Privacy Policy

How we collect, use, and protect your personal information. Last updated: December 2024.

The short version

We collect only what we need to provide our service. We never sell your data or use it to train AI. Your compliance documentation stays yours—we're just the platform that helps you manage it. You can export or delete your data anytime.

Information we collect

We collect information you provide directly:

  • Account information: Name, email address, company name, and billing information when you create an account.
  • Organization data: Security policies, compliance documentation, questionnaire responses, and other content you create or upload to the platform.
  • Communications: Messages you send to our support team, feedback you provide, and survey responses.

We also collect information automatically:

  • Usage data: How you interact with our platform, features you use, and actions you take.
  • Device information: Browser type, operating system, IP address, and device identifiers.
  • Cookies: We use essential cookies for authentication and preferences. See our cookie section below.

How we use your information

We use your information to:

  • Provide our services: Generate policies, run gap analyses, answer questionnaires, and deliver the core vCISO Lite functionality.
  • Improve the platform: Understand usage patterns, identify bugs, and develop new features. We analyze aggregate, anonymized data—never individual customer content.
  • Communicate with you: Send service updates, security alerts, billing notices, and respond to support requests.
  • Ensure security: Detect fraud, prevent abuse, and protect the platform and our users.

What we never do:

  • Sell your data to third parties
  • Use your content to train AI models
  • Share your compliance documentation without your explicit consent
  • Access your data except when necessary to provide support you've requested

AI and your data

Our platform uses AI to power features like policy generation and questionnaire responses. Here's how we handle your data:

  • Burn after reading: When you use AI features, your data is sent to our AI providers (see our Responsible AI page for details), processed, and immediately discarded. It is not stored, logged, or used for training.
  • No model training: Your content is never used to train AI models—ours or anyone else's. We have data processing agreements with all AI providers that explicitly prohibit training on customer data.
  • Isolated processing: Each AI request is processed in isolation. Your data is not combined with other customers' data or retained between sessions.

For complete details on our AI practices, see our Responsible AI page.

When we share information

We share information only in these limited circumstances:

  • Service providers: We work with trusted providers for hosting (AWS), payment processing (Stripe), and email (SendGrid). All providers are contractually bound to protect your data and are SOC 2 certified.
  • AI providers: As described above, with strict data handling requirements.
  • Legal requirements: We may disclose information if required by law, subpoena, or court order. We will notify you unless legally prohibited.
  • Business transfers: If vCISO Lite is acquired or merges with another company, your information may be transferred. We will notify you before any such transfer.
  • With your consent: We may share information when you explicitly ask us to, such as generating audit packs for your auditors.

Data retention

  • Active accounts: We retain your data for as long as your account is active and you're using our services.
  • After cancellation: When you cancel, we retain your data for 30 days in case you change your mind. After that, we delete it from our production systems within 90 days.
  • Backups: Data may persist in encrypted backups for up to 12 months for disaster recovery purposes.
  • Legal holds: We may retain data longer if required by law or to resolve disputes.
  • Export your data: You can export all your data at any time from your account settings. We provide it in standard formats (PDF, JSON) so you can take it with you.

Your rights

Depending on your location, you have rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Update or correct inaccurate information.
  • Deletion: Request deletion of your personal data (subject to legal retention requirements).
  • Portability: Export your data in a machine-readable format.
  • Objection: Object to certain processing of your data.
  • Restriction: Request that we limit how we use your data.

To exercise these rights, contact privacy@vciso.lite or use the tools in your account settings. We respond to all requests within 30 days.

International transfers

vCISO Lite is based in the United States, and your data is processed and stored in the US.

  • EU/UK users: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers of personal data from the EU/UK to the US.
  • Data localization: Enterprise customers can request data residency in specific regions. Contact sales for details.
  • Adequacy: We continuously monitor regulatory developments and update our practices to maintain compliance with international data protection laws.

Cookies

We use cookies to make our platform work:

  • Essential cookies: Required for authentication, security, and core functionality. You cannot opt out of these.
  • Analytics cookies: Help us understand how you use the platform. These are anonymized and don't track you across other sites. You can opt out in your account settings.

We don't use:

  • Advertising cookies
  • Third-party tracking cookies
  • Social media cookies

Our platform works with cookies disabled, though some features like staying logged in require them.

Contact us

For privacy-related questions or to exercise your rights:

  • Email: privacy@vciso.lite
  • Mail: vCISO Lite Privacy Team, 123 Security Way, San Francisco, CA 94105
  • Data Protection Officer: dpo@vciso.lite

We take privacy seriously and respond to all inquiries within 30 days.