1. Introduction
SafeGuardGRC LLC, doing business as Kompflow (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at kompflow.com. By using our service, you agree to the practices described in this policy.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, password (encrypted)
- Firm Information: Firm name, size, location, client count
- Team Contacts: Names, phone numbers, email addresses of incident response team members
- Software Details: Tax software used, document storage providers
- Payment Information: Processed securely by Stripe (we do not store credit card details)
2.2 Compliance Assessments & Resource Data
- Quiz & Assessment Responses: Your answers to compliance readiness assessments, including the Breach Readiness Quiz, Cyber Insurance Reality Check, Governance Gaps Assessment, and any other interactive resources we offer. This may include selected states, firm size, client count, IT setup, and assessment-specific responses.
- Contact Information: Name, email address, firm name provided when requesting personalized reports or accessing gated resources such as the Compliance Requirements Matrix
- Anonymized Survey Data: Assessment responses are aggregated and anonymized for industry research and service improvement
By submitting an assessment, accessing a gated resource, and providing your email, you consent to receive your personalized results or resource via email. If you opt in to marketing communications, you agree to receive occasional compliance tips and product updates from Kompflow. You can unsubscribe from marketing emails at any time using the unsubscribe link in our emails. Your personal information (name, email) is never shared with third parties for marketing purposes.
2.3 Automatically Collected Information
When you visit our site, we automatically collect certain information through cookies and similar technologies. Kompflow serves customers in the United States and operates under an opt-out model: analytics and advertising measurement load by default, and you may opt out at any time using the “Do not sell or share my info” link in our footer or by declining via our cookie disclosure banner. See Section 8 for details on each cookie and how to opt out.
- Essential (always collected): IP address (for security and abuse prevention), authentication session tokens, cookie preference flag
- Analytics (opt-out available): Pages visited, time on page, scroll depth, referral source, browser type, device type, operating system, screen resolution, and general geographic location (city-level, derived from anonymized IP). Collected via Google Analytics 4 (with IP anonymization enabled) and Google Tag Manager.
- Session behavior (opt-out available): Anonymized recordings of mouse movement, clicks, and scroll behavior, plus aggregate heatmaps, used to diagnose usability issues. Form input fields are masked by default and we never see passwords or personal data typed into forms. Collected via Microsoft Clarity.
- Advertising performance (opt-out available): Page views and conversion events (e.g., checkout, email submission) used to measure the effectiveness of our advertising campaigns. Collected via Google Ads conversion tracking (loaded through Google Tag Manager) and, where active, the LinkedIn Insight Tag. LinkedIn may infer professional demographics (industry, job function, company size) based on LinkedIn member data.
3. How We Use Your Information
- To provide and maintain our service
- To generate customized data inventories, risk assessments, security policies, incident response plans, and compliance documentation
- To process payments and manage subscriptions
- To deliver your personalized Incident Readiness Report and compliance recommendations via email
- To conduct anonymized industry research based on aggregated quiz responses
- To send service-related notifications, updates, and compliance reminders
- To send marketing communications about our products and services (with your consent)
- To analyze site usage and improve our service (via Google Analytics 4, Google Tag Manager, and Microsoft Clarity, with opt-out available)
- To measure the effectiveness of our advertising campaigns (via Google Ads conversion tracking and LinkedIn Insight Tag, with opt-out available)
- To provide customer support
- To comply with legal obligations
Marketing Communications: You can opt out of marketing emails at any time by clicking the unsubscribe link in our emails or by submitting a request through our contact form. Please note that you will continue to receive essential service-related communications (e.g., compliance reminders, security alerts) regardless of your marketing preferences.
4. Data Sharing and Disclosure
We do NOT sell your personal information.
We may share data with:
- Infrastructure & Hosting: Supabase (database, authentication), Vercel (application hosting)
- Payments: Stripe (payment processing; we never store credit card details)
- AI Processing: Anthropic (document generation; data is not used to train AI models). See our AI Governance page for details on how AI is used, what data is involved, and our safeguards.
- Email: Resend (transactional and marketing email delivery)
- Analytics & Tag Management: Google Analytics 4 and Google Tag Manager (anonymized site usage data, opt-out available)
- Session Analytics: Microsoft Clarity (anonymized session recordings and heatmaps with form fields masked, opt-out available)
- Advertising Measurement: Google Ads and LinkedIn Insight Tag (ad campaign performance data, opt-out available)
- Legal Requirements: When required by law, court order, or to protect our rights
- Business Transfers: In connection with a merger, acquisition, or sale of assets
Note: Your incident response plans, WISPs, and firm compliance data are never shared with third parties for marketing purposes.
5. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: AES-256 encryption at rest, TLS 1.2+ in transit
- Access Controls: Multi-factor authentication, role-based access
- Data Separation: Complete client data isolation with row-level security
- Regular Audits: Ongoing security reviews and updates
While we use best practices to protect your data, no method of transmission over the internet is 100% secure.
6. Data Retention
We retain your information for as long as your account is active or as needed to provide services. Upon account deletion, we delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., resolving disputes, enforcing agreements).
- Account data: Retained while your account is active; deleted within 30 days of account closure
- Quiz data: Session data retained for 90 days for support purposes; email and contact information retained until you request deletion
- Analytics data: Google Analytics retains data for 14 months (Google's default); Microsoft Clarity retains session recordings for up to 13 months; LinkedIn retains Insight Tag data for up to 90 days; Google Ads conversion data is retained per Google Ads defaults
- Cookie preference: Stored in your browser's local storage indefinitely until you clear it
7. Your Rights
Depending on your location, you have the right to:
- Access: Request a copy of your personal data
- Correction: Update inaccurate or incomplete information
- Deletion: Request deletion of your data (“right to be forgotten”)
- Export: Download your compliance documents and firm data
- Opt-Out of Marketing: Unsubscribe from marketing emails at any time
- Opt out of cookies: Use the “Do not sell or share my info” link in our footer to opt out of analytics and advertising cookies at any time (see Section 8)
- Object: Object to processing of your data for certain purposes
To exercise these rights, submit a request through our contact form and select "Privacy Request" as the topic.
8. Cookies and Tracking Technologies
8.1 Our Cookie Model (US Opt-Out)
Kompflow serves customers in the United States. Under applicable US state privacy laws (including the California Consumer Privacy Act / California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act), we operate on an opt-out basis. Analytics and advertising-measurement cookies described in Section 8.2 load by default. You may opt out at any time using either of the following:
- Click “Do not sell or share my info” in the footer of any page on kompflow.com. This sets your preference immediately, and no further analytics or advertising hits will be sent from your browser.
- Click Decline on the cookie disclosure banner that appears on your first visit.
Your opt-out preference is stored in your browser's local storage under the key sgrc_cookie_consent. To re-enable analytics after opting out, use the same footer link, which will switch to read “Enable analytics cookies.” Clearing your browser's storage for kompflow.com resets the preference and the disclosure banner will reappear on your next visit.
8.2 Types of Cookies and Trackers
| Category | Provider | Purpose | Opt-Out |
|---|---|---|---|
| Essential | Kompflow / Supabase | Authentication, session management, cookie preference flag. The site does not function without these. | Not available |
| Tag Management | Google Tag Manager | Loads and orchestrates the analytics and advertising tags below. | Footer link |
| Analytics | Google Analytics 4 | Understand how visitors use our site: pages visited, traffic sources, user flows, general geography. IP anonymization is enabled. | Footer link |
| Session Analytics | Microsoft Clarity | Anonymized session recordings and aggregate heatmaps used to diagnose usability issues. Form input fields are masked by default; passwords and free-text PII are never visible to us. | Footer link |
| Advertising Measurement | Google Ads | Measure conversions from our search ads (e.g., checkout completion) and optimize ad spend. No targeted ads are served on this site. | Footer link |
| Advertising Measurement | LinkedIn Insight Tag | Measure effectiveness of our LinkedIn ad campaigns where active. LinkedIn may infer professional demographics (job function, industry, company size) from LinkedIn member data. | Footer link |
8.3 What We Do NOT Do
- We do not sell your personal information for money or other valuable consideration.
- We do not serve targeted advertisements on our site.
- We do not share cookie data with third parties for their own independent advertising purposes.
- We do not build cross-site user profiles for ad targeting.
- We do not use fingerprinting or any tracking technologies beyond the cookies and tags listed in Section 8.2.
8.4 Do Not Track and Global Privacy Control
There is no industry-standard interpretation of the browser-level “Do Not Track” (DNT) header, so we do not currently respond to it. We are evaluating support for the Global Privacy Control (GPC) signal as adoption by browsers and US states matures. In the meantime, the “Do not sell or share my info” link in our footer is a one-click opt-out that achieves the same result and is honored immediately.
9. Third-Party Services
Our service integrates with the following third parties, each with their own privacy policies:
- Supabase: Database and authentication. Privacy Policy
- Stripe: Payment processing. Privacy Policy
- Anthropic: AI-powered document generation. Privacy Policy · Our AI Governance
- Resend: Transactional and marketing email delivery. Privacy Policy
- Google Tag Manager: Tag orchestration for analytics and advertising measurement (loaded by default, opt-out available). Privacy Policy
- Google Analytics 4: Website analytics (loaded by default, opt-out available). Privacy Policy · Opt-Out Browser Add-On
- Microsoft Clarity: Anonymized session recordings and heatmaps with form fields masked (loaded by default, opt-out available). Privacy Statement
- Google Ads: Conversion measurement for our search campaigns (loaded by default, opt-out available). Privacy Policy · Ad Settings
- LinkedIn: Advertising campaign measurement where active (loaded by default, opt-out available). Privacy Policy · Ad Preferences
10. International Data Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers operate. By using our service, you acknowledge that your data may be transferred outside your country of residence. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable law.
11. Children's Privacy
Our service is designed for business professionals and is not intended for individuals under 18. We do not knowingly collect information from children. If we become aware that we have collected data from a child, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or prominent service notification at least 30 days before taking effect. The “Last Updated” date at the top of this page indicates when the policy was most recently revised. Continued use after changes constitutes acceptance of the updated policy.
13. State-Specific Rights
California Residents (CCPA/CPRA)
California residents have additional rights including the right to know what personal information is collected, the right to deletion, and the right to opt out of the “sale” or “sharing” of personal information. We do NOT sell your personal information for money. Some advertising-measurement cookies described in Section 8.2 may, under the broad CPRA definition of “share,” constitute sharing for cross-context behavioral advertising. To exercise your right to opt out, click “Do not sell or share my info” in the footer of any page, or decline via the cookie disclosure banner. Your preference is honored immediately on your browser.
Virginia, Colorado, Connecticut, Utah, and Other State Privacy Laws
Residents of states with comprehensive privacy laws have rights to access, correct, delete, and obtain a copy of personal data, as well as to opt out of targeted advertising, sale of personal data, and profiling. The footer opt-out link described above exercises your opt-out for advertising-measurement cookies. To exercise the other rights, contact us using the information in Section 14.
14. Contact Us
For privacy-related questions, data access requests, or concerns:
Contact Form: kompflow.com/contact (select "Privacy Request" as the topic)
Email: privacy@kompflow.com
Response Time: We aim to respond to all privacy requests within 30 days