Privacy policy

Last updated: April 2026

SecureGRC Ltd ("SecureGRC", "we", "us", "our") is committed to protecting the privacy of visitors to our website (securegrc.io) and users of our platform (app.securegrc.io). This policy explains what personal data we collect, why we collect it, how we use it, and your rights under UK data protection law.

SecureGRC Ltd is the data controller. We are registered in England and Wales and operate from Eagle Labs Barclays, London.

1. What data we collect

Data type	What we collect	How we collect it
Contact information	Name, email address, company name, job title	When you email us, request a demo, or submit a contact form
Website analytics	Pages visited, time on site, referral source, device type, approximate location (country/city level)	Google Analytics (with your cookie consent)
Cookie preferences	Your consent choices	Cookiebot consent management
Platform usage data	Actions taken within app.securegrc.io, models assessed, reports generated	When you use the SecureGRC platform

We do not collect sensitive personal data (health, ethnicity, political opinions, biometric data). We do not collect payment card information directly — any future payment processing will be handled by a PCI-compliant third-party processor.

2. What we do NOT collect

SecureGRC's metadata-only architecture means we never access, collect, or store:

AI model weights or parameters
Training datasets or training data samples
Proprietary source code or algorithms
Production infrastructure credentials or access tokens

Our platform assesses AI compliance using publicly available metadata only. This is a core architectural principle, not a feature — it is protected by our filed UK patent.

3. Why we collect your data (lawful basis)

Purpose	Lawful basis (UK GDPR)
Responding to your enquiry or demo request	Legitimate interest (Article 6(1)(f)) — you contacted us
Providing the SecureGRC platform service	Contract performance (Article 6(1)(b)) — delivering the service you signed up for
Website analytics (understanding how visitors use our site)	Consent (Article 6(1)(a)) — via Cookiebot cookie banner
Sending you relevant product updates or compliance insights	Legitimate interest (Article 6(1)(f)) — you can opt out at any time

4. How we use your data

We use your data to respond to your enquiries, deliver the SecureGRC platform, improve our website and product, and send you relevant information about AI compliance and our services. We will never sell your data to third parties. We will never share your data with third parties for their marketing purposes.

5. Who we share data with

We share data only with service providers who process data on our behalf:

Google Analytics — website analytics (USA, EU Standard Contractual Clauses in place)
Cookiebot (Cybot A/S) — cookie consent management (EU)
Railway — platform hosting (USA)
Vercel — website hosting (USA)
Google Workspace — email and documents (USA, EU SCCs in place)

For transfers to the USA, we rely on EU Standard Contractual Clauses and the UK International Data Transfer Agreement (IDTA) where applicable. We do not transfer data to any country without adequate safeguards.

6. How long we keep your data

Data type	Retention period
Contact enquiries	24 months from last contact, then deleted
Platform account data	Duration of service agreement plus 12 months
Website analytics	26 months (Google Analytics default)
Cookie consent records	12 months (then re-consent required)

7. Cookies

We use cookies on securegrc.io. When you first visit, our cookie banner (powered by Cookiebot) asks for your consent before setting any non-essential cookies.

Essential cookies

Required for the website to function. These do not require consent. They include Cookiebot's consent cookie which remembers your preference.

Analytics cookies

Google Analytics cookies help us understand how visitors use our site. These are only set if you consent. You can withdraw consent at any time by clicking the cookie icon in the bottom corner of any page.

We do not use advertising, tracking, or social media cookies.

8. Your rights

Under UK GDPR, you have the right to:

Access your personal data (request a copy of what we hold)
Rectify inaccurate data
Erase your data ("right to be forgotten")
Restrict processing
Object to processing based on legitimate interest
Data portability (receive your data in a structured format)
Withdraw consent at any time (for cookie-based processing)

To exercise any of these rights, email privacy@securegrc.io. We will respond within 30 days.

9. Security

We take the security of your data seriously. Our platform uses encryption in transit (TLS 1.3), encrypted database storage, and access controls. Compliance evidence generated by our platform is signed with post-quantum cryptography (CRYSTALS-Dilithium, NIST FIPS 204) to ensure long-term integrity.

10. Children

Our services are not directed at individuals under 18. We do not knowingly collect personal data from children.

11. Changes to this policy

We may update this policy from time to time. We will post the updated version on this page with a revised "last updated" date. Material changes will be communicated via email to registered platform users.

12. Contact us

If you have questions about this privacy policy or how we handle your data:

SecureGRC Ltd
Eagle Labs Barclays, London
Email: privacy@securegrc.io

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.