Privacy Policy

Last Updated: January 27, 2026

1. Introduction

Conformatiq ("we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our CMMC readiness SaaS platform (the "Service") located at https://conformatiq.com.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection and use of information as described in this Privacy Policy. If you do not agree with this Privacy Policy, you must not use the Service.

This Privacy Policy is incorporated into and subject to our Terms of Use.

2. Information We Collect

We collect several types of information from and about users of our Service.

2.1 Information You Provide Directly

Account Information: When you register for an account, we collect:

  • Full name
  • Email address
  • Company/organization name
  • Job title or role
  • Phone number (optional)
  • Password (stored in encrypted form)
  • Billing and payment information

Profile Information: You may choose to provide additional information such as:

  • Profile photo
  • Department or team
  • Professional certifications
  • Communication preferences

Customer Data: Information you input, upload, or generate while using the Service, including:

  • CMMC assessment data
  • Compliance documentation
  • Security control implementations
  • Policy documents
  • Risk assessments
  • Audit reports
  • System inventory
  • Custom configurations and settings

Communications: When you contact us, we collect:

  • Support ticket information
  • Email correspondence
  • Chat logs
  • Feedback and survey responses
  • Phone call recordings (with notice)

2.2 Information Collected Automatically

Usage Data: We automatically collect information about your interaction with the Service:

  • Pages and features accessed
  • Time spent on pages
  • Click patterns and navigation paths
  • Search queries within the Service
  • Feature usage statistics
  • Error logs and crash reports

Device and Browser Information:

  • IP address
  • Browser type and version
  • Operating system
  • Device type and identifiers
  • Screen resolution
  • Language settings
  • Time zone

Cookies and Similar Technologies: We use cookies, web beacons, and similar tracking technologies to collect information. See Section 7 for details about cookies.

Log Data: Our servers automatically record information, including:

  • Access times and dates
  • Requested pages or features
  • HTTP status codes
  • Referring URLs
  • API calls and responses

2.3 Information from Third Parties

Integration Data: If you connect third-party services (e.g., cloud storage, identity providers), we may receive:

  • Authentication credentials
  • Profile information from those services
  • Data you authorize to be shared

Payment Processors: Our payment processors provide us with:

  • Transaction confirmations
  • Payment method information (last 4 digits only)
  • Billing status updates

Business Partners: We may receive information from business partners who refer customers or provide complementary services.

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Service Delivery and Functionality

  • Provide, operate, and maintain the Service
  • Process your transactions and manage subscriptions
  • Create and manage your account
  • Enable core features and functionality
  • Store and process your Customer Data
  • Generate compliance reports and assessments
  • Provide customer support and respond to inquiries

3.2 Service Improvement and Development

  • Analyze usage patterns and trends
  • Develop new features and functionality
  • Improve user experience and interface
  • Test and troubleshoot technical issues
  • Conduct research and analytics
  • Optimize performance and reliability

3.3 Communication

  • Send transactional emails (account confirmations, password resets)
  • Provide service announcements and updates
  • Respond to support requests
  • Send marketing communications (with your consent)
  • Conduct surveys and request feedback
  • Notify you of changes to our policies or Terms

3.4 Security and Compliance

  • Detect, prevent, and address fraud or security threats
  • Monitor and prevent prohibited activities
  • Enforce our Terms of Use and policies
  • Comply with legal obligations and regulations
  • Protect our rights, property, and safety
  • Conduct audits and maintain records

3.5 Business Operations

  • Manage billing and accounting
  • Process payments and issue invoices
  • Resolve disputes and troubleshoot problems
  • Analyze business performance
  • Plan capacity and resources

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), our legal basis for collecting and using your personal information includes:

  • Contract Performance: Processing necessary to provide the Service under our Terms of Use
  • Legitimate Interests: Our legitimate business interests, such as improving the Service, security, and fraud prevention
  • Consent: Where you have provided consent for specific processing activities
  • Legal Obligation: Where required by law or regulation

You have the right to withdraw consent at any time where we rely on consent as the legal basis.

5. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

5.1 Service Providers

We share information with third-party service providers who perform services on our behalf:

  • Cloud hosting providers (data storage and computing)
  • Payment processors and billing services
  • Email and communication platforms
  • Analytics and monitoring tools
  • Customer support software
  • Security and fraud prevention services
  • Marketing and advertising platforms

These service providers are contractually obligated to protect your information and use it only for the purposes we specify.

5.2 Business Transfers

If we are involved in a merger, acquisition, sale of assets, bankruptcy, or reorganization, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

5.3 Legal Requirements

We may disclose your information to comply with:

  • Legal obligations, court orders, or subpoenas
  • Government or regulatory requests
  • Law enforcement requirements
  • National security requests
  • Protection of our legal rights or property
  • Investigation of fraud, security issues, or violations of our Terms

5.4 With Your Consent

We may share information with third parties when you explicitly consent to such sharing.

5.5 Aggregate and De-identified Data

We may share aggregate, de-identified, or anonymized data that cannot reasonably be used to identify you for research, marketing, analytics, or other purposes.

5.6 Business Partners

With your permission, we may share information with business partners who provide complementary services or refer customers to us.

6. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Data: Retained while your account is active and for a reasonable period thereafter (typically 30-90 days) to allow for account recovery.

Customer Data: Retained according to your subscription terms and deleted within 90 days after account termination, unless you request earlier deletion or we are required to retain it longer by law.

Billing Records: Retained for at least 7 years to comply with tax and accounting requirements.

Usage and Analytics Data: Typically retained for 2-3 years for analytical purposes.

Communications: Support tickets and correspondence retained for 3-5 years for quality assurance and legal compliance.

You may request deletion of your information at any time, subject to legal retention requirements.

7. Cookies and Tracking Technologies

7.1 Types of Cookies We Use

Essential Cookies: Required for the Service to function properly, including:

  • Session management
  • Authentication and security
  • Load balancing

Functional Cookies: Enhance functionality and personalization:

  • Remember your preferences and settings
  • Provide customized features
  • Support language and location settings

Analytics Cookies: Help us understand how you use the Service:

  • Track page views and navigation
  • Measure feature usage
  • Identify errors and performance issues

Marketing Cookies: Used for advertising and remarketing (with your consent):

  • Deliver relevant advertisements
  • Track campaign effectiveness
  • Personalize marketing content

7.2 Cookie Management

Most browsers accept cookies by default, but you can modify your browser settings to:

  • Block all cookies
  • Block third-party cookies only
  • Delete cookies after each session
  • Receive notifications before cookies are stored

Note that blocking or deleting cookies may limit your ability to use certain features of the Service.

7.3 Third-Party Analytics

We use third-party analytics services such as:

  • Google Analytics
  • Mixpanel
  • Hotjar

These services use cookies and similar technologies to collect usage data. You can opt out of Google Analytics using the Google Analytics Opt-out Browser Add-on.

7.4 Do Not Track Signals

Some browsers support "Do Not Track" (DNT) signals. Our Service does not currently respond to DNT signals, but you can use the cookie controls described above.

8. Data Security

We implement reasonable administrative, technical, and physical security measures to protect your information from unauthorized access, disclosure, alteration, and destruction.

8.1 Security Measures

  • Encryption: Data is encrypted in transit using TLS/SSL and at rest using industry-standard encryption
  • Access Controls: Strict access controls and authentication requirements
  • Network Security: Firewalls, intrusion detection, and monitoring systems
  • Secure Development: Security testing and code reviews
  • Employee Training: Regular security awareness training
  • Vendor Management: Security assessments of third-party providers
  • Incident Response: Procedures for detecting and responding to security incidents

8.2 Your Responsibilities

You are responsible for:

  • Maintaining the confidentiality of your account credentials
  • Using strong, unique passwords
  • Enabling two-factor authentication when available
  • Notifying us immediately of any unauthorized access
  • Keeping your software and devices secure

8.3 Limitations

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You use the Service at your own risk.

9. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information.

9.1 General Rights (All Users)

  • Access: Request a copy of your personal information
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your information
  • Portability: Request a copy of your data in a structured format
  • Objection: Object to certain processing activities
  • Support: Contact us with privacy concerns

9.2 GDPR Rights (EEA Residents)

In addition to the above, you have the right to:

  • Withdraw consent at any time
  • Restrict processing in certain circumstances
  • Lodge a complaint with your supervisory authority
  • Receive your data in a machine-readable format (data portability)

9.3 CCPA Rights (California Residents)

California residents have additional rights:

  • Right to know what personal information is collected, used, and shared
  • Right to delete personal information (subject to exceptions)
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising CCPA rights

9.4 Exercising Your Rights

To exercise any of these rights, contact us at privacy@conformatiq.com or through your account settings. We will respond to your request within 30 days (or as required by applicable law). We may require verification of your identity before processing requests.

10. Children's Privacy

The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If we discover that we have collected information from a child under 18, we will delete it immediately. If you believe we have collected information from a child, contact us at privacy@conformatiq.com.

11. International Data Transfers

11.1 Data Location

Your information may be transferred to and processed in the United States or other countries where we or our service providers operate. These countries may have data protection laws that differ from those of your country.

11.2 EEA Data Transfers

If you are in the EEA, we transfer your data outside the EEA only when:

  • The destination country provides adequate data protection (as determined by the European Commission)
  • We have appropriate safeguards in place (such as Standard Contractual Clauses)
  • You have provided explicit consent

11.3 Privacy Shield

While the EU-U.S. Privacy Shield has been invalidated, we continue to apply its principles and use Standard Contractual Clauses for EEA data transfers.

12. California Privacy Rights

12.1 Shine the Light Law

California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

12.2 CCPA Disclosures

Categories of Personal Information Collected (in the last 12 months):

  • Identifiers (name, email, IP address)
  • Commercial information (subscription data, payment history)
  • Internet activity (usage data, browsing history)
  • Professional information (job title, company)

Sources: Directly from you, automatically from your device, from third-party integrations

Business Purposes: Service provision, improvement, security, legal compliance, communication

Categories Shared: Service providers (all categories), payment processors (billing information), analytics providers (usage data)

Sale of Information: We do not sell personal information

13. Third-Party Links and Services

The Service may contain links to third-party websites, applications, or services that are not controlled by us. This Privacy Policy does not apply to third-party services. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated Privacy Policy with a new "Last Updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice on the Service

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Email: privacy@conformatiq.com
Website: https://conformatiq.com
Address: [Your Physical Address - required for GDPR compliance]

Data Protection Officer (if applicable):
Email: dpo@conformatiq.com

EU Representative (if applicable):
[EU Representative Name and Contact Information]

16. Supervisory Authority Contact

If you are in the EEA and believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with your local supervisory authority.


Appendix A: Definitions

Personal Information: Information that identifies, relates to, describes, or could reasonably be linked with a particular individual or household.

Customer Data: Information, documents, and data you input, upload, or generate while using the Service for CMMC compliance purposes.

Processing: Any operation performed on personal information, including collection, storage, use, disclosure, and deletion.

Controller: The entity that determines the purposes and means of processing personal information.

Processor: The entity that processes personal information on behalf of the controller.

EEA: European Economic Area, including EU member states plus Iceland, Liechtenstein, and Norway.


BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.