
Privacy Policy

Last updated: March 26, 2026

Trace ("we", "us", or "our") operates the Tracehub platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

1. Information we collect

We collect information you provide directly to us when you create an account, use our services, or contact us. This includes:

- Account information: name, email address, company name, and role.
- Usage data: actions taken within the platform such as control completions, approvals, and comments.
- Evidence and attachments: files you upload as part of control execution.
- Technical data: IP address, browser type, device information, and access logs.

2. How we use your information

We use the information we collect to:

- Provide, maintain, and improve our services.
- Process control workflows, approvals, and audit trails.
- Send you notifications related to your account and platform activity.
- Respond to your requests, comments, and questions.
- Monitor and analyze usage trends to improve the user experience.
- Detect, prevent, and address technical issues and security threats.

3. Data storage and security

Your data is stored securely on infrastructure provided by Supabase and hosted within the European Union. We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Access to production systems is restricted to authorized personnel with multi-factor authentication.

4. Data sharing and disclosure

We do not sell your personal data. We may share your information only in the following circumstances:

- Within your organization: data is shared with other users within your tenant according to role-based access controls.
- Service providers: we use third-party services (hosting, email delivery, analytics) that process data on our behalf under data processing agreements.
- Legal requirements: we may disclose information if required by law, regulation, or legal process.
- Business transfers: in connection with a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.

5. Data retention

We retain your personal data for as long as your account is active or as needed to provide you services. Audit trail data is retained for the duration specified in your subscription agreement. When you request account deletion, we will remove your personal data within 30 days, except where retention is required by law or for legitimate business purposes.

6. Your rights

Under the General Data Protection Regulation (GDPR), you have the right to:

- Access: request a copy of your personal data.
- Rectification: request correction of inaccurate data.
- Erasure: request deletion of your personal data.
- Portability: receive your data in a structured, machine-readable format.
- Restriction: request limitation of processing.
- Objection: object to processing based on legitimate interests.

To exercise these rights, contact us at [email protected].

7. Cookies and third-party services

We use the following types of cookies and similar technologies:

Strictly necessary cookies (no consent required)

- Authentication and session cookies (Supabase) – required for login and secure access.
- Language preference (NEXT_LOCALE) – stores your selected language.

Optional cookies and third-party services (require consent)

- Feedback widget (FeatureVote) – used to collect product feedback. May set its own cookies. Only loaded if you accept optional cookies.
- Performance measurement (Web Vitals) – measures page load times to improve the experience. Only sent if you accept optional cookies.

We do not use advertising or tracking cookies. You can change your choice by clearing the "cookie-consent" cookie in your browser.

Third parties that process data on our behalf:

- Supabase (authentication and database, EU)
- Stripe (payment processing)
- Anthropic (AI chat via Claude)
- Resend (email delivery)
- Vercel (hosting and infrastructure)

8. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "last updated" date. Continued use of the service after changes constitutes acceptance of the revised policy.

9. Contact us

If you have any questions about this Privacy Policy or our data practices, please contact us at: Email: [email protected]