Privacy Policy

Last updated: February 26, 2026

This Privacy Policy describes how phraCTO LLC (“Company,” “we,” “us,” or “our”), operating as CMMC for Microsoft 365, collects, uses, and protects your information when you use our website and services (collectively, the “Services”). By using the Services, you agree to the collection and use of information in accordance with this policy. If you have questions or concerns, please contact us at support@cmmcm365.us.

1. What Information Do We Collect?

Personal information you provide to us:

  • Email address — provided during purchase. Used for account creation, login, and account-related communication.
  • Payment information — processed entirely by Stripe (PCI DSS Level 1 compliant). We do not receive, store, or have access to your credit card number. You are redirected to Stripe's hosted checkout page, so card data never enters our systems.

Information automatically collected:

  • Usage data — compliance progress (Met/Not Met/NA status per objective). This data is stored solely to provide product functionality.
  • Access logs — pages viewed, timestamps, and IP addresses. Used for intellectual property protection, abuse prevention, and service reliability.
  • Analytics data — we use Google Analytics (GA4) to collect anonymized usage data such as pages visited, session duration, approximate geographic location (city/country level), device type, browser type, and referral source. Google Analytics uses cookies to distinguish unique users. This data is aggregated and does not personally identify you.

Sensitive information: We do not process sensitive personal information.

All personal information you provide must be true, complete, and accurate. You must notify us of any changes to your personal information.

2. What Information Do We Not Collect?

We do not collect your name, company name, phone number, mailing address, biometric data, geolocation data, protected classifications, or any information beyond what is listed in Section 1.

3. How Do We Process Your Information?

We process your personal information to:

  • Create and maintain your account.
  • Process your purchase.
  • Provide the product, including storing your compliance progress.
  • Monitor for unauthorized access, scraping, or content redistribution.
  • Communicate about your account (password resets and critical service updates only — we do not send marketing emails).
  • Protect the security and integrity of the Services.
  • Comply with legal obligations.

4. What Legal Bases Do We Rely On?

We process your information based on the following legal grounds:

  • Performance of a contract — processing is necessary to fulfill our obligations under the Terms of Service, including providing access to the product you purchased.
  • Legitimate interests — processing is necessary for security, fraud prevention, intellectual property protection, and service improvement, where those interests are not overridden by your rights.
  • Legal obligations — processing is necessary to comply with applicable law.
  • Consent — where required by law, we rely on your consent, which you may withdraw at any time by contacting us.

5. When and With Whom Do We Share Your Information?

We do not sell, rent, or share your personal information with third parties for marketing or any other purpose. Information is shared only with the following service providers, solely to operate the Services:

  • AWS Cognito — account authentication and credential management.
  • Stripe — payment processing. Stripe's privacy policy is available at stripe.com/privacy.
  • Amazon Web Services — application hosting and data storage.
  • Google Analytics (GA4) — anonymized website usage analytics. Google's privacy policy is available at policies.google.com/privacy. You may opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

We may also share your information in the following situations:

  • Business transfers — in connection with a merger, sale of company assets, financing, or acquisition of all or a portion of our business, your information may be transferred to the acquiring entity.
  • Legal requirements — if required to do so by law, regulation, or valid legal process (e.g., subpoena, court order).
  • Protection of rights — to protect and defend the rights, property, or safety of phraCTO LLC, our users, or the public.

We have not disclosed, sold, or shared any personal information to third parties for targeted advertising or marketing purposes in the preceding twelve (12) months.

6. Do We Use Cookies and Other Tracking Technologies?

We use essential cookies required for authentication and session management. We also use Google Analytics (GA4), which sets cookies to collect anonymized usage data (pages visited, session duration, device type, referral source). Google Analytics data is aggregated and is not used to personally identify you. We do not use advertising cookies, web beacons, or pixels. We do not engage in behavioral advertising or cross-site tracking.

You may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

7. How Long Do We Keep Your Information?

We retain your personal information only as long as necessary for the purposes set out in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:

  • Account data and compliance progress — retained for the duration of your active access term.
  • Access logs — retained for up to 12 months.
  • Payment transaction records — retained as required by tax and accounting regulations.

When we have no ongoing legitimate business need to process your information, we will either delete or anonymize it. If deletion is not immediately possible (for example, because your information has been stored in backup archives), we will securely store your information and isolate it from further processing until deletion is possible.

8. How Do We Keep Your Information Safe?

We implement appropriate and reasonable technical and organizational security measures to protect your personal information. Your data is encrypted in transit (TLS) and at rest. Authentication is managed through AWS Cognito. Payment data is handled entirely by Stripe (PCI DSS Level 1 compliant) via a hosted checkout page and never touches our systems.

However, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

9. Do We Collect Information From Minors?

We do not knowingly collect data from or market to individuals under 18 years of age. By using the Services, you represent that you are at least 18 years old. If we learn that we have collected personal information from a person under 18, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we have collected from a person under 18, please contact us at support@cmmcm365.us.

10. What Are Your Privacy Rights?

You have the following rights regarding your personal information:

  • Right to access — request a copy of the personal information we hold about you.
  • Right to correction — request that we correct inaccurate or incomplete personal information.
  • Right to deletion — request that we delete your personal information, subject to certain legal exceptions.
  • Right to withdraw consent — where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to non-discrimination — we will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, contact us at support@cmmcm365.us. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

You may also designate an authorized agent to make a request on your behalf. The authorized agent must provide sufficient proof of authorization.

11. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems include a Do-Not-Track (“DNT”) feature you can activate to signal your privacy preference. Because no uniform technology standard for recognizing and implementing DNT signals has been finalized, we do not currently respond to DNT browser signals. If a standard for online tracking is adopted that we must follow in the future, we will update this policy accordingly.

12. Do United States Residents Have Specific Privacy Rights?

If you are a resident of California, Colorado, Connecticut, Virginia, or another U.S. state with applicable privacy legislation, you may have additional rights under state law, including:

  • The right to know whether we are processing your personal information.
  • The right to access your personal information.
  • The right to correct inaccuracies in your personal information.
  • The right to request deletion of your personal information.
  • The right to opt out of the sale of personal information or targeted advertising.
  • The right to non-discrimination for exercising your rights.

We do not sell personal information. We do not share personal information for targeted advertising. We do not process personal information for profiling in furtherance of decisions that produce legal or similarly significant effects.

To exercise any of these rights, email us at support@cmmcm365.us. If your request is denied, you may appeal by emailing us with a written explanation. We will respond to appeals within the timeframe required by applicable law.

California “Shine The Light” Law: California Civil Code Section 1798.83 permits California residents to request information regarding the disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for direct marketing purposes.

13. Do We Make Updates to This Policy?

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. Material changes will be communicated via the email address associated with your account. The “Last updated” date at the top of this policy indicates when it was most recently revised. We encourage you to review this policy periodically.

14. How Can You Contact Us About This Policy?

If you have questions or comments about this policy, you may email us at support@cmmcm365.us or contact us by mail at:

phraCTO LLC
7000 Central Parkway, Suite 1100
Atlanta, GA 30328
United States

15. How Can You Review, Update, or Delete Your Data?

You have the right to request access to the personal information we collect from you, to change that information, or to delete it. To request to review, update, or delete your personal information, please email us at support@cmmcm365.us. We will respond to your request within 30 days.
