Privacy Policy

Last updated: April 2026

Tandem Lens Cybersecurity ("we", "us", "our") operates Vigil ("the Service"). This policy explains how we collect, use, and protect your information.

1. Information We Collect

Information you provide:
• Account information: name, email address, password
• Company information: company name, industry, size
• Security assessment data: answers to onboarding questions, scores, gaps, and roadmap items
• Communication content: notes, policies, reports you create within the Service

Information collected automatically:
• Usage data: pages visited, features used, time spent in the Service
• Technical data: IP address, browser type, device type, operating system
• Cookies: session management and preferences

Information we do NOT collect:
• Payment card numbers (processed by Stripe)
• Government ID numbers
• Biometric data
• Sensitive health information beyond what you voluntarily enter for security assessment purposes

2. How We Use Your Information

We use your information to:
• Provide and improve the Service
• Send you transactional emails (account, digests)
• Respond to your support requests
• Ensure the security of the Service
• Comply with legal obligations

We do NOT use your information to:
• Sell to third parties
• Train AI or machine learning models
• Display advertising
• Profile you for marketing without consent

3. Data Storage and Security

Your data is stored using Supabase (PostgreSQL), hosted on AWS infrastructure. Data is encrypted at rest and in transit using industry-standard encryption (AES-256, TLS 1.2+). We implement row-level security to ensure your data is only accessible to authorized users within your organization.

4. Data Sharing

We share your data only with service providers necessary to operate the Service:
• Supabase (database and storage)
• Vercel (hosting and deployment)
• Resend (transactional email)
• Stripe (payment processing — billing data only)

We require all service providers to maintain appropriate security standards and prohibit them from using your data for any other purpose.

We do not share your data with:
• Advertisers
• Data brokers
• Other users or organizations
• AI training datasets

5. Your Rights

Depending on your location, you may have the right to:
• Access: request a copy of your data
• Correction: update inaccurate information
• Deletion: request deletion of your account and data
• Portability: export your data in standard formats
• Objection: opt out of certain processing activities

To exercise these rights, use the Admin > Data Export section in the app, or contact support@tandemlens.net. We will respond to requests within 30 days.

6. GDPR (European Union Users)

If you are located in the European Economic Area, you have additional rights under the GDPR.

Legal basis for processing:
• Contract performance: to provide the Service
• Legitimate interests: to improve and secure the Service
• Consent: for optional communications

Our data processors are listed in Section 4. Data transfers outside the EEA use standard contractual clauses where required.

To exercise your GDPR rights, contact: support@tandemlens.net

7. CCPA (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act:
• Right to know what personal information we collect
• Right to delete personal information
• Right to opt-out of sale (we do not sell data)
• Right to non-discrimination for exercising rights

To exercise these rights, contact: support@tandemlens.net

8. Cookies

We use essential cookies for:
• Session management (keeping you logged in)
• Language and theme preferences

We do not use tracking cookies or advertising cookies. You can disable cookies in your browser settings, but this may affect Service functionality.

9. Data Retention

We retain your data for as long as your account is active. When you delete your account:
• Your data is immediately inaccessible to others
• Data is permanently deleted within 30 days
• Backup copies are purged within 90 days

Some data may be retained longer if required by applicable law.

10. Children

The Service is not directed to children under 16. We do not knowingly collect information from children. If you believe we have collected information from a child, contact us immediately.

11. Changes to This Policy

We will notify you of material changes by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent changes.

12. Contact

Privacy questions and data requests:
Email: support@tandemlens.net
Website: vigil.tandemlens.net

Tandem Lens Cybersecurity
Vigil — Security Posture Management