Privacy Policy

Last Updated: January 28, 2026

1. Introduction

SafeGuardGRC ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at safeguardgrc.com.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, password (encrypted)
  • Firm Information: Firm name, size, location, client count
  • Team Contacts: Names, phone numbers, email addresses of incident response team members
  • Software Details: Tax software used, document storage providers
  • Payment Information: Processed securely by Stripe (we do not store credit card details)

2.2 Governance Quiz Data

  • Quiz Responses: Your answers to governance assessment questions
  • Contact Information: Name, email address, company name, and company size provided when requesting quiz results
  • Anonymized Survey Data: Quiz responses are aggregated and anonymized for industry research and service improvement

By submitting the governance quiz, you consent to receive your results via email and agree to receive occasional compliance tips and product updates from SafeGuardGRC. You can unsubscribe from marketing emails at any time using the unsubscribe link in our emails. Your personal information (name, email) is never shared with third parties for marketing purposes and is handled in accordance with this Privacy Policy.

2.3 Automatically Collected Information

  • IP address and browser type
  • Device information
  • Usage data (pages viewed, features used, time spent)
  • Cookies and similar tracking technologies

3. How We Use Your Information

  • To provide and maintain our service
  • To generate customized incident response plans and compliance documentation
  • To process payments and manage subscriptions
  • To deliver governance quiz results and personalized compliance recommendations via email
  • To conduct anonymized industry research based on aggregated quiz responses
  • To send service-related notifications, updates, and compliance reminders
  • To send marketing communications about our products and services (with your consent)
  • To improve our service and develop new features
  • To provide customer support
  • To comply with legal obligations

Marketing Communications: You can opt out of marketing emails at any time by clicking the unsubscribe link in our emails or contacting us at privacy@safeguardgrc.com. Please note that you will continue to receive essential service-related communications (e.g., compliance reminders, security alerts) regardless of your marketing preferences.

4. Data Sharing and Disclosure

We do NOT sell your personal information.

We may share data with:

  • Service Providers: Supabase (hosting), Stripe (payments), Anthropic (AI processing)
  • Legal Requirements: When required by law, court order, or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

Note: Your incident response plans and firm data are never shared with third parties for marketing purposes.

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: AES-256 encryption at rest, TLS 1.2+ in transit
  • Access Controls: Multi-factor authentication, role-based access
  • Data Separation: Complete client data isolation with row-level security
  • Regular Audits: Ongoing security reviews and updates

While we use best practices to protect your data, no method of transmission over the internet is 100% secure.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide services. Upon account deletion, we delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., resolving disputes, enforcing agreements). Quiz responses are anonymized immediately after results are sent.

7. Your Rights

Depending on your location, you have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete information
  • Deletion: Request deletion of your data ("right to be forgotten")
  • Export: Download your incident response plans and firm data
  • Opt-Out: Unsubscribe from marketing emails (compliance emails required)
  • Object: Object to processing of your data for certain purposes

To exercise these rights, contact us at privacy@safeguardgrc.com.

8. Cookies and Tracking

We use cookies for:

  • Essential Cookies: Authentication, session management (required for service)
  • Analytics Cookies: Understanding how you use our service (optional)

We do NOT use third-party advertising cookies. You can disable cookies in your browser settings, but this may limit service functionality.

9. Third-Party Services

Our service integrates with:

These third parties have their own privacy policies governing their use of your information.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

11. Children's Privacy

Our service is not intended for individuals under 18. We do not knowingly collect information from children. If we become aware that we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or prominent service notification at least 30 days before taking effect. Continued use after changes constitutes acceptance of the updated policy.

13. State-Specific Rights

California Residents (CCPA)

California residents have additional rights, including the right to know what personal information is collected, sold, or disclosed, and the right to opt out of sales (note: we do NOT sell your information).

Virginia, Colorado, Connecticut Residents

Residents of these states have rights to access, correct, delete, and obtain a copy of personal data, as well as to opt out of certain processing activities.

14. Contact Us

For privacy-related questions, requests, or concerns:

Email: privacy@safeguardgrc.com

Response Time: We aim to respond within 30 days

For general support inquiries, please use support@safeguardgrc.com.