Privacy Policy
Effective Date: June 12, 2026
[[SQUARE_BRACKETS]] must be replaced before launch.Current effective date shown on this page: June 12, 2026The Short Version
You own your data. We store each organization's data in its own isolated database, use it only to provide the Service, never sell it, and delete it permanently when you ask us to. Details below.
1. Information We Collect
Account information: name, work email address, password (stored only as a salted bcrypt hash — we cannot read your password), organization, and role.
Risk and business data you provide: risk registers, controls, KRIs, loss runs, insurance policies, claims, captive financials, documents you upload, and survey responses. This is your content — you control it.
Demo and contact requests: name, email, company, phone, and message submitted through our marketing site forms.
Usage and security data: login timestamps, IP addresses, browser/OS family, and security events (failed logins, password resets, role changes). We collect these to protect your account, not to profile you.
2. How We Use Your Information
We use your information solely to:
- Provide, operate, and improve the Service
- Generate AI-assisted risk analysis you explicitly request
- Authenticate you and secure your account (lockouts, session revocation, audit logging)
- Send transactional emails — password resets, account invitations, and demo-request notifications
- Respond to demo requests and support inquiries
- Comply with legal obligations
We do not sell your data. We do not use your risk or business data to train AI models, and we do not share it with advertisers or data brokers.
Each customer organization's data is stored in a dedicated, isolated database — not commingled in shared tables. Access to your organization's database is bound to your organization's authenticated sessions at the data-routing layer.
All data is encrypted in transit using TLS (HTTPS). Access within our team is restricted to authorized personnel for support and operations purposes, and every administrative access is recorded in an audit log.
4. AI Processing
When you use AI-assisted features (risk scoring, bow-tie generation, scenario analysis, document extraction, etc.), the relevant content is transmitted to third-party large language model providers to generate the requested output. We send only what is needed for the specific analysis you request.
AI outputs are advisory and may contain errors — see our Terms of Service for the full disclaimer on AI limitations and professional advice.
5. Third-Party Service Providers
We use a small number of vetted processors to operate the Service:
- Cloud hosting & database infrastructure — application and data hosting
- AI model providers — processing for AI-assisted features you invoke
- Email delivery (Resend) — transactional emails such as password resets and invitations
- Public data sources (e.g., USGS, NOAA) — external risk intelligence; no customer data is sent to these sources
Each provider processes data only on our instructions and only to the extent needed to provide their service.
You may, at any time:
- Access & export — tenant administrators can export their organization's complete dataset on demand
- Correct — update account and business data directly in the product
- Delete — request permanent deletion of your organization's database ("right to be forgotten"); this is built into the product, not a support-ticket process
- Object or restrict — contact us to object to or restrict specific processing
We honor these rights in accordance with applicable laws, including GDPR and CCPA where they apply.
7. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. When a tenant is deleted or a purge is requested, the organization's database is permanently removed. Security and audit records may be retained for a limited period as required for fraud prevention and legal compliance. Login-attempt counters and expired reset tokens are purged automatically.
8. Cookies & Local Storage
We do not use advertising or tracking cookies. The application stores authentication tokens in your browser's local storage strictly to keep you signed in. Clearing your browser storage signs you out.
9. Children's Privacy
The Service is a business-to-business platform and is not directed to individuals under 18. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service, and the effective date above will be revised. Continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us
For privacy questions, data-rights requests, or concerns, contact us at:
privacy@fractionalrisk.ai
