Privacy Policy

Effective Date: April 1, 2026 · Last Updated: April 1, 2026

1. Introduction

Stronghold Consulting LLC ("Certivox," "we," "us," or "our") operates the Certivox AI Governance platform at certivox.ai (the "Service"). We are a Service-Disabled Veteran-Owned Small Business (SDVOSB) registered in the United States. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. If you disagree with its terms, please discontinue use of the Service.

2. Information We Collect

2.1 Information You Provide Directly

  • Account registration data: name, email address, organization name, industry, and company size
  • Compliance content: AI system descriptions, gap assessment responses, control documentation, and evidence files you upload
  • Billing information: handled entirely by Stripe. We do not store payment card data on our servers
  • Communications: emails, support requests, and demo inquiries sent to us

2.2 Information Collected Automatically

  • Log data: IP addresses, browser type, pages visited, and timestamps
  • Session data: authentication tokens stored in secure, HTTP-only cookies
  • Usage data: feature interactions and platform activity used to improve the Service

2.3 Information from Third Parties

  • Google OAuth: if you sign in with Google, we receive your name and email address from Google
  • Stripe: we receive subscription status, plan tier, and customer identifiers from Stripe for billing purposes

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Certivox platform
  • Process subscription payments and manage your account
  • Generate compliance reports, gap assessments, and Statement of Applicability documents
  • Send transactional emails including account confirmations and billing receipts
  • Respond to customer support requests and inquiries
  • Improve platform features and fix bugs
  • Comply with legal obligations and enforce our Terms of Service

We do not sell your personal data or compliance data to third parties. We do not use your compliance content to train AI models.

4. Data Sharing and Third-Party Processors

We share data only with trusted third-party service providers necessary to operate the Service:

  • Google Cloud Platform (GCP): Our infrastructure provider. All data is stored and processed on GCP in the us-central1 (Iowa) region. GCP maintains SOC 2 and ISO 27001 compliance and holds FedRAMP authorization.
  • Firebase (Google): Used for authentication services including email/password login and Google OAuth.
  • Stripe: Payment processing. Stripe handles all payment card data under PCI-DSS Level 1 compliance. Stripe may transfer payment data internationally under EU Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.
  • Resend: Transactional email delivery for account notifications and billing receipts.

We require all third-party processors to maintain appropriate data protection standards. We do not share your data with advertising networks or data brokers.

5. Data Retention

  • Account and compliance data: Retained for the duration of your active subscription plus 90 days after cancellation, giving you time to export your data.
  • Billing records: Retained for 7 years to comply with financial and tax regulations.
  • Log data: Retained for up to 12 months for security and debugging purposes.
  • Deleted accounts: Upon request, personal data is purged within 30 days, except where retention is required by law.

6. Data Security

We implement industry-standard security controls to protect your data:

  • All data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256
  • Authentication is handled by Firebase with support for multi-factor authentication
  • Our infrastructure runs on Google Cloud Platform within a private VPC with restricted network access
  • Access to production systems is limited to authorized personnel only
  • We are pursuing SOC 2 Type II certification

No method of electronic transmission or storage is 100% secure. While we implement strong safeguards, we cannot guarantee absolute security.

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data, subject to legal retention requirements
  • Portability: Request your compliance data in a machine-readable export format
  • Opt-out: Unsubscribe from marketing communications at any time via the unsubscribe link in any email
  • CCPA (California residents): You have the right to know, delete, and opt out of the sale of personal information. We do not sell personal information.
  • GDPR (EU/EEA residents): You have the rights of access, rectification, erasure, restriction, portability, and objection

To exercise any of these rights, contact us at privacy@certivox.ai.

8. Cookies

Certivox uses a single session cookie (certivox_session) to maintain your authenticated session. This cookie is HTTP-only, secure, and expires after 7 days of inactivity. We do not use advertising cookies or third-party tracking cookies.

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected such information, please contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email to the address on your account or by posting a prominent notice on the Service at least 30 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

11. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us:

Stronghold Consulting LLC (Certivox)

Email: privacy@certivox.ai

Website: certivox.ai