Privacy Policy

1 Data Controller

Steeled Inc., a Delaware Corporation, is the data controller for personal information collected through the ComplianceStack service. As data controller, we determine the purposes and means of processing your personal data in accordance with applicable privacy laws.

Contact for all privacy inquiries: compliancestack@polsia.app

Subject line for privacy requests: "Privacy Request — [Your Request Type]"

2 Information We Collect

Account & Registration Information

• Email address (required for account creation and waitlist registration)
• Name and company name (when provided)
• Job title, role, and industry (when provided during service requests)
• Account credentials (passwords stored as hashed values; we never store plaintext passwords)

Business & Submission Data

• Compliance framework preferences and regulatory scope selections
• Organizational information submitted for compliance assessments (industry, size, geographic operations)
• Documents, descriptions, and context you provide when using AI-powered features

Payment Information

Payment transactions are processed by Stripe. We do not store raw credit card numbers, CVV codes, or full payment card data on our systems. We receive and store: subscription status, billing history, last four digits of payment card, and Stripe customer identifiers.

Usage & Technical Data

• Pages visited, features accessed, session duration, and navigation patterns
• Browser type, operating system, device type, and screen resolution
• IP address and approximate geographic location (country/state level — not precise location)
• Referring URLs, search terms, and campaign parameters
• Error logs, crash reports, and performance data

AI Interaction Data

• Queries, prompts, and inputs you submit to AI-powered features
• AI-generated outputs delivered to you
• Feedback and ratings you provide on AI outputs (when applicable)
• Interaction patterns with AI features (which tools you use, frequency of use)

Note: We use anonymized, aggregated AI interaction data to improve our AI models and service quality. We do not use identifiable personal data to train AI models without your explicit consent. See Section 3 for details.

Cookies & Tracking Data

We use cookies and similar tracking technologies. See Section 11 (Cookie Policy) for full details. Analytics cookies (Google Analytics) and marketing cookies (Meta Pixel) are off by default and require your explicit consent.

Third-Party Data

We may receive information about you from third parties, such as OAuth providers if you sign in through a connected service. We use this information only to provide and improve the Service.

What We Do NOT Collect

Do not submit Protected Health Information (PHI), Social Security numbers, government-issued ID numbers, classified information, or sensitive personal data to the Service. ComplianceStack is not designed or certified to handle such information. Submitting such information violates our Terms of Service.

3 How We Use Your Information

Service Delivery (Contract Performance)

• Providing access to ComplianceStack features and generating requested AI outputs
• Processing payments and managing subscriptions
• Delivering purchased deliverables and sending order confirmations
• Providing customer support and responding to inquiries
• Sending service-related communications (account updates, security alerts, policy changes)

Service Improvement (Legitimate Interests)

• Analyzing aggregated usage patterns to improve platform features and user experience
• Improving AI model accuracy and output quality using anonymized, aggregated interaction data — never identifiable personal data without consent
• Debugging, testing, and quality assurance
• Fraud detection, security monitoring, and abuse prevention

Marketing & Communications (Consent-Based)

• Sending promotional emails about new features, products, or offers (opt-in; opt-out at any time)
• Measuring advertising effectiveness (requires consent for analytics/marketing cookies)
• Retargeting and lookalike audience campaigns (requires consent)

Legal Compliance

• Complying with applicable laws, regulations, and legal process
• Responding to lawful requests from government authorities
• Enforcing our Terms of Service and other agreements
• Protecting the rights, property, or safety of Steeled Inc., our users, or the public

We do not sell your personal information. We do not use your data to train AI models in ways that would make your personal information identifiable to third parties.

4 Legal Basis for Processing (GDPR)

For users in the EEA, UK, and Switzerland, we process personal data on the following legal bases under the GDPR:

• Contract Performance — Art. 6(1)(b): Processing necessary to provide the Service you've subscribed to or purchased, including account management, AI output delivery, and payment processing.
• Legitimate Interests — Art. 6(1)(f): Processing for security monitoring, fraud prevention, service improvement using anonymized data, and enforcing our Terms. We balance these interests against your rights and freedoms.
• Consent — Art. 6(1)(a): Processing for analytics cookies, marketing communications, and retargeting. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal Obligation — Art. 6(1)(c): Processing required to comply with applicable laws, such as financial record-keeping requirements and responses to lawful government requests.

For processing involving special categories of data (which we do not intentionally collect), we would rely on Art. 9(2)(a) explicit consent. If you believe you have inadvertently submitted special category data, contact us immediately at compliancestack@polsia.app.

5 Data Sharing & Service Providers

We share your information only with the following categories of recipients, each subject to data processing agreements and applicable legal protections:

Service Providers (Sub-processors)

• Polsia — AI platform infrastructure and agent execution services powering ComplianceStack
• Stripe — Payment processing, subscription management, and billing (subject to Stripe's Privacy Policy)
• Google Analytics — Website analytics (anonymized; requires consent; subject to Google's Privacy Policy)
• Meta (Facebook) — Advertising measurement and retargeting (requires consent; subject to Meta's Data Policy)
• AWS (Amazon Web Services) — Cloud infrastructure, data storage, and compute services
• SendGrid — Transactional and marketing email delivery

Legal Requirements

We may disclose your information when required by law, court order, subpoena, or other governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, prevent fraud or crime, or protect the safety of any person.

Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, your information may be transferred to the acquiring or surviving entity. We will provide reasonable notice to affected users and this Privacy Policy will continue to govern your information unless you are notified otherwise.

With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

Aggregated or Anonymized Data

We may share aggregated, anonymized data that cannot reasonably identify any individual, for research, benchmarking, or marketing purposes.

We do not sell personal information to data brokers, advertisers, or third parties for monetary consideration. We do not share personal information for cross-context behavioral advertising without your consent.

6 No Sale of Personal Information

Steeled Inc. does not sell your personal information to third parties for monetary or other valuable consideration, as defined under the CCPA/CPRA and similar state privacy laws.

We do not share your personal information with third parties for the purpose of cross-context behavioral advertising without your explicit consent. When you provide consent for marketing cookies or advertising tracking (see Section 11), you may withdraw that consent at any time.

For California residents, Virginia residents, and residents of other states with applicable opt-out rights, see Sections 9 and 10 for how to exercise your opt-out rights.

7 Your GDPR Rights (EEA, UK & Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR (or UK GDPR) regarding your personal data:

• Right of Access (Art. 15): Request a copy of the personal data we hold about you, along with information about how we process it.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your personal data, subject to applicable legal exceptions (e.g., legal obligations requiring retention).
• Right to Restriction of Processing (Art. 18): Request that we limit how we use your data in certain circumstances, such as while you contest its accuracy.
• Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller where technically feasible.
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop immediately.
• Right to Withdraw Consent (Art. 7(3)): Where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: Lodge a complaint with your national Data Protection Authority (DPA). For the UK, this is the Information Commissioner's Office (ICO). For EU residents, contact your local supervisory authority.
• Rights Related to Automated Decision-Making (Art. 22): Not be subject to solely automated decisions that produce significant legal effects, without human review.

We will respond to rights requests within 30 days of receipt. Complex requests may require up to 90 days with prior notice to you.

8 How to Exercise Your Privacy Rights

To exercise any of your privacy rights (GDPR, CCPA, or state-law rights), contact us at:

Email: compliancestack@polsia.app
Subject line: "Privacy Rights Request — [Access / Delete / Correct / Opt-Out / Portability / Object]"

Please include your name, email address associated with your account, and a description of your request. We may need to verify your identity before processing your request. We will not discriminate against you for exercising your privacy rights.

We will acknowledge receipt of your request within 5 business days and respond substantively within 30 days (or within the timeframe required by applicable law, where shorter).

9 CCPA Rights — California Residents

Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have the following rights:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, used, disclosed, or sold about you in the prior 12 months.
• Right to Delete: Request deletion of personal information we have collected from you, subject to exceptions (e.g., completing transactions, detecting security incidents, legal obligations).
• Right to Correct: Request correction of inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale/Sharing: Opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising. (We do not sell personal information, but you may use this link to document your preference.)
• Right to Limit Use of Sensitive Personal Information: Limit our use and disclosure of sensitive personal information to purposes permitted by the CPRA.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing, service levels, or treatment for exercising these rights.

Categories of Personal Information Collected (CCPA Disclosure)

• Identifiers: Email address, name, IP address, account identifiers
• Commercial Information: Subscription status, purchase history, billing records
• Internet/Electronic Activity: Browsing history on our Service, feature usage patterns, AI interaction data
• Professional/Employment Information: Job title, company name, industry (when provided)
• Inferences: Profile inferences about compliance interests and preferences drawn from usage data

We do not collect biometric data, geolocation data (beyond approximate country/state), genetic data, or financial account numbers.

To submit a CCPA request, contact compliancestack@polsia.app with subject "CCPA Privacy Request." You may submit up to two data access requests per 12-month period. We will respond within 45 days (extendable to 90 days with notice).

10 State Privacy Rights (VA, CO, CT, UT & Other States)

Residents of the following states have additional privacy rights under their respective state privacy laws:

How to exercise state rights: Contact compliancestack@polsia.app and specify your state, the right you wish to exercise, and your contact information. We will respond within the timeframe required by your state's applicable law (typically 45–60 days).

Appeals: If we decline to act on your request, you may appeal by responding to our decision notice and requesting review. If your appeal is denied, you may submit a complaint to your state's attorney general or designated privacy authority.

We apply these rights to all residents of applicable states regardless of whether the state-specific threshold conditions are technically met, as a matter of good practice.

11 Cookie Policy & Preferences

We use cookies and similar technologies (pixels, local storage) on our Service. Non-essential cookies are off by default and require your explicit consent before activation.

Cookie Categories

• Essential Cookies (Always Active): Required for the Service to function. Includes session management, authentication tokens, security features, and load balancing. Cannot be disabled. Retention: session or up to 12 months.
• Analytics Cookies (Consent Required): We use Google Analytics to understand how users interact with our Service (page views, navigation paths, engagement). Off by default. Retention: 12–26 months.
• Marketing Cookies (Consent Required): We use Meta Pixel for advertising measurement and retargeting. Off by default. Requires explicit consent. Retention: up to 180 days (platform-specific).

You can withdraw consent for non-essential cookies at any time using the preference manager below.

12 International Data Transfers

Steeled Inc. is based in the United States. If you are accessing the Service from the EEA, UK, Switzerland, or other jurisdictions with data transfer restrictions, your personal data will be transferred to and processed in the United States.

We ensure that international transfers are made with appropriate safeguards in place, including:

• Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs (2021 version) for transfers from the EEA to the United States and other third countries, as required by GDPR Chapter V.
• UK IDTA: For transfers from the United Kingdom, we use the International Data Transfer Agreement (IDTA) approved by the UK ICO.
• Adequacy Decisions: Where applicable, we rely on adequacy decisions issued by the European Commission.

By using the Service from these jurisdictions, you acknowledge that your data will be transferred internationally under these safeguards. You may request a copy of applicable SCCs by contacting compliancestack@polsia.app.

13 Data Retention Periods

We retain personal data for as long as necessary for the purposes described in this Policy, or as required by law. The following table summarizes our standard retention periods:

Upon account deletion, we will delete or irreversibly anonymize your personal data within the periods specified above, except where retention is required by applicable law (e.g., financial records, legal holds). You may request deletion of your data at any time, subject to these retention requirements, by contacting compliancestack@polsia.app.

14 Security Measures

We implement industry-standard technical and organizational security measures designed to protect your personal data against unauthorized access, disclosure, alteration, and destruction. These measures include:

Despite these measures, no security system is impenetrable. If you suspect a security breach affecting your account, contact us immediately at compliancestack@polsia.app. In the event of a data breach affecting your rights and freedoms, we will notify you and applicable regulatory authorities as required by law.

15 Children's Privacy & COPPA

ComplianceStack is not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13 as covered by the Children's Online Privacy Protection Act (COPPA) or children under 16 as covered by the GDPR.

If we become aware that we have inadvertently collected personal information from a child under the applicable age threshold without verifiable parental consent, we will take steps to delete such information promptly.

If you are a parent or guardian and believe that your child has provided personal information to us without your consent, please contact us at compliancestack@polsia.app with the subject line "Child Data — COPPA Request."

16 Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will provide notice of material changes by:

• Updating the "Last Updated" date at the top of this Policy
• Posting a banner or notice on the Service
• For significant changes, sending email notification to registered users

Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes. If you do not agree to the revised Policy, you must stop using the Service and may request deletion of your account.

We encourage you to review this Policy periodically to stay informed about our data practices.