Privacy Policy

OpenGRC, LLC — Effective Date: January 1, 2026

1. Introduction

OpenGRC, LLC ("OpenGRC," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

This policy applies to three distinct components of our service offering: the OpenGRC Website, the OpenGRC Portal, and the OpenGRC Application. Each component has different data collection and processing practices, which are detailed in this policy.

By accessing or using any of our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this policy, please do not access or use our services.

2. Data Controller Information

For the purposes of applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the data controller is:

OpenGRC, LLC

Casselberry, Florida, United States

Email: [email protected]

For any privacy-related inquiries, requests, or complaints, please contact us at the email address above. We will respond to your inquiry within thirty (30) days, or sooner as required by applicable law.

3. Definitions

For the purposes of this Privacy Policy, the following definitions apply:

  • "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to name, email address, company information, and payment details.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "OpenGRC Website" refers to our public-facing website used for marketing, information, and general company communications.
  • "OpenGRC Portal" refers to our customer management web application where customers manage their accounts, subscriptions, and billing information.
  • "OpenGRC Application" refers to the dedicated, standalone governance, risk, and compliance (GRC) application instance provisioned for each customer.

4. OpenGRC Website

4.1 Information We Collect

When you visit the OpenGRC Website, we automatically collect certain information through standard server logs and analytics tools. This information includes:

  • IP address and approximate geographic location
  • Browser type and version
  • Operating system
  • Pages visited and time spent on each page
  • Referring website or source
  • Date and time of access

4.2 Analytics

We use Microsoft Clarity, a web analytics service provided by Microsoft Corporation, to help us understand how visitors interact with our website. Microsoft Clarity collects information such as mouse movements, clicks, and scrolling behavior to generate session recordings and heatmaps. This data helps us improve the user experience on our website. For more information about Microsoft Clarity's data practices, please visit Microsoft's privacy policy.

4.3 Cookies

The OpenGRC Website uses cookies for session management purposes. These cookies are essential for the proper functioning of the website and do not track you across other websites. You may configure your browser to refuse cookies; however, this may affect the functionality of certain features.

4.4 Use and Sharing of Website Data

Information collected through the OpenGRC Website is used solely for our internal purposes, including website optimization, security monitoring, and understanding visitor behavior. We do not share, sell, rent, or otherwise disclose this information to third parties.

5. OpenGRC Portal

5.1 Information We Collect

When you register for and use the OpenGRC Portal, we collect business contact information necessary to provision your OpenGRC Application and manage our customer relationship. This information may include:

  • Full name
  • Email address
  • Company or organization name
  • Job title
  • Phone number
  • Billing address

5.2 Payment Information

Payment processing for the OpenGRC Portal is handled by Stripe, Inc., a PCI-DSS compliant third-party payment processor. When you make a payment, your payment card information is transmitted directly to Stripe and is not stored on our servers. Stripe's collection and use of your payment information is governed by their privacy policy, available at https://stripe.com/privacy. We receive only limited information from Stripe necessary to confirm transactions, such as the last four digits of your card and transaction status.

5.3 Purpose of Data Collection

We collect and process Portal data for the following purposes:

  • Provisioning and configuring your dedicated OpenGRC Application instance
  • Managing your subscription and processing payments
  • Providing customer support and technical assistance
  • Communicating important service updates and announcements
  • Internal customer relationship management

5.4 Cookies

The OpenGRC Portal uses cookies for session management to maintain your authenticated session while using the application. These cookies are strictly necessary for the Portal to function and cannot be disabled while using the service.

5.5 Use and Sharing of Portal Data

We do not sell, rent, or share your Portal data with third parties for their marketing purposes. Your information is used exclusively for the purposes outlined above. The only third-party service that receives your data is Stripe for payment processing, as described in Section 5.2.

6. OpenGRC Application

6.1 Customer Data Responsibility

The OpenGRC Application is a dedicated, standalone instance provisioned specifically for each customer. Any data stored within your OpenGRC Application instance, including any personal data or sensitive information, is your sole responsibility as the data controller.

OpenGRC, LLC acts as a data processor with respect to any personal data you store in your Application instance. We process this data only as necessary to provide the service and in accordance with your instructions. We do not access, use, analyze, or process the content of your Application data for any purpose other than providing and maintaining the service.

6.2 Cookies

The OpenGRC Application uses cookies for session management to maintain authenticated user sessions. These cookies are strictly necessary for the application to function properly.

6.3 Backups

OpenGRC, LLC performs nightly automated backups of all OpenGRC Application instances. These backups are encrypted and accessible only to authorized OpenGRC, LLC staff for the purposes of disaster recovery and service continuity. Backup data is subject to the same retention policies as active data and is deleted in accordance with Section 8 of this policy.

6.4 Customer Obligations

As a customer using the OpenGRC Application, you are responsible for:

  • Ensuring that your collection and use of personal data within the Application complies with all applicable privacy laws and regulations
  • Obtaining all necessary consents from individuals whose data you store in the Application
  • Maintaining appropriate privacy notices for your own users and data subjects
  • Responding to data subject requests related to data stored in your Application instance

7. Data Storage and Security

7.1 Data Location

All data associated with the OpenGRC Website, Portal, and Application is stored in Digital Ocean datacenters located in New York, United States. Upon request, customers may arrange for their OpenGRC Application instance to be hosted in any datacenter location where Digital Ocean operates. Additional terms may apply for alternative hosting locations.

7.2 Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS/SSL
  • Encryption of backup data at rest
  • Access controls limiting data access to authorized personnel only
  • Regular security assessments and monitoring
  • Secure software development practices

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

Portal and Application Data: Upon termination of your contract or subscription, we will retain your data for ninety (90) days to allow for account recovery or data export. After this period, all data will be securely deleted from our systems, including backups. You may request earlier deletion of your data by contacting us at [email protected].

Website Data: Server logs and analytics data are retained for a period of twelve (12) months, after which they are automatically deleted.

9. International Data Transfers

As our services are hosted in the United States, personal data collected from users in other jurisdictions, including the European Economic Area (EEA) and United Kingdom, will be transferred to and processed in the United States.

For transfers of personal data from the EEA or UK to the United States, we rely on Standard Contractual Clauses approved by the European Commission as a legal mechanism to ensure adequate protection for your data. You may request a copy of these clauses by contacting us at [email protected].

10. Your Rights Under GDPR

If you are located in the European Economic Area or United Kingdom, you have certain rights under the General Data Protection Regulation (GDPR) with respect to your personal data. These rights include:

  • Right of Access: You may request a copy of the personal data we hold about you.
  • Right to Rectification: You may request that we correct any inaccurate or incomplete personal data.
  • Right to Erasure: You may request that we delete your personal data, subject to certain exceptions.
  • Right to Restriction of Processing: You may request that we limit how we use your personal data.
  • Right to Data Portability: You may request a copy of your data in a structured, machine-readable format.
  • Right to Object: You may object to the processing of your personal data in certain circumstances.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your jurisdiction.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within thirty (30) days.

11. Legal Basis for Processing (GDPR)

For users in the EEA and UK, we process personal data on the following legal bases:

  • Contract Performance: Processing necessary for the performance of a contract to which you are a party, such as providing the OpenGRC Portal and Application services.
  • Legitimate Interests: Processing necessary for our legitimate interests, such as improving our services, ensuring security, and analyzing website usage, where such interests are not overridden by your rights.
  • Legal Obligation: Processing necessary to comply with legal obligations to which we are subject.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have certain rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request that we delete your personal information, subject to certain exceptions.
  • Right to Correct: You may request that we correct inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising purposes.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise these rights, please contact us at [email protected]. We will verify your identity before processing your request.

13. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete such information promptly. If you believe we may have collected information from a child under 16, please contact us at [email protected].

14. Third-Party Links and Services

Our services may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will notify you by posting the updated policy on our website with a new effective date. For significant changes, we may also provide notice via email to registered Portal users. Your continued use of our services after any changes constitutes your acceptance of the updated policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

OpenGRC, LLC

Privacy Inquiries

Email: [email protected]

We are committed to resolving any complaints about our collection or use of your personal data. We will respond to all inquiries within thirty (30) days of receipt.


Last Updated: January 1, 2026