Privacy Policy
Effective date: April 23, 2026
1. Who We Are
PostureCompass is operated by Seclight Inc., a corporation based in Montreal, Quebec, Canada. We are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, the General Data Protection Regulation (GDPR). Questions can be directed to our Privacy Officer at privacy@posturecompass.com.
2. Information We Collect
We collect: (a) Account data — name, work email, company name, and billing information provided during registration; (b) Asset & configuration data — metadata about the IT assets you connect to the Service, including hostnames, IP ranges, configuration states, and compliance scores; (c) Usage data — pages visited, features used, session duration, and error logs; (d) Communications — emails, support tickets, and survey responses you send us. We do not intentionally collect sensitive personal information (health, financial account numbers, government IDs).
3. How We Use Your Information
We use your data to: (a) provision and operate the Service; (b) process payments and manage subscriptions; (c) send transactional emails (invoices, alerts, security notifications); (d) improve product features through aggregate, anonymized analytics; (e) respond to support requests; and (f) comply with legal obligations. We do not use your data for targeted advertising and we never sell it to third parties.
4. Legal Bases for Processing (GDPR)
For users in the European Economic Area, we rely on the following legal bases: (a) Contract — processing necessary to deliver the Service; (b) Legitimate interests — product improvement and fraud prevention; (c) Legal obligation — compliance with applicable law; (d) Consent — marketing communications (you may withdraw consent at any time).
5. Data Sharing
We share data only with: (a) Sub-processors required to operate the Service (cloud hosting, payment processing, email delivery, error tracking) — each bound by data processing agreements; (b) Professional advisors (lawyers, accountants) under confidentiality obligations; (c) Law enforcement or regulators when required by law. A current list of sub-processors is available on request.
6. Data Security
We implement industry-standard controls including TLS encryption in transit, AES-256 encryption at rest, role-based access control, multi-factor authentication for internal systems, and regular third-party security assessments. Despite our efforts, no system is 100% secure. Please report suspected vulnerabilities to privacy@posturecompass.com.
7. Data Retention
We retain account data for the duration of your subscription plus 90 days to allow for recovery. Asset and configuration data is retained according to your plan's retention window (90 days for Free, 6 months for Core, 12 months for Scale and Hyperscale). Anonymized aggregate data may be retained indefinitely for product analytics.
8. International Transfers
Seclight Inc. is headquartered in Canada, which the European Commission has recognized as providing adequate data protection. Where we transfer data outside Canada or the EEA to sub-processors, we rely on Standard Contractual Clauses or equivalent safeguards.
9. Your Rights
Depending on your jurisdiction, you may have the right to: access the personal data we hold about you; correct inaccurate data; request deletion ("right to be forgotten"); restrict or object to processing; request data portability; and withdraw consent. To exercise any right, contact privacy@posturecompass.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
10. Cookies & Tracking
We use essential cookies for session management and authentication, and optional analytics cookies (PostHog or similar) to understand feature usage. You can disable non-essential cookies in your browser settings or via our cookie banner without affecting core functionality. We do not use third-party advertising trackers.
11. Children's Privacy
The Service is intended for business use and is not directed at children under 16. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact privacy@posturecompass.com and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notice at least 14 days before taking effect. The "Effective date" at the top of this page reflects the most recent revision.
13. Contact Us
Privacy Officer — Seclight Inc., Montreal, Quebec, Canada. Email: privacy@posturecompass.com. For GDPR-related requests you may also contact our EU representative if applicable.