Privacy Policy

Last updated: 17 May 2026

1. Introduction

PathSeal ("PathSeal", "we", "our", or "us") operates the PathSeal compliance platform accessible at pathseal.com. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services.

We are committed to GDPR compliance and to processing personal data lawfully, fairly, and transparently. If you have any questions, please contact us at privacy@pathseal.com.

2. Data Controller

PathSeal is the data controller for the personal data we collect directly from you, such as account, usage, payment and communications data. For the compliance evidence and organisational data that our customers (organisations) upload to the platform, the customer is the data controller and PathSeal acts as a data processor on the customer's instructions.

Contact for data protection matters: privacy@pathseal.com

3. Data We Collect

We collect the following categories of personal data:

Account data: Name, email address, job title, and authentication credentials when you create an account.

Organisational data: Organisation name, industry, and compliance-related information you provide.

Usage data: Log data, IP addresses, browser type, pages visited, and actions taken within the platform.

Payment data: Billing address and payment method details (processed by Stripe — we do not store card numbers).

Communications: Messages sent via our contact form or support channels.

Evidence and compliance data: Documents, policies, and evidence you upload to the platform (processed on your behalf as a data processor).

4. Legal Basis for Processing

We process personal data on the following legal bases:

Contract performance (Art. 6(1)(b) GDPR): To provide you with the PathSeal service, manage your account, and process payments.

Legitimate interests (Art. 6(1)(f) GDPR): To improve our services, ensure platform security, prevent fraud, and send relevant product updates.

Consent (Art. 6(1)(a) GDPR): For marketing communications, where you have explicitly opted in.

Legal obligation (Art. 6(1)(c) GDPR): To comply with applicable laws, including tax and financial reporting requirements.

5. How We Use Your Data

We use your personal data to:

• Provide, operate, and improve the PathSeal platform

• Authenticate you and manage your account

• Process payments and manage subscriptions

• Send transactional emails (account notifications, invoices, security alerts)

• Respond to support requests and enquiries

• Monitor and improve platform security

• Comply with legal obligations

• Send product updates and marketing communications (where you have consented or where we have a legitimate interest, with an easy opt-out)

6. Data Storage and EU Residency

All personal data and compliance evidence is stored within the European Union (EU). We use EU-based infrastructure provided by:

• **Neon** (PostgreSQL database) — Frankfurt, Germany

• **Vercel** — EU region deployments

• **AWS S3** — EU (Frankfurt) region for file storage

We do not transfer personal data outside the EEA without appropriate safeguards (Standard Contractual Clauses or adequacy decisions).

7. Data Retention

We retain personal data for as long as necessary to provide our services and comply with legal obligations:

• **Account data**: Retained for the duration of your account, plus 30 days after deletion to allow recovery.

• **Compliance evidence**: Retained for the duration of your subscription. After termination, you may request an export of your evidence within 30 days; once that period ends, the evidence is deleted.

• **Billing records**: Retained for 7 years to comply with financial regulations.

• **Log data**: Retained for 90 days.

8. Data Sharing

We share personal data only with:

Sub-processors required to deliver our service, including: Neon (database), Vercel (hosting), AWS (storage), Stripe (payments), Resend (transactional email). All sub-processors are bound by data processing agreements.

Legal authorities: Where required by law or to protect our rights.

We never sell your personal data to third parties.

9. Your Rights Under GDPR

As a data subject, you have the following rights:

• **Right of access** (Art. 15): Request a copy of your personal data.

• **Right to rectification** (Art. 16): Correct inaccurate or incomplete data.

• **Right to erasure** (Art. 17): Request deletion of your data ("right to be forgotten").

• **Right to restrict processing** (Art. 18): Limit how we use your data.

• **Right to data portability** (Art. 20): Receive your data in a machine-readable format.

• **Right to object** (Art. 21): Object to processing based on legitimate interests.

• **Rights related to automated decision-making** (Art. 22): We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, email privacy@pathseal.com. We will respond within 30 days.

10. Cookies

We use the following types of cookies:

Strictly necessary: Session authentication tokens required to operate the service. These cannot be disabled.

Analytics: We use PostHog (EU-hosted) to understand how users interact with the platform. You can opt out via your account settings.

We do not use third-party advertising or tracking cookies.

11. Security

We implement industry-standard security measures to protect your data, including:

• Encryption in transit (TLS 1.3) and at rest (AES-256)

• Regular security audits and penetration testing

• Role-based access control and least-privilege principles

• SOC 2-aligned operational controls

• Employee security training

In the event of a personal data breach, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by Art. 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also inform affected users without undue delay (Art. 34 GDPR). Where we act as a data processor, we will notify the affected customer (the data controller) without undue delay so that it can meet its own obligations.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and will post the updated policy on this page with a new "Last updated" date. Your continued use of PathSeal after changes constitutes acceptance of the updated policy.

13. Contact and Complaints

For privacy-related questions or to exercise your rights: privacy@pathseal.com

You also have the right to lodge a complaint with your national data protection supervisory authority. In the EU, you can find your authority at edpb.europa.eu/about-edpb/board/members.