Privacy Policy
1. Introduction
Ataraxia GRC, Inc. (“we,” “us,” or “our”) operates the Ataraxia GRC platform at ataraxiagrc.com. This Privacy Policy describes how we collect, use, share, and protect your personal information when you use our Service.
By creating an account or using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, organization name, and job title. We may also collect your CAGE code, company size, NAICS code, and annual DoD contract revenue as part of the onboarding process.
2.2 Assessment Data
As you use the Service, we collect the data you enter, including control statuses, compliance assessment responses, implementation descriptions, SPRS scores, tech stack selections, evidence metadata, and organizational security posture information.
2.3 Payment Information
Payment transactions are processed by Stripe, Inc. We do not store credit card numbers, bank account numbers, or other sensitive payment credentials on our servers. We receive limited payment information from Stripe, such as the last four digits of your card, expiration date, billing address, and transaction history, for account management and billing purposes.
2.4 Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, timestamps of activity, IP address, browser type and version, device information, and referring URLs.
2.5 Communication Data
We collect the content of messages you send to our support team, feedback you provide, and any other communications you initiate with us.
2.6 Public Calculator Data
Our free SPRS calculator may be used without an account. If you choose to provide your email address for lead capture, we collect that email address along with your SPRS calculation inputs. No account is required to use the calculator.
3. How We Use Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Calculate SPRS scores and generate compliance documents (SSPs, POA&Ms, policies)
- Process payments and manage billing
- Send transactional emails related to your account, billing, and security notifications
- Improve the Service through analytics and usage patterns
- Generate anonymized, aggregated insights about compliance trends (never identifying individual customers)
- Comply with legal obligations and respond to legal process
- Protect the security and integrity of the Service
4. AI Data Processing
Certain features of the Service use artificial intelligence (Anthropic Claude) to generate content and provide compliance guidance. When you use AI-powered features (copilot chat, SSP generation, remediation suggestions), your assessment data and organizational context may be included in API calls to our AI provider.
- AI processing occurs via API calls to Anthropic. Prompts include organizational context necessary for generating relevant responses.
- Anthropic’s commercial API does not retain or train on customer data per their data processing terms.
- You control what data is submitted to AI features through your use of those features. AI features are optional and can be used selectively.
5. Data Sharing
We do NOT sell your personal data. We share data only with the following service providers who assist us in operating the Service:
- Supabase (AWS) — Database hosting and authentication. Data stored in US regions.
- Vercel — Application hosting and content delivery network (CDN).
- Anthropic — AI processing via API for copilot and document generation features.
- Stripe — Payment processing and billing.
- Cloudflare — DNS, DDoS protection, and CDN.
- Resend — Transactional email delivery.
A complete list of our subprocessors is maintained at ataraxiagrc.com/subprocessors.
We may also disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Ataraxia GRC, our customers, or the public.
6. Data Security
We implement commercially reasonable security measures to protect your data, including:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest using AES-256
- Row-level security (RLS) policies in the database
- Role-based access control (RBAC) for multi-user organizations
- Comprehensive audit logging of access and state changes
- Regular security updates and dependency monitoring
No method of electronic storage or transmission is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
7. Data Retention
- Active accounts: Data is retained for the duration of your subscription.
- Post-termination: You have a 30-day export window after termination. Customer Data is deleted within 90 days after the export window closes.
- Audit logs: Retained for 1 year for compliance and security purposes.
- Anonymized aggregate data: Retained indefinitely, as it cannot be used to identify any individual or organization.
- Payment records: Retained per legal and tax requirements (typically 7 years).
8. Your Rights
You have the right to:
- Access: Request a copy of your personal data held by us.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Export: Download your data in standard formats through the Service’s export functionality.
- Opt-out: Unsubscribe from marketing communications at any time.
- California residents: See Section 9 for additional CCPA/CPRA rights.
To exercise any of these rights, contact us at privacy@ataraxiagrc.com. We will respond within 45 days of receiving your request.
9. California Privacy Rights (CCPA/CPRA)
Note: The CCPA applies to for-profit businesses meeting certain thresholds (annual revenue exceeding $26.625M or processing data of 100,000+ California residents). Ataraxia GRC may not currently meet these thresholds but includes this section proactively to demonstrate our commitment to privacy.
Categories of personal information collected (per CCPA categories): Identifiers (name, email); commercial information (subscription and payment data); internet activity (usage data, IP addresses); professional information (job title, company).
- We do not sell or share personal information for cross-context behavioral advertising.
- Right to know: You may request the categories and specific pieces of personal information we have collected.
- Right to delete: You may request deletion of your personal information.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt-out: Not applicable, as we do not sell personal information.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
- Authorized agent requests are accepted with proper verification.
10. Cookies
We use only essential cookies necessary for the operation of the Service:
- Authentication cookies: To maintain your login session and verify your identity.
- Session management cookies: To ensure the security and functionality of your session.
We do not use third-party advertising cookies, tracking cookies, or cross-site tracking technologies. We do not use Google Analytics. Any analytics we perform use privacy-respecting methods that do not track individual users across sites.
11. Children’s Privacy
The Service is not directed to persons under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@ataraxiagrc.com.
12. International Data
The Service is operated from the United States, and your data is processed and stored there. If you access the Service from outside the United States, you consent to the transfer and processing of your data in the United States, which may have different data protection standards than your jurisdiction. For customers requiring specific data transfer mechanisms, we can provide Standard Contractual Clauses upon request.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days’ notice via email to the address associated with your account. The updated policy will also be posted at ataraxiagrc.com/privacy. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy.
14. Contact
For questions or concerns about this Privacy Policy or our data practices, contact us at:
Ataraxia GRC, Inc.
Durango, Colorado
United States