Privacy & Data Protection

Privacy Policy

Your privacy is our priority. Learn how we protect your data.

Privacy Commitment: At Shelf Labs, we are committed to protecting your privacy and handling your data with transparency and care. This Privacy Policy explains how we collect, use, store, and protect your information when you use ShelfGRC.

1. Introduction

This Privacy Policy applies to ShelfGRC, a cloud-based software-as-a-service (SaaS) platform provided by Shelf Labs. We are committed to compliance with applicable data protection laws, including:

  • Australian Privacy Principles (APPs) under the Privacy Act 1988
  • General Data Protection Regulation (GDPR) for EU users
  • California Consumer Privacy Act (CCPA) for California residents

2. Information We Collect

2.1 Information You Provide Directly

When you use ShelfGRC, you may provide us with the following information:

  • Account Information: Name, email address, job title, organization name, phone number
  • Billing Information: Payment card details, billing address (processed securely through third-party payment processors)
  • Customer Data: Risk assessments, control documentation, evidence files, compliance records, incident reports, and other GRC-related content you upload or create
  • Communications: Messages, feedback, and support requests you send to us

2.2 Information Collected Automatically

When you access and use ShelfGRC, we automatically collect:

  • Usage Data: Pages viewed, features used, time spent, actions taken within the platform
  • Device Information: IP address, browser type and version, operating system, device identifiers
  • Log Data: Access times, error logs, performance metrics
  • Cookies and Similar Technologies: Session cookies, preference cookies, analytics cookies (see Section 8)

2.3 Information from Third Parties

We may receive information from:

  • Authentication Providers: If you sign in using third-party authentication (e.g., Google, Microsoft)
  • Payment Processors: Transaction confirmation and billing information
  • Analytics Services: Aggregated usage statistics and performance data

3. How We Use Your Information

3.1 Service Provision

We use your information to:

  • Provide, maintain, and improve ShelfGRC
  • Process your account registration and authentication
  • Enable core features including risk management, compliance tracking, and evidence storage
  • Generate AI-powered proposals and recommendations
  • Provide customer support and respond to inquiries
  • Process payments and manage subscriptions

3.2 AI and Machine Learning

We use your Customer Data to power AI features, including:

  • Generating risk assessment suggestions
  • Recommending controls and compliance actions
  • Analyzing trends and patterns in your GRC data
  • Improving AI model accuracy and relevance

Important: We do not use your Customer Data to train AI models that serve other customers. Your data remains isolated within your tenant. See our AI Usage Policy for more details.

3.3 Communication

We may use your contact information to:

  • Send service-related notifications and updates
  • Respond to your support requests
  • Send important security or legal notices
  • Provide product updates and feature announcements (you may opt out)

3.4 Analytics and Improvement

We analyze usage data to:

  • Understand how users interact with ShelfGRC
  • Identify and fix bugs and performance issues
  • Develop new features and improvements
  • Monitor service availability and security

3.5 Legal Compliance

We may use your information to:

  • Comply with legal obligations and regulatory requirements
  • Enforce our Terms and Conditions
  • Protect our rights, property, and safety
  • Prevent fraud, abuse, and security threats

4. Data Storage and Security

4.1 Data Storage

Your data is stored securely using Supabase, a cloud database platform built on PostgreSQL. Data is stored in geographically distributed data centers with redundancy and backup systems.

Data Residency: You may select your preferred data region during account setup (e.g., Australia, EU, US). Your Customer Data will be stored in your selected region, subject to Supabase's infrastructure availability.

4.2 Security Measures

We implement industry-standard security measures to protect your data, including:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access control (RBAC) and multi-tenant data isolation
  • Authentication: Secure authentication with support for multi-factor authentication (MFA)
  • Monitoring: Continuous security monitoring and audit logging
  • Vulnerability Management: Regular security assessments and penetration testing
  • Incident Response: Documented incident response procedures

4.3 Data Retention

We retain your data as follows:

  • Active Accounts: Customer Data is retained for the duration of your subscription
  • Terminated Accounts: Customer Data is retained for 30 days after termination, then permanently deleted
  • Audit Logs: Retained for 7 years to comply with regulatory requirements
  • Billing Records: Retained for 7 years for tax and accounting purposes

You may request early deletion of your data by contacting us at privacy@shelflabs.com.

5. Data Sharing and Disclosure

5.1 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information or Customer Data to third parties for marketing purposes.

5.2 Service Providers

We share data with trusted third-party service providers who assist us in operating ShelfGRC, including:

  • Supabase: Database and backend infrastructure
  • Vercel: Frontend hosting and content delivery
  • Payment Processors: Stripe or similar for payment processing
  • AI/LLM Providers: OpenAI, Anthropic, or similar for AI features
  • Analytics Services: Usage analytics and performance monitoring

These service providers are contractually obligated to protect your data and use it only for the purposes we specify.

5.3 Legal Requirements

We may disclose your information if required by law or in response to:

  • Valid legal process (subpoena, court order, warrant)
  • Government or regulatory requests
  • Protection of our legal rights or safety
  • Investigation of fraud, security threats, or violations of our Terms

5.4 Business Transfers

If Shelf Labs is involved in a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and provide options regarding your data.

6. Your Privacy Rights

6.1 Access and Portability

You have the right to access your personal information and Customer Data. You may export your data at any time through the ShelfGRC interface in standard formats (CSV, JSON).

6.2 Correction and Update

You may update your account information and Customer Data at any time through your account settings.

6.3 Deletion

You may request deletion of your personal information and Customer Data by:

  • Canceling your subscription (data deleted after 30 days)
  • Contacting us at contact@shelflabs.io for immediate deletion

Note: We may retain certain information as required by law or for legitimate business purposes (e.g., audit logs, billing records).

6.4 Opt-Out of Marketing

You may opt out of marketing communications by:

  • Clicking "unsubscribe" in marketing emails
  • Updating your communication preferences in account settings
  • Contacting us at contact@shelflabs.io

Note: You cannot opt out of essential service communications (e.g., security alerts, billing notifications).

6.5 GDPR Rights (EU Users)

If you are located in the European Union, you have additional rights under GDPR:

  • Right to Object: Object to processing of your personal data
  • Right to Restrict: Request restriction of processing
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

6.6 CCPA Rights (California Residents)

If you are a California resident, you have rights under CCPA:

  • Right to know what personal information we collect and how it's used
  • Right to delete personal information
  • Right to opt out of sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your rights

7. International Data Transfers

ShelfGRC is operated from Australia. If you access the Service from outside Australia, your data may be transferred to and processed in Australia or other countries where our service providers operate.

For EU users, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with service providers
  • Compliance with GDPR requirements for international transfers

8. Cookies and Tracking Technologies

8.1 Types of Cookies We Use

ShelfGRC uses the following types of cookies:

  • Essential Cookies: Required for authentication, security, and core functionality (cannot be disabled)
  • Preference Cookies: Remember your settings and preferences
  • Analytics Cookies: Help us understand usage patterns and improve the Service

8.2 Managing Cookies

You can manage cookie preferences through:

  • Your browser settings (most browsers allow you to block or delete cookies)
  • Our cookie consent banner (for non-essential cookies)

Note: Disabling essential cookies may prevent you from using certain features of ShelfGRC.

9. Third-Party Links and Services

ShelfGRC may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to third-party sites or services. We encourage you to review the privacy policies of any third-party services you use.

10. Children's Privacy

ShelfGRC is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by:

  • Posting the updated policy on this page with a new "Last Updated" date
  • Sending an email notification to your registered email address
  • Displaying an in-app notification

Continued use of ShelfGRC after changes become effective constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Shelf Labs - Privacy Team

Email: contact@shelflabs.io

Website: www.shelflabs.io

For GDPR-related inquiries, you may also contact our Data Protection Officer at contact@shelflabs.io.