Privacy Policy
v1.1.0
March 19, 2026
1. Introduction
Bee Interviewed Limited, trading as "AcornCloud" (hereinafter referred to as "AcornCloud", "we", "us", "our") is the data controller responsible for personal data collected through our early years childcare management platform, the AcornCloud application, the Parents Portal application, and associated services (collectively, the "Platform"). We are committed to transparent, lawful, and fair processing of personal data in full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Data Protection Act 2018, and all applicable Irish and EU data protection legislation.
This Privacy Policy ("Policy") sets out the legal basis on which we collect, use, store, share, and protect personal data. It applies to all individuals whose data we process as a controller, including representatives of childcare services and organisations that subscribe to AcornCloud ("Customers"), users of the Platform including service managers and room staff ("Staff Users"), parents and guardians accessing the Parents Portal ("Parent Users"), prospective customers and enquirers ("Prospects"), and visitors to our website at acorncloud.app ("Website Visitors").
Where AcornCloud processes personal data on behalf of a Customer acting as data controller (for example, children's developmental records, attendance logs, or incident reports entered by the Customer's staff), AcornCloud acts solely as a data processor under a separate Data Processing Agreement ("DPA"). This Policy does not govern that processor-mode activity. Customers with queries about how their service's data is handled should refer to their DPA or contact AcornCloud directly.
Questions about this Policy? Contact our Data Protection team at privacy@acorncloud.net
2. Definitions
Term
Definition
3. Categories of Personal Data We Collect
The personal data we collect varies depending on how you interact with the Platform. We only collect data that is adequate, relevant, and limited to what is necessary for the purposes described in this Policy.
3.1 Customer and Prospect Data
When a childcare service or organisation enquires about or subscribes to AcornCloud, we collect:
Name, job title, and role within the organisation
Work email address and telephone number
Organisation name, address, and registration details
Billing information including payment card details (processed securely via our payment processor, Stripe)
Communication records including emails, call notes, and demo recordings
Subscription and account management information
3.2 Staff User Data
When a Staff User accesses the Platform, we collect and process:
Name, work email address, and staff role
4-digit access PIN used for Room Lounge authentication
Login session data including timestamps, IP address, and device type
Usage and activity data generated while using the Platform (including features accessed, actions taken, and session duration)
Training records, qualifications, and employment-related documentation uploaded by the Customer
Leave applications and scheduling information
3.3 Parent User Data
When a Parent User accesses the Parents Portal, we collect:
Name, email address, phone number, and home address
Relationship to enrolled child(ren)
Login credentials and account authentication data
Digital signatures applied to incident reports, medicine records, and consent forms
Messages sent via the in-app messaging system
Payment information where in-app billing is enabled by the Customer
Collector information (authorised persons added by the parent for child collection)
3.4 Website Visitor Data
When you visit acorncloud.app, we may collect automatically:
IP address and approximate geographic location
Browser type, version, and operating system
Pages visited, links clicked, and time spent on the Website
Referral source (e.g., search engine or referring website)
Cookie and tracking data as described in our Cookie Policy
3.5 Data We Do Not Collect as Controller
AcornCloud does not, in its capacity as data controller, collect or use children's personal data, children's developmental records, learning observations, photographs of children, medical histories, immunisation records, or any other data entered by Customers or their staff into the Platform about enrolled children. This data is processed solely as a data processor on behalf of the relevant Customer.
4. Legal Basis for Processing
AcornCloud relies on the following legal bases under Article 6 GDPR to process personal data in its capacity as controller:
4.1 Performance of a Contract
We process the personal data of Customer representatives and Staff Users where processing is necessary to provide the Platform services under our subscription agreement. This includes account creation, platform access, billing, and customer support.
4.2 Legitimate Interests
We rely on our legitimate interests in the following circumstances, having assessed that such interests are not overridden by the rights and interests of data subjects:
Analysing Platform usage to understand how features are used and to improve the product
Monitoring system security and detecting fraudulent or unauthorised activity
Sending service-related communications to existing customers
Contacting business-to-business prospects via professional email or LinkedIn in the context of their role
Quality assurance, including reviewing support interactions for training and service improvement
Retaining contact records following the end of a customer relationship for a reasonable period
4.3 Compliance with Legal Obligations
We may process personal data where we are required to do so under applicable law, including Irish tax and employment law, GDPR accountability obligations, or directions from regulatory bodies such as the Data Protection Commission.
4.4 Consent
Where we rely on consent as a legal basis, for example for marketing communications, non-essential cookies, or optional call recordings, we will seek your consent separately and clearly. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
5. How we use your data
We use personal data for the following specific purposes:
5.1 Delivering and Managing the Platform
We use personal data to provision and maintain Platform accounts, authenticate users, provide customer support, process subscription payments, manage billing, and communicate with Customers about their accounts, service updates, and contractual matters.
5.2 Product Development and Improvement
We analyse usage and activity data from Staff Users and Parent Users in aggregated or pseudonymised form to understand how the Platform is used, identify friction points, prioritise new features, and improve existing functionality. Where we generate insights from usage data, we take steps to ensure the data cannot reasonably be attributed to individual users. Anonymised or fully aggregated data falls outside the scope of the GDPR and may be used and published by AcornCloud without restriction.
5.3 Security and Fraud Prevention
We process login data, session information, and usage patterns to detect and prevent unauthorised access, data breaches, account takeover, and other security incidents. We may share relevant data with our security sub-processors for this purpose.
5.4 Marketing and Sales
We may use contact details of Customers and Prospects to send relevant marketing communications about AcornCloud features, updates, events, and industry news. We will always provide an unsubscribe mechanism. We do not sell personal data to third parties for marketing purposes.
5.5 Legal and Regulatory Compliance
We may process and retain personal data where required by law, including to respond to lawful requests from public authorities, to enforce our contractual rights, or to establish, exercise, or defend legal claims.
5.6 AI-Assisted Features
The Platform includes AI-assisted functionality, including AI-generated content suggestions for broadcasts, lesson plans, messaging, and compliance documents. Where an individual enters text or data that is submitted to an AI model, that input is processed solely to generate the requested output and is not retained by the AI sub-processor beyond the immediate session. AcornCloud does not use children's data or sensitive data from the Platform to train AI models.
6. How we share your data
AcornCloud does not sell, rent, or trade personal data. We share personal data only in the following limited circumstances:
6.1 Sub-Processors
We use carefully selected third-party service providers ("sub-processors") to support the delivery of the Platform. All sub-processors are bound by data processing agreements that restrict their use of personal data to the purposes for which it was shared. Our current sub-processors include providers of the following categories of service:
Cloud infrastructure and hosting (European-region data centres where applicable)
Payment processing (Stripe Payments Europe Ltd.)
Customer relationship management and sales operations
Customer support and in-app communication
Email delivery and marketing automation
Website analytics and optimisation
AI content generation (for features described in Section 5.6)
Video call and recording tools (where consented)
6.2 Legal Requirements
We may disclose personal data to competent authorities, including An Garda Síochána, the Data Protection Commission, TUSLA, Revenue Commissioners, or courts of law, where we are required to do so under applicable law or a binding legal order. We will, where lawfully permitted, notify affected individuals of such disclosures.
6.3 Business Transfers
In the event of a merger, acquisition, asset sale, or restructuring involving AcornCloud, personal data held by us may be transferred to the successor entity. Affected individuals will be notified in advance of any such transfer, and the successor entity will be required to honour this Policy or provide equivalent protections.
6.4 Group Entities
AcornCloud may share personal data with affiliated entities within its corporate group for the purposes of internal administration, support, or product development, subject to equivalent data protection standards.
7. International Data Transfers
AcornCloud stores and primarily processes data within the European Economic Area ("EEA"). Where we engage sub-processors that transfer personal data outside the EEA, we ensure that appropriate safeguards are in place before any such transfer occurs, in accordance with Chapter V of the GDPR. Safeguards we rely on include:
Adequacy decisions made by the European Commission
Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914
Binding Corporate Rules where applicable
Certification under recognised transfer frameworks, such as the EU-U.S. Data Privacy Framework
AcornCloud will not transfer personal data to a third country or international organisation unless the transfer complies with Chapter V GDPR. Customers may request a list of sub-processors and applicable transfer mechanisms by contacting privacy@acorncloud.net.
8. Data Retention
AcornCloud retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply:
Category
Period
At the end of the applicable retention period, personal data is securely deleted or anonymised. Anonymised data is no longer personal data and may be retained indefinitely for statistical or analytical purposes.
9. Security Measures
AcornCloud applies appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. Our security practices include:
Encryption of data in transit using TLS 1.2 or higher
Encryption of data at rest using industry-standard algorithms
Role-based access controls (RBAC) limiting access to personal data to authorised personnel only
Staff training on data protection and information security
Regular security assessments, vulnerability scanning, and penetration testing
Incident response and breach notification procedures compliant with Articles 33 and 34 GDPR
Secure 4-digit PIN authentication for Room Lounge access, unique to each staff member
No system is completely immune to security risks. While we invest significantly in security, we cannot guarantee absolute security of data transmitted over the internet. In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the Data Protection Commission within 72 hours of recognising the breach and, where required, notify affected individuals without undue delay.
10. Your Data Protection Rights
Data subjects whose personal data AcornCloud processes as a controller have the following rights under the GDPR, which AcornCloud will honour without undue delay and within one calendar month of receiving a valid request (extendable by a further two months where the request is complex or numerous):
Right of Access (Article 15)
You have the right to obtain confirmation of whether AcornCloud processes your personal data and, if so, to receive a copy of that data together with information about the processing.
Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete personal data completed without undue delay.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where consent has been withdrawn and there is no other legal basis, where you have objected to processing under Article 21 and there are no overriding legitimate grounds, or where the data has been unlawfully processed. This right is subject to exceptions, including where processing is necessary for compliance with a legal obligation or the establishment of legal claims.
Right to Restriction of Processing (Article 18)
You have the right to request that we restrict processing of your personal data in certain circumstances, for example while the accuracy of the data is contested or an objection under Article 21 is pending.
Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object (Article 21)
You have the right to object at any time to processing based on our legitimate interests, including profiling, and to object to processing for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately. Where you object to other legitimate interests-based processing, we will cease unless we can demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
To exercise any of the above rights, please submit a written request to privacy@acorncloud.net. We may require verification of your identity before processing the request. We will not charge a fee for requests unless they are manifestly unfounded or excessive.
11. Cookies and Tracking Technologies
AcornCloud uses cookies and similar tracking technologies on its Website and, to a limited extent, within the Platform. Cookies are small text files stored on your device that help us recognise you, remember your preferences, and understand how you use our services.
We use the following categories of cookies:
Strictly Necessary Cookies: Required for the Platform to function. These cannot be disabled without affecting core functionality.
Functional Cookies: Allow us to remember your preferences and personalise your experience.
Analytics Cookies: Help us understand how users navigate the Website and Platform, so we can improve them. These are only set where you have given consent.
Marketing Cookies: Used to deliver relevant advertising and measure campaign effectiveness, only where consented.
On your first visit to the Website, you will be presented with a cookie consent banner. You may accept all, reject non-essential, or customise your choices. You may update your preferences at any time via the cookie settings link in the Website footer. For a full list of cookies we use, please refer to our Cookie Policy.
12. Children and our Services
The Platform is a business-to-business service and is not directed to children. AcornCloud does not knowingly collect personal data directly from any individual under the age of 16 in its capacity as data controller. Individuals under 16 may not create an account or use the Platform directly.
Children's personal data entered by Customers into the Platform (for example, attendance records, medical information, developmental observations) is processed by AcornCloud solely as a data processor on behalf of the Customer, under the terms of the applicable DPA. AcornCloud exercises no independent control or discretion over such data. Responsibility for ensuring lawful processing of children's data within the Platform rests with the Customer as controller.
13. Customer Obligations as Data Controllers
Where Customers enter personal data into the Platform, including data about enrolled children, staff, and parents, they act as independent data controllers in respect of that data. AcornCloud's role is solely as a processor under the DPA. Customers are responsible for:
Ensuring they have a valid legal basis for processing all personal data entered into the Platform
Providing appropriate privacy notices to parents, guardians, and staff whose data they input
Responding to data subject rights requests relating to data they control
Ensuring compliance with TUSLA, Pobal, and other applicable regulatory requirements relating to data kept on children and staff
Maintaining accurate records of processing activities in accordance with Article 30 GDPR
AcornCloud provides functionality to assist Customers in meeting their compliance obligations, including consent tracking, audit trails, and access controls. However, the use of these tools does not relieve Customers of their independent legal responsibilities as data controllers.
14. Data Processing Agreement
AcornCloud and each Customer are required to operate under a Data Processing Agreement ("DPA") that governs the processing of personal data by AcornCloud in its capacity as data processor. The DPA sets out the subject matter, duration, nature, and purpose of the processing, the type of personal data and categories of data subjects involved, and the obligations and rights of the Customer as controller.
The DPA is incorporated by reference into AcornCloud's standard Terms of Service. By subscribing to and using the Platform, Customers confirm acceptance of the DPA. A copy of the current DPA is available upon request from privacy@acorncloud.net or may be provided as a schedule to the subscription agreement.
15. Changes to This Policy
AcornCloud reserves the right to update this Policy at any time. We will indicate the version number and the date of the most recent update at the top of the document. Where changes are material, we will provide advance notice to Customers via email to the account holder's registered email address and, where applicable, via in-Platform notifications, at least 14 days before the changes take effect.
Continued use of the Platform or Website after the effective date of any revised Policy constitutes acceptance of the updated terms. We encourage you to review this Policy periodically.
16. Contact Us and How to Raise a Concern
AcornCloud is committed to resolving data protection queries and concerns promptly and transparently. If you have any questions about this Policy, about how we handle your personal data, or wish to exercise any of your rights, please contact us using the details below.
Data Controller
Bee Interviewed Limited (trading as AcornCloud)
privacy@acorncloud.net
acorncloud.app
Supervisory Authority
Data Protection Commission (Ireland)
www.dataprotection.ie
info@dataprotection.ie
If you believe we have not adequately addressed your concern, you have the right to contact the Data Protection Commission of Ireland or the supervisory authority in your country of residence or work at any time. Contact details for all EU supervisory authorities are available at edpb.europa.eu.
