Privacy Policy

1. Information We Collect

We collect information you provide directly: account details (name, email, organization), compliance data you create within the platform, and documents you upload as evidence.

We automatically collect technical data: IP address, browser type, device information, and usage analytics to improve the Service.

2. How We Use Your Information

We use your information to: provide and maintain the Service; authenticate your identity; process your compliance workflows; generate reports; send service notifications; and improve the platform.

We do not sell, rent, or share your personal information with third parties for marketing purposes.

3. Data Isolation & Security

Each organization's data is stored in a fully isolated tenant environment. Your compliance data, documents, and configurations are never accessible to other organizations or users outside your account.

We implement industry-standard security measures including encryption at rest and in transit, regular security audits, and access controls to protect your data.

4. AI Processing & LLM Data

When you use AI features, data is sent to the third-party AI provider associated with the API keys you configure (e.g., OpenAI, Anthropic). We do not store AI prompts or responses beyond what is necessary for the feature to function.

You control which AI provider processes your data by choosing and configuring your own API keys. No data is sent to AI providers without your explicit action.

5. Cookies & Tracking

We use essential cookies for authentication and session management. We may use analytics cookies to understand how the Service is used. You can control cookie preferences through your browser settings.

6. Data Retention

We retain your data for as long as your account is active. Upon account termination, you have 30 days to export your data. After this period, data is permanently deleted from our systems, including all backups, within 90 days.

7. Your Rights

You have the right to: access your personal data; correct inaccurate data; export your data in standard formats; request deletion of your data; and object to certain processing activities.

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

8. International Data Transfers

Your data may be processed in countries outside your own. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws, including GDPR.

9. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before they take effect.

11. Contact

If you have questions about this Privacy Policy or your data, please contact our Data Protection Officer at [email protected].