At GoverningLayer, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our universal governance infrastructure platform and related services (the “Services”).

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Services.

1. Information We Collect

1.1 Information You Provide

We collect information that you provide directly to us:

• Account Information: Name, email address, company name, job title, and password when you create an account
• Payment Information: Billing details and payment card information (processed securely through our payment providers)
• Communications: Information you provide when you contact us for support, feedback, or inquiries
• Policy Data: Governance policies, rules, and configurations you create within the platform

1.2 Automatically Collected Information

When you use our Services, we automatically collect:

• Usage Data: API calls, policy evaluations, system logs, and performance metrics
• Device Information: IP address, browser type, operating system, and device identifiers
• Cookies and Tracking: We use cookies and similar technologies to analyze usage patterns and improve our Services
• Audit Trail Data: Blockchain-backed logs of authorization decisions and system events

1.3 Information from Third Parties

We may receive information from:

• Authentication providers (OAuth, SSO services)
• Payment processors
• Analytics and security service providers

2. How We Use Your Information

We use the information we collect to:

• Provide Services: Operate, maintain, and improve the GoverningLayer platform
• Process Transactions: Handle billing, payments, and subscription management
• Customer Support: Respond to inquiries, troubleshoot issues, and provide technical assistance
• Security & Compliance: Detect fraud, prevent abuse, ensure platform security, and comply with legal obligations
• Analytics: Analyze usage patterns to improve performance and user experience
• Communications: Send service updates, security alerts, and marketing communications (with your consent)
• Legal Compliance: Comply with applicable laws, regulations, and legal processes

3. How We Share Your Information

We do not sell your personal information. We may share your information with:

3.1 Service Providers

• Cloud infrastructure providers (AWS, Azure, GCP)
• Payment processors
• Analytics and monitoring services
• Customer support platforms

3.2 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

3.3 Legal Requirements

We may disclose information when required by law or to:

• Comply with legal obligations and court orders
• Protect our rights, property, or safety
• Prevent fraud or security threats
• Cooperate with law enforcement

3.4 With Your Consent

We may share information with third parties when you explicitly consent to such sharing.

4. Data Security

We implement industry-leading security measures to protect your information:

• Encryption: AES-256 encryption at rest, TLS 1.3 in transit
• Access Controls: Role-based access control (RBAC) and multi-factor authentication
• Monitoring: 24/7 security monitoring and intrusion detection
• Auditing: Blockchain-backed immutable audit trails
• Certifications: SOC 2 Type II, ISO 27001, and HIPAA compliance
• Incident Response: Dedicated security team and incident response procedures

5. Data Retention

We retain your information for as long as necessary to:

• Provide you with our Services
• Comply with legal obligations (e.g., audit trail retention requirements)
• Resolve disputes and enforce agreements
• Meet regulatory requirements (GDPR, HIPAA, financial regulations)

Retention Periods

Upon account deletion, we will delete or anonymize your personal information within 90 days, except where retention is required by law or for legitimate business purposes.

6. Your Privacy Rights

Depending on your location, you may have the following rights:

6.1 General Rights

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information (subject to legal requirements)
• Data Portability: Receive your data in a structured, machine-readable format
• Opt-Out: Unsubscribe from marketing communications

6.2 GDPR Rights (EU/UK Users)

If you are in the European Economic Area or UK, you have additional rights:

• Right to restriction of processing
• Right to object to processing
• Right to withdraw consent
• Right to lodge a complaint with a supervisory authority

6.3 CCPA Rights (California Users)

If you are a California resident, you have the right to:

• Know what personal information is collected
• Know whether personal information is sold or disclosed
• Say no to the sale of personal information
• Access your personal information
• Request deletion of personal information
• Not be discriminated against for exercising your rights

To exercise your rights: Contact us at [email protected]. We will respond to verified requests within 30 days.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Maintain your session and preferences
• Analyze platform usage and performance
• Provide personalized experiences
• Prevent fraud and enhance security

Types of Cookies We Use

• Essential Cookies: Required for platform functionality (cannot be disabled)
• Analytics Cookies: Help us understand usage patterns
• Performance Cookies: Monitor system performance and errors
• Marketing Cookies: Track effectiveness of campaigns (with your consent)

You can control cookies through your browser settings. Disabling certain cookies may limit platform functionality. See our Cookie Policy for more details.

8. International Data Transfers

GoverningLayer operates globally. Your information may be transferred to and processed in countries other than your own, including the United States.

We ensure appropriate safeguards are in place for international transfers:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements (DPAs) with all vendors
• Adequacy decisions where applicable
• Privacy Shield successor frameworks (where available)

9. Children’s Privacy

Our Services are not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at [email protected].

10. Third-Party Services

Our Services may contain links to third-party websites and integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy with a new “Last Updated” date
• Sending email notification to your registered email address
• Displaying an in-platform notification

Your continued use of our Services after changes become effective constitutes acceptance of the updated Privacy Policy.

12. Regulatory Compliance

GoverningLayer complies with the following privacy regulations:

• GDPR: General Data Protection Regulation (EU)
• CCPA: California Consumer Privacy Act (USA)
• HIPAA: Health Insurance Portability and Accountability Act (for healthcare data)
• SOC 2 Type II: Security and privacy controls certification
• ISO 27001: Information security management
• Privacy Shield: EU-U.S. and Swiss-U.S. frameworks (and successors)

13. Data Protection Officer

For GDPR-related inquiries, you may contact our Data Protection Officer at:

Email: [email protected]
Subject Line: GDPR / Data Protection Inquiry