IlluminateRisk

Legal

Privacy policy.

Effective 2026-05-08 · Last updated 2026-05-08

This policy explains what data IlluminateRisk collects, what we do with it, and your rights. It applies to illuminaterisk.ai, platform.illuminaterisk.ai, and every tenant subdomain of the form {your-org}.illuminaterisk.ai (collectively, the "Service").

Customers governed by GDPR (EU/EEA, UK Data Protection Act, or Switzerland) — see the GDPR statement for the controller/processor relationship, legal basis, and supervisory-authority contacts.

1. Who we are

IlluminateRisk (the "Service") is operated by IlluminateRisk Inc., a Delaware C-corp headquartered in the United States. Address available on request to support@illuminaterisk.ai. For privacy questions specifically, email privacy@illuminaterisk.ai.

2. What we collect

We collect three categories of data, all minimal-necessary:

3. What we don't collect

4. How we use it

Account data + workspace data run the Service: authenticating you, rendering your data, running rules, sending notifications you've configured. Operational telemetry runs the audit log + abuse detection. We don't sell data to third parties under any definition, and we don't share it for advertising or marketing.

Sub-processors (current as of the effective date above):

All sub-processors are bound by data-protection terms equivalent to what we offer you. We notify you by email at least 30 days before adding a new sub-processor with access to customer workspace data.

Data is stored exclusively in the United States (AWS us-east-2). We don't transfer data outside the US. EU/UK customer data sent to the US relies on Standard Contractual Clauses; see the GDPR statement.

5. Your rights

Wherever you are, you have:

6. Retention

Workspace data is retained while your subscription is active and for 30 days after cancellation (read-only access). Deletion via the org-delete page is immediate.

Audit-log entries are retained indefinitely (SOC 2 control). Erased-user entries carry a non-reversible sentinel in place of the user id — the action record persists; the identity does not.

7. Security

SOC 2-aware controls baked in: per-host cookie isolation, append-only audit log, ClamAV virus scan on uploads, magic-byte content-type validation, password complexity + lockout, optional 2FA. Document blobs are stored per-tenant; no cross-tenant data path exists in the codebase.

Suspected security issue? support@illuminaterisk.ai.

8. Changes to this policy

We'll notify customers by email of any material change at least 30 days before it takes effect. The effective date at the top of the page is the source of truth.

Last reviewed 2026-05-08. Questions: privacy@illuminaterisk.ai.