Privacy Policy
Effective Date: March 20, 2026
1. Introduction and Scope
Custodia GRC, Inc. (“Company,” “we,” “us,” or “our”) operates the AIPolicyReady platform (“Platform”) at aipolicyready.com. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the Platform.
This Policy applies to: (a) Users who register for Platform accounts (“Account Holders”); (b) employees and personnel of Account Holders whose data is processed through the Platform (“Employee Data Subjects”); and (c) visitors to our website.
This Policy is designed to comply with applicable privacy laws including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Health Insurance Portability and Accountability Act (HIPAA) where applicable, and other relevant data protection frameworks.
2. Data Controller and Processor Relationship
For Account Holders: Custodia GRC, Inc. acts as the data controller for account registration data and billing information collected directly during the sign-up and subscription process.
For Employee Data Subjects: The Account Holder (your employer or the organization administering your AI governance program) acts as the data controller. Custodia GRC, Inc. acts as a data processor on behalf of the Account Holder for all employee data (including attestation records, quiz results, and signature data) processed through the Platform.
We process Employee Data Subject information only on documented instructions from the Account Holder and do not process such data for our own independent purposes. Organizations subject to GDPR may request a Data Processing Agreement (DPA) at compliance@aipolicyready.com.
3. Information We Collect
3.1 Account Registration Data
- Name and email address (collected via Clerk authentication)
- Organization name and role
- Authentication credentials (managed by Clerk; we do not store raw passwords)
- Billing and payment information (managed by our payment processor; we do not store payment card data)
- IP address and device metadata at time of account creation
3.2 Organizational Governance Data (Customer Data)
- Organization structure, department names, and headcount
- AI tools and use cases described during the intake process
- Generated AI Acceptable Use Policies and custom policy content
- Employee roster data uploaded by Account Holders (names, email addresses, departments)
- Employee attestation and quiz completion records
- Cryptographic signature data and attestation timestamps
- Compliance officer ticket contents and resolution records
3.3 Usage and Technical Data
- Log data including page visits, feature usage, and session duration
- IP addresses, browser type, and operating system
- Error and performance data for service reliability purposes
3.4 Communications Data
- Messages sent to us via the compliance contact form
- Support request content and resolution history
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Platform services, manage your subscription, and fulfill our contractual obligations
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement, and ensuring Platform integrity
- Legal obligation (Art. 6(1)(c)): Compliance with applicable laws and regulations, including responding to lawful government requests
- Consent (Art. 6(1)(a)): For optional marketing communications — you may withdraw consent at any time
For processing employee attestation records on behalf of Account Holders, the legal basis is determined by the Account Holder in its capacity as data controller. Typical bases include legitimate interests in demonstrating AI governance compliance, or compliance with emerging AI regulatory obligations.
5. How We Use Information
We use collected information to:
- Provide, operate, maintain, and improve the Platform
- Process transactions and manage subscriptions
- Generate AI governance policies and compliance artifacts on your behalf
- Distribute policy documents and collect employee attestations as directed by Account Holders
- Send transactional emails (policy distribution, attestation requests, welcome notices)
- Provide compliance officer support and respond to ticket inquiries
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations and respond to lawful requests
- Analyze aggregated, de-identified usage patterns to improve service features
We do not use personal data or Customer Data to train, fine-tune, or otherwise improve AI models without your express written consent.
We do not sell personal information to third parties. We do not use personal information for behavioral advertising.
6. Information Sharing and Disclosure
We share information only in the following circumstances:
6.1 Service Providers (Sub-processors)
We engage trusted service providers to help operate the Platform. Current sub-processors include:
- Clerk: Authentication and identity management (clerk.com)
- Neon / PostgreSQL: Database hosting and storage
- Resend: Transactional email delivery
- Vercel: Platform hosting and CDN
All sub-processors are contractually required to protect personal data with appropriate security measures and to process data only as instructed.
6.2 Legal Requirements
We may disclose information if required by law, court order, or government authority, or to protect the rights, property, or safety of Custodia GRC, our users, or the public.
6.3 Business Transfers
In connection with a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity. We will notify affected users via email or Platform notice before data is transferred and becomes subject to a different privacy policy.
6.4 With Your Consent
We may share information for other purposes with your explicit consent.
7. AI-Specific Privacy Considerations
The Platform uses AI to assist in generating policy content and compliance recommendations. In connection with AI processing:
- AI-generated content is subject to human review before being presented as final; the Platform enforces Human-in-the-Loop (HITL) controls
- Organizational intake data (AI tools used, departments, use cases) is processed to personalize policy generation and is treated as Customer Data
- No automated decision-making with legal or similarly significant effects on individuals occurs through the Platform without human oversight
- Employee quiz and attestation data is not used for individual profiling beyond the purpose of demonstrating governance compliance
- We implement data minimization practices and collect only the information necessary for AI governance purposes
8. Data Retention
We retain personal data and Customer Data for as long as necessary to provide the Platform services and as required by applicable law.
- Account Data: Retained for the duration of the account relationship plus 7 years, to support audit and legal compliance obligations
- Attestation Records: Retained for 7 years from the date of attestation; extended retention may apply for regulated industries (HIPAA: minimum 6 years; SEC: minimum 3–7 years)
- Usage Logs: Retained for 90 days for security and performance purposes
- Billing Records: Retained for 7 years as required for tax and financial compliance
Upon account termination, Customer Data is made available for export for thirty (30) days, after which it is deleted or anonymized. You may request earlier deletion subject to our legal retention obligations.
9. Security
We implement appropriate technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. Measures include:
- Encryption of data in transit (TLS 1.2+) and at rest
- Cryptographic attestation records that provide tamper-evidence
- Access controls and authentication managed by Clerk
- Regular security reviews and dependency updates
- Audit logging of administrative access and sensitive operations
No transmission over the internet is 100% secure. In the event of a data breach that creates risk to the rights and freedoms of individuals, we will notify affected parties and relevant supervisory authorities as required by applicable law.
10. International Data Transfers
The Platform is operated from the United States. If you are located in the EEA, UK, or Switzerland, your personal data may be transferred to and processed in the United States. We implement appropriate transfer mechanisms including Standard Contractual Clauses (SCCs) as required under GDPR Chapter V.
11. Your Rights
11.1 Rights Under GDPR (EEA, UK, Switzerland)
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate personal data
- Right to erasure (“right to be forgotten”): Request deletion of your personal data, subject to legal retention requirements
- Right to restriction of processing: Request that we limit how we use your personal data
- Right to data portability: Receive your personal data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests
- Rights related to automated decision-making: Not be subject to purely automated decisions with significant effects
- Right to withdraw consent: Where processing is based on consent, withdraw consent at any time
11.2 Rights Under CCPA/CPRA (California Residents)
- Right to know what personal information is collected, used, and disclosed
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information (we do not sell or share personal information)
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising privacy rights
To exercise any of these rights, contact us at compliance@aipolicyready.com. We will respond within 30 days (GDPR) or 45 days (CCPA). We may require verification of your identity before processing requests.
For Employee Data Subjects, requests should be directed to your employer (the Account Holder / data controller). We will assist Account Holders in fulfilling data subject requests as required under applicable law.
12. Cookies and Tracking Technologies
The Platform uses session cookies and similar technologies necessary for authentication and Platform functionality. We use Clerk session tokens for authentication state management.
We do not use third-party advertising cookies, behavioral tracking pixels, or cross-site tracking technologies. We do not share browsing data with advertising networks.
You may control cookie behavior through your browser settings. Disabling essential cookies may impair Platform functionality.
13. Children's Privacy
The Platform is intended for organizational use by adults (18+) in professional settings. We do not knowingly collect personal information from children under the age of 16. If you believe we have inadvertently collected such information, contact us immediately at compliance@aipolicyready.com.
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or Platform notice at least thirty (30) days before the changes take effect. The effective date of the current version is stated at the top of this document.
Continued use of the Platform following the effective date of a revised Privacy Policy constitutes acceptance of the updated terms.
15. Contact and Supervisory Authority
For privacy inquiries, rights requests, or complaints:
If you are located in the EEA and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at ec.europa.eu/justice/data-protection/bodies/authorities.