Privacy Policy
This policy explains what personal data The AC Group collects, why we collect it, who we share it with, how long we keep it, and the rights you have over it. We have written it in plain language and stated the lawful basis for every purpose, because a privacy policy that hides its meaning in jargon is not really informing anyone.
contents
- 1 Who we are
- 2 What this policy covers
- 3 What we collect, and how
- 4 Why we use it, and our lawful basis
- 5 Who we share it with
- 6 International transfers
- 7 How long we keep it
- 8 How we protect it
- 9 Your rights under the GDPR
- 10 Your rights under California law
- 11 Cookies and similar technologies
- 12 Children
- 13 Changes to this policy
- 14 How to reach us about privacy
1. Who we are
The AC Group (“we”, “us”, “our”) operates this website and is the data controller responsible for the personal data described in this policy. We have run as an authority and citations practice for 27 years.
For data protection purposes, the controller is:
- Legal entity: The AC Group
- Registered address: 885 West Georgia Street, Suite 1950, Vancouver, BC V6C 3E8, Canada
- Privacy contact: [email protected]
If we are required to appoint an EU representative or a Data Protection Officer, their details will appear here. If you are unsure who to contact about your data, use the privacy contact above and we will route your request correctly.
2. What this policy covers
This policy applies to personal data we process when you visit this website, when you ask us for a visibility audit or any other service, and when you contact us by email or other means. It does not cover third-party websites we link to, which have their own policies, nor the internal data practices of clients who engage us under a separate services agreement, which are governed by that agreement.
We do not knowingly collect special categories of data (such as health, political, or biometric data), and our site is not directed at children. If you choose to send us such information in free-text — for example in the body of an email — please do not, since we have no reason to process it and would rather you did not share it.
3. What we collect, and how
We keep collection deliberately narrow. In practice there are three sources:
Information you give us
When you request a free audit, the form asks for two things: a work email address and a domain. That is the whole form. If you instead contact us directly, we receive whatever you choose to put in your message — typically your name, your email address, and the substance of your enquiry. We do not ask for, and do not want, more than we need to answer you.
Information collected automatically
Like almost any web server, ours records basic technical information when a page is requested: the IP address of the device, the browser and operating system reported, the page requested, and the date and time. These server logs exist to keep the site running, secure, and free of abuse. We do not use them to build a profile of you.
Cookies and similar technologies
We keep cookies to a minimum and explain them in full in our Cookie Policy and in section 11 below. Our fonts are self-hosted on our own domain, so simply loading a page does not hand your IP address to a third-party font provider, and we do not load third-party analytics or advertising scripts by default.
4. Why we use it, and our lawful basis
Under the GDPR we must have a lawful basis for each purpose, and we must tell you what it is. Here is each purpose with its basis:
- To answer your audit request or enquiry. We use the email, domain, and message you send to prepare and deliver what you asked for. Lawful basis: steps taken at your request before entering a contract, and our legitimate interest in responding to people who approach us.
- To run, secure, and improve the website. We use server logs and minimal technical data to keep the site available and to detect and prevent abuse. Lawful basis: our legitimate interest in operating a secure, working service.
- To follow up about work you have asked about. If you have approached us about a service, we may contact you about it. Lawful basis: our legitimate interest in pursuing an enquiry you started, or your consent where we ask for it. You can tell us to stop at any time.
- To meet legal and accounting obligations. Where the law requires us to keep records — for example for tax or to defend a legal claim — we do. Lawful basis: compliance with a legal obligation, and our legitimate interest in establishing or defending claims.
Where we rely on legitimate interest, we have weighed our interest against your rights and concluded the processing is limited and expected. You can object to it — see section 9 — and we will stop unless we have a compelling reason that overrides your objection.
6. International transfers
We operate across Panama, the United States, and Europe, and some of our providers may process data outside the European Economic Area. When personal data leaves the EEA, we rely on a lawful transfer mechanism: an adequacy decision by the European Commission where one exists, the EU–U.S. Data Privacy Framework for certified U.S. providers, or the Commission’s Standard Contractual Clauses with appropriate safeguards. You can ask us which mechanism applies to a given provider and request a copy of the relevant safeguards using the contact in section 14.
7. How long we keep it
We keep personal data only as long as the purpose needs, then delete or anonymise it. Where we cannot give an exact period in advance, we use clear criteria:
- Audit and enquiry data — kept while we are in contact about your request and for a reasonable period afterwards in case you return, then deleted.
- Client records — kept for the duration of the engagement and for as long as a legal or accounting obligation requires afterwards.
- Server logs — kept for a short operational and security window, then rotated out.
8. How we protect it
We apply technical and organisational measures appropriate to the modest amount of data we hold: encryption in transit, access limited to people who need it, and providers chosen partly for their own security posture. No system is perfectly secure, and we do not claim otherwise; if a breach ever affected your rights, we would notify you and the relevant authority as the law requires.
9. Your rights under the GDPR
If your data is covered by the GDPR, you have the following rights, and we will not charge you or treat you differently for using them:
- Access — to know whether we hold data about you and to receive a copy.
- Rectification — to have inaccurate data corrected and incomplete data completed.
- Erasure — to have your data deleted where there is no overriding reason to keep it.
- Restriction — to have processing paused while a question about your data is resolved.
- Portability — to receive data you gave us in a portable format, or have it sent onward.
- Objection — to object to processing based on legitimate interest, including any direct marketing, which we will always stop.
- Automated decisions — we do not make decisions about you by automated means alone, so this right is not engaged, but you may always ask.
- Withdraw consent — where we rely on consent, to withdraw it at any time, without affecting what was lawful beforehand.
To use any of these, contact us at the address in section 14. We will respond within one month, and will tell you if a complex request needs longer. You also have the right to lodge a complaint with your data protection supervisory authority — in the EU, that is the authority in your country of residence — though we would appreciate the chance to resolve the matter with you first.
10. Your rights under California law
If you are a California resident, the CCPA, as amended by the CPRA, gives you specific rights over your personal information. In our case several of them are simple to state because of how little we do with data:
- Right to know — what personal information we have collected about you, where it came from, why, and who we shared it with.
- Right to delete — to request deletion of personal information we hold, subject to legal exceptions.
- Right to correct — to have inaccurate personal information corrected.
- Right to opt out of sale or sharing — we do not sell or share your personal information in the sense those terms have under California law, so there is nothing to opt out of and no “Do Not Sell or Share” link is required. We honour Global Privacy Control signals regardless.
- Right to limit sensitive personal information — we do not collect sensitive personal information as defined by the CPRA; if that ever changes, this section will be updated and a control provided.
- Right to non-discrimination — we will not deny you service or treat you worse for exercising any of these rights.
To exercise a California right, use the contact in section 14 and tell us you are making a California request.
11. Cookies and similar technologies
We use only the cookies we need to run the site and, where the law requires consent, we ask for it before setting anything non-essential. Because our fonts are self-hosted and we do not load third-party analytics or advertising by default, there is far less to consent to here than on most sites. The full detail — what each cookie is, why it exists, and how long it lasts — is in our Cookie Policy.
12. Children
This is a business service aimed at companies, and it is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has given us data, contact us and we will delete it.
13. Changes to this policy
We may update this policy as our practices or the law change. When we do, we will revise the “last updated” date at the top, and for a material change we will take reasonable steps to bring it to your attention. The version in force is always the one published here.
14. How to reach us about privacy
For any privacy question or to exercise a right, contact us at [email protected], or by post at 885 West Georgia Street, Suite 1950, Vancouver, BC V6C 3E8, Canada. You can also use our contact page. We read these messages ourselves and aim to reply quickly.
The AC Group · authority & citations since 1999