Privacy Policy
Last updated: April 27, 2026
Overview
This Privacy Policy explains how Do GRC ("we", "us", or "our") collects, uses, stores, and protects your personal information when you access or use our platform. We are committed to safeguarding your privacy and handling your data transparently.
Information We Collect
We may collect the following types of information:
- Account Information — name, email address, and authentication credentials when you create an account.
- Usage Data — learning progress, room completions, scenario responses, GRC tool records (e.g. risks, incidents, policies, vendors, audits), GRC Coach conversations, interview prep answers, and platform interaction patterns.
- Technical Data — browser type, device information, IP address, and cookies used to deliver core functionality.
- Product Analytics — page views, clicks, and other interaction events, referrer URL and UTM campaign parameters, and approximate geolocation derived from IP address. We do not record your screen or session.
How We Use Information
We use your information to:
- Operate, maintain, and improve the Do GRC platform.
- Personalise your learning experience and track your progress.
- Provide AI-powered features such as the GRC Coach, AI scenario grading, interview prep feedback, and GRC tool data population.
- Send service-related communications such as account verification and updates.
- Analyse aggregated, anonymised usage trends to improve our content.
- Maintain the security and integrity of the platform.
Data Sharing and Disclosure
We do not sell your personal information. We may share data with trusted third-party service providers solely to operate and improve the platform. Our current sub-processors are:
- Supabase (authentication and database).
- Vercel (hosting, edge delivery, and aggregate analytics).
- OpenAI (AI-powered features, as described below).
- Paddle (subscription billing as Merchant of Record; Paddle's checkout also offers PayPal as a payment method).
- Stripe (subscription billing; Merchant of Record for Stripe subscriptions opened on or after April 27, 2026, while legacy Stripe subscribers remain on the prior billing arrangement).
- PostHog (product analytics, as described below).
- Cookiebot by Cybot A/S, Denmark (consent banner and consent-log storage).
We may also disclose information if required by law or to protect our legal rights.
Product Analytics
We use PostHog to understand how the platform is used, diagnose bugs, and prioritise improvements. PostHog is loaded only in production and only when the corresponding environment keys are configured. We do not use PostHog's session replay feature — PostHog does not record your screen or session on Do GRC.
When PostHog is active, it captures:
- Page views (pathname and query string), clicks, form submissions, and similar interaction events generated by our interface.
- Browser and device metadata, referrer URL, UTM campaign parameters, and an approximate geolocation derived from IP address.
Before you sign in, events are associated with an anonymous device identifier stored in your browser. When you sign in, we link that anonymous history to your Do GRC account identifier and attach a small set of person properties — your email address, account creation date, whether you currently hold a paid entitlement, and whether you have an active subscription — so that we can segment product usage by plan and support users who raise issues with us. When you sign out, we reset the local PostHog identifier, so subsequent activity on that browser is no longer linked to your account.
Analytics and performance cookies, including PostHog and Vercel Analytics, are loaded only after you grant the Analytics category through our Cookiebot consent banner. You can review or withdraw your choice at any time via the "Manage cookie preferences" button on our Cookie Policy page. When you withdraw consent we disable capture and clear the PostHog distinct-id stored in your browser; this stops further collection but does not by itself remove events already recorded. To have your existing PostHog data deleted, contact us at the address below.
AI-Powered Features and Third-Party Processing
Several platform features use third-party AI services to process your inputs and generate responses. These include the GRC Coach (conversations and journey generation), scenario and interview prep grading, and GRC tool data population. When you use these features, the content you submit is sent to our AI provider for processing.
Your submissions are not used to train third-party AI models, with the following narrow exceptions. Requests for these features are routed through a separate OpenAI organisation in which input/output sharing is enabled, so OpenAI may use the non-personal inputs and outputs of these features to improve its services:
- Exam prep generation — produces synthetic certification-style multiple-choice questions from non-personal inputs (exam name, domain, difficulty).
- "Populate examples" in our GRC tools — asks the model to invent realistic example records from scratch. None of your own GRC records are sent.
- Resume Point Generator — sends only a sanitised target-role string and the titles of Do GRC training modules you have completed. It does not send your name, contact details, or real employment history; the resume bullet points are generated from the platform's training content alone.
All other features — including the GRC Coach (chat and journey generation), interview prep, role play, scenario submissions, AI quiz answer checking, text-to-speech, and the per-record AI fill helpers in our GRC tools (whose prompts include the name or title of one of your actual records) — use a separate OpenAI organisation in which input/output sharing is disabled. Inputs to those features are not used to train OpenAI's models and are retained by OpenAI only for the short abuse-monitoring window provided for in its API terms.
For text-to-speech specifically, the short text strings you choose to play are sent to OpenAI for audio synthesis and returned to your browser for immediate playback. We do not store the synthesised audio beyond playback.
Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with our services. If you close your account, we will delete or anonymise your data within a reasonable timeframe, unless retention is required by law.
Your Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or export your personal data. You may also have the right to object to or restrict certain processing activities.
If you have an account, you can exercise most of these rights directly from your privacy controls: download a copy of your data, toggle marketing / analytics / AI-training preferences, correct your profile, or delete your account. For any right that isn't covered there, please contact us using the details below.
Security
We implement industry-standard security measures to protect your data, including encryption in transit, secure authentication, and regular access reviews. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
Contact
If you have questions or concerns about this Privacy Policy or your data, please contact us at hello@dogrc.com.