Privacy Policy

Effective date: 1 May 2026 · Last updated: 13 May 2026

This Privacy Policy describes how TRACTIONGRC, INC. (“TractionGRC,” “we,” “us,” or “our”), a State of Washington corporation, collects, uses, shares, and protects information when you visit tractiongrc.com, use the TractionGRC platform, or otherwise interact with us (collectively, the “Services”). This Policy applies to all users, including free-tier accounts. Federal and state laws give consumers the right to limit some, but not all, sharing. We are committed to protecting your privacy and encourage you to review this Privacy Policy carefully to understand how your information is handled, as further described in our Terms of Service and Acceptable Use Policy, as may be amended from time to time.

TractionGRC provides a governance, risk, and compliance (“GRC”) platform. In using our Services, you may upload, generate, or connect sensitive information about your organization, including security practices, internal controls, suppliers, and infrastructure. We recognize the sensitivity of this data and take our responsibility to protect it seriously. This Privacy Policy explains how we collect, use, and safeguard that information.

1. Executive summary

This is a plain-language summary. The rest of the policy is the legally operative version.

  • We collect what we need to operate the platform and to support you. Nothing more.
  • TractionAI, our artificial intelligence (“AI”) assistant, may temporarily process limited organizational settings (such as organization name, size, industry, and frameworks in scope) solely for the purpose of generating a relevant response during an active interaction. This information is used only to the minimum extent necessary, is not retained after the response is generated, and is not used for training, profiling, or any secondary purpose.
  • TractionGRC information is hosted on Microsoft Azure in the United States.
  • We collect information you provide to us, including when you register an account, complete a transaction, link an external account to the Services, sign up to receive our email updates, fill out a form, or communicate with us. The only information we obtain about each individual visitor to our Services is that supplied voluntarily by the visitor. This information may include, but is not limited to: the visitor’s name, company name, title, gender, date of birth, email address, physical address, telephone number, credit card number, credit card verification code, credit card expiration date, username and password associated with the Services, government-issued identification numbers, government-issued identification cards, services or products requested, and relationship history and online activities with us and our affiliates. When we need additional personal information to provide customized content, or to inform you about new products or services, you are explicitly asked for that information.
  • You own your information. You may export or delete your account at any time through the account settings within the GRC platform.
  • We name the sub-processors we use, including which AI providers we work with, in Section 7.
  • General questions: visit our Contact page. For privacy-specific requests, email privacy@tractiongrc.com.

2. Definitions

For purposes of this Privacy Policy:

  • “Customer Data” means Customer Content, Billing Information, Account Information, and Support Communications, as outlined herein, processed by TractionGRC on behalf of a customer, excluding aggregated or de-identified analytics.
  • “Information” refers collectively to Personal Information and Customer Data, as applicable.
  • “Personal Information” means information that identifies or relates to an identifiable individual.

3. Information we collect

3.1 Information you provide to us

  • Account information. Name, work email address, password (stored hashed), organization name, organization size, industry, role, and any other profile details you choose to add.
  • Billing information. If you subscribe to a paid plan, you provide payment details directly to our payment processor, Stripe. We do not store full payment card details on our servers; we retain only limited billing metadata returned by Stripe (such as the last four digits, card brand, expiration date, and billing country). For information about how Stripe collects and processes payment data, please review the Stripe Privacy Policy.
  • Customer content. Information you, your team, or your suppliers upload, type, generate, or otherwise input into the GRC platform. This includes policies, controls, evidence files, gap analyses, plans of action and milestones (POA&Ms), supplier assessment responses, internal audit notes, management review records, domain registration and DNS information you submit for scanning, and any messages you send to TractionAI.
  • Support communications. If you contact support, we collect the information you choose to provide during the support interaction, including messages, attachments, and contact details.

3.2 Information we receive from other sources

  • Cloud connectors. If you choose to connect a Microsoft Azure or Google Workspace account to TractionGRC, we receive limited configuration and security-related information from those services based on the permissions you approve during setup. We collect only the information necessary to assess the controls you select and do not access or store the contents of files, emails, calendars, or other end-user data. See Section 6 for the full disclosure of what we access from Google Workspace.
  • Domain and DNS data. When you run a baseline or deep scan, we query public DNS, certificate transparency logs, and other public Internet sources for the domain you have verified. We do not scan domains you have not verified ownership of.
  • Identity providers. If you choose to sign in using an external identity service (such as signing in with your company account instead of a separate password), we receive basic account information the provider shares with us, typically your name, email address, and a unique user identifier.

3.3 Information we collect automatically

Each time you visit one of our Services, our web server automatically recognizes and collects your domain name, but not your email address. When you use our Services, we also automatically collect certain Personal Information, which is kept strictly confidential. We may use this information for internal and external purposes. It includes:

  • Transaction information. We collect information in connection with each transaction you engage in via the Services, including the transaction time, amount, counterparties (if any), and other transaction details.
  • Telemetry and product usage. We collect standard server logs in connection with your use of our Services, including the type of browser you use, access times, pages viewed, IP address, and the web page you visited before navigating to, or after navigating away from, the Services.
  • Device and connection. We collect information about the computer or mobile device you use to access our Services, including the hardware model, operating system and version, unique device identifiers, and mobile network information.
  • Location information. With your permission, we collect precise location from your mobile device in connection with your use of some of our Services. We may also derive approximate location from your IP address.

Information collected by tracking technologies.

  • Cookies. When you use our Services, we place a text file called a “cookie” in the browser files of your computer or mobile device. Cookies are pieces of information that a website or application transfers to an individual’s hard drive for record-keeping purposes. We use cookies to deliver content specific to your related interests, to avoid showing you the same message repeatedly, and to tailor a Service to better match your interests and preferences. Our cookies enable us to relate your use of our Services to information you have specifically and knowingly provided to us. Most browsers let you erase cookies, block all cookies, or receive a warning before a cookie is stored. Please refer to your browser instructions or help screen to learn more.
  • Mobile device identifiers. Mobile device identifiers are unique identifiers established by your mobile device operating system that we collect from our mobile applications. These identifiers are used for purposes similar to cookies.
  • Local storage. This is information that stores data locally in your browser, including user preferences.
  • Pixel tags. Pixel tags are small blocks of code often used in connection with cookies. Pixel tags (or web beacons) may be placed on our websites and emails, and allow us to track website usage, including to determine when emails have been opened and acted upon.

4. How we use information

We use the information described above for the following purposes:

  • Security. Our Services implement reasonable security practices and procedures designed to help protect against the loss, misuse, and alteration of the information under our control. Specifically, we employ security measures designed to protect the confidentiality and integrity of online transactions and Personal Information.
  • Provide and operate the service. Authenticate users, render your workspace, run scans you initiate, generate documents you request, track controls and findings, send notifications, and process payments.
  • Support you. Respond to questions, troubleshoot issues, investigate suspected abuse, and notify you of material changes.
  • Personalize TractionAI output. When TractionAI generates a policy, answer, or recommendation, we provide your organization’s profile information (organization name, size, industry, frameworks in scope, and similar context) to our AI provider as prompt context so the response is tailored to your organization. This context is used at the moment of generation and is not retained by the AI provider for model training under the agreements we maintain with them.
  • Secure the service. Detect, prevent, and respond to abuse, fraud, security incidents, and violations of our Terms of Service and Acceptable Use Policy.
  • Improve the service operationally. Analyze aggregated, de-identified usage patterns to understand which features are useful, where users encounter friction, and how to prioritize improvements. This is not the same as training AI models on customer data, which we do not do.
  • Communicate with you. Send transactional messages (verification, billing, security alerts, service updates), respond to inquiries, and, where you have opted in, send product updates and marketing communications you can unsubscribe from at any time.
  • Comply with law. Meet legal, regulatory, tax, and audit obligations applicable to TractionGRC.

5. Artificial intelligence (TractionAI)

TractionAI features use machine-learning models that were trained prior to deployment using a combination of licensed data, data created by human trainers, and publicly available information. Information processed through the TractionGRC platform is not used to train, fine-tune, or otherwise improve these models.

5.1 No training / no public models

TractionGRC uses enterprise AI services under contractual terms that prohibit model training on Customer Data. We do not use consumer or public AI services for TractionAI functionality.

5.2 What TractionAI uses at runtime

To produce a useful response, TractionAI uses, at the moment of generation:

  • Your prompt.
  • Workspace content, such as your organization profile (name, size, industry, frameworks in scope), the document or control you are working on, and recent conversation in the same session.
  • The pre-trained AI model’s own knowledge.

5.3 Operational logging

We log TractionAI requests and responses for a limited period for operational reasons: debugging, abuse prevention, safety review, and meeting our own compliance obligations. These logs are accessible only to authorized TractionGRC personnel and are not used for model training. See Section 9 for retention.

5.4 AI output is informational

TractionAI output is generated by a language model. It is informational and is not a substitute for professional advice, certified auditor review, or independent legal or compliance judgment. AI output may “hallucinate” at times, meaning generated output may be incorrect or incomplete. You are responsible for reviewing it before relying on it. See also our Terms of Service and Acceptable Use Policy.

6. Use of Google Workspace data

When you connect your Google Workspace account to TractionGRC, we receive limited information from Google to help evaluate your workspace’s security and compliance status. This section explains what information we access, how it is used, and how you can disconnect Google Workspace at any time.

6.1 What we access

We access only the minimum Google Workspace information needed to provide security and compliance features, including:

  • User and administrator account details. Basic information about users and administrator roles, such as whether additional sign-in verification is enabled or an account is suspended. This is used to assess access controls and account security.
  • Security and activity information. Summary records of administrator actions and sign-in activity. This is used to confirm audit logging is enabled and to identify inactive accounts that may require review.
  • Workspace identification information. Your verified domain name and a unique workspace identifier, used solely to identify and manage your Google Workspace connection within TractionGRC.

We use Google Workspace data only to provide the functionality you request, do not use it for advertising, and do not sell or share it except as necessary to operate the service. Google Workspace data is not used to train artificial intelligence or machine-learning models and is not accessed by humans except as required for support, security, or legal compliance. We do not modify any data in your Google Workspace; all OAuth scopes we request are read-only.

6.2 How we use this data

We use Google Workspace data only to produce the compliance signals shown on the Cloud Connect dashboard in TractionGRC, to compute related TractionScore contributions, and to create historical signal records that let you and your auditors see how your posture has changed over time. We do not transfer this data to third parties except to the sub-processors listed in Section 7.1, and we do not use it for advertising of any kind.

6.3 Limited Use commitment

TractionGRC’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, data accessed from Google APIs is:

  • Used only to provide and improve user-facing features of TractionGRC that are prominent in the application’s user interface (specifically, the Cloud Connect dashboard, compliance signal evaluation, and TractionScore).
  • Not transferred to third parties except as necessary to provide or improve those features (our sub-processors, listed in Section 7.1) or to comply with applicable law or as part of a merger, acquisition, or sale of assets.
  • Not used or transferred for serving advertisements, including retargeted, personalized, or interest-based advertising.
  • Not read by humans, except (a) with your affirmative consent for specific messages, (b) as necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations.

6.4 Revoking access

You can revoke TractionGRC’s access to your Google Workspace at any time by disconnecting the integration from your Cloud Connect page in TractionGRC, or by visiting your Google Account permissions page. On disconnection, we delete the access and refresh tokens immediately. Historical compliance signals derived from your Google Workspace are retained according to the retention schedule in Section 9 unless you request earlier deletion under Section 10.

7. How we share information

We do not sell Personal Information. We share information only as described here.

7.1 Service providers and sub-processors

We share information with vendors who help us operate the service, under contractual confidentiality and data-protection obligations. Our current sub-processors are:

  • Microsoft Azure · cloud hosting, database, infrastructure, and Azure OpenAI Service inference. United States.
  • Anthropic, PBC · Claude API for some TractionAI features. United States.
  • Stripe, Inc. · payment processing and billing. United States.
  • Twilio SendGrid · transactional email delivery. United States.

We may add or change sub-processors. Material changes will be reflected here and on our Trust Center, which hosts the canonical, up-to-date list. Where required, we will communicate changes to customers in advance.

7.2 Within your organization

Information you submit to a workspace is visible to other authorized users of that workspace, subject to permissions configured by your administrator. Your administrator may have access to your activity within the workspace.

7.3 With your direction

If you connect a third-party service (for example, Microsoft Azure or Google Workspace), you authorize us to send and receive information from that service to perform the integration you have requested.

7.4 Legal and safety

We may disclose information if we believe in good faith that disclosure is required by law, legal process, or government request, or is necessary to protect the rights, property, or safety of TractionGRC, our users, or others. Where lawful, we will notify the affected customer before complying.

7.5 Change in control / business transfers

If TractionGRC is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction. We will give notice before information becomes subject to a different privacy policy.

8. Where data is processed

Information is hosted on Microsoft Azure infrastructure in the United States. AI inference may be processed in the United States by Anthropic or Microsoft Azure OpenAI Service. Other sub-processors listed above operate primarily in the United States.

If you are located outside the United States, your information will be transferred to and processed in the United States, which may have data protection laws that differ from those of your country. By using the service, you consent to this transfer. Where required by law (for example, for personal data subject to UK GDPR or EU GDPR), we rely on appropriate transfer mechanisms with our sub-processors, including the European Commission’s Standard Contractual Clauses where applicable.

9. Data retention

  • Active accounts. We retain Customer Data for as long as your account is active, or as needed to provide the service.
  • Account closure. When a subscription ends or an account is closed, we retain Customer Data for up to 30 days to allow recovery, then delete or de-identify it from production systems.
  • Backups. Encrypted backups are retained on a rolling basis and are overwritten on the standard backup cycle (typically within 35 days).
  • Operational and security logs. Retained for up to 12 months for security, audit, abuse prevention, and compliance purposes.
  • Billing records. Retained for the period required by tax and accounting law (typically seven years in the United States).
  • Aggregate, de-identified analytics. May be retained indefinitely.

You can request earlier deletion as described in Section 10. Some retention is required by law and may not be deleted on request.

10. U.S. state privacy rights

Depending on your state of residence, you may have certain rights with respect to your personal information under applicable U.S. state privacy laws. These rights may include, subject to certain limitations and exceptions:

  • The right to access the personal information we maintain about you.
  • The right to correct inaccurate personal information.
  • The right to delete personal information.
  • The right to obtain a copy of your personal information in a portable format.
  • The right to opt out of certain processing, such as targeted advertising, the sale of personal information, or profiling that produces legal or similarly significant effects.
  • The right to appeal our decision if we decline to take action on a request, where required by law.

We will not discriminate against you for exercising any rights available under applicable law.

To exercise your rights, please contact us at privacy@tractiongrc.com or use the in-application controls where available. We may need to verify your identity before processing your request and will respond within the timeframe required by applicable law.

10.1 Additional notice to California residents

In November 2020, State of California voters passed Proposition 24, the California Privacy Rights Act (“CPRA”), which amended the California Consumer Privacy Act (“CCPA”). The CPRA gives “consumers” (defined as natural persons who are residents of California) four basic rights to their personal information: (1) the right to know, through a general privacy policy and with more specifics available upon request, what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold; (2) the right to opt out of allowing a business to sell their personal information to third parties (or, for consumers under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in); (3) the right to have a business delete their personal information, with some exceptions; and (4) the right to receive equal service and pricing from a business, even if they exercise their privacy rights under the CCPA.

Furthermore, under California Civil Code Sections 1798.83 to 1798.84, California residents are entitled to ask for notice of Personal Information that we share with our affiliates or any third parties for marketing purposes, and for the contact information of those affiliates or third parties.

To protect your personal information from unauthorized access or deletion, we may require that you verify login credentials before submitting a request to know or delete personal information from us. If you do not have an account with us, or if we suspect fraudulent or malicious activity, we may ask you to provide additional personal information to authenticate and verify your identity. If we are unable to authenticate or verify your identity, we will not provide or delete your personal information.

You may submit a request to know, or a request to delete, your personal information through an authorized agent. For an authorized agent to act on your behalf, the agent must present signed written permission, and in some instances we may also require you to independently verify your identity.

11. Children’s privacy

TractionGRC is a business product. It is not directed to children, and we do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions that apply that threshold). If you believe a child has provided us with personal information, email privacy@tractiongrc.com and we will delete it.

12. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the most recent change. If a change is material, we will notify you in advance through the service or by email. Continued use of the service after a change becomes effective constitutes acceptance of the updated policy.

13. Contact us

For privacy questions or to exercise your rights under this policy:

TractionGRC, Inc.
Attn: Privacy

Email: privacy@tractiongrc.com

For general questions, sales, partnerships, or support, please use our Contact page.