Privacy Policy

Last updated: April 15, 2026

At Chequr, we take your privacy seriously. This policy explains what data we collect, how we use it, and your rights.

1. Overview

Chequr, Inc. (“Chequr,” “we,” “our,” or “us”) builds an AI-native governance, risk, and compliance platform used by security and compliance teams to automate evidence collection, map controls, and monitor frameworks such as SOC 2, ISO 27001, HIPAA, and GDPR. Privacy is foundational to that mission: our customers trust us with sensitive audit data, and we treat our own practices with the same rigor we help them uphold.

This Privacy Policy applies to information we collect through the Chequr website, the Chequr product (including our dashboards, integrations, and APIs), and our sales and support communications. It covers data about visitors, prospects, customer administrators, and end users who access the platform on behalf of a Chequr customer.

When Chequr processes personal data on behalf of a customer, we act as a processor (or “service provider”) and our Data Processing Addendum governs that relationship. This policy primarily describes the data we process as a controller.

2. Information We Collect

We collect information in four broad categories. We aim to collect only what we need to deliver and improve the service.

Account information

When you create a Chequr account or request a demo, we collect your name, business email, company name, job title, and, where applicable, phone number. If you log in via an identity provider (such as Google Workspace or Okta), we receive basic profile information from that provider.

Usage data

We collect information about how you interact with Chequr, including pages visited, features used, clickstream events, timestamps, referring URLs, IP address, browser type, operating system, and device identifiers. This data helps us understand adoption, troubleshoot issues, and improve the product.

Integration data

Chequr integrates with systems like AWS, GitHub, Okta, Jira, and HR platforms to automatically collect evidence for compliance frameworks. When your organization authorizes an integration, we ingest configuration metadata, user lists, log summaries, and other artifacts relevant to the controls you're monitoring. We only request the scopes required for compliance use cases and document every data field we read in our integration catalog.

Cookies and tracking

We use cookies and similar technologies for authentication, session management, preference storage, analytics, and limited marketing attribution. You can manage non-essential cookies at any time via the cookie banner shown on your first visit or by revisiting your preferences link in the site footer. For more detail, see our Cookie Notice.

3. How We Use Your Information

We use the information we collect to operate, secure, and improve Chequr, and to communicate with customers and prospects. Specifically, we use it to:

  • Provide, maintain, and deliver the Chequr platform, including authenticating users, executing integrations, generating evidence, and rendering dashboards.
  • Improve our product by analyzing usage patterns, debugging errors, and training internal (non-customer-facing) models that help classify evidence and suggest control mappings.
  • Communicate with you about account activity, security events, product updates, educational resources, and (with your consent where required) marketing.
  • Comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.
  • Detect, investigate, and prevent fraud, abuse, and security incidents affecting Chequr or our customers.

We do not sell personal information, and we do not use customer data to train public or third-party AI models.

4. How We Share Information

We share information only as described below, and only with parties bound by appropriate confidentiality and security obligations.

  • Sub-processors. We use a limited set of vetted infrastructure and operational vendors (for hosting, email, analytics, and support). The current list is published at our sub-processors page, and we notify customers of material changes.
  • Legal requirements. We may disclose information when we believe in good faith that disclosure is required by law, regulation, legal process, or a valid governmental request. Where legally permitted, we notify affected customers.
  • Business transfers. If Chequr is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to the protections in this policy.
  • With your consent. We share information with third parties when you direct us to, such as when you connect a new integration or request a joint meeting with a partner.

5. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy or as required by law. Account and configuration data is retained for the life of your subscription. Evidence and audit artifacts follow retention windows you configure in the product, with a default of seven years to support typical audit cycles.

When a customer account is closed, we delete or anonymize customer data within 30 days of the end of the contract, unless a longer retention period is required by law or agreed to in writing. Individual users can request deletion of their personal data at any time using the mechanisms described under Your Rights.

Backups are purged on a rolling 35-day cycle; data contained in backup snapshots is deleted as those snapshots age out.

6. Your Rights

Depending on where you live, you may have rights over your personal data, including under the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA). These include the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete your personal data, subject to limited exceptions.
  • Port your data to another service in a machine-readable format.
  • Object to certain processing, including direct marketing.
  • Restrict processing while a dispute is resolved.

To exercise any of these rights, email privacy@chequr.com. We will verify your request and respond within the timeframes required by applicable law. If you are a user of a Chequr customer's instance, please also contact that organization, which is the controller of your data.

7. International Transfers

Chequr is headquartered in the United States, and our primary production infrastructure runs in AWS regions in the US and the EU. When we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to the US, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and the EU-US Data Privacy Framework where applicable.

Enterprise customers can elect EU data residency at provisioning time, in which case customer data remains in our EU region for storage and primary processing. We maintain up-to-date transfer impact assessments and supplement contractual measures with technical controls including encryption and strict access governance.

8. Security

We use industry-standard administrative, technical, and physical safeguards to protect your information. All customer data is encrypted in transit with TLS 1.2 or higher, and at rest using AES-256. Secrets are stored in hardware-backed key management and access is gated behind SSO with mandatory multi-factor authentication.

Chequr maintains SOC 2 Type II and ISO 27001 attestations, with audits performed annually by an independent CPA firm. We run continuous vulnerability scanning, quarterly penetration tests, and a documented incident response program. No system is perfectly secure, but we work every day to make ours as safe as we can — and we notify affected customers promptly if an incident materially impacts their data.

Security reports, penetration test letters, and our latest SOC 2 Type II are available to prospects and customers under NDA through the Chequr Trust Center.

9. Children's Privacy

Chequr is a business-to-business product and is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will delete it promptly. If you believe a minor has provided us personal information, please contact privacy@chequr.com.

10. Changes to This Policy

We may update this Privacy Policy as our practices evolve or as legal requirements change. When we make material changes, we will post a notice on this page, update the “Last updated” date above, and, for significant changes, notify account administrators by email at least 30 days before the change takes effect. Your continued use of Chequr after the effective date constitutes acceptance of the revised policy.

Prior versions of this policy are archived and available on request.

11. Contact Us

If you have questions about this policy or how we handle your data, please get in touch.

Questions about your data?

Our privacy team responds to every request personally.