Privacy Policy

Last updated May 26, 2026

ShieldScore provides compliance automation software for startups and small businesses. This Privacy Policy explains what information we collect, how we use it, and the choices available to customers, prospects, and end users who interact with our website, application, and support channels.

Information We Collect

We collect account details, organization details, billing information, uploaded evidence metadata, support correspondence, and technical usage data such as IP address, device and browser information, authentication events, and audit-log activity generated inside the product.

Uploaded evidence files are stored to support compliance workflows and are processed according to your workspace configuration, retention choices, and applicable contractual commitments.

How We Use Information

We use personal and organizational information to provide the ShieldScore service, authenticate users, secure accounts, process payments, deliver transactional emails, support customer requests, maintain audit trails, improve product performance, and comply with legal obligations.

Sharing and Subprocessors

We share data only with service providers necessary to operate ShieldScore, including infrastructure, payment, storage, email, and analytics vendors. Our primary processors currently include Railway, Vercel, AWS S3, Stripe, SendGrid, and managed PostgreSQL infrastructure on Railway.

We do not sell personal information or share customer data for third-party advertising.

Platform-Metadata Retention

Our infrastructure sub-processors (Railway, Vercel, AWS) maintain their own control-plane metadata — environment-variable change history, deployment logs, audit trails — as part of their platform services. This platform metadata is logically separate from ShieldScore application data and is retained per each provider's published platform policy. Detailed disclosure of what each platform retains, along with references to each provider's published retention policy, is available on request via privacy@shieldscore.ai.

Demo Session Data

Visitors who use the ShieldScore public demo create an ephemeral organization scoped to a single browser session. Demo data is governed by a retention regime separate from the one that applies to paying-customer data, the Tombstone Two-Timer: a soft-tombstone (T1) at createdAt + 1 hour + grace (access blocked, signed deletion receipt emitted), followed by a hard-purge (T2) at tombstonedAt + 90 days (PII scrubbed; cascade child rows FK-rewritten to a per-organization system sentinel actor; the 90-day default is environment-tunable via TRUST_CENTER_DEMO_RETENTION_DAYS). The demo-org sweep cron that creates T1 soft-tombstones and processes T2 hard-purges is currently in DRY_RUN observation, with a target date of 2026-06-13 for the flip to LIVE; both passes share the same DEMO_ORG_SWEEP_DRY_RUN flag, so no new tombstones are being written during the bridge window. T1 access-blocking is enforced live at the auth layer for any organization with tombstonedAt already set (including the R13.AC L2 backfill cohort). Bridge-state disclosure is at /incidents/r13-ac and the full operational specification is at /demo-data-handling. A code-level guard ensures that customer organizations classified orgType=PRODUCTION are never subjected to the Tombstone Two-Timer policy.

Retention

ShieldScore enforces tier-explicit and framework-explicit retention floors across customer data, applied programmatically by a per-organization cron job. Workspace administrators may configure retention beyond the floor through in-app controls but cannot reduce retention below the floor while the subscription is active.

Default tier floors (active subscriptions). Starter and Growth tiers carry a 365-day floor on both audit-log and evidence retention. Professional and Enterprise tiers carry a 90-day floor on both.

Framework regulatory floors. Where a customer's enabled compliance frameworks impose longer retention requirements, ShieldScore applies the larger of the tier floor and the framework floor automatically. As of this writing, HIPAA carries a 2,190-day (six-year) evidence floor (45 CFR §164.316(b)(2)) and PCI DSS carries a 365-day evidence floor (PCI DSS Req. 10.7). Other enabled frameworks default to the tier floor unless their explicit regulatory floor is encoded in a future release. When multiple frameworks are enabled, the applied floor is the maximum across them.

Audit-log retention specifics. Audit logs are stored in a tamper-evident Merkle-chain structure with per-row HMAC sealing. When a row passes its retention boundary, ShieldScore soft-deletes it (marking deletedAt with an accompanying change-history entry); the chain remains intact across the soft-delete so historical chain verification continues to work. Workspace administrators can review and verify retention status through the Audit-Log Retention surface in the dashboard, and the corresponding Merkle-recipe documentation is published at /demo-data-handling.

Customer rights interaction. The deletion rights described under Your Choices and Rights remain available; however, where a regulatory floor under HIPAA §164.316 or PCI DSS Req. 10.7 applies, ShieldScore may continue to retain the relevant evidence until the regulatory floor elapses, after which deletion proceeds in accordance with that customer right.

Security

We use administrative, technical, and physical safeguards designed to protect personal information, including access controls, encrypted transport, role-based permissions, audit logging, and vendor security controls appropriate for a SaaS compliance platform. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

Your Choices and Rights

Depending on your location, you may have rights to access, correct, export, delete, or restrict certain personal information. Workspace administrators can also update organization details and export data from within the application. To make a privacy request, contact privacy@shieldscore.ai.

Changes

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date on this page and, where appropriate, provide additional notice in the product or by email.