Overview
VylintShield, Inc. (“VylintShield,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect information when you use our compliance documentation and audit-readiness platform and related services (the “Service”).
This Policy is designed to comply with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), as applicable.
1. Information We Collect
1.1 Account Information
When you register, we collect:
- Full name
- Business email address
- Company name and size
- Job title / role
- Password (stored in hashed form)
- Billing address and payment method details (processed by Stripe, our third-party payment processor; VylintShield does not store raw card numbers)
1.2 Compliance and Configuration Data
To provide the Service, we process data you upload or connect, which may include:
- Policies, procedures, and internal documents
- Evidence artifacts (screenshots, logs, configuration exports)
- Vendor information and risk assessments
- Integration data pulled from connected tools (AWS, GitHub, Google Workspace, Jira, Slack, etc.)
This data is yours. We process it only to deliver the Service.
1.3 Usage and Telemetry Data
We automatically collect information about how you use the Service:
- Pages visited, features accessed, and time spent
- Browser type, operating system, and IP address
- Clickstream and interaction data (e.g., button clicks, navigation paths)
- Error logs and crash reports
This data helps us improve the Service and diagnose issues.
1.4 Communications
If you contact us for support or otherwise communicate with us, we retain those communications and any information you provide.
1.5 Cookies and Similar Technologies
We use cookies, web beacons, and similar tracking technologies for:
- Authentication and session management (strictly necessary)
- Analytics and usage measurement (functional/analytics)
- Marketing and advertising attribution (optional; requires your consent where required by law)
You can manage cookie preferences via our cookie banner or your browser settings.
2. How We Use Your Information
We use collected information to:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and operate the Service | Contract performance |
| Process payments via Stripe and manage subscriptions | Contract performance |
| Send transactional emails (receipts, alerts, security notices) | Contract performance / Legitimate interest |
| Provide customer support | Contract performance / Legitimate interest |
| Improve and develop the Service (using anonymized/aggregated data) | Legitimate interest |
| Send product updates and marketing communications | Consent (where required) / Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Detect, prevent, and investigate fraud or security incidents | Legitimate interest |
We do not sell your personal data to third parties.
3. Third-Party Service Providers
We share data with trusted third-party processors who assist in operating the Service. Each is bound by data processing agreements and handles data only as instructed:
| Provider | Purpose | Data Shared |
|---|---|---|
| Vercel | Hosting and CDN | Usage logs, IP addresses |
| Stripe | Payment processing | Billing info, transaction data |
| AWS | Cloud infrastructure and storage | Compliance data, account data |
| Resend / SendGrid | Transactional email delivery | Email address, notification content |
| PostHog / Mixpanel | Product analytics | Usage/telemetry data (pseudonymized) |
| Sentry | Error monitoring | Error logs, limited account context |
| Intercom / Plain | Customer support | Account info, support conversation content |
| Linear | Internal issue tracking | Support ticket content (internal only) |
We may update this list as our service providers change. Significant changes will be reflected here within 30 days.
4. Data Retention
We retain personal data for as long as necessary to fulfill the purposes described in this Policy:
- Account data: Retained for the duration of your subscription plus 3 years, unless you request deletion sooner.
- Compliance and configuration data: Retained for the duration of your subscription. Upon termination, deleted within 30 days at your request.
- Usage/telemetry data: Retained in identifiable form for up to 24 months, then aggregated/anonymized.
- Billing records: Retained for 7 years to comply with financial recordkeeping requirements.
- Communications: Retained for up to 3 years from the last interaction.
After applicable retention periods, data is securely deleted or irreversibly anonymized.
5. Data Transfers
VylintShield is incorporated in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to and processed in the US.
For such transfers, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- UK International Data Transfer Agreements (IDTAs) where applicable
We also maintain a Data Processing Addendum (DPA) available for enterprise customers upon request at privacy@vylintshield.com.
6. Your Rights
Depending on your location, you may have the following rights:
For All Users
- Access: Request a copy of personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
- Portability: Receive your personal data in a structured, machine-readable format.
- Opt-out of marketing: Unsubscribe from marketing emails at any time via the unsubscribe link or by contacting us.
EU/UK Residents (GDPR/UK GDPR)
In addition to the above, you have the right to:
- Restrict processing: Ask us to limit how we use your data.
- Object to processing: Object to processing based on legitimate interest or for direct marketing.
- Withdraw consent: Where we rely on consent, withdraw it at any time (this does not affect prior processing).
- Lodge a complaint: With your local data protection authority (e.g., the ICO in the UK, or your EU supervisory authority).
California Residents (CCPA/CPRA)
You have the right to:
- Know what personal information we collect, use, disclose, or sell
- Delete personal information we hold about you (with exceptions)
- Correct inaccurate personal information
- Opt out of the “sale” or “sharing” of personal information (VylintShield does not sell personal information)
- Non-discrimination for exercising your privacy rights
To submit a privacy request, contact us at privacy@vylintshield.com or use the request form at vylintshield.com/privacy-request. We will respond within 30 days (GDPR) or 45 days (CCPA/CPRA).
We may need to verify your identity before processing requests.
7. Security
We implement industry-standard security measures to protect your data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls and least-privilege principles
- Regular security assessments and penetration testing
- Incident response procedures with breach notification within 72 hours
No method of transmission over the internet is 100% secure. If you believe your account has been compromised, contact security@vylintshield.com immediately.
8. Children’s Privacy
The Service is intended for business use only and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware of such collection, we will delete the data promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by:
- Email notification to your registered address
- In-app notification at least 30 days before changes take effect
Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
10. Contact Us
For privacy questions, requests, or concerns:
Privacy Officer
VylintShield, Inc.
Email: privacy@vylintshield.com
Subject line: “Privacy Request — [your name/company]”
For EU/UK residents, our EU representative can be reached at: eu-rep@vylintshield.com
VylintShield, Inc. — We take your compliance data as seriously as you do.