Privacy Policy

Last updated: March 19, 2026

Welcome to Actem's privacy policy. This policy helps you understand what data we collect, why we collect it, and what your rights are regarding your data.

1. Data Controller

Fabrizio Vaccaro (Actem), independent developer based in Rende (CS), Italy
Controller contact email: support@actem.app

2. Types of Data Collected

Among the types of Personal Data that this Application collects, by itself or through third parties, there are:

Trackers and Usage Data: collected automatically when using the Application (e.g., IP addresses, browsing activity).
Account access data: provided voluntarily upon registration.
Audio files and text: provided voluntarily to use the transcription and Action Items generation service.

3. Purpose of Processing

The User's Data is collected to allow the Owner to provide its Service, and in particular for the following purposes:

Hosting and backend infrastructure: via services like Supabase and Vercel.
Registration and authentication: to allow secure access to user data via Supabase Auth.
AI Processing and Automation: via third-party API providers (e.g., OpenAI) to generate transcriptions and action items from uploaded audio files.
Behavioral analytics and product improvement: via PostHog (anonymous events, no consent required) and Microsoft Clarity (session recordings and heatmaps, consent required), to understand how Users interact with the Application and improve its usability.

4. Methods and Place of Processing

Methods of processing: The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data. The Data processing is carried out using computers and/or IT enabled tools.

Place: The Data is processed at the Owner's operating offices and in any other places where the parties involved in the processing are located. Data may be transferred outside the EU (e.g., to servers in the USA) only through adequate legal guarantees. Actem uses Standard Contractual Clauses (SCCs) and Data Processing Addenda (DPAs) provided by third-party processors (e.g., OpenAI, Supabase) to ensure that international transfers comply with GDPR and offer equivalent data protections.

Retention time: Uploaded audio/video files are stored to allow replay and review by the User until manual deletion from the dashboard or, to protect privacy, they are automatically and permanently deleted after 60 days from the upload. The User may manually delete them at any time. Deletion (both manual and automatic) is irreversible, except for temporary traces in system logs or legal retention obligations. Other data (text, action items, transcripts) is retained for as long as necessary to provide the service or until account deletion.

Privacy roles: For uploaded content (e.g., meeting audio), Actem acts as a technical platform provider (Data Processor), while the User uploading such content acts as Data Controller and remains responsible for the legal basis of processing and data-subject rights compliance.

5. Details on Third-Party Providers

OpenAI: Artificial intelligence service. Location: United States. Data processed: Usage Data, voluntarily sent audio files and transcripts. Actem uses OpenAI's APIs (not free ChatGPT), so data sent is not used for training OpenAI's models and benefits from protections in OpenAI's Data Processing Addendum which includes Standard Contractual Clauses.
Anthropic (when enabled): Artificial intelligence service. Location: United States. Data processed: text/audio content needed for processing.
Supabase: Database and authentication service. Location: primarily EU region depending on project configuration (with compliant transfers where applicable). Data processed: credentials, personal data, application data.
Cloudflare R2: Cloud storage service used for temporary and permanent (max 60 days) storage of audio and video files. Location: primarily EU / Global. Data processed: audio and video files.
Vercel: Hosting service. Location: United States/Global. Data processed: Usage and diagnostic data.
Lemon Squeezy: Payment provider and Merchant of Record. Data processed: billing data, transactions, and subscription status.
Resend: Transactional email service (e.g., recaps and follow-ups). Location: United States. Data processed: email addresses, user name, AI-generated content sent via email.
Microsoft Clarity: Behavioral analytics service (consent required). Location: United States (transfer guaranteed via Standard Contractual Clauses). Data processed: session recordings, mouse movements, clicks, heatmaps. Consent can be withdrawn at any time via the cookie banner.
PostHog: Event analytics service (anonymous in-memory events without consent; persistent mode with consent). Location: European Union (eu.i.posthog.com). Data processed: anonymous aggregated usage events; with consent, a persistent session identifier stored in localStorage.

6. Technical Security

Data is protected through appropriate technical and organizational measures, including encryption in transit and at rest, strict access controls, and access segregation policies.

For application data on Supabase, Actem applies Row Level Security (RLS)-based access rules to ensure that, by application design, only authorized users can access their own content.

7. User Rights (GDPR and other regulations)

Users may exercise certain rights regarding their Data processed by the Owner, in particular:

Withdraw consent at any time.
Object to processing of their Data.
Access their Data and obtain a copy.
Verify and seek rectification.
Have their Personal Data deleted or otherwise removed.
Receive their Data and have it transferred to another controller.

To exercise their rights, Users can send a request to the Owner's contact details provided in this document. Requests are free of charge and will be addressed by the Owner as early as possible and always within one month.

8. Changes to this Privacy Policy

The Owner reserves the right to make changes to this privacy policy at any time by notifying its Users on this page.