Internet/electronic activity (browsing history, usage data, log data).
- Professional information (business name, industry, role — where provided).
- Inferences drawn from the above (User preferences, Merchant performance insights).
11B. Sale and Sharing
(a) No Sale. ACOCO does not "sell" personal information as defined under CCPA (Cal. Civ. Code §1798.140(ad)) in exchange for monetary consideration.
(b) Sharing for Cross-Context Behavioral Advertising. We transmit hashed identifiers (email, user ID) and conversion events to Meta via the Conversions API for ACOCO’s own advertising attribution and optimization. This may constitute “sharing” of personal information for cross-context behavioral advertising as defined under CPRA (Cal. Civ. Code §1798.140(ah)). California residents may opt out of this sharing.
(c) Opt-Out. To opt out of sharing for cross-context behavioral advertising, contact privacy@acoco.ai or use the "Do Not Sell or Share My Personal Information" link on ACOCO.ai (once implemented). We honor Global Privacy Control (GPC) signals as a valid opt-out of sharing.
11C. California Resident Rights
California residents have the right to:
- Know what personal information we collect, use, disclose, and sell/share.
- Delete personal information (subject to exceptions).
- Correct inaccurate personal information.
- Opt out of sale/sharing of personal information.
- Limit use of sensitive personal information (we do not use sensitive personal information beyond what is necessary to provide the Service).
- Non-discrimination for exercising privacy rights.
To exercise these rights, contact privacy@acoco.ai. We will verify your identity using account credentials or, for non-account holders, through reasonable verification methods. Authorized agents may submit requests on your behalf with proper documentation.
11D. Other State Rights
Residents of Virginia, Colorado, Connecticut, and other states with comprehensive privacy laws may exercise similar rights (access, deletion, correction, opt-out of targeted advertising, opt-out of profiling) by contacting privacy@acoco.ai. We will process requests within the timeframes required by applicable state law (generally 45 days, extendable).
If we decline a request, you may appeal by contacting privacy@acoco.ai with "Appeal" in the subject line. We will respond to appeals within the timeframe required by applicable law.
12. International Data Transfers
ACOCO is based in the United States. If you access the Service from outside the United States, your personal data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
13. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If you are under 16, you may not use the Service.
If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe we have collected information from a child under 16, please contact us at privacy@acoco.ai.
Merchants operated on the ACOCO platform must not be configured to target or knowingly collect data from children under 13 (under COPPA) or under 16 (under GDPR). Users who configure Merchants that knowingly target children violate our Terms of Service.
14. AI-Specific Data Practices
Given the central role of artificial intelligence in the ACOCO platform, this section describes data practices specific to AI operations.
14A. AI Model Inputs and Outputs
(a) Prompts. When Agents operate on behalf of your Merchant, prompts are constructed from: (i) your Merchant configuration and custom instructions; (ii) contextual data (End-Customer inquiries, transaction context, Prospect data); and (iii) platform system instructions. Prompts are transmitted to AI model providers (Anthropic, OpenAI, Google) for inference.
(b) Outputs. AI-generated outputs (content, decisions, communications) may contain or be derived from personal data. Outputs are stored on ACOCO's infrastructure and may be published (e.g., on storefronts) or transmitted (e.g., via email) as part of Merchant operations.
(c) Upstream Provider Data Handling. We select AI model providers that commit to not using inputs or outputs processed through the Service for model training. Specifically:
- Anthropic: API inputs/outputs are not used for training. Retention for safety: up to 30 days.
- OpenAI: API inputs/outputs (with data usage opt-out) are not used for training. Retention for abuse monitoring: up to 30 days.
- Google (Vertex AI): Data processed via Vertex AI is not used for training Google's foundation models.
Provider policies may change. We monitor upstream provider terms and will update this Policy if material changes affect data handling. Current provider terms and data handling documentation are available upon request.
14B. Automated Decision-Making
(a) Agent Decisions. Agents make autonomous decisions on behalf of your Merchant, including: which Prospects to contact, what content to generate, how to price products, which ad campaigns to run, and how to respond to End-Customer inquiries. These decisions are made without human review unless you configure specific approval gates.
(b) Platform Decisions. ACOCO uses automated processing for certain platform-level decisions, including: fraud detection, abuse prevention, account risk scoring, and content moderation. These decisions may affect your ability to use the Service.
(c) Right to Human Review. Where automated decision-making has legal or similarly significant effects on you (e.g., account suspension), you have the right to request human review by contacting support@acoco.ai. We will review such decisions within 5 business days.
14C. AI Transparency
(a) End-Customer Disclosure. Consistent with applicable law (including CA SB 1001 and the EU AI Act), ACOCO discloses to End-Customers that they are interacting with an AI-operated business. Disclosure methods include footer notices on Merchant storefronts, disclaimers in outbound communications, and checkout-page notices.
(b) Content Provenance. AI-generated content published on Merchant storefronts or sent via email is not individually labeled as AI-generated (as the Merchant is AI-operated in its entirety). The disclosure described in subsection (a) covers all Merchant content and communications.
(c) Decision Logging. Significant Agent decisions (e.g., campaign launches, pricing changes, large transactions) are logged with reasoning summaries. Users can review Agent decision logs through the platform dashboard.
15. Cookies and Similar Technologies
ACOCO uses cookies and similar technologies on ACOCO.ai and Merchant subdomains (name.acoco.ai). This section describes the types of cookies used and your choices.
15A. Types of Cookies
(a) Strictly Necessary Cookies. Required for core functionality: authentication, session management, security, and load balancing. These cookies cannot be disabled without breaking the Service.
(b) Functional Cookies. Remember your preferences and settings (e.g., language, dashboard layout). Disabling these may degrade user experience.
(c) Analytics Cookies. Help us understand how Users and Visitors interact with the Service: page views, feature usage, error tracking. We use first-party analytics where possible.
(d) Marketing and Attribution Cookies. Used for advertising attribution and conversion tracking on ACOCO.ai (Meta Pixel _fbp/_fbc, Google Analytics, UTM parameters). These help us measure the effectiveness of our own marketing.
(e) Merchant Storefront Cookies. Merchant storefronts (name.acoco.ai) may set cookies on End-Customer browsers for: session management, shopping cart functionality, conversion tracking (for Merchant advertising campaigns), and analytics. These cookies are set under the User's (as controller) direction.
15B. Managing Cookies
- Browser settings: You can manage or delete cookies through your browser settings. Note that disabling strictly necessary cookies will prevent the Service from functioning.
- GPC/DNT signals: We honor Global Privacy Control (GPC) signals. Do Not Track (DNT) signals are not uniformly defined and are not currently honored beyond GPC compliance.
- Opt-out of marketing cookies: Contact privacy@ACOCO.ai or use cookie preference controls on ACOCO.ai (where available).
15C. Third-Party Cookies
Some cookies are set by third parties (Meta, Google) when advertising pixels or analytics scripts load on ACOCO.ai or Merchant storefronts. These third parties may collect information about your browsing activities over time and across different websites. We do not control third-party cookies and recommend reviewing the privacy policies of Meta and Google for information about their data practices.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will post the updated Policy on ACOCO.ai with a revised "Last Updated" date.
- We will notify you via email or in-product notification at least 15 days before material changes take effect.
- We will provide a summary of material changes for your convenience.
Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes. If you do not agree with a revised Policy, you must stop using the Service and delete your account.
Non-material changes (e.g., formatting, clarifications that do not alter data practices) may be made without advance notice.
17. Contact Information
For questions about this Privacy Policy, to exercise your data protection rights, or to raise concerns about our data practices, contact us at:
Diablo Tech LLC
Attn: Privacy / Data Protection
Email: privacy@ACOCO.ai
Legal inquiries: legal@ACOCO.ai
Mailing address: 1201 Wilson Blvd, Floor 25, Arlington, VA 22209
For EEA/UK residents: If you are not satisfied with our response to your inquiry, you have the right to lodge a complaint with your local data protection supervisory authority.
Response times: We aim to respond to all privacy inquiries within 30 days. Complex requests may take up to 90 days, in which case we will notify you of the extension.