Privacy Policy
Last updated: April 4, 2026
This Privacy Policy describes how SocZap (“we,” “us,” or “our”) collects, uses, and shares information when you use our service at soczap.com (the “Service”). By using the Service, you agree to this policy.
1. Information We Collect
We collect the following categories of information:
- Account information: your email address, company name, and password (stored as a hash — we never see your plaintext password).
- Security profile data: information you enter about your company’s infrastructure, security practices, and compliance posture. This is used solely to generate questionnaire responses.
- Questionnaire content: files you upload and the questions extracted from them.
- Usage data: how many questionnaires you have processed in a given month, for plan limit enforcement.
- Billing information: handled entirely by Stripe. We store only your Stripe customer ID — we never see or store your credit card number.
2. How We Use Your Information
We use your information to:
- Provide and operate the Service (authenticate you, store your profile, generate AI responses).
- Send transactional emails (account confirmation, password reset, completion notifications). We do not send marketing emails without your separate consent.
- Enforce plan limits and process subscription payments.
- Respond to support messages you send through the app.
- Detect and prevent fraud or abuse.
We do not sell your data. We do not use your data for advertising.
3. Third-Party Services
We share data with the following sub-processors to operate the Service:
- Supabase — database and authentication hosting. Your data is stored on Supabase servers located in the United States.
- OpenAI — AI processing. When you generate questionnaire responses, your security profile and questionnaire text are sent to the OpenAI API. OpenAI’s API usage policies state that API inputs and outputs are not used to train their models. See OpenAI’s data usage policy.
- Stripe — payment processing. Stripe’s privacy policy governs data collected during checkout.
- Resend — transactional email delivery.
- Vercel — application hosting (United States).
We do not share your data with any other third parties except as required by law.
4. Data Retention
We retain your data for as long as your account is active. When you delete your account (via Settings → Danger zone), we permanently delete your profile, security profile, questionnaires, and answer vault from our systems. Residual copies in database backups are purged within 30 days.
Stripe retains billing records for legal and tax purposes per their own policy.
5. Data Security
Your data is encrypted in transit (TLS) and encrypted at rest by our database provider (Supabase). Access to production data is restricted to service accounts necessary to run the application. Despite these measures, no system is perfectly secure — you use the Service at your own risk.
6. Your Rights
You may at any time:
- Access the data we hold about you by viewing your account and security profile in the app.
- Correct your data by editing your profile or account settings.
- Delete your account and all associated data via Settings → Danger zone.
- Request a copy of your data by contacting us at the address below.
If you are located in the European Economic Area, you have additional rights under the GDPR, including the right to lodge a complaint with your local supervisory authority.
7. Cookies
We use cookies solely for authentication session management (set by Supabase Auth). We do not use tracking cookies or advertising cookies.
8. Children
The Service is intended for business use only and is not directed at children under 16. We do not knowingly collect data from anyone under 16.
9. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you by email or by posting a notice in the app. Continued use of the Service after changes constitutes acceptance of the updated policy.
10. Contact
For any privacy-related questions or requests, contact us through the Settings → Contact us form in the app, or by emailing us directly.