Privacy Policy
Effective date: June 1, 2026
1. Overview
Morton Technology Consulting LLC ("we", "us") operates ComplianceOS. This Privacy Policy describes how we collect, use, and protect information when you use the Service. By using the Service, you agree to the practices described here.
2. Information We Collect
Account Information
Name, email address, organization name, billing information (processed by Stripe — we do not store full card numbers), and account credentials.
Compliance Evidence and Documents
Files you upload to the Service for compliance tracking purposes. We extract structural metadata (file type, file size, classification category) for AI analysis. We do not send the full text content of uploaded documents to AI providers. Do not upload documents containing protected health information (PHI) in free-text fields. The Service is not a HIPAA-covered repository unless a Business Associate Agreement is in place.
Usage Data
Log data including IP addresses, browser type, pages visited, and feature interactions. Used for service operation, security monitoring, and product improvement.
3. How We Use Your Information
- To provide, operate, and maintain the Service
- To process payments and manage subscriptions
- To send transactional emails (account verification, billing receipts, security alerts)
- To generate AI-assisted compliance analysis using structural metadata only
- To detect and prevent fraud and security incidents
- To comply with legal obligations
4. AI Processing
When you use AI-powered features (such as gap analysis), we send structural metadata about your evidence records to Anthropic's Claude API. Specifically: record identifiers, file types, file sizes, and classification labels. We do not send free-text fields (titles, descriptions, file names) or document content to AI providers. Anthropic's privacy policy governs their handling of API inputs.
5. Sub-Processors
We use the following sub-processors to operate the Service:
- Anthropic — AI inference (structural metadata only)
- Stripe — Payment processing
- Resend — Transactional email delivery
- Vercel — Application hosting
- Neon — Database infrastructure
- Upstash — Cache and rate limiting
6. Data Retention
Active account data is retained for the duration of your subscription. Upon account deletion, your organization data and uploaded evidence are deleted within 30 days, except where retention is required by law. Financial records and audit logs are retained for 7 years.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to legal retention requirements)
- Export your organization's data in machine-readable format
- Withdraw consent where processing is based on consent
To exercise these rights, contact us at [email protected].
8. HIPAA and Healthcare Customers
If your organization is a HIPAA-covered entity or business associate, and you wish to use ComplianceOS in a capacity that involves protected health information, a Business Associate Agreement (BAA) is required before use. Contact us at [email protected] to request a BAA. Do not use the Service for PHI without a BAA in place.
9. Security
We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, multi-factor authentication, role-based access controls, and audit logging. No system is perfectly secure; you are responsible for maintaining the security of your account credentials.
10. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email to account holders. Continued use of the Service after changes are posted constitutes acceptance.
12. Contact
Morton Technology Consulting LLC · Tallahassee, Florida · [email protected]