RiskPrep

Privacy Policy

Effective date: March 20, 2026

1. What We Collect

When you create an account or use RiskPrep, we collect:

  • Account information — email address and hashed password (managed by Supabase Auth).
  • Organization data — a randomly generated codename (not your real company name), subscription tier, selected frameworks, and team member email addresses.
  • Plan content — answers you provide in wizard questionnaires and scoping forms. We encourage you to use generic placeholders rather than real company-specific details.
  • Usage data — page views, feature usage, and error logs collected via Sentry for debugging purposes.
  • Payment information — processed entirely by Stripe. We do not store credit card numbers.

2. How We Use Your Data

  • To provide and improve the RiskPrep service.
  • To generate compliance plans, assessments, and recommendations tailored to your inputs.
  • To send transactional emails (account confirmation, team invitations) via SendGrid.
  • To process payments and manage subscriptions via Stripe.
  • To monitor application health and fix errors via Sentry.

3. Data Storage & Security

Your data is stored in a Supabase-managed PostgreSQL database with row-level security (RLS) enforced on all tables. All data is encrypted in transit (TLS) and at rest. Sessions are time-boxed and expire after periods of inactivity.

We apply security headers including Content Security Policy (CSP), HSTS, and X-Frame-Options on all pages. API routes are protected by rate limiting and origin verification.

4. Third-Party Services

  • Supabase — authentication, database, and storage.
  • Stripe — payment processing and subscription management.
  • SendGrid — transactional email delivery.
  • Sentry — error monitoring and performance tracking.
  • hCaptcha — bot protection on login and registration forms.
  • Vercel — application hosting and deployment.

Each third-party service processes only the data necessary for its function. We do not sell your data to any third party.

5. Cookies

We use cookies for authentication session management (Supabase auth tokens). These are essential cookies required for the application to function. We do not use advertising or tracking cookies.

hCaptcha may set its own cookies to distinguish humans from bots.

6. Your Rights

You may:

  • Access your data at any time through the application.
  • Export your plans in PDF or DOCX format (Pro and Team tiers).
  • Request deletion of your account and all associated data by contacting us.
  • Withdraw consent for non-essential data processing at any time.

7. Data Retention

We retain your data for as long as your account is active. If you delete your account, we remove your personal data within 30 days. Anonymized usage statistics may be retained for service improvement.

8. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered users. Continued use of the service after changes constitutes acceptance.

9. Contact

For privacy-related questions or data deletion requests, contact us at privacy@riskprep.com.