Privacy Policy

Last updated: October 5, 2025

Table of Contents

  1. 1. Information We Collect
  2. 2. How We Use Your Data
  3. 3. Data Sharing and Disclosure
  4. 4. Data Security and Protection
  5. 5. Your Rights and Choices
  6. 6. Regulatory Compliance
  7. 7. Contact Information

1. Information We Collect

Enterprise Account Information

When you create a CXOkit enterprise account, we collect:

  • Business contact information (name, email, phone, job title)
  • Company details (name, industry, size, revenue)
  • Billing and payment information (processed securely through certified payment processors)
  • User authentication credentials (encrypted and hashed)

Platform Usage Data

To provide and improve our AI-powered risk management services, we collect:

  • Risk assessment data and compliance information you input
  • Audit workflows, control frameworks, and policy configurations
  • System usage patterns and feature interactions
  • Performance metrics and error logs for platform optimization

Technical Information

We automatically collect certain technical data:

  • IP addresses, browser types, and device information
  • Session data and login timestamps
  • Cookies and similar tracking technologies
  • API usage and integration data

2. How We Use Your Data

Service Delivery

We use your information to:

  • Provide CXOkit's AI-powered risk management platform
  • Process risk assessments and generate compliance reports
  • Deliver real-time notifications and alerts
  • Enable collaboration features and workflow management

AI and Machine Learning

Our artificial intelligence systems use aggregated, anonymized data to:

  • Improve risk prediction accuracy and threat detection
  • Enhance compliance automation and workflow optimization
  • Develop new AI features and capabilities
  • Provide industry benchmarking and insights

Communication and Support

We may use your contact information to:

  • Send important service updates and security notifications
  • Provide customer support and technical assistance
  • Share product updates and new feature announcements
  • Conduct user research and feedback collection

3. Data Sharing and Disclosure

Zero Data Sale Policy: CXOkit never sells, rents, or trades your personal or business data to third parties.

Limited Sharing Scenarios

We may share your information only in these specific circumstances:

  • Service Providers: Trusted partners who help deliver our services (cloud hosting, payment processing) under strict confidentiality agreements
  • Legal Requirements: When required by law, court order, or government request
  • Business Transfers: In the event of a merger, acquisition, or sale of assets (with prior notice)
  • Safety and Security: To protect the rights, property, or safety of CXOkit, our users, or the public

International Transfers

CXOkit operates globally with data centers in multiple regions. We ensure all international data transfers comply with applicable privacy laws through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions and approved certification mechanisms
  • Data localization options for enterprises with specific requirements

4. Data Security and Protection

Enterprise-Grade Security

CXOkit implements military-grade security measures:

  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Access Controls: Multi-factor authentication, role-based permissions, and zero-trust architecture
  • Monitoring: 24/7 security monitoring, threat detection, and incident response
  • Compliance: SOC 2 Type II, ISO 27001, and industry-specific certifications

Data Retention

We retain your data only as long as necessary:

  • Active account data: For the duration of your subscription plus 90 days
  • Audit logs and compliance records: As required by applicable regulations (typically 7 years)
  • Anonymized analytics data: May be retained indefinitely for service improvement
  • Deleted account data: Securely purged within 30 days of account closure

5. Your Rights and Choices

Data Subject Rights

Under GDPR, CCPA, and other privacy laws, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete information
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to processing based on legitimate interests

How to Exercise Your Rights

To exercise any of these rights:

  1. Email us at privacy@cxokit.com with your request
  2. Use our self-service privacy portal within your CXOkit account
  3. Contact our Data Protection Officer for complex requests

We will respond to your request within 30 days and may require identity verification for security purposes.

6. Regulatory Compliance

Global Privacy Standards

CXOkit complies with major privacy regulations worldwide:

  • GDPR: European Union General Data Protection Regulation
  • CCPA: California Consumer Privacy Act and amendments
  • PIPEDA: Canada's Personal Information Protection and Electronic Documents Act
  • LGPD: Brazil's Lei Geral de Proteção de Dados
  • PDPA: Singapore Personal Data Protection Act

Industry-Specific Compliance

For enterprises in regulated industries, we maintain compliance with:

  • HIPAA: Health Insurance Portability and Accountability Act
  • SOX: Sarbanes-Oxley Act requirements
  • GLBA: Gramm-Leach-Bliley Act for financial institutions
  • FERPA: Family Educational Rights and Privacy Act

7. Contact Information

Privacy Questions

For privacy-related inquiries and data subject requests:

Email: privacy@cxokit.com
Response Time: Within 24 hours

Data Protection Officer

For complex privacy matters and compliance questions:

Email: dpo@cxokit.com
Phone: +1-800-CXO-RISK

Policy Updates

We may update this Privacy Policy periodically. Significant changes will be communicated via email and in-platform notifications. Continued use of CXOkit after policy updates constitutes acceptance of the new terms.