GxP Governance Assessment Engine

Data Handling

Last reviewed: May 2026  ·  Applies to API access and platform use

Short version: The Engine collects only what’s needed to provide the assessment service and run the platform. Your data is stored in the US on Supabase (AWS us-east-1). It is not used to train models, shared with third parties for marketing, or sold. You can request deletion at any time.

1. What We Collect

Access request form submissions: Name, work email, organisation name, organisation type, job title, regulatory frameworks, use case description, system count estimate, current tooling, decision-maker status, referral source. Used to evaluate and process access requests.

API call data (assessment audit log): For each assessment API call, we record: organisation ID, API key identifier (prefix only — not the full key), system type requested, assessment category, regulatory frameworks requested, governance decision returned, templates applied, trust score, required actions count, call duration, status (completed / failed). This is the audit trail required for regulatory defensibility of the platform itself.

API credentials: API keys are hashed with SHA-256 before storage. The full key is shown once at provisioning and is not recoverable. The stored hash cannot be reversed to the original key.

Email subscriptions (Validation Futures): Email address and the article page from which you subscribed. Used only to send Validation Futures perspectives.

Website usage: Standard server logs (IP address, browser type, pages visited, timestamps). Not linked to assessment activity.

2. What We Do Not Collect

  • The actual content of the systems you are assessing (system names, configurations, environments, user lists)
  • Your internal validation documentation, SOPs, or quality records
  • Personal health information, patient data, or clinical trial data
  • Payment information (handled directly by Stripe — we never see card numbers)
  • Anything not listed in Section 1

3. Where Data Is Stored

Primary database: Supabase (PostgreSQL), hosted on AWS us-east-1 (Northern Virginia, United States).

Email delivery: Resend, used only to transmit confirmation and notification emails. Resend does not retain email content beyond delivery.

Stripe: Payment processing. Stripe stores billing information under its own privacy policy. We store only the Stripe customer ID and subscription ID in our database.

No data is stored in the EU, UK, or any other jurisdiction. If your organisation’s data residency requirements require non-US storage, contact us before requesting access.

4. How Data Is Used

Data collected through the platform is used exclusively for:

  • Providing the governance assessment service
  • Maintaining the audit trail required for platform regulatory defensibility
  • Processing and reviewing access requests
  • Managing API usage and billing
  • Sending transactional emails (confirmation, approval, credentials)
  • Sending Validation Futures perspectives (email subscribers only)

Your data is not used to train machine learning models, improve assessment outputs for other customers, or derive competitive intelligence. Assessment outputs generated for your systems are not shared with any other organisation.

5. Data Retention

Access request records: Retained for the lifetime of the commercial relationship plus 3 years for record-keeping purposes.

Assessment audit log: Retained indefinitely. These records are part of the platform’s regulatory audit trail and cannot be selectively deleted without compromising audit integrity. On account termination, audit log records are anonymised (org ID and API key ID replaced with a non-reversible hash) rather than deleted.

API credentials (hashes): Retained until revoked. Revoked key hashes are retained for 1 year to detect and block replay attempts.

Email subscription records: Retained until unsubscribed plus 30 days. Unsubscribe by replying with ‘unsubscribe’ in the subject line.

Server logs: Retained for 90 days.

6. Access Controls

Access to the production database is restricted to:

  • The platform’s Edge Functions using the service role key (for API operations only)
  • The platform operator (Maanas Mylavarapu) via authenticated Supabase dashboard access

No third-party services have direct database access.

Row-level security is enabled on all tables. Service role keys are stored as Supabase Edge Function secrets and are not exposed in code, logs, or responses.

7. Data Security

  • All data in transit is encrypted via TLS 1.2+
  • All data at rest is encrypted via AES-256 (Supabase default)
  • API keys are hashed before storage and are not recoverable
  • Database access requires authenticated credentials; no public database access is permitted
  • Security incidents affecting customer data will be disclosed within 72 hours of discovery

8. Your Rights

You may request at any time:

  • Access: A copy of all data held about your organisation
  • Correction: Update of any inaccurate data in your access request or organisation record
  • Deletion: Removal of your organisation’s data. Assessment audit log records will be anonymised rather than deleted (see Section 5). API key hashes will be revoked and retained for 1 year.
  • Portability: Export of your assessment audit log in JSON format

Submit requests to mylavarapu8@gmail.com. Requests are processed within 14 business days.

9. Third-Party Services

The platform uses these third-party services:

  • Supabase — database hosting. Supabase Privacy Policy
  • Resend — transactional email. Resend Privacy Policy
  • Stripe — payment processing. Stripe Privacy Policy

No other third-party services receive customer data.

10. Changes

We will notify you of material changes to this Data Handling statement by email to your account address with 30 days’ notice. The date at the top of this page reflects the most recent review.

Questions

Data handling questions: mylavarapu8@gmail.com. For legal questions about these Terms, see the Terms of Service.
