1. Who we are
This policy explains how [Company Legal Name], trading as Guardrail ("we", "us"), handles personal data when you visit our website, take the free AI risk scorecard, or buy the AI Policy OS. We are the data controller for that personal data. Contact: [support@yourdomain].
2. What we collect
| Data | When | Why |
|---|---|---|
| Name & email | Scorecard, newsletter, purchase, support | Send your result, deliver the product, reply to you, send updates you opted into. |
| Scorecard answers | You complete the scorecard | Generate your risk result; understand common needs in aggregate. |
| Order & billing info | You purchase | Process the sale, tax, receipts, refunds. Card details are handled by our payment provider — we don't store them. |
| Usage & device data | You browse the site | Basic, privacy-respecting analytics to improve the site. |
| Support messages | You email us | Help you and keep a record of the conversation. |
3. How we use your data
- To deliver the product and provide customer support.
- To send the scorecard result and, if you opted in, occasional emails about updates and offers. You can unsubscribe anytime.
- To process payments, comply with tax/accounting obligations, and prevent fraud.
- To understand and improve our site and products, in aggregate.
4. Legal bases
Where data-protection law (such as the GDPR) applies, we rely on: contract (to deliver what you bought), consent (for marketing emails and non-essential cookies), legitimate interests (to run and improve our business proportionately), and legal obligation (tax and accounting records). You can withdraw consent at any time.
5. Who we share it with
We don't sell your personal data. We share it only with service providers who help us operate, under appropriate agreements:
- Payments: [Lemon Squeezy / Stripe] — processes your purchase and may act as merchant of record.
- Email & forms: [your email/ESP and form tool, e.g. Tally] — delivers the scorecard result and emails.
- Analytics: [e.g. Plausible / Google Analytics] — measures site usage.
- Hosting: [your host, e.g. Vercel / Cloudflare] — serves the site.
- Legal: authorities or advisors where required by law or to protect our rights.
6. Cookies & analytics
We use essential cookies needed for the site to work, and [privacy-respecting / consent-based] analytics to understand traffic. Where required, we ask for your consent before setting non-essential cookies. You can control cookies in your browser settings.
7. International transfers
Our providers may process data outside your country, including [regions, e.g. the EU/US]. Where we transfer personal data internationally, we rely on appropriate safeguards (such as Standard Contractual Clauses) as required by applicable law.
8. How long we keep it
We keep personal data only as long as needed for the purposes above: order and tax records for the period required by law; marketing contacts until you unsubscribe; scorecard and support data for a reasonable period, then we delete or anonymize it.
9. Your rights
Subject to your local law, you may have the right to access, correct, delete, or export your personal data, to object to or restrict certain processing, and to withdraw consent. To exercise any of these, email [support@yourdomain]; we'll respond within the timeframe the law requires. You may also complain to your local data-protection authority.
10. Security
We use reasonable technical and organizational measures to protect personal data, and work with reputable providers. No method of transmission or storage is 100% secure, but we take protecting your information seriously and limit access to those who need it.
11. Children
Our products are for businesses and are not directed to children. We do not knowingly collect data from anyone under 16. If you believe a child has provided us data, contact us and we'll delete it.
12. Changes & contact
We may update this policy; we'll change the date above and, for material changes, give notice where appropriate. Questions or requests: [support@yourdomain].