Privacy Policy
Last updated: 13 April 2026
1. Introduction
Crown Signet LLC ("we", "our", "us") is the controller for personal information collected through the VeriGRC marketing website at verigrc.com, contact forms, account administration, and our own operational and security records. For Customer Data submitted to the VeriGRC platform at app.verigrc.com by or on behalf of a customer organisation, Crown Signet LLC generally acts as a processor or service provider under that organisation's instructions. This Privacy Policy explains what personal data we collect, how we use it, the legal basis for processing, and your rights in relation to it.
If you have questions about this policy or wish to exercise your rights, contact us at support@verigrc.com.
2. Information we collect
We collect the following categories of personal data:
- Account information — name, work email address, organisation name, and a hashed password when you register for a VeriGRC account.
- Contact form submissions — name, work email, company name, subject, and message content submitted via the /contact page.
- Usage telemetry — page views, feature interactions, and session metadata collected through Plausible Analytics, which is configured without cookies and is designed to provide aggregate website analytics without directly identifying visitors.
- Vendor portal submissions — assessment responses, evidence documents, and contact details submitted by third-party vendors at the request of a customer organisation.
- Integration data — data received through inbound integrations (e.g. vulnerability scan results, cloud security findings) as configured by administrators.
3. How we use your information
We process personal data on the following legal bases under GDPR Article 6:
- Contract — Art 6(1)(b): to create and manage your account, operate and deliver the VeriGRC platform, send transactional emails (assessment notifications, password resets) via Resend, and respond to contact form enquiries.
- Legitimate interest — Art 6(1)(f): to monitor service performance and uptime, detect and prevent abuse, improve the platform using aggregated usage telemetry, and maintain append-only audit logs required for multi-tenant security and compliance obligations.
We do not use your personal data for advertising. We do not sell personal data to third parties.
4. Data processors and sub-processors
We share data only with the following sub-processors necessary to operate the service:
- OVHcloud — hosting, database, object storage, and backup infrastructure for the VeriGRC platform.
- Resend — transactional email delivery for assessment notifications, account emails, and system alerts.
- Anthropic — AI inference for the VeriGRC AI Assistant, where enabled. Under our API agreement, prompts and responses are not used to train Anthropic models.
- Plausible Analytics — aggregate analytics for the verigrc.com marketing site. We do not use Plausible for behavioural advertising or cross-site tracking.
- Google reCAPTCHA — bot detection on the contact form.
All sub-processors are contractually bound to process data only as instructed and to maintain appropriate technical and organisational security measures.
5. Cookies and analytics
The verigrc.com marketing website uses Plausible Analytics, which is configured without cookies. No tracking or analytics cookies are set on the marketing site, and we do not use Plausible for behavioural advertising or cross-site tracking. The VeriGRC application at app.verigrc.com uses a single session cookie strictly necessary for authentication; this cookie is not used for tracking purposes.
The /contact page uses Google reCAPTCHA v3 for bot detection. reCAPTCHA sets cookies and transmits data — including your IP address and browser fingerprinting signals — to Google's servers to assess whether the form submission is from a human. This processing is governed by Google's Privacy Policy and Terms of Service. No other third-party advertising or behavioural tracking cookies are used on any Crown Signet LLC property.
6. Data retention
Account and platform data is generally retained for the duration of the active subscription and for up to 90 days after termination, unless a different retention period is required by law, agreed in writing, or needed for security, fraud prevention, dispute resolution, or backup integrity. Append-only audit log records may be retained for up to 7 years to support security, compliance, legal, and audit obligations. Contact form submissions are retained for 24 months. You may request early deletion by contacting support@verigrc.com.
7. Your rights
Under GDPR and applicable data protection law, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your personal data, subject to legal retention obligations.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Restriction — request that we restrict processing in certain circumstances.
To exercise any of these rights, email support@verigrc.com. We will acknowledge your request within 5 business days and respond fully within 30 days.
8. International transfers
Data may be processed in the regions where Crown Signet LLC and its sub-processors operate. Where personal data is transferred outside the EEA or UK, we use appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms where required.
9. Contact and complaints
For privacy-related enquiries or to exercise your data subject rights, contact us at support@verigrc.com or through our Contact page.
You also have the right to lodge a complaint with your local supervisory authority. In the UK this is the ICO (ico.org.uk); in Ireland this is the DPC (dataprotection.ie).
This Privacy Policy may be updated from time to time. Material changes will be posted on this page with a revised "Last updated" date.