Privacy Policy
Effective date: January 1, 1970
Scarlet Risk, Inc. ("Scarlet Risk," "we," "us," or "our") operates the Cardinal platform — an AI-powered risk intelligence and governance, risk, and compliance (GRC) suite that includes Cardinal Comply, Cardinal Intel, and Cardinal Finance. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you use our website, applications, and related services (collectively, the "Services"). By using the Services, you agree to the practices described below.
1. Information we collect
- Account information: name, email address, job title, and password credentials.
- Company information: company name, industry, size, and compliance frameworks relevant to your account.
- Usage data: pages visited, features used, session duration, IP address, browser type, device identifiers, and similar telemetry.
- Assessment results: vendor risk assessments, generated risk registers, incident response plans, policy libraries, security quiz results, intel briefings, and any content you input into the Cardinal platform.
- Payment information: billing details processed through our payment processor, Stripe. Scarlet Risk does not store full payment card numbers.
2. How we use your information
- To deliver and maintain Cardinal platform services.
- To generate AI-powered risk assessments, policy drafts, compliance gap analyses, and intel briefings.
- To process payments and manage subscriptions.
- To communicate with you about your account, security alerts, product updates, and customer support requests.
- To monitor, secure, debug, and improve the Services.
- To comply with legal obligations.
3. Data storage
Customer data is hosted in our managed backend (Supabase) on United States–based infrastructure. We use industry-standard encryption in transit (TLS) and at rest. Access to production data is restricted to authorized personnel and audited.
4. Third-party service providers
We share limited information with sub-processors that help us operate the Services. Each is bound by contractual confidentiality and data protection obligations:
- Anthropic (Claude API): AI model inference for policy generation, risk analysis, and intel briefings.
- Stripe: payment processing and subscription billing.
- Resend: transactional email delivery.
- Supabase: managed database, authentication, and file storage.
We do not sell your personal information to third parties.
5. Your rights
You have the right to access, correct, export, or delete the personal information we hold about you. To exercise any of these rights, contact privacy@scarletrisk.com. We will respond within the timeframes required by applicable law.
6. Cookies
Scarlet Risk uses essential cookies only — strictly necessary to keep you authenticated and to maintain your session. We do not use advertising or third-party tracking cookies. You may disable cookies in your browser, but core features (such as login) will not function correctly.
7. GDPR and CCPA compliance
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR), including the right to access, rectification, erasure, restriction, portability, and objection. Our lawful bases for processing include contract performance, legitimate interests, and consent where required.
If you are a California resident, the California Consumer Privacy Act (CCPA) and CPRA give you the right to know what personal information we collect, request deletion, opt out of any sale or sharing of personal information (we do not sell), and not be discriminated against for exercising your rights.
8. Data retention
We retain customer data for the duration of your active subscription plus 30 days after cancellation, after which data is deleted from production systems and removed from backups in the ordinary backup rotation. Aggregated or de-identified data may be retained longer for analytics and product improvement.
9. Children's privacy
The Services are intended for business use and are not directed to children under 16. We do not knowingly collect personal information from children.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or through an in-product notice at least 30 days before they take effect.
11. Contact
For privacy questions or requests, contact us at privacy@scarletrisk.com.
