GRCWatch Privacy Policy
Effective date: July 6, 2026 Last updated: July 6, 2026
GRCWatch LLC ("GRCWatch," "we," "us," or "our") provides an AI-native governance, risk, and compliance platform at grcwatch.io and its associated application (together, the "Service"). This Privacy Policy explains what personal information we collect, how we use it, and the choices you have.
This policy applies to visitors to our website, customers and their authorized users, and individuals who complete a vendor security questionnaire through our platform on behalf of one of our customers.
1. Information We Collect
Account and profile information. When you or your organization sign up, we collect name, work email, and authentication credentials, handled through our authentication provider.
Billing information. Payment is processed by Stripe. We do not store your full payment card details on our servers — Stripe handles that directly. We retain billing contact information, subscription status, and transaction history necessary to administer your account.
Compliance and product data. To provide the Service, we process the information your organization inputs or connects, including details about your security stack, policies, evidence, risk register entries, and control assessments across the compliance frameworks you select.
Vendor questionnaire respondent information. If your organization sends a vendor security questionnaire through GRCWatch, the vendor contact who completes it will provide their name, email, and questionnaire responses through a secure, single-use link. We process this information as directed by our customer (your organization), not on our own behalf. See Section 7 below.
AI processing data. GRCWatch uses AI (including models from Anthropic) to generate compliance guidance, gap analyses, and content based on your organization's inputs. We do not retain a persistent snapshot of the underlying inputs used for each AI request beyond what's needed to generate and display the result. See Section 3.
Website and usage data. Like most websites, we collect standard technical information when you visit grcwatch.io or use the Service — IP address, browser type, and pages viewed. We may also use analytics tools to understand how the Service is used; where we do, we describe those providers in Section 4.
Communications. If you contact us, or if we send you transactional or account-related emails (via Resend), we retain that correspondence.
2. How We Use Information
We use the information above to:
- Provide, operate, and maintain the Service
- Generate AI-assisted compliance guidance, gap analyses, and framework-mapped content specific to your organization
- Process payments and manage subscriptions
- Send transactional emails (account notices, questionnaire invitations, billing receipts)
- Provide customer support
- Maintain the security and integrity of the Service, including tenant data isolation
- Improve the Service over time
- Comply with legal obligations
We do not sell your personal information, and we do not use your compliance or product data to train AI models outside the context of providing the Service to you.
3. AI and Automated Processing
GRCWatch uses AI models (including Anthropic's Claude) to power features like gap analysis narratives, control mapping, and questionnaire content generation. Some technical details on how we handle this:
- We apply data minimization before sending information to AI providers — null and irrelevant fields are omitted from what's sent.
- We do not store a persistent copy of the raw context sent to the AI provider beyond generating your result.
- Error logs from AI processing are metadata-only; they do not contain the underlying content of your request.
- You can request deletion of AI-related cached data for your account through Settings.
Our AI features are designed to support your compliance work with informational analysis — they inform decisions made by you or your team, and are not used to make automated decisions that produce legal or similarly significant effects concerning an individual without human involvement.
4. How We Share Information
We share personal information only in the following circumstances:
Service providers. We use a limited set of subprocessors to operate the Service, each acting as a service provider that processes data only to provide services to us:
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication, file storage |
| Stripe | Payment processing |
| Anthropic | AI-generated compliance content |
| Resend | Transactional email delivery |
| Vercel | Application hosting |
| Upstash | Rate limiting and abuse prevention |
Legal requirements. We may disclose information if required by law, subpoena, or other legal process, or to protect the rights, property, or safety of GRCWatch, our customers, or others.
Business transfers. If GRCWatch is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to this policy or a successor policy.
We do not sell personal information to third parties.
5. Data Retention
We retain personal information for as long as your account is active, or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. You may request deletion of your account and associated data at any time, subject to what we're required to retain by law (for example, billing records).
6. Data Security
We maintain technical and organizational measures designed to protect personal information, including tenant-level data isolation, row-level security policies, encryption in transit, rate limiting on public endpoints, and secret management practices. No system is completely secure, and we cannot guarantee absolute security of information you transmit to us.
7. Vendor Questionnaire Respondents
If you're completing a vendor security questionnaire through GRCWatch, you're doing so at the request of one of our customers, who is the controller of that data. We process your questionnaire responses on that customer's behalf and instructions. Questions about how that customer will use your responses should be directed to them. Questions about how GRCWatch technically handles that data as a processor can be directed to us at the contact below.
8. Your Privacy Rights
Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your personal information, and to object to or restrict certain processing. We honor these rights for all individuals who contact us with a verifiable request, regardless of location.
To exercise these rights, contact us at hello@grcwatch.io. We may need to verify your identity before completing your request.
If you are a California resident, the California Consumer Privacy Act (as amended) may give you additional specific rights. We do not sell or share personal information for cross-context behavioral advertising.
If you are located in the European Economic Area or United Kingdom, you may have rights under the GDPR, and may lodge a complaint with your local data protection authority.
9. Children's Privacy
The Service is intended for business use by adults. We do not knowingly collect personal information from anyone under 18.
10. International Data Transfers
GRCWatch is based in the United States, and our service providers primarily operate in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We'll update the "Last updated" date above, and for material changes, we'll provide additional notice as appropriate.
12. Contact Us
GRCWatch LLC 7901 4th N Ste 300, St Petersburg, FL 33702 hello@grcwatch.io