Privacy Policy

Last updated: January 14, 2026

1. Information We Collect

1.1 Personal Information

When you authenticate via OAuth providers, we collect:

  • Name and email address from your OAuth provider
  • OAuth provider information (Google or Microsoft)
  • Organization name (if provided)
  • Payment information (processed securely through Stripe)

1.2 Usage Information

We automatically collect information about how you use our Service:

  • Security assessment responses (NIST CSF 2.0, BCDR, Basic Security)
  • Generated security policies and customization data
  • Tabletop exercise scenarios and results
  • Security guidance library interactions and AI chat queries
  • Log data (IP addresses, browser type, pages visited)
  • Device information and usage patterns

1.3 OAuth Information

If you choose to sign in with OAuth providers (Google, Microsoft, etc.), we collect:

  • Profile information from the OAuth provider
  • Email address
  • Basic profile data as permitted by the provider

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our Service
  • Process payments and manage annual subscriptions
  • Generate security assessment reports, policies, and tabletop exercise documents
  • Provide AI-enhanced security guidance and insights
  • Enable team collaboration features (up to 5 team members)
  • Communicate with you about your account and the Service
  • Provide customer support
  • Analyze usage patterns to improve our Service
  • Comply with legal obligations

3. Information Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties, except in the following circumstances:

3.1 Service Providers

We may share information with trusted third-party service providers who assist us in operating our Service:

  • Payment processing (Stripe)
  • Cloud hosting services
  • Email service providers
  • Analytics providers

3.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities.

3.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction.

4. Data Security

We implement appropriate technical and organizational security measures to protect your information:

  • Encryption in transit and at rest
  • Regular security assessments
  • Access controls and authentication
  • Secure coding practices
  • Regular security updates

5. Data Retention

We retain your information for as long as necessary to provide the Service and comply with our legal obligations:

  • Account information: Until account deletion
  • Assessment data, policies, and documents: Until account deletion or upon request
  • Canceled subscription data: 7 days after subscription expiration for reactivation purposes
  • Payment records: As required by law (typically 7 years)
  • Usage logs: 2 years for analytics purposes

6. Your Rights and Choices

You have the following rights regarding your personal information:

6.1 Access and Correction

You can access and update your account information through your account settings.

6.2 Data Portability

You can request a copy of your data in a machine-readable format.

6.3 Deletion

You can request deletion of your account and associated data. Some information may be retained as required by law.

6.4 Opt-Out

You can opt out of marketing communications at any time by using the unsubscribe link in emails or contacting us directly.

7. Cookies and Tracking

We use cookies and similar technologies to:

  • Maintain your login session
  • Remember your preferences
  • Analyze usage patterns
  • Improve user experience

You can control cookies through your browser settings, but this may affect functionality.

8. Third-Party Services

Our Service integrates with the following third-party services:

  • Stripe: Payment processing for annual subscriptions (subject to Stripe's privacy policy)
  • OAuth Providers: Google and Microsoft authentication services (subject to their privacy policies)
  • AWS Bedrock: AI-powered security guidance and insights (subject to AWS privacy policy)

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your information in accordance with applicable data protection laws.

10. Children's Privacy

Our Service is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on our website
  • Updating the "Last updated" date
  • Sending an email notification for significant changes

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: privacy@compliancewire.com

13. Compliance

We are committed to complying with applicable data protection laws, including:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Other applicable privacy laws