1. Introduction and Identity
This Privacy Policy describes how Acre Access, Inc., a Texas corporation ("Acre Access," "Acre," "we," "us," or "our") collects, uses, stores, and discloses information in connection with the Acre platform (the "Platform"). It applies to Outfitters (account holders), Clients (hunters and anglers who pay through the Platform), and visitors who submit Booking Requests. Acre Access, Inc. is the data controller for information collected through the Platform.
| Company | Acre Access, Inc. |
|---|---|
| Registered State | Texas (File No. 806253832, incorporated October 10, 2025) |
| Privacy Contact | support@getacreaccess.com |
| Support Contact | support@getacreaccess.com |
| Address | 1709 Champagne Oak, Canyon Lake, TX 78130 |
2. Scope
This Privacy Policy covers information processed by Acre Access, Inc. in connection with the Platform. It does not cover:
- Information collected directly by Stripe in connection with payment processing or Stripe Connect account onboarding (governed by Stripe's Privacy Policy at stripe.com/privacy);
- Information collected by Outfitters independently from their Clients outside of the Platform;
- Third-party websites linked from the Platform.
3. Information We Collect
3.1 From Outfitters (Account Holders)
When an Outfitter activates an account and uses the Platform, we collect:
| Category | Data |
|---|---|
| Identity | Name, business name, email address, phone number |
| Business profile | Logo, website URL, public booking page slug, business description |
| Financial / payment | Stripe Connected Account ID, Stripe Customer ID, Stripe Subscription ID, plan tier, onboarding status. Credit card and banking data are collected directly by Stripe — we do not receive or store this. |
| Account metadata | Account creation date, invite status, password change status, account activity |
| Dispute metrics | Aggregate dispute counts, payment counts, and dispute rate (calculated from transaction data) for account health monitoring |
3.2 From Clients (via Invoices — Entered by Outfitter)
When an Outfitter creates an invoice for a Client, we store Client information on behalf of the Outfitter. The Outfitter, not Acre Access, Inc., is the primary data controller for this information:
| Category | Data |
|---|---|
| Identity | Name, email address, phone number (optional) |
| Trip details | Hunt type, trip start and end dates, party size (hunter count) |
| Invoice content | Line items, amounts, deposit terms, notes entered by the Outfitter |
| Payment records | Payment amounts, deposit vs. balance type, Stripe payment intent IDs, platform fees, refund amounts and reasons. Credit card data is never stored by Acre Access, Inc. |
| Delivery records | Email delivery status, delivery method, and timestamps for invoice and payment confirmation emails |
3.3 From Prospective Clients (Booking Requests)
When a prospective hunter submits a Booking Request through an Outfitter's public booking page, we collect:
- Name, email address, and phone number;
- Preferred trip dates, party size, and target species (optional);
- Free-text notes (optional). Booking Request data is submitted directly by the individual to Acre Access, Inc.'s servers and is transmitted to the applicable Outfitter. For Booking Requests, Acre Access, Inc. acts as data controller.
3.4 Automatically Collected
- Authentication session data (managed by Supabase's auth system, stored in cookies);
- Standard server logs, including IP addresses and request timestamps (maintained by Vercel, our hosting provider);
- Webhook event IDs from Stripe (stored to prevent duplicate payment processing);
- Browser localStorage data saved temporarily on the Outfitter's or Client's own device (Booking Request form draft data — not transmitted to Acre's servers until submission).
3.5 What We Do Not Collect
- Credit card numbers, CVV codes, or full payment card data — Stripe Checkout handles all card entry;
- Government-issued ID numbers or Social Security Numbers — Stripe collects these directly for KYC on Express accounts;
- Third-party behavioral profiling data or data broker profiles;
- Data from minors (the Platform is not directed to individuals under 18).
4. How We Use Information
| Purpose | Description |
|---|---|
| Payment processing | Initiating Stripe Checkout sessions, recording payments, processing refunds, and managing Connected Accounts. |
| Transactional email | Sending invoice delivery, payment confirmation, payment failure, balance due, and refund emails via Resend. |
| Booking request routing | Transmitting Booking Request details to the applicable Outfitter. |
| CRM / contact management | Automatically creating and updating Outfitter contact records from invoice data. |
| Account management | Authenticating Outfitters, managing account status, and sending administrative communications. |
| Dispute and chargeback handling | Compiling evidence, monitoring dispute rates per Outfitter, and submitting responses to Stripe. |
| Fraud prevention | Detecting duplicate transactions and suspicious activity using webhook idempotency controls. |
| Legal compliance | Meeting Texas and federal tax, financial reporting, and regulatory obligations. |
| Platform improvement | Aggregate, non-identifiable usage analysis to improve the Platform. |
We do not use personal information for behavioral advertising, sale to third parties, or any purpose not described in this Privacy Policy.
5. How We Share Information
5.1 Service Providers
We share information with the following third-party service providers only as necessary to deliver the Platform's services:
| Provider | Information Shared | Purpose |
|---|---|---|
| Stripe, Inc. | Outfitter KYC/banking data, Client email address (pre-filled in checkout), payment amounts, invoice metadata | Payment processing, Stripe Connect account onboarding, KYC/AML compliance |
| Resend | Client name, email; Outfitter name, email; invoice content included in email body | Transactional email delivery |
| Supabase | All Platform data described in Section 3 | Database hosting and authentication |
| Vercel | Request logs, IP addresses | Application hosting and delivery |
When you provide personal information in connection with Acre, Stripe receives that information and processes it in accordance with Stripe's Privacy Policy (stripe.com/privacy).
5.2 Legal and Safety Disclosures
We may disclose information if required by applicable law, regulation, legal process, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of Acre Access, Inc., its users, or the public.
5.3 Business Transfers
In the event of a merger, acquisition, financing, or sale of all or substantially all of Acre Access, Inc.'s assets, personal information held by us may be transferred to the successor entity, subject to the same privacy commitments in this Policy.
5.4 No Sale of Data
Acre Access, Inc. does not sell, rent, or trade personal information to third parties for their own marketing or commercial purposes.
6. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Outfitter account data | Duration of account + 7 years post-termination | Financial record-keeping requirements |
| Invoice and payment records | 7 years minimum | IRS and Texas tax retention requirements |
| Client contact records | Co-extensive with Outfitter account; cascade-deleted upon account deletion | Tied to Outfitter account lifecycle |
| Booking Requests | 2 years from submission or until invoice created, whichever is later | Operational purposes |
| Stripe webhook event IDs | 90 days | Duplicate payment prevention |
| Stripe payment data | Per Stripe's own retention policies, independent of Acre | Stripe controls this independently |
| Email delivery records | Per Resend's data retention settings (configurable) | Email delivery and audit |
7. Cookies and Similar Technologies
The Platform uses the following types of cookies:
| Type | Purpose | Required? |
|---|---|---|
| Authentication (Supabase) | Stores your authenticated session token so you remain logged in across page requests. No tracking or behavioral data is stored. | Yes — Platform cannot function without it |
| Meta Pixel (Meta Platforms, Inc.) | Tracks visits to our marketing website (getacreaccess.com) and measures the effectiveness of our advertising campaigns on Facebook and Instagram. This pixel is deployed on our marketing pages only — not on invoice payment pages (/pay/*) or authenticated dashboard pages. | No — opt out via Meta Ad Preferences |
| Google Ads / Google Analytics (Google LLC) | Tracks visits to our marketing website and measures advertising campaign performance across Google properties. Deployed on marketing pages only — not on payment or dashboard pages. | No — opt out via Google Ad Settings or Google Analytics Opt-Out Browser Add-on |
Marketing pixels (Meta and Google) are deployed exclusively on our public marketing website. They are not present on any page where payment is processed or where authenticated outfitter or client data is displayed. Data collected by these pixels is governed by Meta's and Google's respective privacy policies and is used solely for Acre Access, Inc.'s own advertising measurement and audience targeting. We do not sell pixel-derived data to third parties. For California and Texas residents: We honor Global Privacy Control (GPC) signals on our marketing pages. If you wish to opt out of the cross-context behavioral advertising enabled by marketing pixels, you may do so via the links above or by enabling GPC in your browser.
8. Your Rights and Choices
8.1 Outfitters
Outfitters may exercise the following rights with respect to their account data:
- Access: Request a copy of your account information.
- Correction: Update inaccurate account information through the dashboard or by contacting us.
- Data Export: Export your invoices, contacts, booking requests, and templates as a downloadable archive through the account settings.
- Deletion: Request deletion of your account and associated data, subject to retention requirements for financial records (Section 6).
8.2 Clients (Hunters / Anglers)
Clients' data is entered and controlled by the Outfitter who created the invoice. For data entered into an invoice (name, email, trip details), deletion or correction requests should be submitted directly to the Outfitter. Acre Access, Inc. will facilitate requests when instructed by the Outfitter, or will act independently where required by law. For Booking Request data (where Acre Access, Inc. is the controller), Clients may contact support@getacreaccess.com to request access, correction, or deletion.
8.3 Texas Data Privacy and Security Act (TDPSA)
If the Texas Data Privacy and Security Act (effective July 1, 2024) applies to Acre Access, Inc., Texas residents have the right to:
- Know what personal data we process;
- Access and obtain a copy of their personal data;
- Correct inaccurate personal data;
- Delete personal data;
- Opt out of the sale of personal data, targeted advertising, and profiling in furtherance of legal or similarly significant decisions. Acre Access, Inc. does not sell personal data, engage in targeted advertising, or use automated profiling for legal or significant decisions. We will respond to verified TDPSA requests within 45 days of receipt.
| --- |
8.4 California (CCPA/CPRA)
To the extent the California Consumer Privacy Act (CCPA/CPRA) applies, California residents have the right to know, delete, correct, and opt out of the sale or sharing of personal information. Acre Access, Inc. does not sell or share personal information for cross-context behavioral advertising. Requests may be submitted to support@getacreaccess.com.
8.5 How to Submit a Request
Email support@getacreaccess.com with the subject line "Privacy Request" and describe your request. We will respond within 30 days (45 days for TDPSA requests). We may request verification of your identity before processing requests.
9. Email Communications
Acre Access, Inc. sends transactional emails via Resend on behalf of Outfitters and on its own behalf. Transactional emails are sent automatically on platform events and are necessary for the delivery of the services described in the Terms of Service. These emails are not marketing communications and do not require opt-in consent under CAN-SPAM. Clients receive emails that appear to come from the Outfitter with Acre Access, Inc. disclosed in the email footer. Outfitters receive emails sent directly from Acre Access, Inc. Acre Access, Inc. does not operate a marketing email program. If marketing communications are introduced in the future, we will update this Policy and implement required opt-in mechanisms.
10. Security
Acre Access, Inc. implements technical and organizational measures to protect personal information, including:
- Encryption in transit (TLS/HTTPS) for all data transmissions;
- Encryption at rest via Supabase's default database encryption;
- Row Level Security (RLS) enforced at the database level, ensuring Outfitters can only access their own data;
- Server-side JWT validation for all authenticated requests;
- Webhook signature verification via Stripe webhook signing secrets;
- Payment idempotency controls to prevent duplicate charge processing. Stripe handles all PCI DSS compliance obligations for payment card data. Acre Access, Inc. does not receive or store card numbers, CVV codes, or expiration dates and is not a cardholder data environment. No security measure is 100% effective. In the event of a data breach affecting Client data, Acre Access, Inc. will notify affected Outfitters within 72 hours of discovery and comply with all applicable breach notification requirements.
11. Children's Privacy
The Platform is not directed to individuals under the age of 18 and we do not knowingly collect personal information from minors. If we learn that we have inadvertently collected information from a minor, we will delete it promptly. Contact us at support@getacreaccess.com if you believe we have collected a minor's information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this Policy reflects the most recent revision. For material changes, we will notify affected Outfitters by email at least thirty (30) days before the change takes effect. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy.
13. Contact
For privacy-related questions or requests:
| Company | Acre Access, Inc. |
|---|---|
| Address | 1709 Champagne Oak, Canyon Lake, TX 78130 |
| Privacy Email | support@getacreaccess.com |
| Support Email | support@getacreaccess.com |