Privacy Policy

Guard0 — AI Security Posture Management Platform

Last Updated: April 2, 2026

1. Introduction

1.1 Who We Are

Guard0 is an AI Security Posture Management platform operated by Rakshan AI Inc., a Delaware corporation. We are committed to protecting your privacy and ensuring you have a positive experience on our platform.

This Privacy Policy explains how we collect, use, disclose, and otherwise process personal information in connection with our website (guard0.ai), services, products, and applications (collectively, the "Service").

1.2 Scope of This Policy

This policy applies to all users of Guard0, including individuals who visit our website, create free or paid accounts, and customers who use our Team and Enterprise tier services. It does not apply to third-party websites, applications, or services linked from Guard0.

1.3 Key Principles

We believe in:

  • Transparency about our data practices
  • Lawful collection and processing of personal information
  • Security and confidentiality of your data
  • Respect for your privacy rights
  • Accountability and compliance with applicable laws

2. Information We Collect

We collect personal information in several ways. The types of information we gather depend on how you interact with Guard0.

2.1 Information You Provide Directly

2.1.1 Account Registration and Profile Information

When you create a Guard0 account, we collect:

  • Full name
  • Email address
  • Password (encrypted and hashed)
  • Phone number (optional)
  • Company/organization name
  • Job title
  • Department
  • Profile picture (optional)
  • Time zone and language preferences

2.1.2 Professional and Security Information

To provide our Service, we collect:

  • Information about your organization's security infrastructure
  • Security assessment data and configurations
  • Audit logs and system information you upload or authorize us to scan
  • Information about your compliance requirements (GDPR, HIPAA, SOC 2, etc.)

2.1.3 Payment and Billing Information

When you subscribe to a paid plan (Team or Enterprise tier), we collect:

  • Billing name and address
  • Company name and tax ID (for business accounts)
  • Email address for billing correspondence
  • The last 4 digits of your payment card
  • Card expiration date (month and year)
  • Billing history and invoices

Important: We do NOT store, process, or have access to your complete credit card numbers, CVV/security codes, or other sensitive card data. Payment processing is handled by Stripe, our payment processor. See Section 5 (Payment Data & Stripe) for details.

2.1.4 Communications

We collect information when you:

  • Contact us via email, contact form, or support chat
  • Participate in surveys, webinars, or training sessions
  • Subscribe to our newsletter or blog
  • Provide feedback or file support tickets
  • Attend virtual events or conferences

This includes the content of your messages, attachments, and communication metadata.

2.1.5 Credentials and Authentication

If you use single sign-on (SSO) or federated authentication, we collect:

  • Identity provider information (e.g., your Okta, Azure AD, or Google account identifier)
  • Authentication tokens (processed securely, not stored in plaintext)
  • Multi-factor authentication data

2.2 Information Collected Automatically

2.2.1 Device and Network Information

When you access Guard0, we automatically collect:

  • Device type, operating system, and browser type
  • IP address
  • MAC address (when applicable)
  • Mobile device identifier (IDFA, Android ID) if you use our mobile app

2.2.2 Usage and Activity Data

We collect information about how you interact with our Service:

  • Pages or features accessed
  • Time and duration of activities
  • Clicks, scrolling, searches, and queries
  • Features used within your account
  • Number of scans performed and their results
  • API calls and integrations accessed
  • Error messages and debugging information
  • Performance metrics and session data

2.2.3 Cookies and Tracking Technologies

We use cookies, pixels, and similar technologies. See Section 6 (Cookies and Tracking) for details.

2.2.4 Log Data

Our servers automatically record:

  • Request timestamps and methods
  • Response status codes
  • Referrer information
  • User agent strings
  • Geographic location (inferred from IP address)
  • Request/response size

2.3 Information from Third Parties

2.3.1 Payment Processor

Stripe collects and shares with us:

  • Transaction confirmations and payment success/failure status
  • Last 4 digits of the payment card used
  • Card expiration date
  • Billing address
  • Payment metadata and invoice records

See Section 5 for details on Stripe's role as a data processor.

2.3.2 Analytics and Tracking Providers

Google Analytics provides:

  • Aggregated usage statistics
  • Traffic source and referral information
  • Device and browser data
  • Geographic insights

2.3.3 Third-Party Services

When you integrate Guard0 with other tools (Slack, Microsoft Teams, Jira, etc.), we may receive:

  • Data necessary to complete the integration
  • Notification preferences and delivery status
  • User information from your connected account (name, email, workspace identifier)

2.3.4 Publicly Available Sources

We may collect information from:

  • Public business registries
  • Industry databases
  • Publicly available government records
  • Your social media profiles (with your permission)

3. How We Use Your Information

Guard0 uses personal information for the following lawful purposes:

3.1 Service Delivery and Performance

  • Creating and maintaining your account
  • Providing, maintaining, and improving the Service
  • Processing security assessments and scans
  • Generating reports, recommendations, and insights
  • Enabling integrations with third-party platforms
  • Technical support and customer service
  • Troubleshooting and resolving technical issues

3.2 Payment Processing and Billing

  • Processing subscription payments and renewals
  • Issuing invoices and receipts
  • Managing billing cycles and refunds
  • Fraud detection and prevention
  • Enforcing payment terms

3.3 Communications

  • Sending transactional emails (account confirmations, password resets, billing notifications)
  • Responding to your inquiries and support requests
  • Sending security alerts and policy update notices
  • Delivering newsletters and marketing communications (with your consent)
  • Notifying you of changes to our Service or policies

3.4 Analytics and Improvement

  • Analyzing usage patterns to understand how customers use Guard0
  • Identifying trends and optimizing features
  • Conducting A/B testing and user experience research
  • Measuring Service performance and reliability
  • Creating aggregated, de-identified statistical reports

3.5 Security and Fraud Prevention

  • Detecting, preventing, and addressing fraud and security incidents
  • Protecting against malicious, deceptive, or illegal activity
  • Enforcing our Terms of Service and other agreements
  • Protecting the rights, property, and safety of Guard0, our users, and the public

3.6 Compliance and Legal Obligations

  • Responding to legal requests from government authorities
  • Fulfilling tax, audit, and compliance obligations
  • Establishing, exercising, or defending legal claims
  • Complying with applicable laws and regulations (GDPR, CCPA, HIPAA, etc.)

3.7 Marketing and Business Development

  • Sending promotional offers and announcements (where permitted)
  • Conducting market research and surveys
  • Building customer lists for outreach (based on legitimate interest)
  • Analyzing product adoption and market trends

4. Legal Bases for Processing (GDPR)

For users in the European Union, European Economic Area, United Kingdom, and Switzerland, we process personal information based on the following lawful bases under GDPR Article 6:

4.1 Contract Performance (Article 6(1)(b))

We process personal information necessary to:

  • Create and manage your Guard0 account
  • Provide the Service you have subscribed to
  • Fulfill our contractual obligations to you
  • Process payments and billing

Example: Processing your name, email, and account settings to deliver security scans and reports.

4.2 Legitimate Interests (Article 6(1)(f))

We process personal information where we have a legitimate business interest that is not overridden by your interests:

  • Improving the security, performance, and features of Guard0
  • Detecting and preventing fraud
  • Analytics and understanding how customers use our Service
  • Marketing and business development activities
  • Protecting our legal interests and those of our users
  • Enforcing our Terms of Service

Example: Using IP addresses and device information to detect and prevent unauthorized access attempts.

Balancing Test: We conduct a balancing test for legitimate interest processing to ensure your rights are not overridden. We provide transparency through this Privacy Policy and allow you to opt out of certain processing (see Section 11).

4.3 Consent (Article 6(1)(a))

We process personal information based on your explicit consent when:

  • You opt in to marketing communications
  • You authorize SSO or third-party integrations
  • You provide information for purposes beyond what is necessary for the Service

Your Right: You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

4.4 Legal Obligation (Article 6(1)(c))

We process personal information to:

  • Comply with tax and accounting obligations
  • Respond to lawful government requests
  • Comply with data protection, industry, and anti-money laundering laws
  • Enforce our Terms of Service and protect legal rights

Example: Retaining payment records for 7 years to comply with tax regulations.

4.5 Vital Interests (Article 6(1)(d))

In rare circumstances, we may process personal information to protect vital interests of individuals (e.g., in an emergency or health crisis).

5. Payment Data & Stripe

5.1 Stripe's Role

Guard0 partners with Stripe, Inc. to process payments for Team and Enterprise tier subscriptions. Stripe acts as a data processor and payment service provider.

5.2 What Information Guard0 Receives

When you make a payment, Stripe securely processes your complete payment card information. Guard0 does NOT receive, store, or process:

  • Full credit card numbers
  • CVV/security codes
  • PIN numbers
  • Complete card magnetic stripe data

Guard0 only receives:

  • Last 4 digits of the card used
  • Card expiration date (month and year)
  • Billing address
  • Payment status (successful, failed, declined)
  • Transaction amount and date
  • Invoice and receipt information

5.3 Stripe's Data Protection

Stripe is PCI-DSS Level 1 certified, meaning it meets the highest standard for credit card data security. Stripe has its own comprehensive privacy policy available at stripe.com/privacy.

By making a payment through Guard0, you also agree to Stripe's Terms of Service and Privacy Policy.

5.4 Stripe as a Sub-Processor

Stripe is listed as a sub-processor under our data processing agreements. For EU/EEA users, Stripe implements appropriate safeguards including Standard Contractual Clauses.

5.5 Payment Card Industry (PCI) Compliance

Guard0 is PCI-DSS compliant to the extent applicable to our role as a merchant. We do not store sensitive payment information, which is consistent with PCI-DSS requirements.

6. Cookies and Tracking Technologies

6.1 Overview

Guard0 uses cookies, pixels, web beacons, and similar technologies to enhance your experience, remember your preferences, and analyze how you use the Service.

6.2 Cookie Policy

A detailed Cookie Policy is available at guard0.ai/cookies. This policy includes:

  • Description of each cookie and its purpose
  • Types of cookies (essential, functional, analytical, marketing)
  • Duration and expiration
  • How to manage and disable cookies
  • Your browser and device settings for controlling cookies

6.3 Third-Party Cookies

We use third-party cookies from:

  • Google Analytics — for usage analytics and traffic analysis
  • Calendly — for scheduling appointments (if you use our booking feature)
  • Advertising partners — for remarketing and targeted advertising (where applicable)

6.4 Do Not Track

Some browsers include a "Do Not Track" (DNT) feature. Currently, there is no industry standard for recognizing DNT signals. Guard0 does not disable tracking based on DNT headers, but you can control cookies through your browser settings.

7. Data Sharing and Disclosure

7.1 Service Providers and Sub-Processors

Guard0 shares your personal information with trusted service providers who assist us in operating our Service. These providers are contractually bound to:

  • Use your information only to provide services to Guard0
  • Implement appropriate security measures
  • Not disclose your information to third parties (except as required)
  • Comply with applicable privacy laws

Key service providers include:

7.1.1 Payment Processing

  • Stripe — Processes payments and maintains billing records. See Section 5.

7.1.2 Analytics

  • Google Analytics — Analyzes usage patterns and user behavior (aggregated, non-personally identifiable information).

7.1.3 Scheduling and Communications

  • Calendly — If you use our appointment scheduling feature.
  • Email service providers — For transactional and marketing emails.

7.1.4 Cloud Infrastructure

  • Cloud hosting providers (AWS, Google Cloud, or similar) — For storing data, hosting our Service, and ensuring uptime and security.

7.1.5 Other Sub-Processors

Guard0 may engage additional sub-processors for specific functions such as:

  • Security monitoring and incident response
  • Data backup and disaster recovery
  • Customer support platforms
  • Compliance and legal services

Complete Sub-Processor List: A complete list of current sub-processors is available upon request. EU/EEA users may request the full list by emailing privacy@guard0.ai.

7.2 Legal Requirements and Court Orders

We may disclose personal information if required by law or valid legal process:

  • Subpoenas or court orders
  • Search warrants
  • Requests from law enforcement or government agencies
  • National security letters
  • Other legal obligations

When legally permitted, we notify users before disclosing their information, unless prohibited by law.

7.3 Business Transfers

If Guard0 or Rakshan AI Inc. is involved in a merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction or proceeding, your personal information may be transferred as part of that transaction. We will provide notice and, where required by law, obtain your consent before transferring your information.

7.4 With Your Consent

We may share your personal information with third parties when you explicitly consent to such sharing:

  • Authorizing integrations with third-party platforms
  • Participating in surveys or research
  • Opting in to marketing partnerships

7.5 Aggregated and De-Identified Data

We may disclose aggregated, anonymized, or de-identified data that cannot reasonably identify you:

  • Statistical reports and research
  • Industry benchmarks and trend analysis
  • Marketing materials and case studies
  • Public data analytics

8. Sub-Processors

8.1 List of Current Sub-Processors

Guard0 relies on the following sub-processors for data processing:

Service Provider | Function | Location
Stripe, Inc. | Payment processing | United States
Google Analytics | Usage analytics | United States
Calendly | Scheduling | United States
Amazon Web Services (AWS) | Cloud infrastructure & data hosting | United States
SendGrid (or similar) | Transactional email | United States

8.2 Sub-Processor Changes

Guard0 may add, change, or remove sub-processors as our Service evolves. We will:

  • Notify you of material changes to sub-processors
  • Provide at least 30 days' notice before implementing changes (where required by law)
  • Allow you to object to new sub-processors or request account deletion

For EU/EEA Users: You have the right to object to new sub-processors. If you object and we cannot accommodate your request, you may terminate your account without penalty.

8.3 Sub-Processor Agreements

All sub-processors are bound by data processing agreements that include:

  • Limitations on use of personal information
  • Confidentiality and security obligations
  • Right to audit compliance
  • Data subject rights support
  • Standard Contractual Clauses (for international transfers)

8.4 Requesting Sub-Processor Information

EU/EEA users and customers with specific compliance requirements may request:

  • Detailed information about all sub-processors
  • Processing activities and locations
  • Security certifications and compliance status
  • Standard Contractual Clauses and other safeguards

Contact privacy@guard0.ai to request this information.

9. International Data Transfers

9.1 Processing Locations

Guard0 is based in the United States. We store and process personal information in the United States and may transfer data to other countries where we have operations or where our service providers are located.

9.2 Transfers from EU/EEA/UK/Switzerland

If you are in the European Union, European Economic Area, United Kingdom, or Switzerland, personal information is transferred outside these regions for processing. Guard0 implements appropriate safeguards:

9.2.1 Standard Contractual Clauses (SCCs)

We use Standard Contractual Clauses approved by the European Commission for transfers to the United States and other third countries. SCCs require processors to comply with EU data protection standards.

9.2.2 Other Transfer Mechanisms

Where applicable, we rely on:

  • Adequacy decisions (e.g., if the UK's adequacy decision is maintained)
  • Binding corporate rules
  • Your explicit consent

9.2.3 Right to Object

You have the right to object to international transfers. If you object and we cannot accommodate your request, you may terminate your account.

9.3 Supplementary Measures

Guard0 implements additional technical and organizational measures to protect data in transit:

  • Encryption in transit (TLS/HTTPS)
  • Encryption at rest (AES-256)
  • Access controls and authentication
  • Regular security assessments

10. Data Retention

Guard0 retains personal information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy. Specific retention periods are:

10.1 Account Data

Retention Period: Duration of your account + 30 days after deletion

Account information (name, email, company, profile data) is retained while your account is active. After account deletion, we retain data for 30 days to:

  • Verify deletion requests
  • Recover account access if requested
  • Comply with legal holds or pending litigation

After 30 days, account data is deleted unless legal obligations require longer retention.

10.2 Payment and Billing Records

Retention Period: 7 years from the date of transaction

Payment information is retained for:

  • Tax compliance (federal and state regulations typically require 3-7 years)
  • Accounting and audit purposes
  • Resolving payment disputes
  • Demonstrating PCI-DSS compliance

This period aligns with IRS requirements and generally accepted accounting standards.

10.3 Usage, Activity, and Analytics Data

Retention Period: 26 months from collection

Usage logs, activity data, and analytics are retained for:

  • Service improvement and optimization
  • Performance analysis
  • Security investigation
  • Resolving customer disputes

After 26 months, this data is aggregated or deleted.

10.4 Communications and Support Records

Retention Period: 3 years from the last communication

Support tickets, emails, and communication records are retained for:

  • Resolving disputes
  • Providing customer support
  • Legal defense
  • Knowledge management

10.5 Security and Access Logs

Retention Period: 1 year from the date of the event

Security logs, authentication records, and access attempts are retained for:

  • Detecting and investigating security incidents
  • Forensic analysis
  • Compliance with security standards

10.6 Marketing and Consent Records

Retention Period: Until opt-out

Data related to marketing communications (email addresses, consent, preferences) is retained until:

  • You unsubscribe from marketing communications
  • You request deletion
  • We cease marketing activities

10.7 Data Deletion Procedures

When retention periods expire, we:

  • Delete personal information from production systems
  • Purge data from backups within 90 days of the retention period expiration
  • Maintain aggregated, de-identified data indefinitely

Exception: We may retain data longer if:

  • Required by law or legal process
  • Necessary to resolve disputes or enforce agreements
  • Subject to a legal hold or freeze notice

10.8 Your Right to Deletion

You can request deletion of your personal information at any time by contacting privacy@guard0.ai. We will delete your information promptly, subject to legal retention obligations.

11. Your Privacy Rights

Guard0 respects your privacy rights and provides mechanisms for you to exercise control over your personal information.

11.1 GDPR Rights (EU/EEA/UK/Switzerland Users)

11.1.1 Right of Access (Article 15)

You have the right to:

  • Obtain confirmation of whether your personal information is being processed
  • Receive a copy of your personal information in a structured, commonly used, machine-readable format
  • Understand the purposes, recipients, and retention of your data

How to Exercise: Email privacy@guard0.ai with "Data Access Request" in the subject line.

Response Time: We will respond within 30 days (extendable by 60 additional days for complex requests).

11.1.2 Right to Rectification (Article 16)

You have the right to:

  • Correct inaccurate personal information
  • Complete incomplete information
  • Update outdated data

You can update most information directly in your Guard0 account settings. For other information, contact privacy@guard0.ai.

11.1.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal information in certain circumstances:

  • The data is no longer necessary for the purposes collected
  • You withdraw consent
  • You object to processing and there is no overriding legitimate interest
  • The data was unlawfully processed
  • Legal obligations require deletion

Exceptions: We may not delete information if:

  • Necessary to fulfill contractual obligations
  • Required by law
  • Necessary for legal claims or defense

How to Exercise: Email privacy@guard0.ai with "Deletion Request" in the subject line.

11.1.4 Right to Restrict Processing (Article 18)

You have the right to restrict processing when:

  • You contest the accuracy of data
  • Processing is unlawful and you oppose deletion
  • The data is no longer necessary but you need it for legal claims
  • You have objected to processing pending verification

How to Exercise: Email privacy@guard0.ai with "Restriction Request" in the subject line.

11.1.5 Right to Data Portability (Article 20)

You have the right to:

  • Receive your personal information in a structured, commonly used, machine-readable format
  • Transmit that information to another controller without hindrance
  • Request direct transmission to another controller where technically feasible

How to Exercise: Email privacy@guard0.ai with "Portability Request" in the subject line.

11.1.6 Right to Object (Article 21)

You have the right to object to processing based on:

  • Legitimate interests (we will cease processing unless we can demonstrate compelling reasons)
  • Direct marketing (we will immediately stop marketing communications)
  • Profiling or automated decision-making

How to Exercise: Email privacy@guard0.ai with "Objection Request" in the subject line, specifying the processing activity.

11.1.7 Right to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects. However, this right does not apply when:

  • The decision is necessary to perform a contract
  • Authorized by law
  • Based on your explicit consent

Guard0 does not currently engage in fully automated decision-making with significant effects, but we respect this right.

11.1.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe Guard0 is not complying with GDPR.

Supervisory Authorities:

  • European Data Protection Board (EDPB): edpb.europa.eu
  • Your country's Data Protection Authority (DPA)
  • UK Information Commissioner's Office (ICO): ico.org.uk
  • Swiss Federal Data Protection and Information Commissioner (FDPIC): edoeb.admin.ch

11.2 CCPA/CPRA Rights (California Residents)

11.2.1 Right to Know

You have the right to request:

  • What categories of personal information we collected
  • The purposes for collection
  • The categories of sources from which we collected it
  • The specific pieces of personal information we collected about you

11.2.2 Right to Delete

You have the right to request deletion of personal information we have collected from you, subject to exceptions:

  • Information needed to complete a transaction
  • Information needed to comply with legal obligations
  • Information used for fraud prevention or security
  • Information used to comply with law enforcement requests
  • Information you consented to retain

11.2.3 Right to Correct

You have the right to request correction of inaccurate personal information.

11.2.4 Right to Opt-Out of Sale or Sharing

Guard0 does NOT sell your personal information.

We also do NOT share personal information for cross-context behavioral advertising. However, if we engage in such activities in the future, you will have the right to opt out. You can submit opt-out requests by emailing privacy@guard0.ai.

11.2.5 Right to Limit Use and Disclosure

You have the right to limit our use of personal information to:

  • Performing services you requested
  • Maintaining business relationships
  • Fulfilling direct request purposes

11.2.6 Right to Non-Discrimination

Guard0 will not discriminate against you for exercising your CCPA/CPRA rights:

  • We will not deny services or benefits
  • We will not charge different prices or rates
  • We will not provide lower quality service
  • We will not suggest we will penalize you

We may offer financial incentives for data collection that is proportionate and non-discriminatory.

11.2.7 How to Exercise CCPA/CPRA Rights

Submit requests by emailing privacy@guard0.ai with:

  • "CCPA Data Request," "CCPA Deletion Request," or "CCPA Correction Request" in the subject line
  • Your name, email address, and account information
  • A clear description of your request

Response Time: We will respond within 45 days (extendable by 45 days for complex requests). We may request verification of your identity.

11.3 Virginia VCDPA, Colorado CPA, and Other State Laws

Residents of Virginia, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Missouri, Montana, Nebraska, New Hampshire, and Tennessee have rights similar to CCPA, including rights to access, delete, correct, and opt out of targeted advertising.

Guard0 respects these rights and will comply with state law requirements. Use the same process as CCPA/CPRA above to exercise rights.

11.4 Exercising Your Rights

11.4.1 How to Submit Requests

You can exercise your privacy rights by:

  • Email: privacy@guard0.ai (include "Privacy Request" and the specific right in the subject line)
  • Mail: Privacy Officer, Rakshan AI Inc., privacy@guard0.ai
  • Account Settings: For some rights (access to your data, updating information), you can exercise these directly in your Guard0 account.

11.4.2 Verification

To protect your privacy and security, we may:

  • Request you verify your identity and account ownership
  • Ask for sufficient information to locate your personal information
  • Verify your authority to make requests on behalf of others

No Password Required: We will not ask for your password to verify your identity. If you forget your password, use the password reset feature.

11.4.3 Response Timeline

We aim to respond to all requests within:

  • GDPR (EU/EEA/UK/Switzerland): 30 days (extendable by 60 days)
  • CCPA/CPRA (California): 45 days (extendable by 45 days)
  • Other State Laws: 45 days (extendable by 45 days)
  • Other Requests: 30 business days

If we cannot fulfill your request, we will explain the reason.

11.4.4 No Charge Policy

Guard0 will not charge a fee for most privacy requests. We may charge a reasonable fee for:

  • Multiple copies of the same information
  • Manifestly unfounded or excessive requests
  • Additional copies beyond the first

We will inform you of any fees before processing your request.

11.5 Authorized Agents

You can authorize an agent (attorney, family member, or representative) to submit requests on your behalf. We will require:

  • Written authorization from you
  • Verification of the agent's identity
  • Verification of the authorization

12. CCPA-Specific Disclosures

12.1 Categories of Personal Information Collected

Under CCPA, Guard0 collects the following categories of personal information:

Category | Examples | Sources
Identifiers | Name, email, IP address, phone number, device ID | User provides; automatically collected
Commercial Information | Billing address, payment history, subscription tier, transaction history | User provides; payment processor
Professional Information | Job title, company, department, organization size | User provides
Internet/Network Activity | Browsing history, usage data, clicks, searches, device information | Automatically collected
Geolocation | City/state inferred from IP address, office location | User provides; automatically collected
Sensory Information | Profile pictures or uploaded documents | User provides
Professional/Employment Information | Credentials, certifications, industry affiliations | User provides
Education Information | Degrees, certifications, training history | User provides
Biometric Information | None collected | N/A
Health Information | None collected | N/A
Genetic Information | None collected | N/A

12.2 Purposes for Collection

Guard0 collects personal information for:

  • Service Delivery: Providing, maintaining, and improving Guard0
  • Transactions: Processing payments and billing
  • Communication: Sending transactional and marketing messages
  • Analytics: Understanding user behavior and improving features
  • Security: Detecting fraud and protecting against unauthorized access
  • Compliance: Fulfilling legal obligations and responding to requests
  • Marketing: Targeted advertising and customer outreach (where permitted)

12.3 Retention of Personal Information

Guard0 retains personal information as described in Section 10 (Data Retention). We do not retain information longer than necessary for the stated purposes unless required by law.

12.4 Categories of Sources

Personal information is collected from:

  • You (the user): Account registration, profile information, communications
  • Automatic Collection: Cookies, pixels, server logs, device information
  • Service Providers: Stripe (payments), Google (analytics), cloud providers
  • Third-Party Services: Integrations with third-party platforms
  • Public Sources: Business registries, social media, government records

12.5 Whether Personal Information is Sold or Shared

Guard0 does NOT sell personal information.

Under CCPA, "selling" means sharing information for monetary or valuable consideration. Guard0:

  • Does not sell personal information to data brokers or third parties
  • Does not share personal information for cross-context behavioral advertising
  • Does not exchange personal information for money or other valuable consideration

If Guard0's business practices change, we will:

  • Update this policy
  • Provide 30 days' notice to California residents
  • Provide an opt-out mechanism

12.6 Categories of Third Parties

Personal information may be shared with:

  • Service Providers: Payment processors, analytics providers, cloud hosts, email providers
  • Legal Authorities: Law enforcement, government agencies (as required by law)
  • Business Partners: In the event of merger, acquisition, or asset sale
  • Your Authorized Representatives: With your explicit consent

13. Children's Privacy

13.1 Age Restrictions

Guard0 is not intended for children under:

  • 16 years old (under GDPR and similar laws)
  • 13 years old (under COPPA in the United States)

We do not knowingly collect personal information from children under these ages.

13.2 Parental Consent

If you are under the minimum age in your jurisdiction, you may only use Guard0 with parental or guardian consent. Parents and guardians should supervise children's use of Guard0.

13.3 Discovering Unauthorized Child Data Collection

If we discover that we have collected personal information from a child under the minimum age without proper consent, we will:

  • Delete the information promptly
  • Notify the parent or guardian
  • Implement measures to prevent future unauthorized collection

Report Child Data Collection: If you believe Guard0 has collected information from a child, contact privacy@guard0.ai immediately.

13.4 Educational Organizations

If Guard0 is used by an educational institution, the institution is responsible for:

  • Obtaining appropriate consent before using the Service with students
  • Complying with FERPA (Family Educational Rights and Privacy Act) and similar laws
  • Monitoring student use

14. Security

14.1 Security Measures

Guard0 implements appropriate technical and organizational security measures to protect personal information from unauthorized access, alteration, disclosure, and destruction.

Our Security Practices Include:

  • End-to-end encryption for sensitive data
  • TLS/HTTPS encryption for data in transit
  • AES-256 encryption for data at rest
  • Multi-factor authentication
  • Role-based access controls (RBAC)
  • Regular security assessments and penetration testing
  • Encryption key management and rotation
  • Secure API design and rate limiting
  • Web application firewalls and DDoS protection
  • Intrusion detection and prevention systems
  • Regular security training for employees

14.2 Security Page

For detailed information about Guard0's security infrastructure, certifications, and practices, visit our Security page at guard0.ai/security.

14.3 Incident Response

In the event of a data breach or security incident:

  • We will investigate the scope and impact
  • We will notify affected individuals without unreasonable delay (and within legally required timeframes)
  • We will report to relevant supervisory authorities as required
  • We will provide guidance on protective measures

14.4 Limitations

No security system is 100% secure. While we implement industry-standard protections, we cannot guarantee absolute security. You use Guard0 at your own risk. We recommend:

  • Using strong, unique passwords
  • Enabling multi-factor authentication
  • Keeping your account credentials confidential
  • Reporting security concerns immediately

15. Changes to This Privacy Policy

15.1 Policy Updates

Guard0 may update this Privacy Policy to reflect:

  • Changes in our practices
  • New features or services
  • Changes in applicable law
  • Improved clarity and transparency

15.2 Material Changes

If we make material changes to this Privacy Policy (such as expanding data collection, changing purposes, or adding new processors), we will:

  • Notify you at least 30 days in advance
  • Provide clear notice of the changes
  • For EU/EEA users, obtain affirmative consent if required
  • Allow you to object or terminate your account without penalty

Material Changes Include:

  • Expanding purposes for processing
  • Adding new categories of data collection
  • Changing data retention periods
  • Reducing your privacy rights
  • Adding new sub-processors
  • Changing international transfer mechanisms

15.3 Non-Material Changes

Minor updates (corrections, clarifications, formatting) may be made without advance notice. We encourage you to review this policy periodically.

15.4 Notification Methods

We will notify you of changes through:

  • Email to your registered account email address
  • In-app notification or banner
  • Updates to guard0.ai/privacy
  • Updates to this document

15.5 Acceptance of Changes

Continued use of Guard0 after changes become effective constitutes your acceptance of the updated Privacy Policy. If you disagree with changes, you may request deletion of your account.

Effective Date of Changes: We will clearly state the effective date of any policy update at the top of this document.

16. Data Protection Officer and Contact Information

16.1 Our Data Protection Officer

Guard0 designates a Data Protection Officer (DPO) responsible for:

  • Overseeing compliance with this Privacy Policy and applicable laws
  • Serving as a point of contact for privacy inquiries
  • Assisting data subjects in exercising their rights
  • Cooperating with supervisory authorities

Contact: privacy@guard0.ai

16.2 Privacy Rights Requests

To exercise any privacy rights described in Section 11, contact:

  • Email: privacy@guard0.ai
  • Subject Line: "Privacy Request" [specify the right]
  • Include: Your name, account email, and clear request description

16.3 EU/EEA Data Protection Authorities

If you are located in the EU/EEA and have concerns about Guard0's data practices, you have the right to lodge a complaint with your local Data Protection Authority:

Key Contacts:

  • European Data Protection Board: edpb.europa.eu
  • European Commission (for adequacy decisions): ec.europa.eu/justice/article-29/index_en.htm

To Find Your Local DPA: Visit edpb.europa.eu/about-edpb/members_en

16.4 UK Information Commissioner's Office

UK users may contact the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Email: casework@ico.org.uk
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom

16.5 Swiss Supervisory Authority

Swiss users may contact the Swiss Federal Data Protection and Information Commissioner (FDPIC):

  • Website: edoeb.admin.ch
  • Email: contact@edoeb.admin.ch

17. Contact Us

17.1 Contacting Guard0

For questions about this Privacy Policy, our data practices, or to exercise your privacy rights, contact:

Rakshan AI Inc. (d/b/a Guard0)
Email: privacy@guard0.ai
Website: guard0.ai
Hours: We respond to inquiries within 2 business days

17.2 Mailing Address

Rakshan AI Inc.
Email: privacy@guard0.ai

17.3 Types of Inquiries We Handle

  • Privacy policy questions
  • Data subject access requests
  • Complaint submissions
  • Sub-processor information requests
  • Data breach notifications
  • Consent and preference management
  • Opt-out requests
  • General data protection inquiries

17.4 Response Expectations

Guard0 commits to:

  • Acknowledging receipt of inquiries within 2 business days
  • Responding to privacy requests in compliance with applicable timelines (30-45 days)
  • Providing clear explanations if we cannot fulfill requests
  • Maintaining confidentiality of your correspondence

Appendix A: Summary of Key Policies and Resources

Resource | URL | Purpose
Cookie Policy | guard0.ai/cookies | Details on cookies and tracking technologies
Security Information | guard0.ai/security | Security practices, certifications, and compliance
Terms of Service | guard0.ai/terms | Legal terms governing service use
Subprocessors List | Available on request | Complete sub-processor and processor information
Privacy Incident Report | privacy@guard0.ai | Report suspected privacy breaches

Appendix B: Glossary

  • Personal Information: Any information that identifies or can reasonably identify an individual, either alone or in combination with other data.
  • Processing: Any operation on personal information (collection, use, storage, sharing, deletion, etc.).
  • Sub-Processor: A third-party service provider that processes personal information on Guard0's behalf.
  • Data Controller: The entity that determines the purposes and means of processing (Rakshan AI Inc.).
  • Data Processor: An entity that processes personal information on behalf of a controller (e.g., Stripe, cloud providers).
  • Standard Contractual Clauses (SCCs): EU-approved contractual language that provides safeguards for international data transfers.
  • GDPR: General Data Protection Regulation (EU Regulation 2016/679).
  • CCPA/CPRA: California Consumer Privacy Act / California Privacy Rights Act.
  • DPA: Data Protection Authority (e.g., ICO in the UK, national DPAs in EU member states).
  • DPO: Data Protection Officer.
  • PCI-DSS: Payment Card Industry Data Security Standard.
  • TLS/HTTPS: Encryption protocol for securing data in transit.
  • AES-256: Advanced Encryption Standard with 256-bit key strength.

Document Title: Guard0 Privacy Policy

Effective Date: April 2, 2026

Version: 1.0

Last Updated: April 2, 2026

Next Review: April 2, 2027 (or upon material changes to services)

Prepared By: Rakshan AI Inc. Legal and Compliance Team

Contact: privacy@guard0.ai

© 2026 Rakshan AI Inc. All rights reserved.

This Privacy Policy is provided as-is and is subject to change. For the most current version, visit guard0.ai/privacy.