VELORISK PRIVACY POLICY

Last Updated: April 2026

1. Introduction

Fermata, LLC d/b/a VeloRisk ("Company," "we," "us," or "our") operates velorisk.io, an enterprise risk assessment platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information about you and your organization when you use the Service.

This Privacy Policy is incorporated by reference into and forms part of our Terms of Service. By using the Service, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree with this Privacy Policy, you must discontinue use of the Service.

Capitalized terms not defined here have the meanings given to them in our Terms of Service.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Name, email address, and company name, provided during registration.
  • Payment Information: Payment transactions are processed by Stripe. We do not store credit card numbers or full payment account details on our systems.
  • Assessment Data: All responses, inputs, and materials you provide during risk assessments, including information about your organization's structure, policies, operations, and risk posture.
  • Communications: Messages, inquiries, and other communications you send to our support or sales teams.

2.2 Information Collected Automatically

  • Usage Data: Pages viewed, features accessed, time spent on the platform, clickstream data, and other interaction logs.
  • Device and Technical Information: IP address, browser type and version, operating system, referring URLs, and device identifiers.
  • Cookies and Similar Technologies: We use essential cookies to maintain sessions and authentication. See Section 12 for details.

We collect only the information reasonably necessary to provide the Service. Assessment data relates to your organization's policies, operations, and risk posture — not to the personal information of the individuals completing the assessment.

2.3 Information We Do Not Collect

We do not knowingly collect:

  • Personal identifiers beyond the account registration information described above (name, email address, and company name);
  • Special categories of sensitive personal data (including health, biometric, racial or ethnic origin, religious beliefs, or financial account credentials);
  • Personal information from individuals under 18 years of age; or
  • Personal information beyond what is reasonably necessary to provide the Service.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To process assessments, generate reports, deliver analysis, and provide all features of the Service.
  • Service Improvement: To analyze usage patterns, identify bugs, and enhance the functionality and user experience of the Service.
  • Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance.
  • Security and Fraud Prevention: To detect, investigate, prevent, and address fraud, security incidents, and technical problems.
  • Legal Compliance: To comply with applicable laws, regulations, and lawful governmental requests.
  • Service Communications: To send service-related announcements, updates, and administrative notices. We do not send marketing or promotional emails without your explicit consent.

We will not use Your Data for any purpose materially different from those described above without providing you with notice and, where required by law, obtaining your consent.

4. Automated Analysis and Your Data

VeloRisk uses automated analytical systems to evaluate your assessment responses and generate risk reports and recommendations. This section explains how our platform processes your data.

4.1 How We Process Your Data

When you complete a risk assessment, your responses are processed by our analytical platform to:

  • Identify patterns, gaps, and risk indicators in your organization's posture; and
  • Generate structured analytical outputs.

Service outputs are analytical in nature and do not constitute legal, financial, or professional advice. See Section 6 of our Terms of Service.

4.2 Service Improvement

Service Improvement: We may use aggregated, anonymized, and de-identified data derived from assessments to improve the accuracy, performance, and quality of our analytical platform and the Service generally. This anonymized data cannot reasonably be used to identify you or your organization.

What We Do Not Do: We do not use your identifiable assessment responses, company name, or personally identifiable information to improve our systems. We do not share identified customer data with third-party providers for training or development purposes.

If you would prefer to opt out of having your anonymized data used for service improvement, send a request to hello@velorisk.io from your registered email address.

5. How We Share Your Information

We do not sell, rent, or lease your personal information or assessment data to third parties.

We may share information only in the following limited circumstances:

  • Service Providers: Third-party vendors who assist in operating the Service, including cloud hosting, payment processing, authentication, analytics, transactional email (Postmark), and form submission (Formspree) providers. These providers access Your Data only as necessary to perform services on our behalf and are bound by confidentiality and data protection obligations no less protective than those in this Privacy Policy. See Section 13 for our current sub-processor list.
  • Legal Requirements: When required by applicable law, regulation, court order, subpoena, or valid governmental request. Where legally permissible, we will notify you before disclosing your information and cooperate with you in seeking a protective order.
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of all or substantially all our assets, provided that the successor entity agrees to be bound by this Privacy Policy or provides you with notice and an opportunity to opt out prior to any material change in data handling.
  • Protection of Rights: When we believe in good faith that disclosure is necessary to protect the rights, property, or safety of VeloRisk, our users, or the public.
  • With Your Consent: When you have explicitly authorized us to share specific information with identified third parties.

6. Data Security

We implement and maintain commercially reasonable administrative, technical, and physical safeguards designed to protect Your Data against unauthorized access, disclosure, alteration, loss, or destruction, including:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL protocols.
  • Encryption at Rest: All data stored on our systems is encrypted using AES-256 encryption.
  • Infrastructure Security: The Service is hosted on Google Cloud Platform, which maintains SOC 2 Type II certification and industry-leading physical and network security controls.
  • Access Controls: Access to customer data by VeloRisk employees and contractors is restricted on a strict need-to-know basis and subject to authentication and authorization protocols.
  • Security Monitoring: We conduct continuous security monitoring and logging to detect and respond to potential threats.

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a security incident affecting your data, we will notify you in accordance with applicable law and our obligations under the Terms of Service.

7. Data Retention

We retain Your Data for the periods described below, after which it is securely deleted or anonymized:

  • Assessment Data: Retained for twenty-four (24) months from the date your report is generated.
  • Repeat Customers: If you purchase subsequent assessments, all historical assessment data is retained for twenty-four (24) months from the date of your most recent report generation.
  • Incomplete Assessments: Automatically deleted after ninety (90) days of inactivity.
  • Anonymized Data: We may retain aggregated, anonymized usage data indefinitely for product improvement, analytics, and internal research. This data cannot reasonably be used to identify you.

We may retain Your Data beyond these periods where we are required to: (i) comply with applicable legal obligations; (ii) resolve pending disputes; or (iii) enforce our agreements.

Your Right to Deletion: You may request deletion of Your Data at any time, regardless of the applicable retention period, by contacting us at hello@velorisk.io. Upon receipt of a verified deletion request, we will:

  • Delete or permanently anonymize Your Data within thirty (30) days; and
  • Provide written confirmation of deletion upon your request.

Exceptions: We may retain data notwithstanding a deletion request to the extent necessary to: (i) comply with applicable legal obligations; (ii) resolve pending disputes or enforce outstanding agreements; (iii) maintain aggregated, anonymized data that cannot identify you; or (iv) preserve backup copies for a commercially reasonable period not to exceed ninety (90) days.

8. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights with respect to your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Deletion: Request deletion of your personal information, subject to legal obligations and the retention terms in Section 7.
  • Portability: Request that we provide your personal information in a structured, commonly used, machine-readable format.
  • Objection: Object to certain processing of your personal information, including processing based on legitimate interests.
  • Restriction: Request that we restrict processing of your personal information in certain circumstances.
  • Withdraw Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@velorisk.io. We will respond to verified requests within the timeframes required by applicable law (and in any event within thirty (30) days). We will not discriminate against you for exercising any of these rights.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"):

  • Right to Know: The right to know what personal information we collect, use, share, or disclose, and to receive a copy of the specific personal information we have collected about you in the twelve (12) months preceding your request.
  • Right to Delete: The right to request deletion of personal information we have collected about you, subject to certain exceptions.
  • Right to Correct: The right to request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is required, but you may contact us to confirm.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.

Categories of Personal Information Collected: In the past twelve (12) months, we have collected the following categories of personal information: identifiers (name, email, IP address); commercial information (purchase history); professional or employment-related information (job title, company); and internet or other electronic network activity information (usage data).

How to Submit a Request: To exercise your CCPA rights, contact us at hello@velorisk.io. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf by providing written authorization.

10. European Privacy Rights (GDPR)

If you are in the European Economic Area ("EEA"), United Kingdom, or Switzerland, the following additional terms apply:

Data Controller: Fermata, LLC d/b/a VeloRisk is the data controller for personal information processed in connection with the Service.

Legal Bases for Processing: We process your personal information on the following legal bases: (i) performance of a contract, where processing is necessary to provide the Service you have purchased; (ii) legitimate interests, where processing is necessary for our legitimate business interests (such as security and fraud prevention), provided those interests are not overridden by your rights; (iii) legal obligation, where processing is required to comply with applicable law; and (iv) consent, where you have provided explicit consent for specific processing activities.

International Transfers: Your personal information may be transferred to and processed in the United States or other countries outside the EEA. Where we transfer personal information from the EEA, we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your information receives an adequate level of protection.

Data Retention: We retain personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, consistent with Section 7.

Right to Lodge a Complaint: You have the right to lodge a complaint with the data protection authority in your country of residence. A list of EEA supervisory authorities is available at https://edpb.europa.eu/.

To exercise your GDPR rights, contact us at hello@velorisk.io. We will respond within thirty (30) days, or within the timeframe required by applicable law.

11. International Data Transfers

VeloRisk is based in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where our servers and central database operate. Data protection laws in the United States may differ from those in your country of residence.

We take appropriate steps to ensure that any international transfer of personal information is subject to appropriate safeguards consistent with this Privacy Policy and applicable data protection laws, including the use of Standard Contractual Clauses where required.

12. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service. Cookies are small text files stored on your device.

  • Essential Cookies: Required for authentication, session management, and core platform functionality. These cannot be disabled without affecting the operation of the Service.
  • Analytics Cookies: Used to understand how users interact with the Service, including pages visited and features used. We use this information to improve the Service. This information is gathered and stored by Google Analytics.

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Service. For more information about cookies and how to manage them, visit www.allaboutcookies.org.

13. Third-Party Service Providers

We currently use the following third-party service providers who may access or process Your Data on our behalf:

We are not responsible for the privacy practices of these third-party providers. We encourage you to review their privacy policies. We will update this list as our sub-processors change and will provide notice of material changes in accordance with Section 15.

14. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information without parental consent, please contact us at hello@velorisk.io and we will take steps to delete such information promptly.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this Privacy Policy;
  • Post the revised Privacy Policy on this page; and
  • Where required by applicable law or where changes are material, provide you with additional notice (such as by email or in-app notification).

Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated Privacy Policy, you must discontinue use of the Service.

16. Contact Us

For questions, concerns, or to exercise your privacy rights, please contact us at:

VeloRisk (Fermata, LLC d/b/a VeloRisk)
Email: hello@velorisk.io
Website: www.velorisk.io

We aim to respond to all privacy-related inquiries within thirty (30) days.