Privacy Policy

Last updated: February 22, 2026

Your privacy matters to us. This policy details how Risk Management Platform collects, uses, and protects your data — designed for compliance with GDPR, CCPA, and other applicable regulations.

Introduction

Risk Management Platform ("we," "our," or "us"), operated by Chronodat LLC, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our enterprise risk management platform, website, and related services (collectively, the "Service").

By accessing or using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service. This Privacy Policy is incorporated into and subject to our Terms of Service.

Information We Collect

Personal Information You Provide

  • Account information: name, email address, password, and profile details
  • Organization information: company name, URL slug, industry, address, phone, and website
  • Risk management data: risk assessments, mitigation plans, comments, tags, attachments, and activity logs
  • Contact form submissions: name, email, subject, and message content
  • Payment information: billing details processed securely through Stripe (we do not store full card numbers on our servers)

Information Collected Automatically

  • Usage data: pages visited, features used, session duration, and interaction patterns
  • Device information: browser type, operating system, screen resolution, and time zone
  • Log data: IP addresses, access times, referring URLs, and error logs
  • Cookies and similar technologies: session cookies, preference cookies, and analytics cookies
  • Performance data: page load times and feature usage frequency for service improvement

Information from Third Parties

  • Authentication providers: Azure AD or Microsoft Teams profile data (name, email, avatar) when you use SSO
  • Integration data: information from connected services (Microsoft Teams) as configured by your organization
  • Payment processor: transaction status and billing details from Stripe

How We Use Your Information

We use collected information for the following purposes, which we consider necessary for the performance of our contract with you and/or our legitimate business interests:

  • Provide, operate, and maintain the Service, including risk register, heatmap, dashboards, and reporting features
  • Authenticate users and manage access control, custom roles, and permissions across your organization
  • Send transactional communications including risk assignment notifications, deadline reminders, and security notices
  • Process payments and manage subscription billing through our payment processor (Stripe)
  • Provide customer support and respond to technical inquiries
  • Analyze usage patterns and performance metrics to improve the Service and develop new features
  • Detect, prevent, and address technical issues, security threats, and abuse
  • Comply with legal obligations, enforce our Terms of Service, and protect our rights

Data Sharing and Third Parties

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share data only in the following circumstances:

  • Service providers: We work with trusted third parties who process data on our behalf under strict data processing agreements. Current providers include: Microsoft Azure (cloud hosting and database), Stripe (payment processing), and Resend (transactional email delivery)
  • Within your organization: Data is shared with members of your organization according to the roles and permissions configured by your organization administrator
  • Integrations you enable: When you connect Microsoft Teams, data flows to that service as configured by your administrator and subject to Microsoft's privacy policy
  • Legal requirements: We may disclose information if required by law, regulation, subpoena, or court order. We will notify you where legally permitted
  • Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify affected users before data becomes subject to a different privacy policy
  • Protection of rights: We may share information to protect our rights, property, or safety, or that of our users or the public

Data Infrastructure and Storage

Database Technology: Your data is stored in Microsoft SQL Server (Azure SQL), a fully managed enterprise-grade relational database trusted by organizations worldwide. Azure SQL provides ACID-compliant transactions, ensuring data integrity and consistency.

Hosting: Our infrastructure is hosted on Microsoft Azure with enterprise-grade security controls. Data is stored in secure, geographically redundant data centers with SOC 2 Type II certification.

Backups: Automated daily backups with point-in-time recovery capability. Backups are encrypted and stored in a separate geographic region for disaster recovery.

Data Residency: By default, data is processed in the United States (Azure regions). Enterprise customers may request specific data residency configurations.

Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

Active accounts: Data is retained for the duration of your active subscription and account activity.

Deleted accounts: Upon account termination, we retain data for 90 days to allow data export. After 90 days, data is permanently deleted from active systems.

Audit logs: Retained according to your subscription plan (30 days to unlimited), for security, compliance, and debugging purposes.

Analytics data: Aggregated, anonymized analytics data may be retained indefinitely as it cannot be linked to individual users.

Legal holds: We may retain data longer if required for ongoing legal proceedings or compliance obligations.

You or your organization administrator can export your data at any time.

Data Security

We implement security measures that meet or exceed industry standards to protect your data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256) for all data
  • Multi-tenant architecture with strict tenant isolation at the database layer
  • Multi-factor authentication (MFA) support and enforcement options
  • Custom role-based access control (RBAC) with granular, configurable permissions
  • Regular security audits, penetration testing, and vulnerability assessments
  • Azure AD and Microsoft Teams SSO for enterprise identity management
  • Session management with configurable timeout policies
  • Comprehensive audit logging of all administrative actions and data access
  • Automated security monitoring and anomaly detection
  • Incident response procedures with defined escalation paths

Your Rights

Depending on your location, you may have the following rights regarding your personal data. We will respond to verified requests within the timeframes required by applicable law:

Under GDPR (European Economic Area)

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data subject to legal retention requirements
  • Right to restrict processing: Request that we limit the processing of your data
  • Right to data portability: Receive your data in a structured, machine-readable format (CSV, PDF)
  • Right to object: Object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent: Withdraw consent at any time without affecting prior lawful processing
  • Right to lodge a complaint: File a complaint with your local data protection supervisory authority

Under CCPA (California)

  • Right to know: What personal information is collected, used, shared, or sold
  • Right to delete: Request deletion of personal information, subject to exceptions
  • Right to opt-out: Opt out of the sale of personal information (note: we do not sell personal information)
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights
  • Right to correct: Request correction of inaccurate personal information

Exercising Your Rights

  • Self-service: Many data rights can be exercised directly through your account settings (profile editing, data export, account deletion)
  • Email request: Send a verified request to support@chronodat.com
  • Organization administrators: For organization-level data requests, contact your organization administrator
  • Response time: We aim to respond to all verified requests within 30 days

Cookies and Tracking

We use cookies and similar technologies to operate and improve the Service:

Essential cookies: Required for authentication, security, CSRF protection, and core functionality. These cannot be disabled.

Preference cookies: Remember your settings such as theme (dark/light mode), sidebar state, and display preferences.

Analytics cookies: Help us understand how the Service is used so we can improve it. We use privacy-respecting analytics that do not track individual users across websites.

Session cookies: Temporary cookies that expire when you close your browser, used for session management and security.

You can control cookie preferences through your browser settings. Disabling non-essential cookies may affect some personalization features. We do not use third-party advertising cookies.

International Data Transfers

Our Service is primarily hosted in the United States on Microsoft Azure. When data is transferred across international borders, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers of personal data from the EEA/UK
  • Data Processing Agreements (DPAs): We maintain DPAs with all service providers that include appropriate data transfer mechanisms
  • Encryption: All data is encrypted in transit and at rest, regardless of where it is processed
  • Access controls: Access to personal data is limited to authorized personnel who need it to provide the Service

Children's Privacy

The Service is not intended for or directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information without parental consent, please contact us immediately at support@chronodat.com and we will take steps to delete such information.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

  • We will update the "Last updated" date at the top of this page
  • For material changes, we will notify registered users via email or in-app notification at least 14 days before the changes take effect
  • We will provide a summary of significant changes

Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, please contact us:

  • Email: support@chronodat.com
  • Phone: +1 281-888-2734
  • Contact Form: [Contact Page](/contact)

We aim to respond to all privacy-related inquiries within 30 days.
