Privacy Policy

Effective Date: February 9, 2026

Last Updated: February 9, 2026


1. Introduction

This Privacy Policy describes how [Your Company Name] ("Company," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use the CLARITY Act Compliance Assistant (the "Service"). We are committed to protecting your privacy and handling your personal information in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant privacy regulations.

By using the Service, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.


2. Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily provide when using the Service, including:

Account Information: When you create an account, we collect your name, email address, and password (stored as a cryptographic hash). If you use OAuth authentication, we collect your name, email, and profile information from the authentication provider.

Organization Information: If you create or join an organization account, we collect organization name, industry type, and role information for access control purposes.

Payment Information: When you subscribe to a paid plan, our payment processor (Stripe) collects your payment card information, billing address, and transaction details. We do not store complete credit card numbers on our servers; we only retain the last four digits and card brand for display purposes.

User Content: We collect and store any data, documents, assessments, reports, or other content you create, upload, or submit through the Service, including compliance assessments, classification results, roadmaps, and evidence packs.

Communications: When you contact our support team or communicate with us via email, chat, or other channels, we collect the content of your communications and any information you choose to provide.

2.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information, including:

Usage Information: We collect information about your interactions with the Service, including pages viewed, features used, time spent, click patterns, and navigation paths.

Device Information: We collect information about the device you use to access the Service, including device type, operating system, browser type and version, screen resolution, and device identifiers.

Log Data: Our servers automatically record log data, including IP address, access times, requested URLs, HTTP status codes, referrer URLs, and user agent strings.

Cookies and Similar Technologies: We use cookies, web beacons, and similar tracking technologies to collect information about your browsing activities. See Section 8 for more details about our use of cookies.

Authentication Events: We log authentication-related events, including login attempts, password resets, account creation, and logout actions, along with associated timestamps and IP addresses.

2.3 Information from Third Parties

We may receive information about you from third-party sources, including:

OAuth Providers: If you authenticate using a third-party OAuth provider (such as Google or GitHub), we receive basic profile information as permitted by that provider and your privacy settings.

Payment Processor: We receive transaction confirmation and subscription status information from Stripe, our payment processor.

Analytics Services: We may use third-party analytics services that collect information about your use of the Service to help us improve our offerings.


3. How We Use Your Information

We use the personal information we collect for the following purposes:

Providing the Service: We use your information to create and maintain your account, process your subscription payments, provide customer support, and deliver the features and functionality of the Service.

Improving the Service: We analyze usage patterns and user feedback to improve our Service, develop new features, and enhance user experience.

Communications: We use your email address to send you service-related notifications, subscription confirmations, payment receipts, password reset links, and important updates about the Service. With your consent, we may also send you marketing communications about new features or services.

Security and Fraud Prevention: We use your information to detect, prevent, and respond to security incidents, fraudulent activity, and violations of our Terms of Service.

Compliance and Legal Obligations: We use your information to comply with applicable laws, regulations, legal processes, and governmental requests, and to enforce our Terms of Service.

Audit and Compliance: We maintain audit logs of compliance-sensitive operations to support security investigations, regulatory compliance, and troubleshooting.

Aggregated Analytics: We may create aggregated, anonymized, or de-identified data from your information for statistical analysis, research, and business intelligence purposes. Such data does not identify you personally.


4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal basis for collecting and using your personal information depends on the specific information and the context in which we collect it:

Contract Performance: We process your personal information to perform our contract with you (the Terms of Service), including providing the Service, processing payments, and delivering customer support.

Legitimate Interests: We process your personal information for our legitimate business interests, such as improving the Service, ensuring security, preventing fraud, and conducting analytics, provided these interests are not overridden by your data protection rights.

Legal Compliance: We process your personal information to comply with legal obligations, such as tax reporting, responding to legal requests, and maintaining audit logs as required by law.

Consent: In some cases, we process your personal information based on your consent, such as when you opt in to receive marketing communications or when we use certain cookies. You may withdraw your consent at any time.


5. How We Share Your Information

We do not sell your personal information to third parties. We may share your information in the following circumstances:

Service Providers: We share your information with third-party service providers who perform services on our behalf, such as hosting providers, payment processors, email delivery services, and analytics platforms. These providers are contractually obligated to protect your information and use it only for the purposes we specify.

Organization Members: If you are part of an organization account, your information (such as name, email, and role) may be visible to other members of your organization and to organization administrators.

Business Transfers: If we are involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our Service before your information is transferred and becomes subject to a different privacy policy.

Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities, such as court orders, subpoenas, or government investigations.

Protection of Rights: We may disclose your information when we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Service, or as otherwise required by law.

With Your Consent: We may share your information with third parties when you give us explicit consent to do so.


6. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Data: We retain your account information for as long as your account is active. If you close your account, we will delete or anonymize your personal information within 90 days, except where we are required to retain it for legal, regulatory, or compliance purposes.

User Content: We retain your User Content for as long as your account is active and for 30 days after account closure to allow for account recovery. After this period, User Content is permanently deleted unless you have requested export or backup.

Audit Logs: We retain audit logs of compliance-sensitive operations for a minimum of 7 years to meet regulatory compliance requirements. These logs are stored securely with restricted access.

Payment Records: We retain payment transaction records for 7 years to comply with tax and financial reporting requirements.

Cookies: We retain cookies for the duration specified in Section 8 (Cookie Policy).

You may request deletion of your personal information at any time by contacting us. We will honor your request subject to legal and regulatory obligations that may require us to retain certain information.


7. Data Security

We implement industry-standard security measures to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction. Our security practices include:

Encryption: We use TLS/SSL encryption for data in transit and AES-256 encryption for sensitive data at rest.

Access Controls: We implement role-based access controls and authentication mechanisms to restrict access to personal information to authorized personnel only.

Password Security: User passwords are hashed using bcrypt with salt before storage. We never store passwords in plain text.

Security Audits: We conduct regular security assessments, vulnerability scans, and penetration testing to identify and address potential security risks.

Incident Response: We maintain an incident response plan to detect, respond to, and recover from security incidents.

Employee Training: Our employees receive training on data protection and security best practices.

Third-Party Security: We require our service providers to implement appropriate security measures to protect your information.

While we take reasonable measures to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.


8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your browsing activities and to provide, maintain, and improve the Service.

8.1 Types of Cookies We Use

Essential Cookies: These cookies are necessary for the Service to function and cannot be disabled. They include session cookies that maintain your login state and authentication tokens.

Functional Cookies: These cookies enable enhanced functionality and personalization, such as remembering your preferences and settings.

Analytics Cookies: These cookies help us understand how users interact with the Service by collecting anonymous usage statistics. We use this information to improve the Service.

Preference Cookies: These cookies remember your cookie consent preferences and other settings.

8.2 Cookie Duration

Session Cookies: Expire when you close your browser.

Persistent Cookies: Remain on your device for a set period (typically 30 days to 1 year) or until you delete them.

8.3 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to block or delete cookies. However, if you disable essential cookies, some features of the Service may not function properly.

Our cookie consent banner allows you to accept or reject non-essential cookies. You can change your cookie preferences at any time by accessing the cookie settings in the footer of our website.

8.4 Do Not Track

Some browsers support a "Do Not Track" (DNT) feature that signals to websites that you do not want to be tracked. We do not currently respond to DNT signals because there is no industry standard for how to interpret and respond to such signals.


9. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

9.1 GDPR Rights (EEA, UK, Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR:

Right of Access: You have the right to request a copy of the personal information we hold about you.

Right to Rectification: You have the right to request correction of inaccurate or incomplete personal information.

Right to Erasure ("Right to be Forgotten"): You have the right to request deletion of your personal information in certain circumstances.

Right to Restriction of Processing: You have the right to request that we restrict processing of your personal information in certain circumstances.

Right to Data Portability: You have the right to receive your personal information in a structured, commonly used, and machine-readable format and to transmit it to another controller.

Right to Object: You have the right to object to processing of your personal information based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent: If we process your personal information based on consent, you have the right to withdraw your consent at any time.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.

9.2 CCPA Rights (California)

If you are a California resident, you have the following rights under the CCPA:

Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business purpose for collecting it, and the categories of third parties with whom we share it.

Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.

Right to Opt-Out of Sale: We do not sell your personal information. If we ever do so in the future, you will have the right to opt out.

Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA rights.

9.3 Exercising Your Rights

To exercise any of these rights, please contact us at [[email protected]]. We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

You may also access and update certain account information by logging into your account settings.


10. International Data Transfers

The Service is hosted in the United States, and your personal information may be transferred to, stored in, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from those in your country of residence.

If you are located in the EEA, UK, or Switzerland, we rely on appropriate safeguards for international data transfers, such as Standard Contractual Clauses approved by the European Commission. You may request a copy of these safeguards by contacting us.


11. Children's Privacy

The Service is not intended for children under the age of 18, and we do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have collected information from a child under 18, please contact us immediately.


12. Third-Party Links

The Service may contain links to third-party websites, services, or resources that are not operated by us. This Privacy Policy does not apply to such third-party services. We are not responsible for the privacy practices of third parties, and we encourage you to review their privacy policies before providing any personal information.


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. We will notify you of material changes by posting the updated Privacy Policy on the Service and updating the "Last Updated" date at the top of this document.

If we make material changes that significantly affect your rights, we will provide additional notice, such as via email or a prominent notice on the Service. Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.


14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Privacy Officer

Email: [[email protected]]

Address: [Your Company Address]

Phone: [Your Phone Number]

For GDPR-related inquiries, you may also contact our Data Protection Officer at [[email protected]].


15. Data Protection Officer (GDPR)

If you are located in the EEA, UK, or Switzerland, you may contact our Data Protection Officer regarding any questions or concerns about our data processing activities:

Data Protection Officer

Email: [[email protected]]

Address: [Your Company Address]


16. Supervisory Authority (GDPR)

If you are located in the EEA, UK, or Switzerland and believe we have violated your data protection rights, you have the right to lodge a complaint with your local supervisory authority:

EU Member States: Contact your national data protection authority. A list is available at: https://edpb.europa.eu/about-edpb/board/members_en

United Kingdom: Information Commissioner's Office (ICO) - https://ico.org.uk/

Switzerland: Federal Data Protection and Information Commissioner (FDPIC) - https://www.edoeb.admin.ch/


By using the CLARITY Act Compliance Assistant, you acknowledge that you have read and understood this Privacy Policy.
