Legal
Privacy policy.
Effective 2026-05-08 · Last updated 2026-05-08
This policy explains what data IlluminateRisk collects, what we do
with it, and your rights. It applies to illuminaterisk.ai,
platform.illuminaterisk.ai, and every tenant subdomain
of the form {your-org}.illuminaterisk.ai
(collectively, the "Service").
Customers governed by GDPR (EU/EEA, UK Data Protection Act, or Switzerland) — see the GDPR statement for the controller/processor relationship, legal basis, and supervisory-authority contacts.
1. Who we are
IlluminateRisk (the "Service") is operated by IlluminateRisk Inc., a Delaware C-corp headquartered in the United States. Address available on request to support@illuminaterisk.ai. For privacy questions specifically, email privacy@illuminaterisk.ai.
2. What we collect
We collect three categories of data, all minimal-necessary:
- Account data. Email address, hashed password, optional 2FA secret, sign-in events. Sufficient to authenticate and audit.
- Workspace data. Documents, cases, parties, findings, datasets — the content you upload as a customer of the Service. Stored per-tenant; never co-mingled across organizations.
- Operational telemetry. IP address, user agent, and audit-event metadata for every action that mutates state. Required for SOC 2 and to detect abuse.
3. What we don't collect
- Analytics trackers. No Google Analytics, no Facebook Pixel, no Hotjar, no session replay. The marketing site loads no third-party JavaScript except Stripe (only on the billing-card setup page) and Cloudflare Turnstile (only on the public lead form, only when configured).
- Card numbers. Stripe's hosted iframe handles card capture; we receive a tokenized payment-method id and the safe display metadata (brand, last 4, expiry) — never the PAN.
- Email content. Replies to our notification emails go to support@illuminaterisk.ai and are not ingested into the analyst tool unless you explicitly upload them as a document.
- Cookies for advertising. The cookies we set are session/auth (essential), antiforgery (essential), and Stripe's iframe cookies on the billing page (essential for card setup). No tracking cookies, no consent banner is required because we set no non-essential cookies.
4. How we use it
Account data + workspace data run the Service: authenticating you, rendering your data, running rules, sending notifications you've configured. Operational telemetry runs the audit log + abuse detection. We don't sell data to third parties under any definition, and we don't share it for advertising or marketing.
Sub-processors (current as of the effective date above):
- Amazon Web Services (us-east-2, Ohio) — application hosting, object storage (S3), transactional email delivery (SES).
- Stripe, Inc. (US) — payment processing. Card numbers never reach our servers; Stripe's hosted iframe handles capture and we receive a tokenized payment-method id only.
- Cloudflare (US) — bot-protection (Turnstile) on the public marketing form. Activated only when configured.
All sub-processors are bound by data-protection terms equivalent to what we offer you. We notify you by email at least 30 days before adding a new sub-processor with access to customer workspace data.
Data is stored exclusively in the United States (AWS us-east-2). We don't transfer data outside the US. EU/UK customer data sent to the US relies on Standard Contractual Clauses; see the GDPR statement.
5. Your rights
Wherever you are, you have:
- Right of access & portability. Export every
record we hold for your workspace as a ZIP from
illuminaterisk.ai/portal/orgs/{slug}/export. Export is available to organization Admins; CSV plus JSON for structured records, original binaries for documents. - Right to erasure. Delete your entire workspace
from
/portal/orgs/{slug}/delete. Workspace content (documents, datasets, cases, parties, findings) is hard-deleted. Audit-log entries that referenced erased actors keep the action record for SOC 2 compliance but replace the actor identifier with an irreversible sentinel. - Right to correct. Every record is editable in-product by an Admin or the record's owner.
- Right to object & restrict processing. Email privacy@illuminaterisk.ai; we'll respond within 30 days.
- Right to lodge a complaint with your supervisory authority (e.g. ICO in the UK, your EU member state DPA, your Canadian provincial privacy commissioner).
6. Retention
Workspace data is retained while your subscription is active and for 30 days after cancellation (read-only access). Deletion via the org-delete page is immediate.
Audit-log entries are retained indefinitely (SOC 2 control). Erased-user entries carry a non-reversible sentinel in place of the user id — the action record persists; the identity does not.
7. Security
SOC 2-aware controls baked in: per-host cookie isolation, append-only audit log, ClamAV virus scan on uploads, magic-byte content-type validation, password complexity + lockout, optional 2FA. Document blobs are stored per-tenant; no cross-tenant data path exists in the codebase.
Suspected security issue? support@illuminaterisk.ai.
8. Changes to this policy
We'll notify customers by email of any material change at least 30 days before it takes effect. The effective date at the top of the page is the source of truth.
Last reviewed 2026-05-08. Questions: privacy@illuminaterisk.ai.