Privacy Policy

Effective Date: January 1, 2025

1. Introduction

RapidAudit AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our third-party risk management platform and services.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, company name, job title, phone number
  • Vendor Data: Vendor contact information, risk assessments, audit reports, certifications
  • Payment Information: Billing address, payment method details (processed by third-party payment processors)
  • Communications: Messages, support requests, feedback you send to us

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent, click patterns
  • Device Information: IP address, browser type, operating system, device identifiers
  • Cookies and Tracking: Session cookies, analytics cookies, preference cookies

2.3 Information from Third Parties

  • Vendor Intelligence: Publicly available risk data, cyber threat intelligence, financial information
  • Authentication Providers: SSO providers (Okta, Azure AD, Google Workspace)

3. How We Use Your Information

  • Service Delivery: Provide risk assessments, continuous monitoring, compliance reporting
  • Platform Improvement: Analyze usage patterns, develop new features, improve AI models
  • Communication: Send service updates, security alerts, marketing communications (with consent)
  • Security: Detect and prevent fraud, unauthorized access, security incidents
  • Legal Compliance: Comply with legal obligations, respond to lawful requests

4. Data Sharing and Disclosure

4.1 We Share Information With:

  • Service Providers: Cloud infrastructure (AWS), analytics (Google Analytics), support tools (Zendesk)
  • Business Partners: Integration partners with your explicit consent
  • Legal Requirements: Law enforcement, regulators when legally required
  • Business Transfers: In connection with merger, acquisition, or sale of assets

4.2 We Do Not:

  • Sell your personal information to third parties
  • Share vendor assessment data with competitors
  • Use your data to train AI models for other customers without consent

5. Data Security

We implement enterprise-grade security measures:

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Controls: Role-based access, multi-factor authentication, least privilege principle
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Compliance: SOC 2 Type II certified, ISO 27001 aligned
  • Monitoring: 24/7 security monitoring, automated threat detection
  • Incident Response: Documented procedures, notification within 72 hours

6. Data Retention

  • Active Accounts: Data retained for duration of service plus 90 days
  • Closed Accounts: Personal data deleted within 30 days (except legal requirements)
  • Vendor Assessments: Retained per customer retention policies, typically 3-7 years
  • Logs: Security logs retained 13 months, audit logs 7 years

7. Your Privacy Rights

7.1 All Users

  • Access: Request copy of your personal information
  • Correction: Update inaccurate information
  • Deletion: Request deletion of your data
  • Portability: Receive data in machine-readable format
  • Opt-Out: Unsubscribe from marketing communications

7.2 GDPR Rights (EU Residents)

  • Right to Object: Object to processing based on legitimate interests
  • Restriction: Restrict processing in certain circumstances
  • Automated Decisions: Opt-out of automated decision-making
  • Supervisory Authority: Lodge complaints with EU data protection authorities

7.3 CCPA Rights (California Residents)

  • Know: Categories of information collected, purposes, third parties shared with
  • Delete: Request deletion (with exceptions)
  • Opt-Out: Opt-out of "sale" (we don't sell personal information)
  • Non-Discrimination: Equal service regardless of privacy choices

8. International Data Transfers

We are based in the United States. If you access our services from outside the US, your information may be transferred to, stored, and processed in the US. We use Standard Contractual Clauses approved by the European Commission for EU data transfers.

9. Children's Privacy

Our services are not directed to individuals under 18. We do not knowingly collect information from children. If you believe we have collected information from a child, contact us immediately.

10. Cookies and Tracking

We use cookies for authentication, preferences, analytics, and security. You can control cookies through browser settings. See our Cookie Policy for details.

11. Changes to Privacy Policy

We may update this policy periodically. Material changes will be notified via email and platform notifications 30 days before effective date. Continued use after changes constitutes acceptance.

12. Contact Us

For privacy inquiries, requests, or complaints:

  • Email: privacy@rapidaudit.org
  • Mail: RapidAudit AI, Attn: Privacy Officer, 100 California Street, Suite 1500, San Francisco, CA 94111
  • Response Time: We respond to requests within 30 days

Data Protection Officer (EU): dpo@rapidaudit.org