Privacy Policy
Last updated: May 2026
Who we are
ACA Notes is a sole trader business based in Ireland, selling printed study notes and digital study tools for Chartered Accountants Ireland (CAI) examinations. References to "we", "us", and "our" in this policy refer to ACA Notes.
For data protection purposes, ACA Notes is the data controller for personal data collected through this website.
Contact: info@acanotes.com
What data we collect and why
When you make a purchase
When you place an order, your payment is processed by Stripe. We do not store your card details. Stripe collects and processes payment data under its own privacy policy and in compliance with PCI-DSS.
As part of the checkout process, we collect:
- Your name and email address (from Stripe Checkout)
- Your delivery address for physical orders
- Order details (products purchased, amount paid)
This data is used to fulfil your order, send purchase confirmation and fulfilment emails (including ACA Notes Tutor access links), and handle any queries or refund requests.
Legal basis: Contract performance (Article 6(1)(b) GDPR).
ACA Reader access and product protection
If you purchase ACA Reader access, we may process Reader account and usage data to provide your purchased modules, keep your access secure, track study progress, save bookmarks, support subject search, and protect the digital study materials from misuse.
Reader product-protection data may include account access events, device and session activity, module access, protected page activity, search and bookmark activity, and usage patterns that may indicate sharing, scraping, copying, automated access, or other misuse.
This data is used to operate the Reader, protect the product, investigate suspected abuse, and apply proportionate access controls where needed, such as re-authentication, session restrictions, blocked protected actions, or account review.
Legal basis: Contract performance (Article 6(1)(b) GDPR) where processing is needed to provide purchased Reader access, and legitimate interests (Article 6(1)(f) GDPR) for account security, abuse prevention, and protection of ACA Notes intellectual property.
Email communications
We send transactional emails related to your purchase — order confirmation (via Stripe), fulfilment emails (via Resend), and any support correspondence. We do not send marketing emails without your separate consent.
If you request sample notes, we use your email address to send the requested sample information and relevant ACA Notes study resources.
Website usage and analytics
We use PostHog for website analytics. PostHog is hosted in the EU (Frankfurt, Germany). Analytics operates at two levels:
- Anonymous analytics (no consent required): By default, PostHog collects anonymous, cookieless usage data — page views, general browsing patterns, and aggregated funnel metrics. No cookies are set and individual visitors cannot be identified across sessions. Legal basis: legitimate interest (Article 6(1)(f) GDPR).
- Cookie-based analytics (consent required): If you accept analytics cookies, PostHog enables session replays, heatmaps, and cross-session identification using cookies. These features are only activated after explicit consent. Legal basis: consent (Article 6(1)(a) GDPR).
You can manage your analytics cookie preferences at any time via the "Cookie Preferences" link in the site footer. See our Cookie Policy for full details.
PostHog's privacy policy: posthog.com/privacy
Google and Microsoft Ads measurement
We use the Google Tag (gtag.js) and Google Ads conversion tracking to measure whether advertising leads to sample requests, checkout starts, cart activity, and purchases. The tag is loaded in Google Consent Mode V2 with advertising and analytics storage denied by default. Marketing consent is separate from analytics consent.
If you grant Marketing consent, Google may use Google Ads cookies and click identifiers such as gclid, gbraid, and wbraid to attribute conversions. For purchases, our Stripe webhook may upload forward-flowing offline conversions to Google Ads using stored click identifiers, transaction value, currency, and consent metadata.
We also use Microsoft Advertising Universal Event Tracking (UET) to measure the same storefront conversion events. Microsoft UET is not loaded until Marketing consent is granted. If you arrive from a Microsoft ad, we may store the msclkid click identifier for checkout attribution in the same way as other ad click identifiers.
Where Marketing consent permits it, we may use Enhanced Conversions by sending Google a SHA-256 hash of a normalised email address, never the plaintext email. For purchases this hash is only returned to the order-success page when Marketing consent was granted at checkout.
If matched-audience advertising such as Google Customer Match is used in future, it will only use email addresses collected with separate explicit permission, and only in hashed form.
Legal basis for marketing and advertising tracking: Consent (Article 6(1)(a) GDPR).
Who we share data with
We share data only with third-party services essential to operating this business:
- Stripe — payment processing. Your payment data is handled by Stripe under its own privacy policy and in compliance with PCI-DSS. Stripe may transfer data outside the EU, subject to appropriate safeguards.
- Resend — transactional email delivery for fulfilment emails. Only your email address and the content of the email are shared.
- Cloudflare — website hosting and delivery. Cloudflare processes request data as part of serving the site. See Cloudflare's privacy policy for details.
- PostHog — website analytics. Hosted in the EU (Frankfurt). Collects anonymous usage data by default; richer analytics data after consent. See PostHog's privacy policy.
- Google — Google Tag, Google Ads conversion measurement, Consent Mode V2, Enhanced Conversions, offline conversion uploads, and consented matched-audience advertising where separately authorised. Google may process data outside the EEA under its applicable transfer safeguards.
- Microsoft — Microsoft Advertising UET conversion measurement where Marketing consent has been granted. Microsoft may process data outside the EEA under its applicable transfer safeguards.
We do not sell or rent your personal data. We only share marketing or advertising measurement data with Google or Microsoft when the relevant consent has been granted.
How long we keep data
Order records are retained for 7 years in compliance with Irish tax and accounting obligations. Email communications are retained for as long as necessary to support customer service and refund requests.
You may request deletion of your data at any time, subject to our legal retention obligations.
Your rights
Under GDPR, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data, where we have no legal obligation to retain it
- Object to certain processing
- Receive your data in a portable, machine-readable format
- Lodge a complaint with the Data Protection Commission (Ireland) if you believe your rights have been infringed
To exercise any of these rights, email info@acanotes.com. We will respond within 30 days.
Security
This website is served over HTTPS. Payment processing is handled entirely by Stripe — we do not handle, store, or transmit card data. Order and customer data stored in Stripe is subject to Stripe's security standards.
Changes to this policy
We will update this policy if our data practices change. The "last updated" date at the top of this page will reflect the most recent revision. For significant changes, we will take reasonable steps to notify affected users where possible.
Contact
For any privacy-related questions, email info@acanotes.com.
You may also contact the Data Protection Commission (Ireland) at dataprotection.ie.