
Privacy Policy

Effective date: 1 May 2026 · Last updated: 1 May 2026

This Privacy Policy explains how TractionGRC, Inc. (“TractionGRC,” “we,” “us,” or “our”), a Washington State corporation, collects, uses, shares, and protects information when you visit tractiongrc.com, use the TractionGRC platform, or otherwise interact with us. It applies to all users of the TractionGRC service, including free-tier accounts.

TractionGRC provides a governance, risk, and compliance (“GRC”) platform. The nature of our service means that you may upload, generate, or connect sensitive information about your organization’s security posture, internal controls, suppliers, and infrastructure. We take that responsibility seriously, and this policy is intended to be specific about what we do with that information.

1. Quick summary

This is a plain-language summary. The rest of the policy is the legally operative version.

  • We collect what we need to operate the platform and to support you. Nothing more.
  • We do not use customer data to train any AI model. Ever. TractionAI, our AI assistant, uses your organization’s settings (name, size, industry, frameworks in scope) only as context at the moment a response is generated — not as training material.
  • Customer data is hosted on Microsoft Azure in the United States.
  • You own your data. You can export it or delete your account at any time.
  • We name the sub-processors we use, including which AI providers we work with.
  • General questions: visit our Contact page. For privacy-specific requests, email privacy@tractiongrc.com.

2. Information we collect

2.1 Information you provide directly

  • Account information. Name, work email address, password (stored hashed), organization name, organization size, industry, role, and any other profile details you choose to add.
  • Billing information. If you subscribe to a paid plan, you provide payment details to our payment processor, Stripe. We do not store full payment card details on our servers; we store only the limited billing metadata Stripe returns to us (e.g., last four digits, brand, expiration, billing country).
  • Customer content. Information you, your team, or your suppliers upload, type, generate, or otherwise input into the platform. This includes policies, controls, evidence files, gap analyses, plans of action and milestones (POA&Ms), supplier assessment responses, internal audit notes, management review records, domain registration and DNS information you submit for scanning, and any messages you send to TractionAI.
  • Support communications. If you contact support, we collect the contents of your messages, attachments, and any contact details you include.

2.2 Information we receive from third parties you connect

  • Cloud connectors. If you connect a Microsoft Azure tenant or Google Workspace tenant to TractionGRC, we receive configuration and posture information from those services through their official APIs, scoped to the permissions you grant during the OAuth consent flow. We do not request, store, or process the contents of files, mailboxes, calendars, or other end-user productivity data unless explicitly required to evaluate a control you have selected. See section 5 for the full disclosure of what we access from Google Workspace.
  • Domain and DNS data. When you run a baseline or deep scan, we query public DNS, certificate transparency logs, and other public Internet sources for the domain you have verified. We do not scan domains you have not verified ownership of.
  • Identity providers. If you sign in via single sign-on (where supported), we receive the identity attributes the provider sends (typically email, name, and a stable user identifier).

2.3 Information we collect automatically

  • Telemetry and product usage. Pages visited, features used, timestamps, error events, and similar non-content metrics. This information helps us operate, secure, and improve the service.
  • Device and connection. IP address, browser type and version, operating system, time zone, and similar request metadata.
  • Cookies and similar technologies. See section 10.

3. How we use information

We use the information described above for the following purposes:

  • Provide and operate the service. Authenticate users, render your workspace, run scans you initiate, generate documents you request, track controls and findings, send notifications, and process payments.
  • Support you. Respond to questions, troubleshoot issues, investigate suspected abuse, and notify you of material changes.
  • Personalize TractionAI output. When TractionAI generates a policy, answer, or recommendation, we provide your organization’s profile information (organization name, size, industry, frameworks in scope, and similar context) to the AI provider as prompt context so the response is tailored to your organization. This context is used at the moment of generation and is not retained by the AI provider for model training under the agreements we maintain with them.
  • Secure the service. Detect, prevent, and respond to abuse, fraud, security incidents, and violations of our Terms of Service.
  • Improve the service operationally. Analyze aggregated, de-identified usage patterns to understand which features are useful, where users encounter friction, and how to prioritize improvements. This is not the same as training AI models on customer data, which we do not do.
  • Communicate with you. Send transactional messages (verification, billing, security alerts, service updates), respond to inquiries, and — where you have opted in — send product updates and marketing communications you can unsubscribe from at any time.
  • Comply with law. Meet legal, regulatory, tax, and audit obligations applicable to TractionGRC.

4. Artificial intelligence (TractionAI)

TractionAI is an AI assistant that helps you draft policies, evaluate controls, generate POA&M items, and answer GRC questions. Because customer trust in this feature is central to the platform, we make the following commitments:

4.1 No training on customer data

We do not use customer data to train, fine-tune, or otherwise improve any AI model — ours or any third party’s. This includes the content of your policies, your gap analyses, your evidence files, your supplier assessments, your domain scan findings, and the messages you exchange with TractionAI.

We rely on third-party AI providers (currently Anthropic and Microsoft Azure OpenAI Service) under enterprise terms that prohibit those providers from using your data to train their models.

4.2 What TractionAI does use

To produce a useful response, TractionAI uses, at the moment of generation:

  • The message you send (your prompt).
  • Relevant context from your workspace, such as your organization profile (name, size, industry, frameworks in scope), the document or control you are working on, and recent conversation in the same session.
  • The AI model’s own pre-existing training (which does not include your data).

This context is passed to the AI provider as part of the request, used to generate the response, and not retained by the provider for training.

4.3 Operational logging

We log TractionAI requests and responses for a limited period for operational reasons: debugging, abuse prevention, safety review, and meeting our own compliance obligations. These logs are accessible only to authorized TractionGRC personnel and are not used for model training. See section 8 for retention.

4.4 AI output is informational

TractionAI output is generated by a language model. It is informational and is not a substitute for professional advice, certified auditor review, or independent legal or compliance judgment. AI output may be incorrect or incomplete. You are responsible for reviewing it before relying on it. See also our Terms of Service.

5. Use of Google Workspace data

When you connect a Google Workspace tenant to TractionGRC, we access information from Google APIs to generate compliance signals about your workspace’s security posture. This section describes specifically what we access, how we use it, and your rights to revoke access at any time. Our use of Google APIs also follows Google’s Limited Use requirements, set out at the bottom of this section.

5.1 What we access

The data we access from Google Workspace is limited to what is necessary to produce compliance signals:

  • Directory data via the Admin SDK Directory API: the list of users in your workspace, their two-factor enrollment status, super-admin role assignments, and account suspension status. Used to compute compliance signals against ISO 27001 controls A.5.17 (authentication), A.8.2 (privileged access), and A.5.18 (access rights revocation).
  • Reports data via the Admin SDK Reports API: admin activity audit log counts and account login activity. Used to verify that audit logging is functioning (ISO 27001 control A.8.15) and to identify dormant accounts that may need to be deactivated (ISO 27001 control A.5.16).
  • Domain metadata via the Admin SDK Directory API: your workspace customer ID and verified domain name. Used to label your connection in TractionGRC and to scope our API calls to your tenant.

We do not access user file content, email content, calendar entries, chat messages, Drive documents, or any other end-user productivity data. We do not modify any data in your Google Workspace; all OAuth scopes we request are read-only.

5.2 How we use this data

We use Google Workspace data only to produce the compliance signals shown in the Cloud Connect area of TractionGRC, to compute related TractionScore contributions, and to create historical signal records that let you and your auditors see how your posture has changed over time. We do not transfer this data to third parties except to the sub-processors listed in section 6.1, and we do not use it for advertising of any kind.

5.3 Limited Use commitment

TractionGRC’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, data accessed from Google APIs is:

  • Used only to provide and improve user-facing features of TractionGRC that are prominent in the application’s user interface (specifically, the Cloud Connect dashboard, compliance signal evaluation, and TractionScore).
  • Not transferred to third parties except as necessary to provide or improve those features (our sub-processors, listed in section 6.1) or to comply with applicable law or as part of a merger, acquisition, or sale of assets.
  • Not used or transferred for serving advertisements, including retargeted, personalized, or interest-based advertising.
  • Not read by humans, except (a) with your affirmative consent for specific messages, (b) as necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations.

5.4 Revoking access

You can revoke TractionGRC’s access to your Google Workspace at any time by disconnecting the integration from your Cloud Connect page in TractionGRC, or by visiting your Google Account permissions page. On disconnection, we delete the access and refresh tokens immediately. Historical compliance signals derived from your Google Workspace are retained according to the schedule in section 8 unless you request earlier deletion under section 9.

6. How we share information

We do not sell personal information. We share information only as described here.

6.1 Service providers and sub-processors

We share information with vendors who help us operate the service, under contractual confidentiality and data-protection obligations. Our current sub-processors are:

  • Microsoft Azure — cloud hosting, database, infrastructure, and Azure OpenAI Service inference. United States.
  • Anthropic, PBC — Claude API for some TractionAI features. United States.
  • Stripe, Inc. — payment processing and billing. United States.
  • Twilio SendGrid — transactional email delivery. United States.

We may add or change sub-processors. Material changes will be reflected here and on our Trust Center, which hosts the canonical, up-to-date list. Where required, we will communicate changes to customers in advance.

6.2 Within your organization

Information you submit to a workspace is visible to other authorized users of that workspace, subject to permissions configured by your administrator. Your administrator may have access to your activity within the workspace.

6.3 With your direction

If you connect a third-party service (e.g., Microsoft Azure, Google Workspace), you authorize us to send and receive information from that service to perform the integration you have requested.

6.4 Legal and safety

We may disclose information if we believe in good faith that disclosure is required by law, legal process, or government request, or is necessary to protect the rights, property, or safety of TractionGRC, our users, or others. Where lawful, we will notify the affected customer before complying.

6.5 Business transfers

If TractionGRC is involved in a merger, acquisition, financing, or sale of assets, customer information may be transferred as part of that transaction. We will give notice before customer information becomes subject to a different privacy policy.

7. Where data is processed

Customer data is hosted on Microsoft Azure infrastructure in the United States. AI inference may be processed in the United States by Anthropic or Microsoft Azure OpenAI Service. Other sub-processors listed above operate primarily in the United States.

If you are located outside the United States, your information will be transferred to and processed in the United States, which may have data protection laws that differ from those of your country. By using the service, you consent to this transfer. Where required by law (for example, for personal data subject to UK GDPR or EU GDPR), we rely on appropriate transfer mechanisms with our sub-processors, including the European Commission’s Standard Contractual Clauses where applicable.

8. Data retention

  • Active accounts. We retain customer data for as long as your account is active, or as needed to provide the service.
  • Account closure. When a subscription ends or an account is closed, we retain customer data for up to 30 days to allow recovery, then delete or de-identify it from production systems.
  • Backups. Encrypted backups are retained on a rolling basis and are overwritten on the standard backup cycle (typically within 35 days).
  • Operational and security logs. Retained for up to 12 months for security, audit, abuse prevention, and compliance purposes.
  • Billing records. Retained for the period required by tax and accounting law (typically seven years in the United States).
  • Aggregate, de-identified analytics. May be retained indefinitely.

You can request earlier deletion as described in section 9. Some retention is required by law and may not be deletable on request.

9. Your rights and choices

Depending on where you live, you may have rights under applicable law to:

  • Access the personal information we hold about you.
  • Correct inaccurate personal information.
  • Delete personal information.
  • Export your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with a supervisory authority.

To exercise these rights, email privacy@tractiongrc.com. We will respond within the timeframe required by applicable law (typically 30 to 45 days). We may need to verify your identity before processing your request.

If you are an end user whose data was submitted by a TractionGRC customer (for example, a supplier whose questionnaire response is processed in our platform on behalf of that customer), you should direct your request to that customer in the first instance. We will support our customer in responding.

California residents. California consumers have specific rights under the California Consumer Privacy Act and California Privacy Rights Act, including the right to know, delete, correct, and opt out of “sale” or “sharing” of personal information. We do not sell personal information and do not share personal information for cross-context behavioral advertising.

10. Cookies and similar technologies

We use cookies and similar technologies for essential service functions (authentication, security, load balancing), preferences, and limited analytics. We do not use third-party advertising cookies. You can control cookies through your browser; disabling essential cookies may break the service.

11. Security

We implement administrative, technical, and physical safeguards designed to protect information, including encryption in transit and at rest, access controls, audit logging, vulnerability management, and incident response procedures. No system can guarantee perfect security; if you believe your account has been compromised, contact us immediately.

12. Children’s privacy

TractionGRC is a business product. It is not directed to children, and we do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions that apply that threshold). If you believe a child has provided us with personal information, email privacy@tractiongrc.com and we will delete it.

13. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the most recent change. If a change is material, we will notify you in advance through the service or by email. Continued use of the service after a change becomes effective constitutes acceptance of the updated policy.

14. Contact us

For privacy questions or to exercise your rights under this policy:

TractionGRC, Inc.
Attn: Privacy

Email: privacy@tractiongrc.com

For general questions, sales, partnerships, or support, please use our Contact page.