Privacy Policy

Effective date: 13 April 2026

1. Data Controller

The controller of your personal data is Guardiso — a sole proprietorship operated by Michal Lewandowski, based in Poland. Contact details for the controller are provided in section 10.

Data protection contact:

General email: info@guardiso.com
Security email: security@guardiso.com

2. Data We Collect

We collect the following categories of personal data:

Category	Details	Source
Account data	Email address, full name, profile picture	Google OAuth
Organization data	Company name, industry, size, location	Provided by user
Usage data	Access logs, IP addresses, browser type, in-app actions	Automatic
User content	Policies, risks, controls, evidence, questionnaires	Provided by user

3. Purposes & Legal Bases

We process your data on the following legal bases (GDPR Art. 6):

Purpose	Legal Basis
Service delivery (account, dashboard, ISMS features)	Art. 6(1)(b) — contract performance
Security & fraud prevention	Art. 6(1)(f) — legitimate interest
Communications (transactional email, notifications)	Art. 6(1)(b) — contract performance
AI processing (policy generation, analysis)	Art. 6(1)(b) — contract performance
Legal obligations (accounting, taxes)	Art. 6(1)(c) — legal obligation

4. Data Retention

Data Type	Retention Period
Account & organization data	Until account deletion
User content (policies, risks, etc.)	Until account deletion
Access & usage logs	90 days
Billing data	5 years (legal obligation)

After account deletion, your data will be permanently removed within 30 days. Backups are purged within 90 days.

5. Data Recipients

We share your data with the following entities to the extent necessary for service delivery:

Recipient	Purpose	Location
Scaleway SAS	Application hosting, database, object storage, container registry	Warsaw, Poland
Anthropic PBC	AI Copilot query processing (optional) — query text only, transient processing	US (SCC + DPA)
OpenAI LLC	Generating embedding vectors for semantic search across the knowledge base (RAG)	US (SCC + DPA)
Google LLC	OAuth 2.0 authentication	US / EU
Resend Inc	Transactional email (invitations, notifications, password resets)	US (SCC)
Stripe Inc	Subscription payment processing — Guardiso never stores card data	US / Ireland (SCC + DPA)
Cloudflare Inc	DNS, DDoS protection, WAF, edge caching	US / EU (DPA)

A full list of subprocessors is available at /subprocessors.

6. International Transfers

Your data is stored on Scaleway servers in Warsaw (Poland), within the European Union.

AI features are optional. When a user uses AI Copilot, only the query content (for example a policy text to generate) is sent to Anthropic PBC (US). For semantic search across the knowledge base, document fragments are processed by OpenAI LLC (text-embedding-3-small model) to generate embedding vectors. Both providers operate under DPAs and Standard Contractual Clauses (SCCs), do not retain content after the request completes and do not use customer data to train AI models.

Subscription payments are handled by Stripe Inc (US / Ireland). Guardiso never sees or stores full payment card data — card details are passed directly to Stripe through their secure forms. Transfer is based on Stripe SCCs and DPA.

Your database, files, policies, risks, evidence and organisation configuration never leave the Scaleway data center in Warsaw.

7. Your Rights

Under GDPR, you have the following rights:

Right of access — you can request a copy of your personal data
Right to rectification — you can request correction of inaccurate data
Right to erasure — you can request deletion of your data ("right to be forgotten")
Right to portability — you can receive your data in a machine-readable format
Right to restriction — you can request restriction of processing in certain situations
Right to object — you can object to processing based on legitimate interest

To exercise your rights, contact us at info@guardiso.com.

You also have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland.

8. Cookies

We use cookies for proper service operation, authentication, and language preferences. For detailed information, see our Cookie Policy.

9. Changes to This Policy

We reserve the right to update this privacy policy. We will notify you of material changes via email or in-app notification with 30 days' advance notice.

10. Contact

If you have questions about this privacy policy or data processing, please contact us:

Controller: Guardiso (sole proprietorship of Michal Lewandowski)
Place of business: Poland
General email: info@guardiso.com
Security email: security@guardiso.com