Privacy Policy

Last Updated: February 19, 2026

1. Introduction

SafeGuardGRC (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at safeguardgrc.com. By using our service, you agree to the practices described in this policy.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, password (encrypted)
  • Firm Information: Firm name, size, location, client count
  • Team Contacts: Names, phone numbers, email addresses of incident response team members
  • Software Details: Tax software used, document storage providers
  • Payment Information: Processed securely by Stripe (we do not store credit card details)

2.2 Compliance Assessments & Resource Data

  • Quiz & Assessment Responses: Your answers to compliance readiness assessments, including the Breach Readiness Quiz, Cyber Insurance Reality Check, Governance Gaps Assessment, and any other interactive resources we offer. This may include selected states, firm size, client count, IT setup, and assessment-specific responses.
  • Contact Information: Name, email address, firm name provided when requesting personalized reports or accessing gated resources such as the Compliance Requirements Matrix
  • Anonymized Survey Data: Assessment responses are aggregated and anonymized for industry research and service improvement

By submitting an assessment, accessing a gated resource, and providing your email, you consent to receive your personalized results or resource via email. If you opt in to marketing communications, you agree to receive occasional compliance tips and product updates from SafeGuardGRC. You can unsubscribe from marketing emails at any time using the unsubscribe link in our emails. Your personal information (name, email) is never shared with third parties for marketing purposes.

2.3 Automatically Collected Information

When you visit our site, we may automatically collect certain information. Analytics data is only collected if you accept cookies via our consent banner. If you decline, no analytics or advertising cookies are set.

  • Essential (always collected): IP address (for security and abuse prevention), authentication session tokens
  • Analytics (consent required): Pages visited, time on page, referral source, browser type, device type, operating system, screen resolution, and general geographic location (city-level, derived from anonymized IP). Collected via Google Analytics 4 with IP anonymization enabled.
  • Advertising performance (consent required): Page views and conversion events (e.g., quiz completion, email submission) used to measure the effectiveness of our LinkedIn advertising campaigns. LinkedIn may also infer professional demographics (industry, job function, company size) based on LinkedIn member data. Collected via the LinkedIn Insight Tag.

3. How We Use Your Information

  • To provide and maintain our service
  • To generate customized data inventories, risk assessments, security policies, incident response plans, and compliance documentation
  • To process payments and manage subscriptions
  • To deliver your personalized Incident Readiness Report and compliance recommendations via email
  • To conduct anonymized industry research based on aggregated quiz responses
  • To send service-related notifications, updates, and compliance reminders
  • To send marketing communications about our products and services (with your consent)
  • To analyze site usage and improve our service (via Google Analytics 4, with your consent)
  • To measure the effectiveness of our advertising campaigns (via LinkedIn Insight Tag, with your consent)
  • To provide customer support
  • To comply with legal obligations

Marketing Communications: You can opt out of marketing emails at any time by clicking the unsubscribe link in our emails or by submitting a request through our contact form. Please note that you will continue to receive essential service-related communications (e.g., compliance reminders, security alerts) regardless of your marketing preferences.

4. Data Sharing and Disclosure

We do NOT sell your personal information.

We may share data with:

  • Infrastructure & Hosting: Supabase (database, authentication), Vercel (application hosting)
  • Payments: Stripe (payment processing — we never store credit card details)
  • AI Processing: Anthropic (document generation — data is not used to train AI models)
  • Email: Resend (transactional and marketing email delivery)
  • Analytics: Google Analytics 4 (anonymized site usage data — only with your consent)
  • Advertising Measurement: LinkedIn (ad campaign performance data — only with your consent)
  • Legal Requirements: When required by law, court order, or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

Note: Your incident response plans, WISPs, and firm compliance data are never shared with third parties for marketing purposes.

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: AES-256 encryption at rest, TLS 1.2+ in transit
  • Access Controls: Multi-factor authentication, role-based access
  • Data Separation: Complete client data isolation with row-level security
  • Regular Audits: Ongoing security reviews and updates

While we use best practices to protect your data, no method of transmission over the internet is 100% secure.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide services. Upon account deletion, we delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., resolving disputes, enforcing agreements).

  • Account data: Retained while your account is active; deleted within 30 days of account closure
  • Quiz data: Session data retained for 90 days for support purposes; email and contact information retained until you request deletion
  • Analytics data: Google Analytics retains data for 14 months (Google's default); LinkedIn retains Insight Tag data for up to 90 days
  • Cookie consent preference: Stored in your browser's local storage indefinitely until you clear it

7. Your Rights

Depending on your location, you have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete information
  • Deletion: Request deletion of your data (“right to be forgotten”)
  • Export: Download your compliance documents and firm data
  • Opt-Out of Marketing: Unsubscribe from marketing emails at any time
  • Withdraw Cookie Consent: Decline or withdraw consent for analytics and advertising cookies at any time (see Section 8)
  • Object: Object to processing of your data for certain purposes

To exercise these rights, submit a request through our contact form and select "Privacy Request" as the topic.

8. Cookies and Tracking Technologies

8.1 Cookie Consent

When you first visit our site, a cookie banner asks for your consent before any analytics or advertising cookies are loaded. You may accept or decline. No third-party tracking scripts are loaded unless you click “Accept.”

To change your preference after your initial choice, clear your browser's local storage for safeguardgrc.com (the item named sgrc_cookie_consent), or clear all cookies for our site. The consent banner will reappear on your next visit.

8.2 Types of Cookies We Use

| Category | Provider | Purpose | Consent Required |
|---|---|---|---|
| Essential | SafeGuardGRC / Supabase | Authentication, session management, cookie consent preference | No |
| Analytics | Google Analytics 4 | Understand how visitors use our site: pages visited, traffic sources, user flows, general geography. IP anonymization is enabled. | Yes |
| Advertising Performance | LinkedIn Insight Tag | Measure effectiveness of our LinkedIn ad campaigns. LinkedIn may infer professional demographics (job function, industry, company size) from LinkedIn member data. | Yes |

8.3 What We Do NOT Do

  • We do not serve targeted advertisements on our site
  • We do not sell or share cookie data with third parties for their own advertising purposes
  • We do not build cross-site user profiles for ad targeting
  • We do not use fingerprinting or any tracking technologies beyond the cookies listed above

8.4 Do Not Track Signals

Our site respects your cookie consent choice via our banner. We do not currently respond to browser-level “Do Not Track” (DNT) signals, as there is no industry-standard interpretation of DNT. However, if you decline cookies via our consent banner, no analytics or advertising tracking scripts are loaded, which achieves the same result.

9. Third-Party Services

Our service integrates with the following third parties, each with their own privacy policies:

10. International Data Transfers

Your data may be transferred to and processed in the United States and other countries where our service providers operate. By using our service, you acknowledge that your data may be transferred outside your country of residence. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable law.

11. Children's Privacy

Our service is designed for business professionals and is not intended for individuals under 18. We do not knowingly collect information from children. If we become aware that we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or prominent service notification at least 30 days before taking effect. The “Last Updated” date at the top of this page indicates when the policy was most recently revised. Continued use after changes constitutes acceptance of the updated policy.

13. State-Specific Rights

California Residents (CCPA/CPRA)

California residents have additional rights including the right to know what personal information is collected, the right to deletion, and the right to opt out of the “sale” or “sharing” of personal information. We do NOT sell or share your personal information as defined under the CCPA/CPRA. You may still exercise your right to opt out of analytics tracking by declining cookies via our consent banner.

Virginia, Colorado, Connecticut, and Other State Privacy Laws

Residents of states with comprehensive privacy laws have rights to access, correct, delete, and obtain a copy of personal data, as well as to opt out of certain processing activities including targeted advertising and profiling. To exercise these rights, contact us using the information in Section 14.

14. Contact Us

For privacy-related questions, data access requests, or concerns:

Contact Form: safeguardgrc.com/contact — select "Privacy Request" as the topic

Email: privacy@safeguardgrc.com

Response Time: We aim to respond to all privacy requests within 30 days
