Privacy Policy
This Privacy Policy describes how Custodia, LLC collects, uses, stores, and protects your personal information when you use our CMMC compliance readiness platform.
1. Information We Collect
We collect information you provide directly, including: (a) Account Information: name, email address, password, phone number; (b) Organization Information: company name, address, CAGE code, industry, employee count, security officer details; (c) Compliance Data: policy documents, evidence files, SSP inputs, control implementation details, attestation records; (d) Payment Information: billing address and payment method (processed by Stripe; we do not store full card numbers); (e) Communications: support requests, feedback, and correspondence with our team.
2. Information Collected Automatically
When you use the Service, we automatically collect: (a) Usage Data: features accessed, actions taken, time spent, error logs; (b) Device Information: browser type, operating system, device identifiers; (c) Log Data: IP address, access times, pages viewed, referring URLs; (d) Cookies and Similar Technologies: session cookies for authentication, preference cookies, and analytics cookies (see Cookie Notice).
3. How We Use Your Information
We use collected information to: (a) provide, maintain, and improve the Service; (b) process transactions and send billing notices; (c) respond to support requests and communicate about your account; (d) generate AI-assisted content based on your inputs; (e) calculate compliance scores and readiness metrics; (f) detect and prevent fraud, abuse, and security incidents; (g) comply with legal obligations; (h) send product updates and, with your consent, marketing communications.
4. Third-Party Service Providers (Subprocessors)
We share data with trusted third parties who help us operate the Service: (a) Stripe, Inc. - payment processing (San Francisco, CA); (b) Google Cloud / Gemini AI - AI content generation (processes prompts containing your compliance data); (c) Neon, Inc. - database hosting (serverless PostgreSQL); (d) Vercel, Inc. - application hosting and analytics; (e) Email service providers for transactional emails. These providers are contractually bound to protect your data and use it only as directed by us.
5. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. After account termination, we retain data for up to 30 days to allow for data export requests, then delete it unless retention is required by law or for legitimate business purposes (e.g., billing records for 7 years). Evidence files and compliance documents may be retained longer if required for audit trails. You may request earlier deletion by contacting support@custodiallc.com.
6. Data Security
We implement industry-standard security measures including: (a) encryption of data in transit (TLS 1.2+) and at rest (AES-256); (b) access controls and authentication requirements; (c) regular security assessments and monitoring; (d) employee security training; (e) incident response procedures. However, no system is 100% secure. You are responsible for maintaining the security of your account credentials.
7. Your Rights and Choices
Depending on your jurisdiction, you may have rights to: (a) access the personal data we hold about you; (b) correct inaccurate data; (c) delete your data (subject to legal retention requirements); (d) export your data in a portable format; (e) object to or restrict certain processing; (f) withdraw consent where processing is based on consent. To exercise these rights, email privacy@custodiallc.com. We will respond within 30 days.
8. International Data Transfers
Custodia is based in the United States. If you access the Service from outside the U.S., your data will be transferred to and processed in the U.S., which may have different data protection laws than your jurisdiction. By using the Service, you consent to this transfer. We implement appropriate safeguards for international transfers as required by applicable law.
9. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal information, contact privacy@custodiallc.com.
10. California Privacy Rights
California residents have additional rights under the CCPA/CPRA, including: the right to know what personal information we collect, sell, or disclose; the right to delete personal information; the right to opt out of sale/sharing (we do not sell personal information); and the right to non-discrimination for exercising privacy rights. To submit a request, email privacy@custodiallc.com with "California Privacy Request" in the subject line.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or in-app notice at least 30 days before they take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy. The "Effective Date" at the top indicates when the policy was last revised.
12. Contact Us
For privacy-related questions or to exercise your rights, contact: Custodia, LLC, Privacy Inquiries, Pennsylvania, United States. Email: privacy@custodiallc.com. For general support: support@custodiallc.com.