Privacy Policy
Last updated: April 4, 2026
1. Introduction
GovernLayer Inc. ("GovernLayer," "we," "us") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI governance platform and related services.
2. Information We Collect
| Category | Data | Purpose |
| --- | --- | --- |
| Account | Email, company name, hashed password | Authentication, billing |
| API Usage | Request metadata, timestamps, endpoints called | Rate limiting, usage metering, debugging |
| Governance Data | System names, risk scores, audit records, drift coefficients | Providing the governance service |
| Technical | IP address, user agent, request headers | Security, abuse prevention |
3. What We Do NOT Collect
- We do not store the content of your AI model inputs or outputs in our logs.
- We do not use your governance data to train any machine learning models.
- We do not sell, rent, or share your personal data with third parties for marketing.
- When using local inference (Ollama), your data never leaves your infrastructure.
4. How We Use Your Information
- To provide, maintain, and improve the Service.
- To process transactions and send related information (confirmations, invoices).
- To detect, prevent, and address security incidents and abuse.
- To comply with legal obligations.
- To communicate service updates and changes.
5. Data Storage and Security
- Data is stored in PostgreSQL with encryption at rest.
- All connections use TLS 1.2 or higher.
- Passwords are hashed using bcrypt with unique salts.
- API keys are stored as hashed values; plaintext is shown only once at creation.
- Audit records are SHA-256 hash-chained for tamper evidence.
- Infrastructure is hosted on SOC 2 Type II compliant providers.
6. Data Retention
- Account data: Retained while your account is active, deleted within 30 days of account closure.
- Audit ledger: Retained for the duration of your subscription plus 90 days, unless a longer retention is required by applicable regulation.
- API logs: Retained for 90 days for debugging and security purposes.
- Backups: Purged within 30 days of data deletion.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data.
- Export your data in a machine-readable format.
- Object to or restrict processing of your data.
- Withdraw consent at any time.
To exercise any of these rights, contact privacy@governlayer.ai.
8. International Data Transfers
If you are located outside the United States, your data may be transferred to and processed in the United States. We implement appropriate safeguards for such transfers, including standard contractual clauses where required by GDPR.
9. Self-Hosted Deployments
If you deploy GovernLayer on your own infrastructure (Docker, Kubernetes, air-gapped), all data remains within your environment. No data is transmitted to GovernLayer servers in self-hosted mode.
10. Cookies
The GovernLayer API does not use cookies. The web dashboard uses a JWT token stored in localStorage for authentication. No third-party tracking cookies are used.
11. Third-Party Services
We use the following third-party services:
- Railway: Infrastructure hosting (SOC 2 Type II)
- Stripe: Payment processing (PCI DSS Level 1)
- GitHub: Source code and CI/CD
12. Children's Privacy
The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children.
13. Changes to This Policy
We will notify you of material changes via email or through the Service at least 30 days before they take effect.
14. Contact
For privacy inquiries: privacy@governlayer.ai
GovernLayer Inc.
Registered in Delaware, United States