FastGRCSign in →

Privacy Policy

Effective date: February 26, 2026

1. Introduction

FastGRC (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our GRC platform and related services (collectively, the “Service”).

By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

  • Account information: name, work email address, organization name, password
  • Profile data: job title, role within your organization
  • Payment information: billing address, payment method details (processed securely by Stripe — we do not store card numbers)
  • GRC data: risks, controls, evidence, compliance frameworks, audit logs, vendor records, incident reports, and other compliance content you enter into the platform
  • Communications: messages sent to our support team

2.2 Information Collected Automatically

  • Usage data: pages visited, features used, actions taken, timestamps
  • Device data: IP address, browser type and version, operating system
  • Cookies and local storage: session tokens, theme preferences, authentication state

2.3 Information from Third Parties

  • OAuth providers: if you sign in with Google or GitHub, we receive your name, email, and profile picture
  • Integrations: when you connect AWS, GitHub, Jira, or Slack, we receive data necessary to provide the integration (e.g., security alerts, issue data)

3. How We Use Your Information

  • Provide, maintain, and improve the Service
  • Process transactions and send billing-related communications
  • Send transactional emails (account confirmation, password reset, team invitations)
  • Respond to support requests
  • Send product updates and security notices (you can opt out of marketing emails)
  • Detect and prevent fraud, abuse, and security threats
  • Comply with legal obligations
  • Enforce our Terms of Service

We do not sell your personal data or Customer Data to third parties. We do not use your GRC content (risks, controls, evidence, etc.) to train AI models.

4. AI and Data Processing

The FastGRC AI copilot sends your queries and relevant context to the Anthropic API to generate responses. Data sent to the AI is subject to Anthropic's Privacy Policy. We use Anthropic's API under a commercial agreement that prohibits using our data for model training.

If you provide your own AI API key in Settings, your queries are sent directly to the respective AI provider under their terms.

5. Data Sharing and Disclosure

We share your information only in these circumstances:

  • Service providers: Supabase (database and auth), Stripe (payments), Resend (transactional email), Anthropic (AI), Vercel (hosting) — each bound by data processing agreements
  • Your organization: data you enter is visible to other users within your organization account
  • Legal requirements: if required by law, court order, or government authority
  • Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to you
  • With your consent: any other sharing with your explicit permission

6. Data Security

We implement industry-standard security controls, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Row-Level Security (RLS) in the database — your data is isolated from other organizations
  • Immutable audit log with cryptographic hash chain for tamper detection
  • Role-based access control (RBAC) within organizations
  • Multi-factor authentication support

No system is 100% secure. If you believe your account has been compromised, contact us immediately at support@fastgrc.ai.

7. Data Retention

We retain your account data for as long as your account is active. GRC content (risks, controls, evidence, audit logs) is retained for the duration of your subscription and for 90 days after account closure, after which it is permanently deleted. Immutable audit logs may be retained longer to satisfy legal or regulatory requirements.

You may request a full data export at any time from Settings → Organization.

8. Cookies

We use the following cookies and local storage:

  • Authentication cookies: set by Supabase to maintain your session (strictly necessary)
  • Preference storage: theme setting (light/dark) stored in browser localStorage (strictly necessary)

We do not use advertising cookies or track you across third-party websites.

9. Your Rights

Depending on your location, you may have rights including:

  • Access: request a copy of your personal data
  • Correction: update inaccurate or incomplete data
  • Deletion: request deletion of your personal data (subject to legal retention requirements)
  • Portability: receive your data in a machine-readable format
  • Objection: object to processing based on legitimate interests
  • Restriction: request restriction of processing in certain circumstances

To exercise any of these rights, contact us at support@fastgrc.ai. We will respond within 30 days.

10. International Data Transfers

FastGRC is based in the United States. If you access the Service from outside the US, your data may be transferred to and processed in the US. We use Standard Contractual Clauses (SCCs) and other appropriate safeguards for transfers from the European Economic Area (EEA), UK, and Switzerland.

11. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided personal data, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notice before they take effect. The “Effective date” at the top reflects the latest revision.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

FastGRC, Inc.

Email: support@fastgrc.ai