Privacy Policy
Last updated: March 2026
1. Introduction
BridgeGRC ("we", "us", "our") operates Compliance Copilot ("the Service"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Service.
2. Information We Collect
Account Information
- Username, email address, and hashed password when you register.
- We do not store your password in plain text.
Usage Data
- IP address, browser type, and access timestamps for security and analytics.
- Credit usage, analysis history, and feature interaction data.
Documents & Content
- Documents you upload for compliance analysis.
- AI-generated analysis results, findings, and reports.
3. How We Use Your Information
| Purpose | Legal Basis |
| --- | --- |
| Provide and operate the Service | Contract performance |
| Process your documents through AI analysis | Contract performance |
| Manage your account and credits | Contract performance |
| Send important service notifications | Legitimate interest |
| Prevent abuse and ensure security | Legitimate interest |
| Improve the Service | Legitimate interest |
4. AI Processing & Third-Party Providers
- Your document content is sent to third-party AI providers (such as OpenAI or Google) for analysis processing.
- We send only the text content necessary for compliance analysis, not your account details.
- AI providers process your data according to their own privacy policies and data processing agreements.
- We do not use your documents to train AI models.
5. Data Storage & Security
- Your data is stored on secured servers with encrypted connections (HTTPS/TLS).
- Passwords are hashed using industry-standard algorithms (Werkzeug/PBKDF2).
- Access to production databases is restricted to authorized administrators only.
- We perform regular backups to prevent data loss.
6. Data Retention
- Your account data is retained as long as your account is active.
- Uploaded documents and analysis results are retained until you delete them or your account is terminated.
- Upon account deletion, your personal data and documents are permanently removed within 30 days.
- Activity logs may be retained for up to 12 months for security purposes.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — Request a copy of your personal data.
- Rectification — Request correction of inaccurate data.
- Deletion — Request deletion of your account and data.
- Data portability — Request your data in a structured format.
- Object — Object to certain processing of your data.
To exercise any of these rights, contact us at support@bridgegrc.com.
8. Cookies
The Service uses essential session cookies to maintain your login state. These cookies are:
- Strictly necessary — Required for the Service to function.
- HttpOnly — Not accessible to JavaScript for security.
- Secure — Transmitted only over HTTPS in production.
We do not use advertising or tracking cookies.
9. Data Sharing
We do not sell, rent, or trade your personal information. We may share data only:
- With AI processing providers as described in Section 4.
- If required by law, legal process, or governmental request.
- To protect the rights, safety, or property of BridgeGRC or its users.
10. International Data Transfers
Your data may be processed in jurisdictions outside your country of residence (e.g., where our servers or AI providers are located). We ensure appropriate safeguards are in place for any such transfers.
11. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect data from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes. Continued use of the Service after changes constitutes acceptance.
13. Contact
For privacy questions or data requests, contact us at support@bridgegrc.com.