Privacy Policy

1. Who we are

Secriiti ("Secriiti", "we", "us") provides a privacy-first insider and access risk detection service (the "Service") operated at secriiti.com. The data controller is [Company legal name], located at [registered address]. This policy explains how we handle information when you visit our website or use the Service.

2. Our core privacy commitment

Secriiti is built to detect security risk from metadata, not content. As a product principle and a matter of policy, we do not read message, email, chat, or document content; we do not log keystrokes or record screens; and we do not generate secret per-individual risk scores. See our privacy approach for detail.

3. Information we process

3.1 Website visitors

• Contact details you submit — e.g., the email address you provide to request early access.
• Basic usage data — standard server logs and, where enabled, privacy-respecting analytics about how the site is used.

3.2 Customer (Service) data

When a customer connects systems to the Service, we process metadata from those systems, such as authentication and session events, access grants and entitlement changes, resource-access patterns, and volume/movement signals. We do not ingest the contents of messages, files, or records.

4. How we use information

• To provide, operate, secure, and improve the Service.
• To generate risk signals, reports, and recommendations at the team and role level.
• To respond to early-access requests and communicate about the Service.
• To comply with legal obligations and enforce our Terms of Service.

We do not sell personal information, and we do not use customer metadata to train models shared across other customers.

5. Legal bases (where applicable)

Where data protection laws such as the GDPR apply, we rely on legal bases including performance of a contract, legitimate interests (operating and securing the Service), consent (e.g., marketing communications), and compliance with legal obligations. [Confirm bases with counsel for your jurisdictions.]

6. Sharing and subprocessors

We share information only with service providers who help us operate the Service under appropriate contractual protections, including cloud infrastructure provided by Amazon Web Services. We may disclose information where required by law. [Maintain a current subprocessor list and link it here.]

7. International transfers

Information may be processed in countries other than yours. Where required, we use appropriate safeguards for international transfers. [Specify mechanisms, e.g., Standard Contractual Clauses, with counsel.]

8. Retention

We retain metadata and signals for a configurable period appropriate to the Service, then delete or de-identify it. Customers may disconnect a source to stop further collection or request deletion of tenant data, subject to legal retention requirements.

9. Security

We protect information with encryption in transit and at rest, tenant isolation, and least-privilege internal access. See our Security page for our posture and roadmap. No method of transmission or storage is perfectly secure.

10. Your rights

Depending on your location, you may have rights to access, correct, delete, or restrict processing of your personal information, and to object or withdraw consent. To exercise these rights, contact us at [privacy contact to be published]. We will respond consistent with applicable law.

11. Children

The Service is intended for organizations and is not directed to children. We do not knowingly collect personal information from children.

12. Changes

We may update this policy from time to time. We will update the "Last updated" date and, where appropriate, provide additional notice.

13. Contact

Questions about this policy can be directed to [privacy contact to be published], or by mail to [Company legal name, registered address].