Privacy Policy

This Privacy Policy ("Policy") describes how Govantic, Inc., a Delaware corporation ("Govantic," "we," "us," or "our") collects, uses, discloses, and protects information in connection with the Govantic platform and related services (collectively, the "Service"), as well as our marketing website at govantic.com (the "Website").

By accessing or using our Service or Website, you agree to the practices described in this Policy. If you do not agree with this Policy, please do not use the Service or Website.

1. Who This Policy Applies To

This Policy applies to:

1.1 Website Visitors. Individuals who visit our Website (govantic.com), including the home page, features page, pricing page, about page, and related marketing pages.

1.2 Customers. Organizations that subscribe to and use the Service, including their designated Authorized Users (Admins, Managers, and Viewers).

1.3 Monitored Individuals. Individuals within a Customer's organization whose communications, activities, or data may be processed by the Service through Supervision Agents. Important: Govantic processes data about Monitored Individuals solely on behalf of and at the direction of our Customers. Customers are responsible for providing notice and obtaining any required consents from Monitored Individuals. If you are a Monitored Individual with questions about how your data is processed, please contact your employer or the organization that deployed Govantic.

2. Information We Collect

2.1 Information You Provide Directly

(a) Account Registration Information. When you create a Govantic account or Workspace, we collect:

• Full name
• Email address
• Password (stored as a cryptographic hash; we never store plaintext passwords)
• Organization/company name
• Workspace name and URL prefix

(b) Compliance Knowledge. Customers upload and create compliance-related content within the Service, including:

• Policies, standard operating procedures (SOPs), and source documents
• Regulatory frameworks selected or configured
• Requirements (AI-extracted or manually created)
• Controls and their configurations (agent type, response mode, confidence thresholds)
• Requirement-to-control mappings

(c) Contact and Communication Information. When you contact us via email (e.g., hello@govantic.com, legal@govantic.com) or through our Website, we collect the information you provide in your message.

(d) Payment Information. If you subscribe to a paid plan (Professional or Enterprise), we collect billing information such as company name, billing address, and payment method details. Payment card information is processed by our third-party payment processor and is not stored on our servers.

2.2 Information Collected Through the Service

(a) Data Processed by Supervision Agents. When Customers enable Supervision Agents, the Service processes data from connected third-party sources on behalf of the Customer. This may include:

• Communication Data: Messages, emails, and threads from Slack, Microsoft Teams, Gmail, Outlook, and Google Workspace, processed by the Communication Agent to detect potential compliance violations.
• Call and Meeting Data: Call recordings and transcripts from Gong, Zoom, Google Meet, and Microsoft Teams, processed by the Call Intelligence Agent.
• Financial Data: Invoices, contracts, purchase orders, and credit card transaction data, processed by the Financial Controls Agent.
• Technical Infrastructure Data: Cloud configurations, IAM policies, CloudTrail logs, GuardDuty findings, and infrastructure configuration data, processed by the Technical Controls Agent.
• Legal Document Data: Contracts, NDAs, vendor agreements, and DPA clauses (including from DocuSign), processed by the Legal Controls Agent.
• Endpoint Data: Software installation records, data movement logs, device encryption status, screen lock compliance, and application usage data from employee devices running the Govantic Desktop agent.
• Code Repository Data: Repository activity and configuration data from GitHub, processed by the Technical Controls Agent.

Critical Architecture Note: Data processed by Supervision Agents and the AI reasoning engine is processed within the Customer's own cloud account. This data does not transit Govantic's infrastructure. Govantic's web application and administration plane process only metadata, configuration data, and Workspace management data.

(b) Incident and Evidence Data. The Service generates and stores incident records when potential compliance violations are detected, including:

• Incident description and AI-generated explanation
• Severity assessment and violation likelihood
• Linked requirements and frameworks
• Timestamps
• Response actions taken (Intervene, Alert, or Log)
• Associated evidence

(c) Review and Approval Data. Records of human review decisions on AI-extracted requirements, including reviewer identity, approval status, and notes.

2.3 Information Collected Automatically

(a) Usage Data. We automatically collect information about how you interact with the Service and Website, including:

• Pages and features accessed
• Actions performed within the dashboard (e.g., creating frameworks, configuring controls, reviewing incidents)
• Date and time of access
• Session duration

(b) Device and Browser Information. We collect:

• Browser type and version
• Operating system
• Device type
• Screen resolution

(c) Network Information. We collect:

• IP address
• Approximate geographic location (derived from IP address)

(d) Local Storage. The Service uses browser local storage (not traditional cookies) to maintain your authentication session. Specifically, we store an authentication token under the key govantic-auth in your browser's local storage to keep you logged in between sessions.

(e) Cookies and Similar Technologies. Our Website may use cookies for:

• Essential functionality (e.g., remembering preferences)
• Analytics (to understand how visitors use our Website)
• Marketing (to measure the effectiveness of our campaigns)

You can control cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Website.

3. How We Use Information

3.1 To Provide and Operate the Service

We use information to:

• Create and manage your Workspace and user accounts
• Authenticate users and maintain session security
• Process and store Compliance Knowledge (frameworks, policies, SOPs, requirements, controls)
• Execute Supervision Agent monitoring and compliance evaluation on behalf of Customers
• Generate AI-powered requirement extraction, mapping, and violation assessments
• Execute configured response actions (Intervene, Alert, Log)
• Create and maintain incident records and evidence chains
• Facilitate the requirement review and approval workflow
• Process background jobs (document extraction, requirement generation, embedding generation, framework indexing)

3.2 To Communicate With You

We use information to:

• Send transactional notifications related to your account and the Service (e.g., account verification, password resets, subscription confirmations)
• Respond to your inquiries and support requests
• Send product updates and service announcements
• With your consent, send marketing communications about new features, use cases, and offers

3.3 To Improve the Service

We use information to:

• Analyze usage patterns to improve Service features and user experience
• Identify and fix bugs, errors, and performance issues
• Develop new features and capabilities
• Generate aggregated, anonymized benchmarks and insights

3.4 To Ensure Security and Compliance

We use information to:

• Detect and prevent fraud, abuse, and unauthorized access
• Enforce our Terms and Conditions of Service
• Comply with legal obligations
• Protect the rights and safety of our users and third parties

3.5 For Billing and Payments

We use information to:

• Process subscription payments
• Send invoices and billing notifications
• Manage subscription plans and upgrades

4. How We Share Information

4.1 We Do Not Sell Personal Information

Govantic does not sell, rent, or trade personal information to third parties for their own marketing purposes.

4.2 Service Providers

We may share information with third-party service providers who assist us in operating the Service, including:

• Cloud infrastructure providers for hosting the web application and administration plane
• Payment processors for subscription billing
• Email service providers for transactional and marketing communications
• Analytics providers for Website usage analysis

All service providers are contractually obligated to use information only for the purposes of providing services to Govantic and to maintain appropriate security measures.

4.3 Customer-Directed Sharing

The Service integrates with third-party platforms at the Customer's direction. When a Customer connects the Service to third-party tools (e.g., Slack, Gmail, AWS), the Service accesses data from those platforms in accordance with the Customer's configuration. The Intervene response mode may cause Govantic to post messages or take actions within those third-party platforms on behalf of the Customer.

4.4 Legal Requirements

We may disclose information if required to do so by law, regulation, legal process, or governmental request, including:

• In response to a subpoena, court order, or similar legal process
• To comply with applicable laws and regulations
• To protect the rights, property, or safety of Govantic, our users, or the public

4.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, information may be transferred to the acquiring entity. We will notify affected users of any such transfer and any choices they may have regarding their information.

4.6 Aggregated and De-Identified Data

We may share aggregated, anonymized, and de-identified data that does not identify any individual or Customer. This data may be used for industry benchmarks, research, and to improve the Service.

5. Data Processing Architecture and Security

5.1 Single-Tenant Architecture

Govantic is designed with a single-tenant deployment model for Enterprise customers:

• AI Reasoning Engine: The AI reasoning engine runs inside the Customer's own cloud account. No Customer Data processed by the AI engine transits Govantic's infrastructure or any third-party environment.
• Supervision Agents: Signals from Supervision Agents are processed within the Customer's cloud environment.
• Web Application & Admin Plane: The Govantic web application and administration plane run on Govantic-managed infrastructure and process Workspace configuration, user management, and compliance knowledge metadata.
• Source Document Storage: Uploaded documents (policies, SOPs) are stored in the Customer's own storage, referenced by the Service via storage keys and checksums.

5.2 Security Measures

We implement industry-standard security measures to protect information, including:

• Encryption of data in transit (TLS/HTTPS)
• Encryption of data at rest
• Cryptographic hashing of passwords (passwords are never stored in plaintext)
• Role-based access control (Admin, Manager, Viewer) with permission enforcement at the application layer
• Workspace isolation - users can only access data within their own Workspace
• Email domain restrictions to control who can join a Workspace
• JWT-based authentication with token refresh mechanisms
• Audit logging of administrative actions

5.3 Data Retention

• Active Accounts: Customer Data is retained for as long as the Customer's Workspace remains active, unless the Customer deletes specific data.
• Source Documents: Retained in Customer's storage until deleted by the Customer or upon account termination.
• Incidents and Evidence: Retained within the Customer's Workspace for the duration of the subscription. Customers can configure retention policies as appropriate for their compliance requirements.
• Post-Termination: Upon termination of the Service, Customer Data is available for export for thirty (30) days. After this period, Govantic may permanently delete all Customer Data from its systems.
• Govantic Lite (Free Tier): Evidence retention is limited to seven (7) days, as described in the applicable plan documentation.
• Website Analytics Data: Retained for up to twenty-four (24) months.
• Backup Copies: Backup copies of data may be retained for a reasonable period following deletion for disaster recovery purposes, after which they are permanently deleted.

6. Your Rights and Choices

6.1 Account Information

You may access, update, or correct your account information at any time through the Settings page in the Service. Workspace Admins can manage users, roles, and workspace settings.

6.2 Data Export

Customers can export their data from the Service at any time during an active subscription.

6.3 Account Deletion

You may request deletion of your account by contacting us at privacy@govantic.com. Workspace Admins may also delete the entire Workspace, which will remove all associated data.

6.4 Marketing Communications

You may opt out of marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Contacting us at privacy@govantic.com

Opting out of marketing communications will not affect transactional communications related to your account.

6.5 Cookie Preferences

You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Note that blocking essential cookies may impair the functionality of the Website.

6.6 Do Not Track

Our Website does not currently respond to "Do Not Track" signals from browsers.

7. Rights for Individuals in Specific Jurisdictions

7.1 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) or equivalent local law:

(a) Right of Access. You have the right to request a copy of the personal data we hold about you.

(b) Right to Rectification. You have the right to request correction of inaccurate or incomplete personal data.

(c) Right to Erasure ("Right to Be Forgotten"). You have the right to request deletion of your personal data, subject to certain legal exceptions.

(d) Right to Restriction of Processing. You have the right to request that we restrict the processing of your personal data in certain circumstances.

(e) Right to Data Portability. You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

(f) Right to Object. You have the right to object to the processing of your personal data based on our legitimate interests.

(g) Right to Withdraw Consent. Where processing is based on consent, you have the right to withdraw that consent at any time.

Legal Bases for Processing. We process personal data on the following legal bases:

• Contract Performance: To provide the Service you have subscribed to.
• Legitimate Interests: To improve the Service, ensure security, and communicate with you.
• Consent: For marketing communications and non-essential cookies.
• Legal Obligation: To comply with applicable laws and regulations.

Data Transfers. If you are located in the EEA, UK, or Switzerland, your personal data may be transferred to and processed in the United States, where Govantic is headquartered. We implement appropriate safeguards for such transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission.

Data Processing on Behalf of Customers. Where Govantic processes personal data of Monitored Individuals on behalf of a Customer, the Customer acts as the Data Controller and Govantic acts as the Data Processor. In such cases, the Customer's privacy policy and data processing obligations apply. Govantic will enter into a Data Processing Agreement (DPA) with Customers as required under GDPR.

To exercise any of these rights, contact us at privacy@govantic.com. We will respond within thirty (30) days.

7.2 California (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

(a) Right to Know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected, the sources of collection, the purposes of collection, and the categories of third parties with whom we share personal information.

(b) Right to Delete. You have the right to request deletion of your personal information, subject to certain exceptions.

(c) Right to Correct. You have the right to request correction of inaccurate personal information.

(d) Right to Opt Out of Sale/Sharing. Govantic does not sell or share personal information for cross-context behavioral advertising.

(e) Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your rights, contact us at privacy@govantic.com. We will verify your identity before processing your request.

7.3 Other Jurisdictions

If you are located in a jurisdiction with specific privacy laws (e.g., Brazil's LGPD, Canada's PIPEDA), you may have similar rights to access, correct, delete, or restrict the processing of your personal data. Contact us at privacy@govantic.com to exercise these rights.

8. Information About Monitored Individuals

8.1 Govantic as a Data Processor

When Customers deploy Supervision Agents, the Service processes data about individuals within the Customer's organization ("Monitored Individuals"). This may include:

• Names and email addresses appearing in communications
• Message content in Slack, Teams, Gmail, and other monitored channels
• Call recordings and transcripts
• Financial transaction data associated with individuals
• Cloud and technical activity logs associated with user accounts
• Device and endpoint activity data

Govantic processes this data solely on behalf of and at the direction of the Customer. The Customer is the Data Controller (or equivalent under applicable law) and is responsible for:

• Determining the lawful basis for monitoring
• Providing notice to Monitored Individuals about the monitoring
• Obtaining any required consents
• Responding to data subject requests from Monitored Individuals

8.2 Requests from Monitored Individuals

If you are a Monitored Individual and wish to exercise your privacy rights (access, deletion, correction, etc.), please contact the organization that deployed Govantic (your employer or contracting party). Govantic will cooperate with the Customer to fulfill such requests in accordance with applicable law.

8.3 Endpoint Monitoring Disclosure

If the Govantic Desktop (Endpoint Agent) is installed on your device, it may collect:

• Software installation and removal events
• Data movement to external destinations (USB, cloud storage)
• Device encryption and screen lock status
• Certificate and password manager usage
• Application usage patterns

This data is collected to enforce your organization's compliance policies. The Endpoint Agent is designed to understand context and distinguish between legitimate business activities and potential policy violations. Contact your organization's IT or compliance team for more information about what is monitored and why.

9. Third-Party Services and Integrations

9.1 Third-Party Integrations

The Service integrates with the following categories of third-party services at the Customer's direction:

• Communication Platforms: Slack, Microsoft Teams, Gmail, Outlook, Google Workspace
• Video/Call Platforms: Gong, Zoom, Google Meet
• Cloud Infrastructure: AWS (IAM, CloudTrail, GuardDuty, AWS Config, S3)
• Document and Signing Platforms: DocuSign
• Financial Platforms: QuickBooks
• Code Repositories: GitHub

Each third-party integration is governed by that service's own privacy policy and terms of service. Govantic is not responsible for the privacy practices of third-party services. Customers should review the privacy policies of all connected services.

9.2 Third-Party Analytics

Our Website may use third-party analytics services to help us understand usage patterns. These services may collect information about your use of the Website through cookies and similar technologies.

9.3 Links to Third-Party Websites

Our Website may contain links to third-party websites. This Policy does not apply to those websites. We encourage you to review the privacy policies of any third-party websites you visit.

10. Children's Privacy

The Service and Website are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have collected information from a child under 18, please contact us at privacy@govantic.com.

11. International Data Transfers

Govantic is headquartered in the United States. If you access the Service or Website from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

We implement appropriate safeguards for international data transfers, including:

• Standard Contractual Clauses (SCCs) for transfers from the EEA, UK, or Switzerland
• Data Processing Agreements with all sub-processors
• Technical measures to protect data during transfer

For Enterprise customers, the single-tenant deployment model ensures that Customer Data processed by Supervision Agents and the AI reasoning engine remains within the Customer's own cloud account and region.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this Policy
• Post the revised Policy on our Website
• Notify registered users via email or in-app notification at least thirty (30) days before the changes take effect

Your continued use of the Service or Website after the effective date of any changes constitutes your acceptance of the updated Policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Govantic, Inc.
Privacy inquiries: privacy@govantic.com
Legal inquiries: legal@govantic.com
General inquiries: hello@govantic.com

If you are located in the EEA and have concerns about our data processing practices that we have not satisfactorily addressed, you have the right to lodge a complaint with your local Data Protection Authority.

By using the Govantic Service or Website, you acknowledge that you have read and understood this Privacy Policy.