Ervian

Privacy Policy

Effective date: June 15, 2026  ·  Last updated: June 15, 2026

Ervian ("we", "us", "our") operates ervian.app. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding it. We take privacy seriously — our platform helps organizations manage compliance, and we hold ourselves to the same standard we help our customers achieve.

Contents
1. Information We Collect
2. How We Use Information
3. Organization Data and Compliance Records
4. Data Sharing
5. Data Retention
6. Security
7. Organization Data Isolation
8. Cookies and Tracking
9. Your Rights
10. International Data Transfers
11. Children's Privacy
12. Changes to This Policy
13. Contact

1. Information We Collect

Account and organization information

  • Account: Email address, password (stored as a bcrypt hash — we never store plaintext passwords), account creation date
  • Organization: Organization name, industry, company size, timezone, subscription plan
  • Business profile: Business name, entity type, formation state, country, revenue range, employee count, product categories, operating states

Team member information

  • Email addresses of invited team members
  • Role assignments within your organization
  • Invitation status and acceptance dates
  • Activity logs (who created, updated, or completed records)

Compliance operations data

When you use Ervian to manage compliance, we store:

  • Obligations: Compliance obligation records, due dates, owners, status, and completion dates
  • Tasks: Task titles, descriptions, assignees, due dates, status, and priority
  • Evidence: Evidence request details, collection instructions, submission dates, approval status, reviewer notes, and evidence metadata. We store evidence records and associated files you upload.
  • Compliance requests: Request titles, assignees, due dates, status history, and linked evidence
  • Audit records: Audit workspace details, linked obligations, evidence references, and readiness scores

Vendor information

  • Vendor names, categories, contact details, and owner assignments
  • Risk assessment scores and review dates
  • DPA status, contract dates, and renewal information
  • Questionnaire titles, statuses, and completion dates

Training and acknowledgement records

  • Training assignment details: title, type, assignee name and email, due dates, completion dates
  • Certification records: name, holder, issuer, expiry dates
  • Policy acknowledgement records: policy title, version, assignee, acknowledgement date

Usage data

  • Pages visited, features used, session duration
  • Browser type, operating system, IP address
  • Error logs and performance data

Payment information

Payment details (card number, billing address) are collected and stored by Stripe, our payment processor. We do not store full payment card information. We receive and store subscription status, plan tier, and billing history.

2. How We Use Information

Purpose | Information used
Operating the platform | All account, organization, and compliance data
Matching obligations to your profile | Business profile information
Calculating readiness scores | Obligation, evidence, and task records
Sending deadline reminders and alerts | Email address, obligation due dates
Team collaboration features | Team member emails and role assignments
Generating reports | All compliance operations data for your organization
Processing payments | Subscription and billing data via Stripe
Customer support | Account information, error logs
Security and fraud prevention | Usage data, IP addresses
Product improvement | Aggregated, anonymised usage patterns

3. Organization Data and Compliance Records

Your organization owns its data

All compliance records, evidence, vendor information, training records, and other data created or uploaded by your organization remain the property of your organization. Ervian processes this data to operate the Service. We do not claim ownership of your compliance data.

Evidence files

Evidence files you upload (documents, screenshots, certificates) are stored securely and are accessible only to members of your organization with appropriate permissions. Ervian does not access, review, or use your evidence files for any purpose other than storing and delivering them to your team, subject only to the exceptions listed under "Compliance record confidentiality" below.

Compliance record confidentiality

We treat your compliance records with strict confidentiality. Ervian staff do not access your organization's compliance data except: (a) to provide support you have requested, (b) to investigate a reported security incident, or (c) when required by law.

Sub-processors

We may use sub-processors to store and process data on our behalf. Current key sub-processors include: cloud hosting infrastructure, SendGrid (email delivery), Stripe (payment processing). We require sub-processors to maintain appropriate security standards.

4. Data Sharing

We do not sell your personal data. We do not share your compliance data with third parties for their own marketing or commercial purposes.

We may share information:

  • With your organization's team members according to their assigned roles and permissions
  • With sub-processors necessary to operate the Service (hosting, email, payments)
  • When required by law or valid legal process, after notifying you where permitted
  • In a business transfer such as a merger or acquisition, where your data may transfer to a successor entity

5. Data Retention

Active accounts

We retain your data for as long as your organization's account is active. Compliance records are retained to support your ongoing audit readiness needs.

After account cancellation

When you cancel your subscription, your organization data is retained for 30 days to allow you to export records. After 30 days, organization data is scheduled for deletion from production systems. Backups are retained for up to 90 days after production deletion.

Specific record types

  • Evidence records: Retained for the life of your account plus 30 days post-cancellation
  • Training and acknowledgement records: Retained for the life of your account plus 30 days
  • Vendor records: Retained for the life of your account plus 30 days
  • Audit records: Retained for the life of your account plus 30 days
  • Usage logs: Retained for up to 12 months
  • Payment records: Retained as required by applicable financial regulations (typically 7 years)

6. Security

We implement appropriate technical and organizational security measures including:

  • Passwords stored using bcrypt hashing — plaintext passwords are never stored
  • Data encrypted in transit using TLS
  • Role-based access controls enforced at the application level
  • Organization data isolation enforced at both application and database levels
  • Access to production systems restricted to authorized personnel

No system is perfectly secure. We cannot guarantee that security measures will prevent all unauthorized access. In the event of a security breach affecting your data, we will notify you as required by applicable law.

To report a security concern: security@ervian.app

7. Organization Data Isolation

Ervian enforces strict isolation between organizations. Users from one organization cannot access data belonging to another organization. This is enforced at the application level through organization-scoped data access controls, and at the database level as described in Section 6. Our architecture ensures that all data queries are filtered to the organization of the authenticated user.
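The following is an added illustration of the organization-scoped access pattern described above; it is not Ervian's code, and every name in it (User, Record, RECORDS, fetch_unscoped, fetch_scoped, list_scoped, can_read) is hypothetical. It contrasts a lookup by record id alone, which lets any signed-in user read another organization's record by guessing an id, with a lookup whose organization filter comes from the verified session and is part of the query predicate, so a cross-organization id is indistinguishable from a nonexistent one.

```python
"""Organization-scoped data access (added example, not Ervian's code).

The organization id used for filtering is taken from the authenticated
session (the User object), never from a client-supplied parameter.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str  # populated from the verified session, not the request body


@dataclass(frozen=True)
class Record:
    record_id: str
    org_id: str
    title: str


class NotFound(Exception):
    """Raised for both nonexistent and other-organization records, so the
    response does not reveal that a record exists elsewhere."""


# Constructed sample data: two organizations share one table.
RECORDS = {
    "ob-1001": Record("ob-1001", "org-a", "Access review (quarterly)"),
    "ob-1002": Record("ob-1002", "org-b", "DPIA refresh"),
    "ob-1003": Record("ob-1003", "org-a", "Vendor DPA renewal"),
}


def fetch_unscoped(record_id: str) -> Optional[Record]:
    """The failure mode: lookup by id alone. A user who guesses or increments
    an id reads a record that belongs to a different organization."""
    return RECORDS.get(record_id)


def fetch_scoped(user: User, record_id: str) -> Record:
    """Tenant-safe lookup: the organization filter is part of the predicate,
    and a cross-organization id raises the same NotFound as a missing one."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.org_id != user.org_id:
        raise NotFound(record_id)
    return rec


def list_scoped(user: User) -> list[Record]:
    """Listing is filtered the same way; there is no unfiltered list API."""
    return [r for r in RECORDS.values() if r.org_id == user.org_id]


def update_scoped(user: User, record_id: str, new_title: str) -> Record:
    """Write paths go through the same scoped read, so a cross-organization
    update fails before anything is modified."""
    current = fetch_scoped(user, record_id)
    updated = Record(current.record_id, current.org_id, new_title)
    RECORDS[record_id] = updated
    return updated


def can_read(user: User, record_id: str) -> bool:
    """Convenience predicate used in tests: True only when the scoped read succeeds."""
    try:
        fetch_scoped(user, record_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    alice = User("u-1", "org-a")
    # Unscoped lookup leaks org-b's record to an org-a user.
    print("unscoped:", fetch_unscoped("ob-1002"))
    # Scoped lookup denies it and lists only org-a's records.
    print("scoped can read ob-1002:", can_read(alice, "ob-1002"))
    print("scoped list:", [r.record_id for r in list_scoped(alice)])
```

The check a reviewer applies to code like this is simple: find every query that accepts a record id from the client and confirm the organization predicate is derived from the session, not from the request, on both read and write paths.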

8. Cookies and Tracking

We use essential cookies to maintain your logged-in session. We may use analytics cookies (e.g. anonymised usage statistics) to understand how the platform is used and improve it. We do not use advertising or cross-site tracking cookies.

You can disable cookies through your browser settings, though this may prevent the platform from functioning correctly.

9. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of personal data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Portability: Request your data in a portable format
  • Objection: Object to certain processing activities

Organization Owners and Administrators can remove team members and manage organization data directly within the platform. For personal data requests, contact privacy@ervian.app.

10. International Data Transfers

Ervian is operated from the United States. If you are located outside the US, your information may be transferred to and processed in the US. We take steps to ensure appropriate safeguards are in place for international transfers.

11. Children's Privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@ervian.app.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notice at least 14 days before the changes take effect. The "Last updated" date at the top of this policy reflects the most recent revision.

13. Contact

For privacy questions or data requests:
privacy@ervian.app

For security concerns:
security@ervian.app

Ervian — ervian.app

© 2026 Ervian · Terms of Service · Privacy Policy