Home About Pricing Help Sign in

Privacy Policy

Effective date: · Version: 2026-05-12

This Privacy Policy describes what information Accedo collects about you and your organization, how we use it, who we share it with, and how long we keep it. Accedo is a policy management and compliance tracking service provided to organizations (each a “Tenant”) and the individuals (“End Users”) the Tenant invites to use the platform.

1. Introduction

Accedo acts as the data controller for account-level personal data we collect directly from the Tenant’s administrators (contact information, billing details, sign-in activity). For policy content and acknowledgment records that a Tenant uploads or that End Users generate while using the platform, Accedo acts as a data processor and the Tenant is the controller of that data. Tenants are responsible for ensuring they have a lawful basis to collect and process information about their End Users through Accedo.

2. Information We Collect

We collect only the information needed to deliver the service:

  • Account information. When an administrator signs an organization up, we collect the organization name, the administrator’s name, work email address, and a chosen password (stored only as a one-way hash by our identity provider). When the administrator invites End Users, we collect each End User’s name, work email address, and any group membership the administrator assigns.
  • Policy content. Documents the Tenant uploads as policies (PDF, DOCX, or other supported formats), along with metadata such as title, version, recurrence settings, and the list of users or groups assigned to acknowledge each policy.
  • Acknowledgment records. When an End User signs a policy, we record who signed, which policy version they signed, the timestamp, and (for audit integrity) the IP address and user-agent string of the browser used to sign.
  • Audit log. For Tenants on tiers that include the audit log, we record administrative actions (user invitations, role changes, policy publication, assignment changes) along with the acting user, the affected resource, and a timestamp.
  • Sign-in data. Authentication tokens issued by our identity provider (Amazon Cognito) are stored as short-lived browser cookies and refresh tokens. We log the timestamp of each sign-in for security monitoring; we do not log passwords.
  • Billing information. When a Tenant subscribes to a paid tier, we and our payment processor collect billing contact details and the information needed to process payment. We do not store full payment-card numbers on Accedo’s servers; our payment processor handles that data.
  • Operational telemetry. Server-side logs that record API requests, error stack traces, and basic request metadata (path, status, latency) so we can keep the service running and diagnose issues. These logs do not include policy content or acknowledgment signatures.

3. How We Use Information

We use the information described above only to deliver the compliance-tracking service the Tenant signed up for. Specifically:

  • To authenticate users and authorize access to their Tenant’s data.
  • To present policies to End Users and record their acknowledgments.
  • To produce the compliance reports and dashboards available to administrators.
  • To send transactional email related to the service — account verification, policy assignments, reminders, password resets, and similar service messages.
  • To process payments and manage subscriptions.
  • To investigate suspected abuse, fraud, or violations of the Terms of Service.
  • To diagnose errors and improve the reliability of the platform.
  • To comply with our legal obligations and respond to lawful requests.

We do not sell personal data, and we do not use Tenant policy content or acknowledgment records to train any machine-learning model.

5. How Long We Keep Information

Retention of acknowledgment records, audit-log entries, and the documents attached to those records is set by the Tenant’s subscription tier:

  • Free: 1 year.
  • Standard: 7 years.
  • Premium: Configurable, with a default of 10 years.

Retention is measured per record — from the acknowledgedAt timestamp for signed assignments and from the createdAt timestamp for unsigned-then-canceled assignments. When the last acknowledgment referencing a document is purged, the document and its underlying object storage are cascade-deleted.

Operational data (users, groups, active policies, the Tenant record itself) persists while the Tenant’s account is active and is removed during the termination grace period described in the Terms of Service. Server-side operational logs are retained on a rolling basis (typically 30–90 days) and then purged. Backups are retained for a reasonable additional period for disaster-recovery purposes and are then purged.

6. Sharing and Sub-Processors

Accedo does not sell or rent personal data, and does not share personal data with third parties for their own marketing or analytics purposes. We rely on the following infrastructure and service sub-processors:

  • Amazon Web Services (AWS) — cloud hosting provider. All Accedo data (databases, object storage, logs, authentication state, email delivery via Amazon SES) lives within AWS regions in the United States. AWS acts as our cloud provider under its standard data-processing terms.
  • Stripe — payment processor. When a Tenant subscribes to a paid tier, Stripe processes payment information on our behalf under its data-processing terms. We do not store full payment-card numbers on Accedo’s servers.
  • Google Analytics 4 — website analytics. On our public marketing pages we use Google Analytics 4 to understand aggregate browsing and usage patterns. It sets cookies in your browser and collects data such as pages visited, approximate location, and device and browser type. Google Signals is disabled, so we do not enable cross-device tracking or advertising personalization. You can opt out using the Google Analytics Opt-out Browser Add-on or by managing cookies through your browser’s privacy controls.

We may also disclose information when required by law, valid legal process, or to protect the safety or rights of Accedo, a Tenant, or the public. If the list of sub-processors changes materially, we will update this Privacy Policy and notify Tenant administrators.

7. Security

We use reasonable technical and organizational measures to protect personal data, including:

  • TLS 1.2+ encryption for all data in transit.
  • Encryption at rest for databases, object storage, and backups using AWS-managed encryption keys.
  • Tenant data isolation enforced at the application, database, and IAM-policy layers.
  • Least-privilege access controls for Accedo personnel.
  • Audit logging of administrative access to production systems.
  • Documented incident-response procedures.

No service is perfectly secure. If we become aware of a breach affecting your personal data, we will notify the affected Tenant administrators without undue delay and consistent with applicable law.

8. Your Rights

Subject to the privacy frameworks that apply to you, you may have the right to access, correct, export, or delete the personal data we hold about you. In Accedo, those rights are exercised primarily through the in-app Settings area:

  • Export. Tenant administrators can export their organization’s policies, users, and acknowledgment records from Settings. End Users can export their own acknowledgment history.
  • Deletion. Tenant administrators can delete users (which removes operational data tied to the user, subject to the retention rules that apply to acknowledgment records as evidence of compliance) and can request full Tenant deletion from Settings, which kicks off the termination workflow described in the Terms of Service.
  • Correction. Names, email addresses, and group memberships can be edited directly in Settings by an administrator or by the user themselves for their own profile.

Where these in-app paths do not satisfy a specific statutory right, contact us at the address in the Contact section below and we will respond consistent with applicable law. If you are unable to resolve a concern with us, you may have the right to lodge a complaint with your local data protection authority.

9. Children

Accedo is a workplace compliance tool sold to organizations. It is not intended for, and we do not knowingly collect personal data from, children under 16. If you believe a child has provided personal data to Accedo, contact privacy@yesaccedo.com and we will delete it.

10. International Transfers

Accedo data is processed in AWS regions in the United States. If you access the service from outside the United States, you understand that your data will be transferred to and processed in the United States. Where applicable law requires a specific transfer mechanism for personal data leaving your country (for example, the EU/UK standard contractual clauses), we will put that mechanism in place on request.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will publish the new version on this page with a fresh version identifier and notify Tenant administrators by email. Continued use of the service after notice constitutes acceptance of the updated policy.

12. Contact

Privacy questions, deletion requests, or other rights requests can be sent to privacy@yesaccedo.com. We aim to respond within thirty (30) days.

13. Effective Date

The effective date of this version is . The version identifier is 2026-05-12. Each subsequent published revision will carry a new version string.