Privacy Policy
Effective: April 29, 2026
Last updated: April 29, 2026
Alerterra LLC (“Alerterra”, “we”, “us”, or “our”) operates the website at alerterra.com and provides two products: RegSeal (AI compliance attestation, available at regseal.ai) and SettleGrid (AI payment settlement, available at settlegrid.ai). This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you visit our websites, create an account, or use our services (collectively, the “Services”).
This Policy applies to information about identifiable individuals. It does not apply to data our customers process through the Services on behalf of their own end users — that data is governed by our Data Processing Addendum and our customers' own privacy practices.
1. Information We Collect
We collect personal information in three ways.
Information you provide
- Account data: name, email address, password (hashed), organization name, job title, and profile preferences.
- Billing data: billing address, tax identifiers, and the last four digits and expiration of payment cards. Full payment card numbers are collected and processed directly by Stripe and are never stored on our servers.
- Service content: AI system descriptions, compliance assessment responses, MCP tool configurations, and other content you submit while using RegSeal or SettleGrid.
- Communications: messages you send to support, sales, or our team, and newsletter sign-ups.
Information collected automatically
- Usage and device data: IP address, browser type and version, operating system, referring URL, pages viewed, features used, timestamps, and crash diagnostics.
- Cookies and similar technologies: strictly necessary cookies for authentication and security, plus optional cookies described in our Cookie Policy.
- Telemetry: anonymized error reports and performance metrics, used solely to detect faults and improve reliability.
Information from third parties
- Identity providers: basic profile information from any single sign-on provider you choose to use, scoped to what you authorize.
- Payment processor: Stripe shares limited information with us about your transactions (success, failure, chargebacks, last four digits of the card). Stripe may also conduct identity verification when required and notify us of the outcome.
2. How We Use Personal Information
We use personal information to:
- Provide, operate, and maintain the Services and your account.
- Process payments, prevent fraud, comply with anti-money-laundering and tax obligations, and recover unpaid balances.
- Communicate with you about your account, security alerts, billing, product updates, and (with separate consent) marketing.
- Monitor usage to detect abuse, debug errors, and improve performance, reliability, and security.
- Develop and improve features, including by analyzing aggregated and de-identified usage patterns.
- Comply with legal obligations and enforce our Terms of Service.
We do not sell personal information for monetary consideration. We do not use customer content (assessment data, AI system metadata, or settlement events) to train our own AI models without explicit, separate written consent from the customer.
3. Legal Bases (EEA, UK, and Switzerland)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR or UK GDPR:
- Contract (Art. 6(1)(b)): to deliver the Services you have signed up for and to perform our obligations to you.
- Legitimate interests (Art. 6(1)(f)): to operate, secure, and improve the Services, prevent fraud, and conduct direct B2B outreach where balanced against your rights.
- Legal obligation (Art. 6(1)(c)): to retain financial records, respond to lawful requests, and meet regulatory requirements.
- Consent (Art. 6(1)(a)): for non-essential cookies and any optional marketing communications. You may withdraw consent at any time.
4. How We Share Personal Information
We share personal information only as described below.
- Service providers and subprocessors. We share information with vendors that help us run the Services under written agreements that restrict their use to providing those services. See the subprocessor list in Section 5.
- Stripe. Payments are processed by Stripe, Inc. We share with Stripe the information needed to charge you and to comply with payment-network and anti-fraud rules. Stripe processes that information as an independent controller under its own privacy policy at stripe.com/privacy, and may further share that data with its own service providers and affiliates. If you use Stripe identity verification, you may be required to share government-issued identification and biometric information directly with Stripe.
- Affiliates. We may share information with our corporate affiliates, who use it consistent with this Policy.
- Legal and safety. We may disclose information when required by law, subpoena, or court order; to protect our rights, property, or safety, or that of our users or the public; and to investigate suspected fraud or violations of our terms.
- Business transfers. If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected users where required by law.
- With your direction. We share information with third parties when you instruct us to (for example, by enabling an integration).
5. Subprocessors
We engage the following subprocessors to deliver the Services. Each is bound by a written agreement requiring confidentiality and appropriate safeguards.
| Subprocessor | Purpose | Region |
|---|---|---|
| Stripe, Inc. | Payment processing, billing, subscription management, fraud prevention, and (when triggered) identity verification | United States |
| Vercel Inc. | Web application hosting, serverless function execution, and edge content delivery | United States (with global edge nodes) |
| Supabase, Inc. | Authentication, managed PostgreSQL, transactional email (auth flows), and session storage | United States |
| PostHog, Inc. | Product analytics, feature usage measurement, and session telemetry (only when you have opted in to optional analytics cookies) | United States |
| Functional Software, Inc. (d/b/a Sentry) | Application error monitoring and performance telemetry | United States |
RegSeal and SettleGrid may engage additional product-specific subprocessors (for example, AI inference providers used for assessment scoring or observability vendors). The current consolidated list is available on request. We provide reasonable advance notice of material subprocessor changes to customers under a signed Data Processing Addendum. To request the current list or to subscribe to change notifications, email privacy@alerterra.com.
6. Cookies and Tracking Technologies
We use a small number of strictly necessary cookies to authenticate users and maintain session security. We use optional analytics and preference cookies only after you opt in. You can manage your choices through our cookie banner or your browser settings. For details, see our Cookie Policy. Stripe sets its own cookies on pages where its scripts run; those are governed by Stripe's privacy policy.
7. International Data Transfers
Alerterra is headquartered in the United States and our primary infrastructure is located there. When we transfer personal information from the EEA, the United Kingdom, or Switzerland to the United States or to other countries that have not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), and we apply supplementary technical and organizational measures. A copy of the applicable transfer mechanism is available on request.
8. Data Retention
We retain personal information only as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Indicative retention periods:
- Account data: for the life of the account, plus up to 90 days after deletion.
- Billing and tax records: at least 7 years, as required by law.
- Security and audit logs: up to 18 months in identifiable form.
- Aggregated or de-identified analytics: indefinitely, where it cannot be re-associated with an individual.
9. Security
We protect personal information using AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, audit logging, and SOC 2-aligned operational controls. No system is perfectly secure, but we work to limit risk and to notify affected customers of confirmed incidents promptly. For detail on our practices, see Security.
10. Your Privacy Rights
Depending on where you live, you may have rights to access, correct, delete, port, restrict, or object to our processing of your personal information, and to opt out of certain uses. We honor these rights regardless of jurisdiction to the extent practical.
EEA, UK, and Switzerland (GDPR)
You have the right to access your data, request correction or erasure, restrict or object to processing, withdraw consent, and lodge a complaint with your supervisory authority. For decisions made solely by automated means with significant effects, you have the right to human review.
California (CCPA / CPRA)
California residents have the right to know what categories of personal information we collect and disclose, to access and receive a copy, to delete or correct it, to opt out of any “sale” or “sharing” for cross-context behavioral advertising, to limit our use of sensitive personal information, and to be free from retaliation for exercising these rights. As of this Policy's effective date, Alerterra does not sell personal information for monetary or other valuable consideration and does not share personal information for cross-context behavioral advertising.
Categories of personal information we collect (Cal. Civ. Code § 1798.140(v))
- A. Identifiers — name, email, postal address, IP address, account identifiers.
- B. Customer records (Cal. Civ. Code § 1798.80(e)) — billing address, partial payment-card identifiers (last four, expiration), and tax identifiers.
- D. Commercial information — subscription tier, transaction history, and product usage records.
- F. Internet/network activity — pages viewed, features used, referring URLs, session timestamps, and crash diagnostics.
- G. Geolocation — approximate location inferred from IP address. We do not collect precise geolocation.
- I. Professional or employment-related information — organization name and job title.
- K. Inferences — limited inferences drawn from product usage to improve features (e.g., preferred workflows). We do not build consumer profiles for advertising or ranking.
We do not collect Categories C (protected classifications), E (biometric data), H (sensory/audio recordings), J (educational records), or L (sensitive personal information) directly. If you opt to use Stripe's identity verification, you may submit Category E and Category L information directly to Stripe; that data is processed by Stripe under Stripe's privacy policy. We do not knowingly use or disclose any sensitive personal information beyond the limited business purposes permitted by Cal. Code Regs. tit. 11, § 7027 (security incident detection, fraud prevention, debugging, performing services reasonably expected by an average consumer, and short-term transient use).
Sources of personal information
Directly from you (when you create an account or use the Services), automatically as you interact with the Services (server logs, cookies), and from third parties you direct to provide it (single sign-on providers, Stripe transaction outcomes).
Business and commercial purposes for processing
- Performing the Services and managing accounts (the contract you signed up for).
- Processing payments and complying with billing, tax, and anti-fraud obligations.
- Auditing related to interactions with consumers, including ad-impression measurement (we do not run ad networks; this is internal usage measurement only).
- Detecting security incidents, protecting against malicious or illegal activity, and investigating violations of our Terms.
- Debugging to identify and repair errors that impair existing functionality.
- Internal research for technological development and demonstration.
- Quality and safety verification of the Services.
Categories of third parties to whom we disclose personal information
Payment processors; cloud infrastructure and hosting providers; database and authentication providers; product analytics and observability providers; professional advisors (auditors, lawyers); and government, regulatory, or law enforcement bodies when legally required. Specific vendors are listed in Section 5 (Subprocessors).
Automated Decision-Making Technology (ADMT)
California's ADMT regulations took effect on January 1, 2026, with business-facing compliance obligations for ADMT used in significant decisions beginning January 1, 2027. We use automated processing for limited purposes: compliance assessment scoring (RegSeal), fraud screening (SettleGrid), and rate-limit enforcement. None of these results in legal or similarly significant effects on consumers without human review. When ADMT obligations become enforceable for our use cases, we will provide pre-use notices, honor access and opt-out requests, and supply meaningful information about logic and likely outcomes as the regulations require.
“Do Not Sell or Share” / “Limit the Use of Sensitive PI”
Because we do not sell personal information, do not share it for cross-context behavioral advertising, and do not use sensitive personal information beyond the permitted business purposes referenced above, no separate “Do Not Sell or Share My Personal Information” or “Limit the Use of My Sensitive Personal Information” link is required. If our practices change, we will publish the required links on this page and on every page where personal information is collected.
Global Privacy Control and Do Not Track
We honor browser-level opt-out signals, including Global Privacy Control (GPC), to the extent they apply to our processing. Because we do not engage in “sale” or “sharing” subject to opt-out, GPC and Do Not Track signals primarily affect optional analytics cookies on our websites; we will not set non-essential cookies in browsers transmitting an opt-out signal.
Other U.S. states
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, Kentucky, and other states with comprehensive privacy laws have similar rights. We honor verifiable requests submitted from these states.
How to exercise your rights
Email privacy@alerterra.com with your request and the email address associated with your account. We will verify your identity (and any authorized agent's authority) and respond within the statutory deadline — generally 45 days, extendable once by 45 days where permitted. There is no charge for a reasonable request, and we will not retaliate for the exercise of any privacy right.
11. Children's Privacy
The Services are intended for businesses and adult professionals. We do not knowingly collect personal information from children under 13 in the United States (consistent with the Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq.) or under 16 in the European Economic Area or the United Kingdom (consistent with Article 8 of the GDPR and UK GDPR).
If you believe a child has provided us personal information, contact privacy@alerterra.com and we will delete it.
12. Third-Party Links and Integrations
The Services may link to or integrate with third-party websites and APIs we don't operate. Their privacy practices are governed by their own policies. We encourage you to review them.
13. Changes to This Policy
We may update this Policy from time to time. When we do, we will revise the “Last updated” date above and, for material changes, give reasonable advance notice via email or in-product notice before the changes take effect.
14. Contact Us
Questions, requests, or complaints about this Policy or our privacy practices?
- Email: privacy@alerterra.com
- Postal: Alerterra LLC, Attn: Privacy, 2810 N Church St #481712, Wilmington, DE 19802, USA
- EEA / UK representative: we will designate Article 27 (GDPR) and UK GDPR representatives if and when our processing meets the threshold for that requirement. In the meantime, EEA and UK data subjects can route requests through privacy@alerterra.com.
If you are unable to resolve a concern through us, you have the right to contact your local data protection authority.