Interim privacy policy — under legal review. Cipher One Tech LLC is in the process of engaging qualified legal counsel. The final reviewed version of this Privacy Policy will be published at this URL and supersede this draft entirely. The substantive practices described below are accurate and will not become more permissive in the final version.

Privacy Policy

Effective date: May 13, 2026 · Last updated: May 13, 2026

Cipher One Tech LLC ("Cipher One", "we", "us") operates the Readyline GRC service (the "Service") at readylinegrc.com and app.readylinegrc.com. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over it.

This Privacy Policy works alongside our Terms of Service. Definitions used in the Terms (including "Customer Data", "Tenant") carry the same meaning here.

1. Roles & Scope

For data we collect about you directly when you create an account or use the Service (your name, email, password hash, login history, etc.), Cipher One acts as a data controller.

For Customer Data that you upload into the Service (compliance evidence, assessment notes, POA&M entries, etc.), Cipher One acts as a data processor and you (the Customer / Tenant administrator) are the controller. Our processing is governed by the Terms of Service.

2. Information We Collect

2.1 Information you provide

Category | What it is | Why we need it
Account identity | Your name, work email address, organization (Tenant) name | Identify you, send transactional email, scope your tenant
Authentication | Bcrypt-hashed password (never plaintext); encrypted TOTP secret; individually bcrypt-hashed 2FA recovery codes | Sign you in; protect your account from unauthorized access
Customer Data | Files, evidence artifacts, assessment notes, POA&M entries you submit to the Service | Operate the Service for you under Terms § 5
Support correspondence | Emails you send to hello@readylinegrc.com | Respond to your request

2.2 Information collected automatically

Category | What it is | Retention
Login history | IP address, user-agent, session id, timestamp of each successful login | 30 days minimum (security monitoring)
Audit log | Append-only record of significant actions in your tenant (assessment edits, evidence uploads, POA&M changes, exports) | Lifetime of tenant; immutable
Server logs | HTTP method, request path, response status, latency | 30 days; rotated
Aggregated metrics | Anonymized counts (e.g. total POA&M items across all tenants) with no link to specific user or organization | Indefinite; not personal data

2.3 Information from cookies

We use only essential cookies needed to keep you signed in and protect against cross-site request forgery (CSRF). Specifically:

  • readyline_grc_session — encrypted session id, expires 2 hours after last activity.
  • XSRF-TOKEN — CSRF protection token, expires with session.

We do not use third-party advertising cookies, analytics fingerprinting, or cross-site tracking. We honor browser "Do Not Track" signals — though since we don't track in the first place, the practical effect is the same.

3. How We Use Your Information

  • To provide, maintain, and secure the Service.
  • To authenticate your identity and detect unauthorized access (login alerts on novel sign-ins).
  • To send transactional email you've signed up for (verification, password reset, login alerts, security notices).
  • To respond to your support, billing, or privacy-rights requests.
  • To comply with legal obligations and respond to lawful requests.
  • To investigate suspected fraud, abuse, or violations of the Terms of Service.

What we do NOT do:

  • We do not use your personal information or Customer Data to train machine-learning or generative AI models — ours or any third party's.
  • We do not sell, rent, or trade your information to advertisers, data brokers, or any third party.
  • We do not send marketing emails without your explicit opt-in.
  • We do not share Customer Data with anyone except as required to operate the Service (Section 4) or compelled by valid legal process.

4. Subprocessors

We use a small set of vetted subprocessors to operate the Service. Each is bound by contractual obligations consistent with this policy.

Subprocessor | Purpose | Region
Resend, Inc. | Transactional email delivery (verification, password reset, login alerts) | United States
Microsoft 365 | Inbound email handling for @readylinegrc.com addresses | United States
Cloudflare, Inc. | Authoritative DNS for readylinegrc.com | United States (global edge for DNS)
Hosting provider | Service infrastructure (compute + storage + database) | United States

5. How Long We Keep Your Information

  • Customer Data: lifetime of your account, plus thirty (30) days after account termination for export, then deleted within ninety (90) days.
  • Account identity: lifetime of your account; deleted on request after termination, subject to retention obligations under applicable law (e.g. tax/accounting records).
  • Audit log + login history: at least 30 days; longer if required by law or pursuant to a security investigation.
  • Backups: encrypted backups may persist deleted records for up to ninety (90) days before being overwritten by routine retention rotation.

6. Data Location & International Transfers

The Service operates from servers located in the United States. By using the Service, you consent to the transfer, processing, and storage of your information in the United States. The U.S. may have data-protection laws different from those of your jurisdiction. Where we transfer personal data of EU/UK residents to the U.S., we rely on the European Commission's Standard Contractual Clauses or other lawful transfer mechanisms (see Section 9 below).

7. Security

We implement commercially reasonable administrative, physical, and technical safeguards described in the Terms of Service, Section 7. Highlights:

  • TLS 1.2+ encryption of all traffic in transit.
  • Mandatory two-factor authentication on every account.
  • Per-tenant database and filesystem isolation.
  • Append-only audit log of significant actions.
  • Email alert on every novel-IP sign-in.

The Service has not yet been audited against FedRAMP, SOC 2, or ISO 27001, and is not authorized to host Controlled Unclassified Information (CUI). See Terms of Service Section 2 for full prohibition language.

8. Maryland Residents — Personal Information Protection Act (PIPA)

Cipher One Tech LLC is organized in the State of Maryland. We comply with the Maryland Personal Information Protection Act (Md. Code Ann., Com. Law §§ 14-3501 through 14-3508), as amended.

8.1 Information covered

"Personal information" under PIPA means a Maryland resident's first name (or first initial) and last name combined with one or more of the following: Social Security number; driver's license or state ID number; financial account or payment-card number with required access code; passport number; biometric data; health information; health insurance policy / certificate / subscriber ID; mother's maiden name; or unique electronic ID combined with a password.

The Service does not request or store any of these data elements. We collect only your name, work email, organization name, and authentication credentials. Customer Data you upload is governed by the Terms of Service Section 2 prohibition on uploading sensitive material — including SSNs, driver's license numbers, financial account numbers, biometric data, PHI, and PII of third parties.

8.2 Reasonable security

We implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information we collect, in compliance with PIPA § 14-3503. The safeguards described in Section 7 above and in Terms of Service Section 7 satisfy this commitment for our current data scope.

8.3 Breach notification

If we determine that a security breach has resulted in the unauthorized acquisition of Maryland residents' personal information that could lead to identity theft or other harm, we will notify affected residents as soon as reasonably practicable, but in no event more than forty-five (45) days after we conclude the investigation, in compliance with PIPA § 14-3504. The notification will include:

  • A description of the categories of information involved.
  • Toll-free numbers and addresses for the major credit reporting agencies.
  • Information about the federal Fair Credit Reporting Act and the Maryland Attorney General's Office.
  • Steps the resident can take to protect themselves.

If the breach affects 1,000 or more Maryland residents, we will also notify the Maryland Office of the Attorney General before notifying affected residents, consistent with PIPA § 14-3504(h).

8.4 Disposal of records

When we no longer need records containing personal information of Maryland residents, we destroy them by shredding, erasing, or modifying them so that the information cannot practicably be read or reconstructed (PIPA § 14-3502).

9. California Residents — CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights regarding personal information we hold about you:

  • Right to know what categories of personal information we have collected, the sources, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to access the specific pieces of personal information we have about you.
  • Right to delete personal information we have collected (subject to certain exceptions, such as completing a transaction or complying with a legal obligation).
  • Right to correct inaccurate personal information.
  • Right to limit use of sensitive personal information (we do not collect any).
  • Right to opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell or share your information for advertising — ever.
  • Right to non-discrimination for exercising any of these rights.

To exercise any of these rights, contact us at hello@readylinegrc.com. We will verify your identity (typically by confirming you control the email associated with your account) and respond within forty-five (45) days.

We have not "sold" personal information of any California resident in the past twelve (12) months and have no intention of doing so. We do not have actual knowledge of selling the personal information of any consumer under the age of 16.

10. EU/UK/EEA Residents — GDPR / UK GDPR

If you are in the European Union, United Kingdom, or European Economic Area, the General Data Protection Regulation (GDPR) grants you the following rights:

  • Right of access to your personal data and information about its processing.
  • Right to rectification of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"), subject to certain exceptions.
  • Right to restrict processing in certain circumstances.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object to processing based on legitimate interest.
  • Right to lodge a complaint with your local supervisory authority.

Lawful bases for processing:

  • Contract — to provide the Service you've requested (Art. 6(1)(b)).
  • Legitimate interest — to secure the Service (login alerts, audit log) and prevent abuse, balanced against your interests (Art. 6(1)(f)).
  • Legal obligation — to comply with applicable law (Art. 6(1)(c)).
  • Consent — for any optional marketing email you opt into (Art. 6(1)(a)).

For Customer Data you upload, we act as your data processor under Art. 28. A Data Processing Agreement is available on request — contact hello@readylinegrc.com.

11. Children

The Service is intended for business use by adults. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a child, contact us and we will delete it promptly.

12. Changes to This Policy

Material changes will be communicated to the Tenant administrator's email of record at least thirty (30) days before they take effect. The current version is always posted at readylinegrc.com/privacy with the "Last updated" date noted at the top.

13. Contact

Privacy questions, rights requests, or breach concerns: hello@readylinegrc.com. We respond within five (5) business days for general inquiries; rights requests within the statutory timeframes noted in Sections 8–10.

Cipher One Tech LLC
Maryland, United States


Reminder: this is an interim notice prepared by the operator pending review by qualified legal counsel. The substantive practices described here will not become more permissive; the final reviewed version will replace this draft entirely.

© 2026 Cipher One Tech LLC · Readyline GRC · hello@readylinegrc.com