Trust Center / Privacy
Privacy & data handling
A practical description of what data IlluminateRisk collects, why we collect it, how long we keep it, and how customers can exercise rights over their data. This page complements (but does not replace) the Privacy Policy and the Data Processing Addendum.
Downloaded from https://illuminaterisk.ai/trust/privacy.
Two kinds of data
IlluminateRisk handles two distinct kinds of personal data, and the controls around each are different:
- Account data we collect directly from our customers (a user's email, password hash, role, the organization they belong to, billing contact details). IlluminateRisk is the controller for this data.
- Customer Personal Data contained in documents and datasets that customers upload while investigating cases (names, addresses, SSNs, employer IDs, payment records). IlluminateRisk is a processor for this data; the customer is the controller.
What we collect (account data)
| Field | Purpose |
|---|---|
| Email address | Sign-in, transactional notifications, billing receipts. |
| Password hash | Authentication. Stored as a salted PBKDF2 hash; the cleartext password is never written to disk or logged. |
| Display name (optional) | Shown in audit-log entries so other org members can see who took an action. |
| Organization slug + role | Determines which tenant's data the user can access and which actions they can take. |
| Billing contact + tokenized card details | Subscription billing. Card numbers are tokenized by Stripe; IlluminateRisk never sees the PAN. See Subprocessors. |
| IP address (auth + uploads only) | Rate-limiting and audit. Stored on the audit-event row for the relevant action; not used for analytics or tracking. |
What we hold on the customer's behalf (Customer Personal Data)
Customers upload documents and datasets in the course of investigations. These may contain personal data about individuals who are not IlluminateRisk customers (employees, vendors, payees, claimants). We are a processor for that content. We do not access it for operational reasons, we do not use it for analytics, and we do not use it to train models. Every access to Customer Personal Data by IlluminateRisk personnel is audit-logged at the row level.
How long we keep it
| Data | Retention |
|---|---|
| Active customer documents and case work product | For the life of the subscription, plus 30 days after termination unless the customer requests immediate deletion. |
| Account credentials and billing records | For the life of the account, plus the period required by applicable tax and accounting law (typically 7 years). |
| Audit log entries | Minimum of 12 months. Some entries are retained longer for compliance evidence. |
| System logs (application, nginx, host) | 30 days on the host. Aggregated metrics may be retained longer in a depersonalized form. |
| Email delivery records (bounces, complaints, suppression list) | For the life of the account, so we don't accidentally re-deliver to addresses that have unsubscribed or hard-bounced. |
What we don't do
- We do not sell personal data, ever. There is no third-party tracking on the marketing site beyond what's necessary to serve the page (no Google Analytics, Segment, Mixpanel, etc.).
- We do not use Customer Personal Data to train AI models. The classifier and entity-extraction components run on our own infrastructure with models we ship with the product.
- We do not send customer documents to third-party LLM providers. The report-commentary feature uses a local language model that runs entirely on infrastructure we operate.
- We do not market to addresses from a customer's documents — they aren't our marketing list.
Subject rights
Individuals whose personal data is contained in a customer's IlluminateRisk account (e.g., a person named in an investigation) should direct rights requests to the customer, who is the controller. We will support customers in fulfilling such requests on a reasonable-effort basis.
For IlluminateRisk's own account holders, you may at any time:
- Request a copy of the personal data we hold about you as an account holder.
- Correct inaccurate or out-of-date data via the account settings page or by contacting us.
- Request deletion of your account; we will delete or anonymize the data, subject to legal-retention exceptions (billing, audit log).
- Withdraw consent for marketing email at any time via the unsubscribe link in any non-transactional message.
Submit requests to support@illuminaterisk.ai. We respond within thirty (30) days and will identify-verify in line with applicable law before disclosing any account data.
Export & deletion (customer-side)
Customers can export their data at any time via the in-product export flow: documents are downloadable individually or in bulk; case work product (findings, reports, parties, audit entries) exports as JSON. A full-account GDPR-style export covering every record tied to an organization is available on request through the account owner.
Account deletion is a customer-initiated action; the request triggers an
OrgErasureService pass that removes case data, documents,
datasets, findings, and party records associated with the organization.
Audit-log entries are retained for the period above so the deletion
itself remains accountable.
Cross-border transfers
All Customer Personal Data is stored in the United States (AWS us-east-2, Ohio). Customers in jurisdictions whose data-protection laws restrict transfers to the US should sign IlluminateRisk's Standard Contractual Clauses (SCCs) as part of the DPA package. Contact support@illuminaterisk.ai.
Cookies & tracking
The marketing site and Trust Center pages set no analytics cookies. The Platform application sets cookies strictly necessary for authentication and CSRF protection (per-tenant cookies scoped to the tenant subdomain). No advertising or cross-site tracking takes place.
Children
IlluminateRisk is a B2B tool not directed at children. We do not knowingly collect personal data from children under sixteen. If we learn we hold such data, we delete it without delay.
Contact
Privacy questions: support@illuminaterisk.ai. Legal / DPA / SCCs: support@illuminaterisk.ai.