Privacy Policy
*Last updated: February 2026*
1. Who Are We
Acci.cloud is an all-in-one business management and automated bookkeeping platform designed for small businesses, freelancers, and accounting professionals. The platform is developed and operated by Kullabut Kaewka in Samutprakarn, Thailand. Acci.cloud provides a high-performance, unified suite that integrates Accounting, Inventory, Sales & Purchasing, Payroll, Expense Tracking, and Project Management into a single, seamless environment. Operating on a distributed “siloed” infrastructure across Los Angeles, Dallas, and New York, we deliver enterprise-grade speed and data isolation for your entire business operation.
2. Data We Collect
- Account Information: We collect your name and billing address for the sole purpose of generating valid invoices and receipts. Your email address serves as your unique User ID for login and is used to send you essential communications, such as support tickets, security alerts, and billing updates.
- Payment Information: We do not collect, process, or store your credit card number or sensitive payment details on our servers. All payments are handled securely by our Payment Processor, Dodo Payments or Creem.
- Note: When you reach the checkout page, you will be interacting directly with Dodo Payments or Creem’s secure interface. They may ask for your credit card information and billing details to process your subscription. This data is governed by the Dodo Payments or Creem Privacy Policy.
- Financial & Business Data: In addition to your own personal data (such as your name and login credentials), we hold financial data that you enter into Acci.cloud to make use of our services.
- Ownership:
- You retain full ownership of all financial data you enter, upload, or import into the system. We claim no intellectual property rights over your Business Data.
- Standard Business Data:
- This includes your organization’s invoices, expenses, payroll details, project details, inventory records, and bank statements or credit card statements uploaded via CSV files.
- We never ask for, and you should never enter, your full 16-digit credit card number within the Acci. For reconciliation purposes, you should only use the last 4 digits of a card to represent the account name or card name (like “Visa – 1234”).
- ACH and Payment Origination Data:
- To provide the ACH File Generation service, we collect and store sensitive business and financial information, including:
- Business Identifiers: Your Employer Identification Number (EIN) or Tax ID (used as the “Immediate Origin Number”).
- Banking Details: Bank Name, ABA Routing Number, Bank Account Type and Bank Account Number.
- Purpose of Processing: This data is collected solely for the purpose of generating standardized ACH files (NACHA format) as requested by you. This data is used to populate the file headers and entry records required by your financial institution to process electronic payments.
- Security of Sensitive Data: All sensitive financial identifiers, including bank account numbers and EINs, are encrypted at rest using industry-standard AES-256 encryption. Access to this data is strictly limited to the automated processes required to generate your files. We do not share this data with any third parties; it remains within your private Acci.cloud database.
- Employee Records & Payroll Data:
- To provide tax calculation and payroll reporting services, we process information about your employees as directed by you. This includes:
- Employee Data: Name, home address, personal phone number, marital status, and number of dependents (required for accurate tax withholding calculations).
- ACH & Direct Deposit Data: To facilitate electronic payments, we collect the employee’s Bank Name, Name on Bank Account, Bank Account Number, and Routing Number.
- Sensitive Identifiers: Social Security Numbers (SSN), Taxpayer Identification Numbers.
- Employment Details: Salary, hours worked, and job titles.
- Purpose: This data is used solely to calculate payroll taxes, generate pay stubs, prepare tax filings on behalf of the Employer, and allow the Employer to maintain accurate personnel records.
- Social Security Numbers (SSN), Bank Account Numbers, Routing Numbers, Name on Bank Account, and Compensation/Salary details are subject to enhanced security measures. These fields are encrypted at rest using AES-256 encryption. Within the application, SSNs are partially masked by default (e.g., XXX-XX-1234) to minimize exposure. Access to view the full unmasked SSN is strictly limited to authorized users with specific administrative or payroll permission.
- Business Data Ownership: You retain full ownership of all financial data you enter, upload, or import into the system, including but not limited to: invoices, expenses, payroll details, project details, inventory records, and bank statements or credit card statements uploaded via CSV files (“Business Data”). We claim no intellectual property rights over your Business Data.
- Limited Permission: By using the Service, you grant Acci.cloud a limited, non-exclusive license to host, transmit, and display your Business Data solely to provide the Services to you. We will never sell your Business Data to third parties or use it for any purpose other than providing and improving the Service for your account.
- System Security Logs (Our Responsibility)
- For the protection of all users on the Acci.cloud platform, we collect metadata related to system security:
- What we collect: IP addresses, browser types, and login attempt metadata.
- Purpose: This data is used specifically by our security tools to detect and block malicious attacks, such as brute-force logins or automated “scraping.” This helps ensure the platform remains available and secure for everyone.
- User Audit Logs (Your Feature)
- As part of your Business Data, Acci.cloud automatically generates an internal Audit Log within your isolated database.
- Our system automatically records significant internal activities, such as when records are created, modified, or deleted. This log is stored within your Isolated Database for your internal oversight and accountability.
3. How We Use and Access Your Data
We process your personal and business data based on the following specific legal frameworks to ensure transparency and security:
Contractual Necessity
We process your personal and business data to perform our contract with you. This processing is essential for the service to function and includes:
- Platform Administration
- Account Management: Using your email and name to create your Isolated Workspace and manage your login credentials.
- Subscription & Billing: Coordinating with Dodo Payments or Creem to manage your subscription, process payments, and ensure global tax compliance.
- Customer Support: Using your contact information to respond to your help requests, resolve technical discrepancies, or provide advice on using the service.
- Service Communications: Sending mandatory messages regarding system updates, security alerts, or changes to our legal terms.
- Business Operations (Executing Your Instructions)
- Full-Cycle Sales & Purchasing: Managing quotes, orders, invoices and recurring invoices, alongside purchase orders and bill payments.
- Inventory & Logistics: Tracking stock levels, shipments, and received goods across multiple warehouses, including support for SKUs and bundle/composite items.
- Workforce & Payroll: Processing timesheets, commissions, and expense claims (including mileage and reimbursements) to execute pay runs.
- Project Management: Organizing tasks and milestones (Gantt/Kanban) and generating project invoices based on completed tasks/milestones, timesheets, and all billable expenses.
- Financial & ACH Operations: Consolidating all data for tax calculations, financial reporting, bank / credit card reconciliation and generating ACH (NACHA) files for payments, collections, and direct deposits.
Note: Providing this information is a requirement to use Acci.cloud. If you choose not to provide mandatory data, we will be unable to provide the Service to you.
Legal Obligation
As a provider of financial and payroll software, Acci.cloud is subject to certain legal and regulatory requirements. We may process and disclose your data when necessary to comply with the law, including:
- Fraud & Crime Prevention: Monitoring login metadata and system patterns to detect and prevent money laundering, fraud, or unauthorized access to financial data.
- Government Compliance: Sharing the minimum required information with tax authorities (such as the Revenue Department), law enforcement, or other government agencies when we are served with a legally binding court order or production notice.
- Audit & Reporting: Evidencing our own business accounts, revenue, and tax filings to our auditors and regulators.
- Anti-Corruption & Sanctions: Performing necessary checks to ensure the service is not being used in violation of international or local trade sanctions, anti-bribery, or anti-corruption laws.
Note: We do not proactively “hand over” data. We only share information when we have a verified legal obligation to do so, and we always aim to disclose only the bare minimum required by the specific legal request.
Legitimate Interests
We may process your data when it is in our legitimate business interests to do so, provided these interests do not override your fundamental rights. This includes:
- Human Support: If you open a support ticket, we may access your account metadata to troubleshoot. We will typically ask for your express permission before accessing sensitive business data.
- Fixing Critical Errors: On rare occasions, if an automated process fails, we may look at the minimum amount of data necessary to fix the root cause and restart the process.
- Customer Engagement: Sending you updates about new features, tips on using the software, or asking for your feedback via surveys so we can improve the service.
- Platform Security: Monitoring for cyber-attacks, unauthorized use of the system, and ensuring business continuity through secure backups.
- Business Operations: Using aggregate data (non-identifiable) for internal budgeting, service performance reporting, and professional advice from our own legal or accounting teams.
- Data Optimization & Infrastructure: We may use aggregated, non-identifiable location data (such as City and Country) from your business profile to determine the placement of future server nodes. This ensures we continue to provide high-speed, low-latency access as our community grows.
- Protecting Our Rights: Taking action to defend our legal rights if the service is misused or if there is a breach of our Terms of Service.
- Data Privacy Commitment
- No Data Selling: We do not—and will never—sell, rent, or trade your personal or business data to third parties for marketing or advertising.
- Minimal Disclosure: We only share the bare minimum data required if compelled by a legally binding government order or for a mandatory tax audit of our own
- No Data Mining: We do not use your financial data or User Audit Logs to build profiles for third-party business intelligence.
4. Third-Party Services
We use a small number of trusted partners to help run Acci.cloud. Each partner is carefully chosen for their security standards:
- Infrastructure: We use professional Cloud Hosting Providers (such as Vultr or similar) to host our servers and databases. These providers maintain high physical and digital security standards.
- Payments: We do not store or see your full credit card number; that is handled entirely by the payment processor. Currently, our primary Payment Processor is Dodo Payments or Creem (creem.io). Your payment data is handled according to their Privacy Policy and terms.
- Payment Collection (Stripe): When your customers use the “Pay Now” feature, their payment data (credit card numbers, billing addresses) is collected and processed directly by Stripe. Acci.cloud does not see or store full credit card numbers or sensitive PCI-regulated data. We only receive a “Token” or status notification (e.g., “Paid”) from Stripe to update your invoice records within the app.
- Email: We use specialized email delivery services to send account notifications and support updates.
5. Cookies and Security Tracking
Acci.cloud uses cookies and similar technologies to manage your identity session and ensure the security of your data.
- Authentication & Session Management: We use Keycloak, an industry-standard identity management system, to handle your login. Keycloak stores encrypted session cookies on your device to keep you authenticated as you navigate through the platform. These cookies do not contain your password.
- Security Protection: Some cookies are used specifically to prevent security attacks (such as CSRF). These are essential for the protection of your business data.
- Functional Preferences: We may use local storage or cookies to remember your UI preferences, such as your sidebar position or active project filters.
- Managing Cookies: You can disable cookies in your browser; however, since our cookies are required for identity verification and security via Keycloak, you will not be able to log in or use the service without them enabled.
6. Data Residency & Infrastructure
Acci.cloud is hosted on high-performance infrastructure distributed across the United States (Los Angeles, Dallas, and New York). This strategic geographic coverage ensures low-latency access and localized performance for businesses across the country.
- Physical Security: Our servers are located in world-class data centers that meet the highest industry standards, including ISO 27001 and SOC 2 Type II certifications, ensuring rigorous independent audits of their security protocols.
- Network Protection: We utilize the high-speed HostHatch 40 GbE network, featuring localized peering and DDoS protection to ensure your business data remains available and secure from external threats.
- Logical Isolation: Even though we use Virtual Private Servers (VPS), we maintain your data in an Isolated Database architecture. This means your business records are logically separated from all other users, ensuring no cross-contamination of data.
7. Security & Architecture
Acci.cloud is built as a “hard target” for data breaches:
- Encryption in Transit (HTTPS/TLS): All data transmitted between your device and our servers is encrypted using Industry-Standard TLS (Transport Layer Security). This ensures that sensitive information, such as financial records and payroll data, cannot be intercepted or read by unauthorized third parties during transmission. We enforce HTTPS-only connections across all our services.
- Identity Management (Keycloak): We utilize Keycloak, a premier open-source identity and access management solution, to handle all user authentication.
- Password Protection: Your passwords are never stored in plain text; they are hashed and salted using robust cryptographic algorithms within the Keycloak environment.
- Session Security: Keycloak manages secure, encrypted session tokens that protect your account from unauthorized access and session hijacking.
- Isolated Databases: Your business data is stored in a dedicated, isolated database instance. Acci.cloud ensures your data is logically and architecturally separated from other users, providing an extra layer of privacy and security.
- Granular Role-Based Access: Access is governed by specific permissions. You can assign multiple roles to a single user (e.g., combining “Accountant” and “Payroll” roles) to match their specific responsibilities. This ensures that users only have access to the data modules necessary for their work.
- Field-Level Encryption: High-sensitivity data (EIN, SSN, Bank Account Number, Bank Routing Number, and Pay Rates) is encrypted at rest using AES-256. Even in the unlikely event of unauthorized database access, this sensitive information remains unreadable.
- Data Masking: To prevent “over-the-shoulder” exposure, sensitive identifiers remain masked on the screen until an authorized user chooses to reveal them.
8. User Responsibilities
While Acci.cloud provides a high-security environment for your data, the security of your account also depends on your actions.
- Safeguarding Credentials: It is your responsibility to safeguard your login information and control third-party account access. We recommend using unique, complex passwords and rotating them regularly.
- Legal Consent: You are responsible for ensuring you have made suitable disclosures and obtained all necessary consents (such as from employees, suppliers, or clients) before uploading their personal or financial data to Acci.cloud. You agree that you are the Data Controller for such information under applicable privacy laws (including the PDPA).
- Managing Permissions: You are responsible for the roles and permissions you grant to others (e.g., your accountant or payroll staff). You can revoke or change these permissions at any time within your account settings.
- Manual Data Handling: Acci.cloud does not connect directly to your bank accounts. You are responsible for the security of the bank statement files (CSV) you export from your banking institution. Once uploaded, these files are stored in your Isolated Database, but you remain responsible for deleting the local copies from your own computer or device to prevent unauthorized access.
9. Export Data
We believe your data belongs to you. You have the right to export a copy of your business records at any time during an active subscription.
- Data Export (CSV): Our export functionality allows you to download your data in CSV format, including financial transactions, account balances, stock balances, chart of accounts, and records for items, customers, vendors, and employees. You may also export project, phase, and task records; inventory, sales, purchase, and payment transactions; and employee expenses, advances, reimbursements, and payroll records.
- Image Files: Please note that uploaded files (such as employee/customer photos or images of bills and expense receipts) are not included in the bulk CSV export. These files remain available for manual download via the application interface throughout your active subscription period.
- Our Recommendation: To ensure you meet your local legal and tax obligations (such as the 5–10 year retention requirement), we strongly recommend that you use the Export Functionality regularly to maintain a local backup of your data.
- Final Export: Before canceling your subscription or requesting account deletion, please ensure you have performed a final export. Once the 60-day purge window has passed, we will be unable to recover or provide copies of any data.
10. Data Retention & Deletion
We believe that you should have full control over your business data. Our retention policy is designed to balance your right to be forgotten with the practicalities of business continuity.
- Account Cancellation: If you cancel your subscription, your data will remain accessible until the end of your current billing cycle. After this period, your account will enter a “Deactivated” state for 30 days to allow for easy reactivation should you change your mind.
- Permanent Deletion: If you choose to manually delete your account or request a permanent purge, your data will be flagged for removal and permanently deleted from our active production databases within 60 days.
11. Non-Payment and Account Suspension
Acci.cloud is a subscription-based service. To ensure the continuity of your business records, we handle non-payment as follows:
- Grace Period: In the event of a failed subscription payment, we provide a 7-day grace period during which your service remains fully active to allow for billing updates.
- Suspension: If an account remains unpaid after the grace period, access to the application will be suspended. Your data will remain securely stored and isolated, but you will not be able to access your documents or reports until the balance is settled.
- Automatic Deletion for Non-Payment: Accounts that remain in a suspended or unpaid status for more than 60 consecutive days will be considered abandoned. At this point, the account and all associated data (including the isolated database) will be flagged for permanent removal and purged from our systems as part of our data minimization and security protocols.
- Final Notification: We will attempt to notify you via your registered email address before the final 60-day purge occurs. Once the 60-day period has passed and the purge is complete, data cannot be recovered.