Privacy Policy

    Last updated: Oct 2, 2025

    This Privacy Policy explains how Heimgard AI, Inc. ("Heimgard," "we," "us") collects, uses, and shares information when you visit heimgard.ai, use our Platform/APIs, or otherwise interact with us (together, the "Services").

    Scope; Roles

    Controller vs. Processor. For the Website, accounts, billing, support, and product telemetry, Heimgard is a controller. For Customer‑directed processing inside the Platform (e.g., scanning MCP servers you designate), Heimgard acts as your processor under a Data Processing Addendum (DPA). Request our DPA at [email protected].

    Information We Collect

    • Account & Contact Data: name, email, organization, role, team/workspace details.
    • Payment & Billing: billing contacts, plan, limited payment metadata via our payment processor.
    • Platform Data you provide: scan targets, registry entries, policies, approvals, artifacts, audit logs.
    • Device/Technical Data: IP address, browser/OS, identifiers, pages viewed, referrers.
    • Usage & Diagnostics: API calls, feature usage, performance metrics, error logs.
    • Third‑party Sources: SaaS integrations, SSO/IdP assertions, or data you connect.

    How We Use Information

    • Provide and secure the Services; detect, prevent, and investigate abuse.
    • Operate features like registry, approvals, policy enforcement, audit trails.
    • Improve reliability, security, and user experience (analytics, diagnostics).
    • Communications (service notices, product updates; marketing only with appropriate consent/opt‑out).
    • Legal & Compliance (e.g., OFAC/EAR screening, responding to lawful requests).

    Legal Bases (EEA/UK users)

    We process personal data under GDPR/UK GDPR where one or more bases apply: contract, legitimate interests (e.g., security, product improvement), consent (where required, e.g., marketing/non‑essential cookies), and legal obligations. You’ll always find the legal basis in our in‑product notices.

    Cookies & Tracking

    • We use cookies and similar technologies for essential operations and (with consent, where required) for analytics and site improvements. We do not set non‑essential cookies before consent in jurisdictions that require it, and we provide “reject all” and granular choices.
    • Global Privacy Control / Universal Opt‑Out. Where required by law, we honor browser‑based signals such as Global Privacy Control (GPC) and other Universal Opt‑Out Mechanisms (UOOM).

    How We Share Information

    We do not sell personal information. We share:

    • Service providers (hosting, security, analytics, support) under appropriate contracts.
    • Enterprise customers (visibility to admins for accounts under their domain).
    • Legal and safety (to comply with law or protect rights).
    • Business transfers (merger, acquisition, financing).

    We maintain a sub‑processor list at heimgard.ai/subprocessors and provide notice of material changes.

    Retention

    We retain personal data no longer than necessary for the purposes described. Typical defaults (unless your admin configures otherwise): audit logs (e.g., 12 months), scan artifacts (e.g., 90 days), billing and contract records as required by law.

    Your Rights

    • EEA/UK: access, portability, correction, deletion, restriction, and objection; response within one month (extendable where complex).
    • U.S. state laws: rights may include access, deletion, correction, portability, and opt‑out of sales/sharing, targeted advertising, and certain profiling. You may send a GPC/UOOM signal where supported. Some states require an appeals process if we deny a request.

    How to exercise your rights: email [email protected] or use our in‑product privacy portal. We may verify your identity. California residents may designate an authorized agent. We will not discriminate against you for exercising your rights.

    International Transfers

    Where we transfer personal data outside your jurisdiction, we use appropriate safeguards, including the EU Standard Contractual Clauses (2021/914) and, for the UK, the IDTA/Addendum. If we self‑certify to the EU‑U.S. Data Privacy Framework, we will reflect that here.

    Security

    We employ industry‑standard safeguards (encryption in transit, access controls, monitoring). No system is 100% secure; please protect your credentials and limit who can initiate scans.

    Children’s Privacy

    The Services are not directed to children under 13, and we do not knowingly collect personal information from them. If you believe a child has provided personal information, contact [email protected] and we will take appropriate action.

    Marketing Communications

    You can opt out of marketing emails at any time via the unsubscribe link. Per CAN‑SPAM, our emails include a physical postal address; you can also reach us using the contact details above.

    Changes to this Policy

    We may update this Policy from time to time. We will post the date of the latest update at the top and, where appropriate, provide additional notice.

    Contact Us

    Controller: Heimgard AI, Inc., [Postal Address]

    Privacy Email: [email protected]