Privacy Policy
How PolicyOS collects, uses, discloses, and protects personal information.
Last updated: June 7, 2026
This Privacy Policy describes how PolicyOS ("PolicyOS," "we," "our," or "us") collects, uses, discloses, and protects personal information in connection with our website (policyos.co), our SaaS platform, AI-powered content generation services, and all related products and communications.
By accessing or using PolicyOS, you acknowledge that you have read and understood this Privacy Policy. If you are using PolicyOS on behalf of an organization, you represent that you have authority to bind that organization to this Policy.
1. Scope and Applicability
This Policy applies to:
- Visitors to policyos.co and related web properties
- Users who register for or access the PolicyOS platform
- Customers who purchase, subscribe to, or evaluate PolicyOS products and services, including policy libraries, compliance frameworks, agreement templates, and AI-generated content features
- Individuals who contact us for sales, support, or general inquiries
This Policy does not apply to third-party websites, services, or applications that may be linked from our platform or website.
2. Information We Collect
We collect personal information in several ways, as described below.
2.1 Information You Provide Directly
When you interact with PolicyOS — whether creating an account, purchasing a product, requesting a demo, or contacting support — we may collect:
- Identity and contact data: full name, business email address, phone number, job title, and company name
- Account credentials: usernames, passwords (stored in hashed form), and authentication details
- Billing and payment data: payment card details, billing address, and transaction history (processed via PCI-compliant third-party payment processors; we do not store raw card data)
- Communications: messages, feedback, support tickets, demo requests, and any other content you send to us
- User-generated content: policies, compliance frameworks, governance documents, agreement templates, risk assessments, and other content you create, upload, or manage within the platform
2.2 AI-Generated Content and Prompts
PolicyOS offers features that allow you to generate original policies, agreements, and compliance content using artificial intelligence. In connection with these features, we may collect:
- Prompts, instructions, and inputs you submit to AI generation features
- Outputs generated on your behalf
- Feedback, ratings, or edits you provide on generated content
2.3 Platform and Usage Data
When you access or use the PolicyOS platform, we automatically collect technical and behavioral information, including:
- Log data: IP address, browser type and version, operating system, referring URLs, pages visited, and timestamps
- Device identifiers and session information
- Feature interaction data: which tools, templates, and platform features you use and how frequently
- Performance and error logs used to monitor reliability and diagnose issues
2.4 Cookies and Tracking Technologies
Our website and platform use cookies and similar technologies (such as pixels and local storage) to:
- Maintain session state and authentication
- Measure website traffic and user behavior via analytics tools
- Remember user preferences and settings
- Support security and fraud prevention
You may control cookies through your browser settings or any cookie preference tool we provide. Disabling certain cookies may affect platform functionality. See Section 9 for more information.
2.5 Information from Third Parties
We may receive personal information from:
- Identity and single sign-on (SSO) providers (e.g., Google, Microsoft) when you authenticate via those services
- Payment processors confirming subscription or purchase status
- Marketing and analytics partners providing aggregated audience or attribution data
- Publicly available sources or professional networks used to supplement account information
3. How We Use Personal Information
We use personal information only for lawful purposes and to the extent necessary. Our uses include:
3.1 Providing and Operating PolicyOS
- Creating and managing your account
- Delivering purchased products, including policy libraries, document templates, compliance frameworks, and AI-generated content
- Processing payments and fulfilling transactions
- Providing customer support and responding to inquiries
- Sending service notifications, invoices, and administrative communications
3.2 Platform Improvement and Personalization
- Analyzing usage patterns to improve features, performance, and user experience
- Personalizing content, recommendations, and workflow suggestions
- Conducting product research, A/B testing, and quality assurance
- Developing new products, templates, and AI capabilities
3.3 Security and Integrity
- Detecting, investigating, and preventing fraudulent, unauthorized, or illegal activity
- Enforcing our Terms of Service and other agreements
- Maintaining the security and integrity of the platform and customer data
- Complying with legal preservation or investigation requirements
3.4 Communications and Marketing
- Sending product updates, feature announcements, and educational content (where you have opted in or where permitted by law)
- Responding to marketing inquiries and managing relationships with prospective customers
- Conducting surveys and gathering feedback
You may opt out of marketing communications at any time by clicking "Unsubscribe" in an email or contacting us at privacy@policyos.co. Transactional and service-related communications are not subject to opt-out.
3.5 Legal and Compliance Obligations
- Meeting applicable legal, regulatory, tax, or audit requirements
- Responding to lawful requests from government or law enforcement authorities
- Establishing, exercising, or defending legal claims
4. Legal Basis for Processing (EEA, UK, and Similar Jurisdictions)
Where applicable law requires a legal basis for processing personal data, we rely on:
- Contract performance: processing necessary to provide services you have requested or purchased
- Legitimate interests: operating and improving our platform, preventing fraud, and conducting marketing to existing customers, provided such interests are not overridden by your rights
- Legal obligation: compliance with applicable laws and regulations
- Consent: where we have obtained your explicit consent, such as for certain marketing communications or optional AI training features
You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
5. How We Share Personal Information
We do not sell personal information. We do not share personal information with third parties for their own marketing purposes. We share information only as described below.
5.1 Service Providers
We engage trusted third-party vendors to support platform operations. These may include:
- Cloud infrastructure and hosting providers
- Payment processors (e.g., Stripe)
- Customer support and communication tools
- Analytics and monitoring services
- AI model and infrastructure providers used to power content generation features
- Identity and authentication providers
Service providers are contractually required to process personal information only for authorized purposes and to maintain appropriate security measures. Where required, we enter into Data Processing Agreements (DPAs) with these providers.
5.2 Business Transfers
In the event of a merger, acquisition, asset sale, financing, or bankruptcy, personal information may be transferred to the relevant successor entity. We will provide notice of any such transfer where required by applicable law.
5.3 Legal Disclosures
We may disclose personal information if we believe in good faith that such disclosure is necessary to:
- Comply with applicable law, regulation, or legal process
- Respond to lawful requests from government or law enforcement authorities
- Protect the rights, property, or safety of PolicyOS, our users, or the public
5.4 Aggregated and Anonymized Data
We may share aggregated, de-identified, or anonymized information that cannot reasonably be used to identify you — for example, industry-level statistics on policy adoption trends or AI content generation usage — for research, marketing, or product development purposes.
6. Data Retention
We retain personal information only as long as necessary for the purposes described in this Policy and as required or permitted by applicable law. Retention periods are determined by factors including:
- The nature of the information and the purposes for which it was collected
- Applicable legal, regulatory, tax, or audit retention requirements
- Our legitimate interests in maintaining records for dispute resolution and contract enforcement
- Your instructions or requests regarding deletion
When personal information is no longer needed, we delete or anonymize it in accordance with our data retention schedule. Certain residual copies may persist in backup systems for a limited period before being overwritten.
7. Data Security
We implement and maintain technical, administrative, and organizational safeguards designed to protect personal information from unauthorized access, disclosure, alteration, loss, or destruction. Our security practices include:
- Encryption of data in transit (TLS) and at rest
- Access controls and authentication requirements, including multi-factor authentication for privileged access
- Regular security assessments, vulnerability scanning, and penetration testing
- Employee security training and confidentiality obligations
- Incident response and breach notification procedures
While we take reasonable precautions, no security system is impenetrable. In the event of a data breach that triggers notification obligations under applicable law, we will notify affected individuals and relevant authorities as required. Learn more on our Security page.
8. Your Privacy Rights and Choices
Depending on your location, you may have rights under applicable privacy laws with respect to your personal information. These may include:
- Access: the right to request a copy of the personal information we hold about you
- Rectification: the right to request correction of inaccurate or incomplete information
- Erasure ("right to be forgotten"): the right to request deletion of your personal information, subject to our legal obligations and legitimate interests
- Restriction: the right to request that we limit processing of your information in certain circumstances
- Portability: the right to receive your personal information in a structured, machine-readable format
- Objection: the right to object to processing based on our legitimate interests
- Withdrawal of consent: the right to withdraw consent at any time where processing is based on consent
- Non-discrimination: we will not discriminate against you for exercising any of your privacy rights
To exercise any of these rights, please contact us at privacy@policyos.co. We will respond to verified requests within the timeframes required by applicable law (generally 30 to 45 days). We may need to verify your identity before processing certain requests.
If you are a resident of California, the European Economic Area, the United Kingdom, or another jurisdiction with specific privacy legislation, additional rights may apply. Please contact us for jurisdiction-specific information.
9. Cookies and Tracking Technologies
We use the following categories of cookies and similar technologies:
- Strictly Necessary Cookies: required for the platform to function, including session management and authentication. These cannot be disabled.
- Functional Cookies: enable personalization, saved preferences, and enhanced features.
- Analytics Cookies: help us understand how visitors use our website and platform (e.g., Google Analytics or equivalent tools). Data collected is aggregated and used to improve performance.
- Marketing Cookies: used to measure the effectiveness of our advertising and to deliver relevant content. We do not use third-party behavioral advertising cookies without consent.
You can manage cookie preferences via your browser settings or any cookie consent tool displayed on our website. Disabling analytics or functional cookies may affect certain features. Strictly necessary cookies cannot be disabled without impacting core platform functionality.
10. International Data Transfers
PolicyOS operates globally and may process or store personal information in the United States and other jurisdictions where we or our service providers maintain operations. These jurisdictions may have data protection laws that differ from those in your country.
Where we transfer personal data from the European Economic Area, United Kingdom, or Switzerland to jurisdictions that have not received an adequacy decision, we rely on appropriate safeguards such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreements (IDTAs) or addendums, as applicable
- Other lawful transfer mechanisms under applicable law
You may request a copy of the applicable transfer safeguards by contacting privacy@policyos.co.
11. Children's Privacy
PolicyOS is designed for business and professional use and is not directed at individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected such information, we will take steps to delete it promptly.
12. Third-Party Websites and Integrations
Our website and platform may contain links to third-party websites, tools, or integrations. We are not responsible for the privacy practices, security, or content of third-party sites or services. We encourage you to review the privacy policies of any third-party services you access via PolicyOS.
13. AI-Powered Content Generation
PolicyOS provides features that allow users to generate original policies, agreements, compliance frameworks, and related content using AI. We are committed to responsible AI use. In connection with these features:
- We do not use customer-specific prompts or generated outputs to train our underlying AI models without explicit consent
- Generated content is provided for informational and drafting purposes and does not constitute legal advice
- We recommend that customers review all AI-generated content with qualified legal or compliance professionals before relying on it
- We implement safeguards to prevent the generation of harmful, unlawful, or deceptive content
For customers subject to regulations governing automated decision-making (such as GDPR Article 22), please contact us to discuss how AI features interact with your compliance obligations.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will:
- Post the updated Policy on this page with a revised "Last Updated" date
- Notify registered users by email or in-platform notification where required by applicable law
- Where required, seek renewed consent
Your continued use of PolicyOS after the effective date of a revised Policy constitutes acceptance of the updated terms.
15. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
See also our Terms of Service.