Pending legal review. Not yet binding.
This document is a working draft. Bracketed notes mark decisions that require counsel. Do not rely on it as a binding legal agreement until it has been reviewed and published.
Last updated: [DATE — set at publication]. Applies to [LEGAL ENTITY NAME] ("GRC Oversight", "we"), operator of grcoversight.com and the GRC Oversight platform.
We collect information you provide directly, information generated by your use of the platform, and limited technical data:
To provide, secure, and improve the service: operating your workspace, running scans you request, authenticating users, maintaining audit logs, providing support, billing, and meeting legal obligations. [Confirm whether any usage is for product analytics or marketing, and the legal basis where required.]
We do not sell personal data. We share data only with sub-processors that help us run the service (e.g. hosting, email delivery) and where required by law. [Maintain and link a current sub-processor list before launch.]
We retain customer content for the life of your account and for [RETENTION PERIOD — to be set] afterward, then delete or anonymize it. Backups and audit logs may persist for [BACKUP/AUDIT RETENTION — to be set]. [Confirm concrete periods with counsel.]
We apply tenant isolation, encryption of sensitive credentials at rest, and audit logging. See our security overview for current details.
Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. [Enumerate jurisdiction-specific rights (e.g. GDPR/CCPA) and the request process with counsel.] To make a request, contact us.
[Specify where data is hosted and the transfer mechanism, if any, once hosting region and legal entity are finalized.]
We will post material changes here and update the date above. Questions about this policy: contact us.