Privacy Policy
1. Introduction
SeedGovernance ("we," "us," or "our") operates the SeedGovernance platform (app.seedgovernance.com), the marketing website (seedgovernance.com), and related services (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you interact with our Service.
By using our Service, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Marketing Site Analytics
When you visit our marketing website (seedgovernance.com), we may collect the following information through analytics tools:
- Pages visited, time spent on pages, and navigation paths
- Referring URL, browser type, operating system, and device type
- Approximate geographic location derived from IP address (country/region level only)
- Interaction events such as button clicks and form submissions
This data is collected using cookies and similar technologies. See our Cookie Policy for more details.
2.2 Quick Assessment Data
Our Quick Assessment tool collects the following personally identifiable information (PII):
- Required: Company name, industry, company size range, and operating regions
- Optional: Work email address (if you choose to receive your results via email)
Quick Assessment responses are processed to generate framework recommendations. If you provide an email address, we store it to deliver your results and may use it for marketing communications (with your consent). Assessment data submitted without an email is processed transiently and is not linked to an identifiable individual.
2.3 Account Registration Data
When you create a SeedGovernance account, we collect:
- Full name, work email address, and password (hashed)
- Company name, company size, and industry
- Selected data residency region
- Billing information (processed by our payment provider; we do not store full payment card details)
2.4 Tenant Data (Customer Content)
When you use the SeedGovernance platform, you and your authorized users create and store governance content including policies, procedures, assessment responses, control mappings, and documents ("Tenant Data"). Tenant Data is owned by you and processed by us solely to provide the Service. See our Data Processing Agreement for details on how Tenant Data is handled.
2.5 Usage and Log Data
We automatically collect usage data when you interact with the platform, including:
- Login and authentication events (timestamps, IP addresses, device info)
- Feature usage patterns and navigation within the application
- Error logs and performance metrics
- API request metadata
3. How We Use Your Information
We use collected information for the following purposes:
- Service delivery: To provide, operate, and maintain the SeedGovernance platform
- Account management: To create and manage your account, authenticate access, and process billing
- Communication: To send transactional emails (account confirmations, password resets, billing receipts), service notifications, and security alerts
- Marketing: To send product updates, newsletters, and promotional content (only with your consent; you may opt out at any time)
- Analytics and improvement: To understand how the Service is used, identify issues, and improve the user experience
- Security: To detect, prevent, and respond to fraud, abuse, and security incidents
- Legal compliance: To comply with applicable laws, regulations, and legal processes
4. Marketing Emails
We may send you marketing emails about product updates, new features, compliance tips, and industry news. We will only send marketing emails if you have:
- Explicitly opted in during account registration or the Quick Assessment
- Given consent through a separate opt-in mechanism
Every marketing email includes an unsubscribe link. You can also manage your email preferences in your account settings or by contacting us at support@seedgovernance.com. Unsubscribe requests are honored within 48 hours. Transactional emails (password resets, security alerts, billing notices) are not affected by your marketing preferences.
5. Data Sharing and Sub-Processors
We do not sell your personal information. We share information only with the following categories of third parties:
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, compute, storage, database | Your selected region (EU, ME, or US) |
| Stripe | Payment processing and subscription management | United States |
| Resend | Transactional and marketing email delivery | United States |
| Vercel (or equivalent) | Marketing site hosting and edge delivery | Global CDN |
We may also disclose information when required by law, in response to valid legal process, or to protect the rights, safety, or property of SeedGovernance, our users, or the public.
6. Data Retention
We retain your information according to the following schedule:
- Account data: Retained for the duration of your active subscription plus 90 days after account closure to allow for reactivation
- Tenant Data: Retained for the duration of your subscription. Upon account deletion, Tenant Data is permanently deleted within 30 days from all primary storage and within 90 days from backup systems
- Marketing site analytics: Aggregated analytics data is retained for 26 months. IP addresses are anonymized within 24 hours of collection
- Quick Assessment data (without email): Processed transiently and not retained beyond the session
- Quick Assessment data (with email): Retained for 12 months or until you request deletion
- Audit logs: Retained for 90 days (Pro) or 1 year (Enterprise) after the triggering event
- Billing records: Retained for 7 years as required by financial regulations
7. Data Residency
SeedGovernance offers three data residency regions. When you create an account, you choose one of:
- Europe: Azure West Europe (Netherlands)
- Middle East: Azure UAE North (Dubai)
- United States: Azure East US (Virginia)
Your Tenant Data (governance content) is stored and processed exclusively within your selected region. Account metadata and billing data may be processed in the United States by our payment processor and email provider. See Section 5 for details.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you
- Rectification: Request correction of inaccurate or incomplete personal information
- Deletion: Request deletion of your personal information (subject to legal retention obligations)
- Portability: Request an export of your personal information in a structured, machine-readable format (JSON or CSV)
- Restriction: Request that we restrict the processing of your personal information in certain circumstances
- Objection: Object to processing of your personal information for direct marketing purposes
- Withdrawal of consent: Withdraw consent for marketing communications at any time
To exercise any of these rights, contact us at privacy@seedgovernance.com. We will respond within 30 days (or sooner where required by applicable law). We may request verification of your identity before processing your request.
8.1 GDPR-Specific Rights (EEA, UK, and Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, our legal bases for processing your personal information are:
- Contract performance: Processing necessary to provide the Service you have subscribed to
- Legitimate interests: Analytics, security, and service improvement, balanced against your data protection rights
- Consent: Marketing communications and non-essential cookies
- Legal obligation: Tax, financial, and regulatory record-keeping
You have the right to lodge a complaint with your local data protection authority.
8.2 CCPA/CPRA Rights (California)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including the right to know what personal information we collect, the right to delete, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information as defined by the CCPA/CPRA.
9. Security
We implement industry-standard security measures to protect your personal information. See our Security page for details on encryption, infrastructure, access controls, and audit logging.
10. Children's Privacy
Our Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@seedgovernance.com and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (for registered users) and by posting a notice on our website at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
- Email: privacy@seedgovernance.com
- Support: support@seedgovernance.com
- Contact form: seedgovernance.com/contact