Privacy Policy

Effective Date: June 12, 2026

Template — legal review required. This document is a working draft written to the standard SaaS shape and must be reviewed and adapted by qualified counsel in your jurisdiction before it is executed with a customer, published as binding, or relied upon in a dispute. Placeholders shown in [[SQUARE_BRACKETS]] must be replaced before launch.Current effective date shown on this page: June 12, 2026

The Short Version

You own your data. We store each organization's data in its own isolated database, use it only to provide the Service, never sell it, and delete it permanently when you ask us to. Details below.

1. Information We Collect

Account information: name, work email address, password (stored only as a salted bcrypt hash — we cannot read your password), organization, and role.

Risk and business data you provide: risk registers, controls, KRIs, loss runs, insurance policies, claims, captive financials, documents you upload, and survey responses. This is your content — you control it.

Demo and contact requests: name, email, company, phone, and message submitted through our marketing site forms.

Usage and security data: login timestamps, IP addresses, browser/OS family, and security events (failed logins, password resets, role changes). We collect these to protect your account, not to profile you.

2. How We Use Your Information

We use your information solely to:

  • Provide, operate, and improve the Service
  • Generate AI-assisted risk analysis you explicitly request
  • Authenticate you and secure your account (lockouts, session revocation, audit logging)
  • Send transactional emails — password resets, account invitations, and demo-request notifications
  • Respond to demo requests and support inquiries
  • Comply with legal obligations

We do not sell your data. We do not use your risk or business data to train AI models, and we do not share it with advertisers or data brokers.

3. Data Isolation & Storage

Each customer organization's data is stored in a dedicated, isolated database — not commingled in shared tables. Access to your organization's database is bound to your organization's authenticated sessions at the data-routing layer.

All data is encrypted in transit using TLS (HTTPS). Access within our team is restricted to authorized personnel for support and operations purposes, and every administrative access is recorded in an audit log.

4. AI Processing

When you use AI-assisted features (risk scoring, bow-tie generation, scenario analysis, document extraction, etc.), the relevant content is transmitted to third-party large language model providers to generate the requested output. We send only what is needed for the specific analysis you request.

AI outputs are advisory and may contain errors — see our Terms of Service for the full disclaimer on AI limitations and professional advice.

5. Third-Party Service Providers

We use a small number of vetted processors to operate the Service:

  • Cloud hosting & database infrastructure — application and data hosting
  • AI model providers — processing for AI-assisted features you invoke
  • Email delivery (Resend) — transactional emails such as password resets and invitations
  • Public data sources (e.g., USGS, NOAA) — external risk intelligence; no customer data is sent to these sources

Each provider processes data only on our instructions and only to the extent needed to provide their service.

6. Your Rights — Access, Export, Deletion

You may, at any time:

  • Access & export — tenant administrators can export their organization's complete dataset on demand
  • Correct — update account and business data directly in the product
  • Delete — request permanent deletion of your organization's database ("right to be forgotten"); this is built into the product, not a support-ticket process
  • Object or restrict — contact us to object to or restrict specific processing

We honor these rights in accordance with applicable laws, including GDPR and CCPA where they apply.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. When a tenant is deleted or a purge is requested, the organization's database is permanently removed. Security and audit records may be retained for a limited period as required for fraud prevention and legal compliance. Login-attempt counters and expired reset tokens are purged automatically.

8. Cookies & Local Storage

We do not use advertising or tracking cookies. The application stores authentication tokens in your browser's local storage strictly to keep you signed in. Clearing your browser storage signs you out.

9. Children's Privacy

The Service is a business-to-business platform and is not directed to individuals under 18. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service, and the effective date above will be revised. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

For privacy questions, data-rights requests, or concerns, contact us at:

privacy@fractionalrisk.ai