Last Updated: February 11, 2026
Introduction
LukaGRC ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our security and compliance automation platform.
Information We Collect
Account Information
When you create an account, we collect:
- Name and email address
- Company name and role
- Password (stored encrypted)
- Billing information (processed securely through third-party providers)
Compliance Data
To provide our services, you may upload:
- Security policies and procedures
- Evidence and documentation
- Vendor assessment responses
- Control implementation details
Usage Information
We automatically collect:
- Log data (IP addresses, browser type, access times)
- Feature usage and interaction patterns
- Performance and error data
How We Use Your Information
We use your information to:
- Provide, operate, and maintain our platform
- Process AI-powered analysis and recommendations
- Improve and personalize your experience
- Send service updates and security notifications
- Respond to support requests
- Prevent fraud and ensure platform security
- Comply with legal obligations
AI Processing
LukaGRC uses AI to analyze your compliance documentation. You can choose between:
- Cloud AI: Data is processed by third-party AI providers (Google Gemini) in accordance with their privacy policies and our data processing agreements.
- Local AI: Data is processed entirely on your infrastructure using Ollama. Your data never leaves your network.
We do not use your compliance data to train AI models or share it with third parties beyond necessary service providers.
Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.3) and at rest
- Multi-tenant data isolation
- Regular security audits and penetration testing
- Access controls and authentication
- Audit logging of all data access
Data Sharing
We do not sell your personal information. We may share data with:
- Service Providers: Cloud hosting (AWS), AI providers (Google), payment processors, and analytics tools that help us operate our platform
- Legal Requirements: When required by law, subpoena, or to protect our rights
- Business Transfers: In the event of a merger, acquisition, or sale of assets
All third-party providers are bound by confidentiality agreements and data processing agreements.
Data Retention
We retain your data as long as your account is active or as needed to provide services. You may request deletion of your account and data at any time by contacting hello@lukagrc.com.
Some data may be retained for legal or compliance purposes even after account deletion.
Your Rights
Depending on your location, you may have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Object to or restrict processing
- Request data portability
- Withdraw consent
To exercise these rights, contact us at hello@lukagrc.com.
International Data Transfers
Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place through standard contractual clauses and other legal mechanisms.
Cookies and Tracking
We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. You can control cookie settings through your browser.
Children's Privacy
LukaGRC is not intended for users under 18. We do not knowingly collect information from children.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the platform. Continued use after changes constitutes acceptance.
Contact Us
For privacy-related questions or to exercise your rights:
Email: hello@lukagrc.com