Effective Date: October 8, 2025
Last Updated: October 8, 2025
Version 1.1
1. About AcudocX
AcudocX USA, Inc. (“AcudocX USA,” “we,” “us,” or “our”) is a Delaware corporation headquartered in Colorado with affiliated operations in Australia.
We provide certified translation and document-processing services for businesses that assist consumers across the United States and world.
Our work often involves highly sensitive personal information, including identification, immigration, educational, and medical records.
This Policy describes how we collect, use, disclose, protect, and retain personal information, and how individuals may exercise their rights under applicable privacy laws.
2. Scope and Applicability
This Policy applies to all personal information we process through:
-
Websites: acudocx.com, acudocx.com.au, immitranslatingservice.com.au, trustedvisatranslations.com, certifiedimmigrationtranslations.com
-
Online forms, document-upload portals, chat, scheduling, and account creation tools
-
Communications via email or telephone with our support or translator network
AcudocX USA primarily acts as a service provider / processor on behalf of business clients (controllers). We act as a controller for information about our own corporate customers, vendors, translators, and website visitors.
3. Notice at Collection
| Category of Personal Information | Examples | Purpose of Use | Retention Period | Sold or Shared? |
|---|---|---|---|---|
| Identifiers | Name, email, phone, billing and shipping address, account ID | Account setup, billing and support | 7 years (post-transaction for tax records) | No |
| Sensitive personal information | Documents containing SSNs, passports, immigration or medical data | Translation services only (with confidentiality protections) | 30 days then secure deletion | No |
| Financial information | Payment card details (processed via Stripe) | Payment processing | Stripe retains per PCI standards | No |
| Internet / network activity | IP address, browser type, pages visited | Site security and analytics | 24 months (maximum) | No |
| Geolocation (coarse) | City/region based on IP address | Fraud prevention | 24 months | No |
| Professional / employment | Translator qualifications, certifications | Contractor management | Duration of contract + 7 years | No |
We never sell or share personal information for monetary or advertising purposes.
4. Legal Bases for Processing (GDPR / UK GDPR)
When processing data subject to the GDPR or UK GDPR, we rely on the following lawful bases:
-
Contract performance: to provide requested translations.
-
Legal obligation: to maintain records or respond to lawful requests.
-
Legitimate interests: to secure systems, prevent fraud, and improve services.
-
Consent: for optional communications or where required for sensitive-data handling.
You may withdraw consent at any time without affecting prior lawful processing.
5. Information We Collect
We may collect:
-
Directly from you or our clients: personal and sensitive information contained in uploaded documents or forms.
-
Automatically: usage metrics, IP address, device type, operating system, and session data via cookies and logs.
-
From third parties: payment processors (Stripe), cloud hosts (AWS), and customer management tools.
6. Cookies and Tracking Technologies
We use first-party and limited third-party cookies to:
-
Maintain session security
-
Measure website performance
-
Remember user preferences
We do not use cookies for behavioural advertising.
You may adjust browser settings to refuse cookies or clear them at any time.
Our websites honour Global Privacy Control (GPC) signals where technically feasible.
7. How We Use Personal Information
-
To deliver translation and document processing services
-
To communicate with clients and translators
-
To process payments and maintain financial records
-
To comply with laws, regulations, and contracts (including HIPAA where applicable)
-
To ensure security and prevent fraud or abuse
-
To improve our platform functionality and customer experience
-
For optional business-to-business marketing (with opt-out mechanism)
We never use translation content to train AI models.
8. AI and Machine Learning Use
-
AI tools assist human translators and clients by suggesting draft translations.
-
Models operate within a segregated environment; no uploaded document data is retained for training.
-
All final translations undergo human review and certification.
-
AI outputs are audited for accuracy and bias under the NIST AI Risk Management Framework.
9. Disclosure of Information
We disclose data only to:
-
Service providers / sub-processors: AWS, Stripe, Zendesk, and CRM vendors under written contracts with confidentiality and security requirements.
-
Translators and contractors: bound by codes of ethics, NDAs and data-handling clauses.
-
Affiliates and subsidiaries: for internal administration.
-
Regulators or law enforcement: when legally required.
-
Business successors: in mergers or reorganisations subject to equivalent protections.
We prohibit our service providers from using information for their own purposes.
10. Sensitive Personal Information and Limitation of Use
Sensitive information (e.g., passport numbers, medical records, racial or ethnic data) is processed only to provide translation services requested by our clients.
We do not use such information for marketing or profiling and limit employee access on a need-to-know basis.
Individuals may request that use be further restricted by contacting privacy@acudocx.com.
11. Data Retention and Deletion
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Translation documents | 30 days from completion of service | Encrypted erasure and verified deletion logs |
| Account records and billing data | 7 years (post-transaction) | Secure archival per tax law |
| Analytics logs | 24 months max | Automatic purge cycle |
| Contractor agreements and qualifications | Contract term + 7 years | Secure erasure or archival |
| Security logs / incident reports | Up to 7 years | Secure deletion after expiry |
Data is deleted or de-identified once no longer needed for legal or business purposes.
12. Data Security Measures
We apply administrative, technical, and physical controls including:
-
Encryption in transit (TLS 1.2+) and at rest (AES-256)
-
Multi-factor authentication and role-based access
-
Data segregation between clients
-
Continuous logging and monitoring
-
Periodic penetration testing and staff training
-
Written Incident Response Plan and Breach Notification Procedure
13. Breach Notification Procedure
If a data incident creates risk of harm, we will notify affected clients and regulators as required by law and our contracts (typically within 72 hours for EU/UK residents or without unreasonable delay for U.S. states).
14. International Transfers
Data may be processed in the United States and Australia.
For cross-border transfers, we use:
-
Standard Contractual Clauses (SCCs) for EEA/UK data, with Transfer Impact Assessments.
-
Australian Privacy Principles (APP 8) compliance statements for cross-border disclosure.
-
Vendor agreements requiring equivalent safeguards.
15. Your Privacy Rights
Depending on your jurisdiction, you may have the right to:
-
Know what personal information we collect and why
-
Access and receive a copy of your data
-
Correct inaccurate data
-
Delete personal information
-
Limit use of sensitive personal information
-
Opt out of sale or sharing (we do not sell or share)
-
Port your data to another provider
-
Appeal a denied request
How to Exercise Your Rights
Submit a request to privacy@acudocx.com.
We verify your identity and respond within 45 days (extendable by another 45 days when necessary).
Appeals: If you disagree with our response, email privacy@acudocx.com with “Privacy Appeal” in the subject line. A Privacy Officer will review within 45 days.
We will not discriminate for exercising any privacy right.
16. HIPAA and Government Contractor Compliance
Where we process protected health information (PHI) for a HIPAA-covered entity, we act as a Business Associate and enter into a Business Associate Agreement (BAA).
We maintain HIPAA-aligned security controls and training for personnel with access to PHI.
For federal or state contracts, we comply with applicable privacy and security clauses (e.g., FAR 52.224-1 and -2).
17. Children’s Privacy
Our services are intended for adults. We do not knowingly collect data from children under 13 (16 in the EEA). If we discover such data, we delete it immediately upon notification.
18. Privacy by Design and Accountability
We conduct privacy impact assessments for new systems and AI features, maintain records of processing activities, and train staff on data protection obligations.
Regular audits ensure ongoing compliance and continuous improvement.
19. Policy Updates and Version Control
We may update this Policy periodically. Material changes will be announced by email or website banner at least 30 days before they take effect.
Archived versions are available upon request.
20. Contact Information
AcudocX USA, Inc.
Attn: Privacy Officer
Email: privacy@acudocx.com
Mail: 2000 Central Ave, Suite 100, Boulder, Colorado, United States 80301
For EU/UK data subjects, our representatives may be contacted at info@acudocx.com.
Australian residents may contact the Office of the Australian Information Commissioner (OAIC).
21. Summary of Key Compliance Features
| Framework | Implemented Measures |
|---|---|
| CCPA / CPRA | Notice at Collection table, 30-day deletion policy, no sale/share statement, appeal procedure |
| Colorado CPA / Virginia VCDPA | Verified request mechanisms and rights of correction and appeal |
| GDPR / UK GDPR | Lawful bases, data-subject rights, SCCs for transfers, privacy impact assessments |
| HIPAA | Business Associate Agreements, access controls, audit logging |
| Australian APPs | Cross-border disclosure statement and access/correction rights |
| AI Governance | Human review mandate, bias testing, NIST AI RMF alignment |
