This Privacy Notice explains how GRCTrail (pre-launch) ("we", "us", "our") collects and uses personal data when you visit our website or use our compliance management platform (the "Services").
Note: GRCTrail is currently in pre-launch. If you are using GRCTrail through your employer or another organization, that organization is usually the data controller for personal data you enter into GRCTrail (e.g., DSAR requests, vendor contacts, evidence files). In those cases, we act as a processor and handle that personal data under our Data Processing Addendum (DPA) and your organization's instructions.
Contact Information
Privacy: [email protected]
General: [email protected]
1. Key Points
- We collect contact and account data to provide the Services (login, security, billing, support).
- Customers may upload or store personal data in the platform (evidence, DSAR logs, vendor contacts, ROPA entries). We process this on the customer's behalf.
- We use service providers (hosting, email, analytics, payments). Some may be outside the EEA; where required, we rely on appropriate safeguards.
- You have GDPR rights (access, deletion, objection, etc.). If you're a customer end user, your organization may handle your request.
2. Scope: Website vs. Product Data
- Website Data (marketing site, docs, contact forms): We are the controller for this data.
- Product Account Data (your GRCTrail user account): We are the controller for basic account/admin data (name, work email, role, login/security logs).
- Customer Content (data your organization puts into GRCTrail): Your organization is typically the controller; we are the processor.
3. Personal Data We Collect
Depending on how you use the Services, we may collect:
Information You Provide
- Account details: name, work email, job title/role, team/company name
- Support communications: messages, attachments, recordings (if you choose to share them)
- Billing details: billing contact, invoice details, payment status (payment card details are usually handled by our payment provider)
Information Collected Automatically
- Usage and device data: IP address, device/browser info, timestamps, pages/screens viewed, interactions
- Security logs: authentication events, admin actions, audit logs (who changed what, when)
Customer Content You Upload or Create
- Evidence files, policy documents, templates, audit logs
- Vendor contacts and contract artifacts (e.g., DPAs)
- DSAR request records (which may include data subject identity/contact details)
- ROPA processing activity records (which can reference categories of data and sometimes roles/owners)
Sensitive Data: GRCTrail is not designed for collecting special category data. If you upload sensitive data into evidence or DSAR records, you control that content and we process it only on your instructions.
Required vs Optional Data
Required data: If you do not provide required account or billing information (e.g., name, work email, billing contact), we may be unable to:
- Create or administer your account
- Provide the Services or enable certain features
- Process payment and invoicing
- Respond to support requests
Optional data: Marketing preferences and non-essential cookies are optional. Choosing not to provide them will not affect core access to the Services, but may limit certain features (e.g., receiving product updates or enabling analytics/marketing cookies for personalized experiences).
4. How We Use Personal Data
We use personal data to:
- Provide the Services: create accounts, enable features, store content, generate exports
- Secure the Services: authentication, access control, fraud prevention, audit logging
- Support and communicate: respond to requests, onboarding, product updates
- Improve the Services: usage analytics, debugging, performance
- Billing and administration: subscriptions, invoices, account notices
- Legal compliance: respond to lawful requests, enforce terms, protect rights
5. Legal Bases (EEA/UK)
Where GDPR applies, we rely on:
- Contract: to provide the Services to you/your organization
- Legitimate interests: service security, product improvement, fraud prevention
- Consent: e.g., optional marketing emails, certain cookies
- Legal obligation: tax/accounting, lawful requests
When we process Customer Content as a processor, the customer determines the legal basis.
6. Sharing and Recipients
We may share personal data with:
- Service providers (processors/subprocessors): hosting, storage, email delivery, analytics, customer support tools, payment processing
- Professional advisors: legal, accounting, auditors (as needed)
- Business transfers: merger/acquisition (with appropriate protections)
- Legal requirements: where required by law
We do not sell personal data.
7. International Transfers (Outside the EEA/UK)
Some of our service providers may process personal data outside the EEA/UK. Where required, transfers are covered by appropriate safeguards.
Transfer Safeguards by Category
We rely on the following mechanisms for international transfers:
- EU Standard Contractual Clauses (SCCs) (plus the UK Addendum where applicable), or
- Adequacy decisions where available (e.g., for transfers to countries recognized by the EU Commission as providing adequate protection).
Our service providers typically fall into these categories:
- Hosting and infrastructure: cloud storage, database hosting
- Email delivery: transactional and marketing email services
- Analytics: usage analytics and performance monitoring
- Customer support: helpdesk and ticketing systems
- Payment processing: billing and subscription management
Supplementary Measures
Where appropriate, we implement supplementary technical and organizational measures to protect transferred data, including:
- Encryption in transit (TLS/SSL)
- Encryption at rest where feasible
- Strict access controls and least-privilege principles
- Regular security assessments of subprocessors
We maintain a list of subprocessors and transfer safeguards (vendor, purpose, location, mechanism). You can request a copy of the relevant SCCs and details of applicable supplementary measures by emailing [email protected].
8. Cookies and Tracking
We use cookies and similar technologies for:
- Essential site functionality (security, session management)
- Analytics (under consent where required)
- Marketing (only if enabled; under consent where required)
You can manage cookies via your browser settings or our cookie banner.
9. AI-Powered Features
GRCTrail may offer AI-assisted features such as:
- Summaries, suggestions, or scoring of policy text and compliance artifacts
- Drafting internal procedure templates
How It Works
When you request an AI feature, relevant text may be sent to an AI service provider to generate the output. We recommend that you:
- Avoid including unnecessary personal data in free-text fields
- Use redaction where possible in evidence uploads before analysis
Automated Decision-Making
We do not use automated decision-making (including profiling) that produces legal effects or similarly significantly affects individuals. AI features in GRCTrail provide assistive outputs (e.g., summaries or drafting suggestions) and are intended to be reviewed by users before they are applied. All final decisions remain under human control.
10. Retention
We keep personal data only as long as needed for the purposes above. The specific retention periods depend on the type of data and our legal obligations.
Retention Schedule
- Account profile data (name, work email, role): retained while the account is active; deleted or anonymized within 90 days after account closure, except where we must retain it for legal, security, or dispute-resolution purposes (up to 6 years for statutory limitation periods).
- Billing and invoice records: retained for 7 years to meet accounting and tax obligations.
- Support communications: retained for 3 years after ticket closure (unless required longer for dispute handling or legal proceedings).
- Audit and security logs: retained for 12 months (or longer if needed for security investigations or legal requirements).
- Customer Content (evidence files, DSAR logs, vendor contacts, ROPA entries): retained for the duration of the subscription and handled upon termination according to the contract/DPA (export/return and deletion within 30 days of termination, unless you request earlier deletion).
- Backups: may persist for up to 90 days; data is removed from active systems first and then ages out of backups on the normal cycle.
Where we cannot specify an exact retention period, we determine the period based on: (a) the duration of our relationship with you, (b) whether there is a legal obligation to retain the data, and (c) whether retention is advisable in light of our legal position (such as statutes of limitations, litigation, or regulatory investigations).
11. Security
We implement technical and organizational measures designed to protect personal data (access controls, encryption in transit, least privilege, audit logging, backups). No system is 100% secure, but we work to prevent unauthorized access and respond quickly to incidents.
12. Your GDPR Rights
Depending on your relationship with GRCTrail and applicable law, you may have rights to:
- Access: obtain a copy of your personal data
- Rectification: correct inaccurate or incomplete data
- Deletion: request erasure of your personal data
- Restriction: limit how we process your data
- Objection: object to processing based on legitimate interests
- Portability: receive your data in a structured, machine-readable format
- Withdraw consent: where processing is based on consent
- Lodge a complaint: with your local supervisory authority
Important: If your organization uses GRCTrail and you are requesting rights relating to Customer Content, your organization (the controller) may need to handle your request. We will assist the controller as required under our DPA.
13. How to Exercise Your Rights
To exercise your rights, email [email protected] from the address associated with your account and include:
1. The right you want to exercise (e.g., access, deletion, rectification)
2. What data or processing it relates to
3. Any relevant context (e.g., workspace name, time period)
Response Timeline
We respond within one month of receiving your request. This may be extended by up to two months for complex requests (we'll notify you if an extension is needed and explain the reasons).
Identity Verification
We may request additional information to confirm your identity before processing your request. This helps protect your personal data from unauthorized access.
Controller vs Processor
If your request relates to Customer Content in an organization workspace, that organization (the controller) will handle the request. We will assist them as required under our DPA.
Limitations
Some rights may be limited where we must retain data for:
- Legal compliance: tax, accounting, or regulatory obligations
- Security and fraud prevention: protecting the Services and users
- Dispute resolution: establishing, exercising, or defending legal claims
- Rights of others: protecting the privacy and rights of other individuals
14. Do We Collect Information From Minors?
The Services are not intended for children, and we don't knowingly collect or solicit personal data from, market to, or knowingly sell personal data about children under 18. By using the Services, you confirm that you are at least 18, or that you are a parent/guardian and you consent to a minor dependent's use of the Services. If we become aware that we have collected personal data from someone under 18, we will deactivate the account and take reasonable steps to delete that data from our records as soon as possible. If you believe a child under 18 has provided us with personal data, please contact us at [email protected].
15. Changes to This Notice
We may update this notice from time to time. We'll update the "Last updated" date and, where appropriate, notify account admins.