Privacy Policy - Reliquary Beta

Effective Date: October 25, 2025

THIS PRIVACY POLICY APPLIES ONLY TO THE BETA TESTING PERIOD AND WILL BE SUPERSEDED UPON ANY COMMERCIAL LAUNCH

1. INTRODUCTION AND SCOPE

This Beta Privacy Policy ("Privacy Policy") describes how ACM Concepts LLC ("Reliquary," "Company," "we," "us," or "our") collects, uses, discloses, and protects information from beta testers ("you," "your," or "Beta Tester") of the Reliquary beta platform and related services (the "Beta Service").

This Privacy Policy applies only to information collected during the beta testing period through your use of the Beta Service. It does not apply to information collected through other channels, such as our marketing website, or to any future commercial version of the service.

By accessing or using the Beta Service, you acknowledge that you have read, understood, and agree to our collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with our practices, do not use the Beta Service.

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

• Account Information: Name, email address, phone number (optional), organization name, job title, and professional credentials
• Authentication Information: Username, password (encrypted), and security question responses
• Google Account Data: When you authenticate using Google OAuth, we collect your Google profile information, including name, email address, profile picture, and unique Google ID
• Payment Information: If applicable during beta, credit card information, billing address, and transaction history (processed through Stripe)
• Communications: Contents of emails, support tickets, feedback forms, survey responses, and other correspondence with us
• Beta Feedback: Bug reports, feature requests, usability feedback, performance observations, and suggestions for improvement

2.2 Information Collected Automatically

• Usage Data: Features accessed, actions taken, time spent, click patterns, search queries, error logs, and interaction patterns within the Beta Service
• Device Information: Device type, operating system, browser type and version, screen resolution, device identifiers, and mobile network information
• Network Information: IP address, ISP, referring/exit pages, clickstream data, and approximate geographic location based on IP address
• Performance Data: Page load times, API response times, error rates, crash reports, and system resource utilization
• Cookies and Tracking Technologies: Session cookies, persistent cookies, web beacons, and similar technologies to maintain sessions and analyze usage

2.3 Content and Files

• User Content: Digital preservation files, documents, images, metadata, and any other content you upload to or create within the Beta Service
• File Metadata: File names, sizes, types, creation dates, modification dates, checksums, and preservation-specific metadata
• Processing Information: Logs of file processing activities, validation results, and preservation actions taken

3. LEGAL BASIS FOR PROCESSING (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data based on the following legal grounds:

• Consent: Where you have given explicit consent for processing, particularly for beta participation and feedback collection
• Contract Performance: To fulfill our obligations under the Beta Terms and Conditions
• Legitimate Interests: For improving our services, ensuring security, preventing fraud, and conducting analytics
• Legal Obligation: To comply with applicable laws, regulations, legal processes, or governmental requests

4. HOW WE USE YOUR INFORMATION

4.1 Service Provision and Improvement

• Provide, operate, and maintain the Beta Service
• Authenticate your identity and manage your account
• Process and store your digital preservation files
• Analyze usage patterns to improve features and user experience
• Debug issues, fix bugs, and enhance performance
• Develop new features and services based on beta feedback
• Conduct research and analytics on service usage

4.2 Communication

• Send service-related announcements and updates
• Request and collect feedback about the Beta Service
• Respond to your inquiries and support requests
• Notify you of changes to our terms or policies
• Send technical notices, security alerts, and administrative messages

4.3 Safety and Security

• Detect, prevent, and address technical issues
• Monitor for fraudulent activity and security breaches
• Enforce our Beta Terms and Conditions
• Protect against harmful or illegal activity
• Maintain the integrity and security of our systems

4.4 Legal Compliance

• Comply with applicable laws and regulations
• Respond to legal requests and prevent harm
• Protect our rights, privacy, safety, and property
• Enforce our terms and protect against legal liability

5. GOOGLE DATA USE RESTRICTIONS

We access and use data from Google APIs in accordance with Google's API Services User Data Policy. Our use of information received from Google APIs adheres to the following restrictions:

• Limited Use: We use Google user data only to provide and improve user-facing features of the Beta Service that are directly relevant to your interaction with our service
• No Sale: We do not sell Google user data to third parties
• No Advertising: We do not use Google user data for advertising purposes
• No Credit Assessment: We do not use Google user data to determine creditworthiness or for lending purposes
• No AI Training: We do not use Google user data to train AI or machine learning models without your explicit consent
• Human Review: We only allow human review of Google user data when necessary for security purposes, to comply with law, or with your explicit consent

You may revoke our access to your Google data at any time through your Google Account settings at https://myaccount.google.com/permissions.

6. THIRD-PARTY SERVICE PROVIDERS

We use third-party service providers to operate the Beta Service. These providers have access to your information only to perform specific tasks on our behalf and are obligated to protect your information consistent with this Privacy Policy.

6.1 Infrastructure and Hosting

Google Cloud Platform: We use Google Cloud Platform for hosting, data storage, and computing services. Google Cloud processes your data according to our instructions as a data processor. Google Cloud is certified under multiple compliance frameworks including ISO 27001, SOC 2/3, and participates in the EU-U.S. Data Privacy Framework. Google Cloud Privacy Notice

6.2 Authentication

Google OAuth 2.0: We use Google OAuth for secure authentication. When you sign in with Google, we receive your basic profile information (name, email, profile picture) and a unique identifier. We do not receive or store your Google password. Google Privacy Policy

6.3 Payment Processing

Stripe: We use Stripe for payment processing when applicable. Stripe collects and processes payment card information, billing addresses, and transaction data directly. Stripe also collects device information and IP addresses for fraud prevention through Stripe Radar. We do not store or have access to your complete payment card numbers. Stripe is PCI DSS Level 1 certified and uses advanced encryption and security measures. Stripe does not sell personal information. Stripe Privacy Policy

6.4 Email Services

Mailchimp: We use Mailchimp for email newsletters and marketing communications. Mailchimp processes email addresses, engagement metrics (opens, clicks), and subscriber preferences. You can unsubscribe from marketing emails at any time using the link in any email. Mailchimp is certified under the EU-U.S. Data Privacy Framework. Mailchimp Privacy Policy

Mailgun: We use Mailgun for transactional emails such as password resets, account notifications, and service alerts. Mailgun processes email addresses, message content, and delivery data. Each email sent through Mailgun includes a link to this Privacy Policy in compliance with Mailgun's requirements. Mailgun Privacy Policy

6.5 Content Delivery and Security

Cloudflare: We use Cloudflare for content delivery network (CDN) services, DDoS protection, and web application firewall. Cloudflare may process visitor IP addresses, HTTP request data, and security event information. Cloudflare acts as a data processor and does not sell or use personal information for its own purposes. Cloudflare is certified under ISO 27001 and SOC 2 Type II. Cloudflare Privacy Policy

6.6 Analytics

Google Analytics: We may use Google Analytics to analyze usage patterns. Google Analytics collects information through cookies and similar technologies about your device and usage patterns. You can opt-out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. Google Privacy Policy

7. INFORMATION SHARING AND DISCLOSURE

We do not sell, rent, or trade your personal information. We share your information only in the following circumstances:

• Service Providers: With third-party service providers who perform services on our behalf, subject to confidentiality obligations
• Legal Requirements: When required by law, subpoena, court order, or governmental request
• Safety and Rights: To protect the rights, property, or safety of ACM Concepts LLC, our users, or the public
• Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, subject to the acquirer accepting this Privacy Policy
• Consent: With your explicit consent or at your direction
• Aggregated Information: We may share aggregated or de-identified information that cannot reasonably identify you

8. DATA SECURITY

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of data at rest using AES-256 encryption

However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security. The Beta Service may contain security vulnerabilities that have not yet been discovered or addressed. You acknowledge the inherent risks of using pre-release software.

9. DATA RETENTION

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:

• Account Information: Retained for the duration of the beta period plus 30 days after termination
• Beta Feedback: May be retained indefinitely in anonymized form for product development
• Usage Analytics: Retained for up to 24 months in aggregated form
• Communications: Retained for up to 3 years for legal and support purposes
• User Content: Deleted within 30 days after beta termination unless you export it
• Legal Compliance Data: Retained as required by applicable laws and regulations

You may request deletion of your personal information at any time by contacting us at legal@myreliquary.com, subject to legal retention requirements.

10. YOUR PRIVACY RIGHTS

10.1 Rights Under GDPR (European Users)

If you are located in the EEA, UK, or Switzerland, you have the following rights:

• Access: Request access to your personal data and receive a copy
• Rectification: Request correction of inaccurate or incomplete data
• Erasure: Request deletion of your personal data ("right to be forgotten")
• Restriction: Request restriction of processing in certain circumstances
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests
• Automated Decision-Making: Not be subject to solely automated decision-making
• Withdraw Consent: Withdraw consent where processing is based on consent
• Lodge a Complaint: File a complaint with your local data protection authority

10.2 Rights Under CCPA/CPRA (California Users)

If you are a California resident, you have the following rights:

• Right to Know: Request disclosure of personal information collected, used, and shared
• Right to Delete: Request deletion of personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt-out of the sale or sharing of personal information (we do not sell personal information)
• Right to Limit Use: Limit use of sensitive personal information
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising privacy rights

Categories of Information: We collect identifiers, commercial information, internet activity, professional information, and inferences. We do not sell personal information or share it for cross-context behavioral advertising.

10.3 Exercising Your Rights

To exercise any of these rights, please contact us at legal@myreliquary.com or 56 Broad St STE 14227 Boston, MA 02109. We will respond to verified requests within 30 days (45 days for CCPA requests). We may require additional information to verify your identity before processing your request.

11. INTERNATIONAL DATA TRANSFERS

Your information may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have different data protection laws than your country of residence.

For transfers from the EEA, UK, or Switzerland to the United States, we rely on:

• Standard Contractual Clauses approved by the European Commission
• EU-U.S. Data Privacy Framework certification of our service providers
• UK International Data Transfer Agreement (IDTA) where applicable
• Appropriate safeguards as required under Article 46 of the GDPR

You may request a copy of the relevant data transfer mechanisms by contacting us at legal@myreliquary.com.

12. COOKIES AND TRACKING TECHNOLOGIES

12.1 Types of Cookies We Use

• Essential Cookies: Required for authentication, security, and basic functionality
• Performance Cookies: Collect information about how you use the Beta Service
• Analytics Cookies: Help us understand usage patterns and improve the service
• Preference Cookies: Remember your settings and preferences

12.2 Third-Party Cookies

Third-party service providers may set their own cookies as described in their privacy policies. These include cookies from Google (authentication and analytics), Stripe (fraud prevention), and Cloudflare (security and performance).

12.3 Managing Cookies

You can manage cookies through your browser settings. Disabling certain cookies may limit functionality of the Beta Service. For more information about cookies, visit www.allaboutcookies.org.

13. CHILDREN'S PRIVACY

The Beta Service is not intended for users under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child under 18, please contact us immediately at legal@myreliquary.com.

14. DO NOT TRACK SIGNALS

Some browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no common understanding of how to interpret DNT signals, our Beta Service does not currently respond to browser DNT signals. We do, however, provide you with the ability to manage cookies and tracking as described in Section 12.

15. DATA PROTECTION OFFICER

For questions about our privacy practices or to exercise your rights, you may contact our designated privacy officer at:

Privacy Officer

ACM Concepts LLC
Attention: Privacy Officer
Email: legal@myreliquary.com
Address: 56 Broad St STE 14227 Boston, MA 02109

16. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy during the beta period to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of material changes by:

• Posting the updated Privacy Policy with a new "Effective Date"

Your continued use of the Beta Service after notification of changes constitutes acceptance of the updated Privacy Policy.

17. PRIVACY POLICY FOR OTHER JURISDICTIONS

17.1 Canada: Canadian users have similar rights to EU users under PIPEDA. We comply with Canadian anti-spam legislation (CASL) for commercial electronic messages.

17.2 Australia: We comply with the Australian Privacy Principles under the Privacy Act 1988. Australian users may file complaints with the OAIC.

17.3 Brazil: Brazilian users have rights under LGPD similar to GDPR rights. We process data based on legal bases recognized under LGPD.

17.4 Other Jurisdictions: We strive to comply with applicable data protection laws in all jurisdictions where we have users.

18. CONTACT INFORMATION

For privacy-related questions, concerns, or requests, please contact us at:

ACM Concepts LLC
Attention: Privacy Officer
Email: legal@myreliquary.com
Address: 56 Broad St STE 14227 Boston, MA 02109

For data protection authority contacts:

• EU: You may contact your local supervisory authority. A list is available at https://edpb.europa.eu/about-edpb/board/members_en
• UK: Information Commissioner's Office at https://ico.org.uk
• California: California Privacy Protection Agency at https://cppa.ca.gov

Last Updated: October 25, 2025

Version: 1.0 (Beta)