Privacy Policy

Last Updated: January 2026

1. Introduction

Fermata, LLC ("Company," "we," "us," or "our") operates VeloRisk, an AI-powered enterprise risk assessment platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using VeloRisk, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, company name, job title
  • Payment Information: Processed by Stripe (we do not store credit card numbers)
  • Assessment Data: All responses you provide during risk assessments, including information about your organization's structure, policies, and risk posture
  • Communications: Messages you send to our support team

2.2 Automatically Collected Information

  • Usage Data: Pages viewed, features used, time spent on platform
  • Device Information: IP address, browser type, operating system
  • Cookies: We use essential cookies to maintain sessions and authentication

3. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Process assessments, generate reports, and provide analysis
  • Improve Our Service: Analyze usage patterns to enhance functionality and user experience
  • Customer Support: Respond to your inquiries and provide technical assistance
  • Security: Detect, prevent, and address fraud, security issues, and technical problems
  • Legal Compliance: Comply with applicable laws and regulations
  • Communications: Send service-related announcements and updates (we do not send marketing emails without your consent)

4. How We Share Your Information

We do not sell your personal information or assessment data to third parties.

We may share information in the following limited circumstances:

  • Service Providers: Third parties who assist in operating our platform (e.g., hosting providers, payment processors like Stripe). These providers are bound by confidentiality agreements.
  • Legal Requirements: When required by law, subpoena, or government request
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, subject to confidentiality agreements
  • With Your Consent: When you explicitly authorize us to share specific information

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256)
  • Infrastructure: Hosted on Google Cloud Platform with SOC 2 Type II controls
  • Access Controls: Strict authentication and authorization protocols limit employee access to customer data
  • Monitoring: Continuous security monitoring and logging

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your data based on your purchase and usage pattern:

  • Active Subscribers: Unlimited retention while your subscription is active, plus 24 months after subscription ends.
  • Continuous Service Users: If you generate reports regularly (within 13 months of your previous report generation), we treat this as continuous service and retain all your historical reports indefinitely. If more than 13 months pass between generated reports, all reports are retained for 24 months from your last report generation date.
  • One-Time Purchases: 24 months from report generation.
  • Incomplete Assessments: Automatically deleted after 90 days of inactivity.
  • User-Requested Deletion: You can export or delete your data at any time, regardless of retention policy. We will honor immediate deletion requests in compliance with GDPR and CCPA requirements.
  • Anonymized Data: We may retain anonymized, aggregated usage data indefinitely for product improvement and analytics. This data cannot be used to identify you personally.

To request deletion of your data, contact us at hello@velorisk.io.

7. Your Rights and Choices

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information (subject to legal obligations)
  • Portability: Request transfer of your data to another service
  • Objection: Object to certain processing of your information
  • Restriction: Request restriction of processing in certain circumstances

To exercise these rights, contact us at hello@velorisk.io.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy and applicable data protection laws.

9. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information (subject to exceptions)
  • Right to opt out of the sale of personal information (note: we do not sell personal information)
  • Right to non-discrimination for exercising CCPA rights

11. European Privacy Rights (GDPR)

If you are in the European Economic Area, you have rights under the General Data Protection Regulation (GDPR):

  • Legal Basis: We process your data based on contract performance, legitimate interests, and legal compliance
  • Data Controller: Fermata, LLC is the data controller for your personal information
  • Rights: You have all rights described in Section 7 above
  • Complaints: You have the right to lodge a complaint with your local data protection authority

12. Cookies and Tracking

We use cookies and similar technologies for:

  • Essential Cookies: Required for authentication and basic functionality
  • Analytics: To understand how users interact with our Service (if implemented)

You can control cookies through your browser settings. Disabling essential cookies may affect Service functionality.

13. Third-Party Services

Our Service uses the following third-party services:

We are not responsible for the privacy practices of third-party services. We encourage you to review their privacy policies.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

15. Contact Us

For questions, concerns, or to exercise your privacy rights, contact us at:

Fermata, LLC
Email: hello@velorisk.io
Website: www.velorisk.io