Privacy Policy

Victor Yax doing business as ControlNexus ("we," "us," or "our") operates the ControlNexus compliance tracking platform ("the Service"). This Privacy Policy explains how we collect, use, store, and protect your information when you use the Service.

By using the Service, you agree to the collection and use of information in accordance with this policy.

Account Information

When you create an account, we collect:

• Your name and email address
• Your organization name
• Your password (stored in hashed form — we never store plaintext passwords)

Usage Data

We collect information about how you use the Service, including:

• Pages visited and features used
• Actions taken within the Service (tracked in our audit log)
• Browser type and IP address

Content You Upload

We store files and data you upload to the Service, including:

• Evidence files attached to compliance controls
• Notes and implementation details
• Client organization information

Payment Information

Payment information is processed by Stripe. We do not store your credit card numbers. We retain your Stripe customer ID and subscription status to manage your account.

We use the information we collect to:

• Provide, operate, and maintain the Service
• Process subscription payments
• Send account-related emails (verification, password reset, subscription notifications)
• Respond to support requests
• Improve the Service
• Comply with legal obligations

We do not sell your personal information to third parties.

We do not use your data or uploaded content to train AI models.

Your data is stored on servers provided by Supabase, which operates infrastructure in the United States. We implement row-level security controls to ensure your data is logically isolated from other customers.

We use industry-standard encryption in transit (TLS) and at rest. Access to production data is restricted to authorized personnel only.

Despite these measures, no system is perfectly secure. We cannot guarantee absolute security of your data.

We retain your data for as long as your account is active. If you cancel your subscription and request account deletion, we will delete your data within 30 days, except where we are required by law to retain it longer.

Audit log entries are retained for the life of your account to support compliance and security purposes.

We use the following third-party services to operate the Service:

• Stripe — payment processing. Stripe's privacy policy: https://stripe.com/privacy
• Supabase — database and file storage. Supabase's privacy policy: https://supabase.com/privacy
• Cloudflare — content delivery and DDoS protection. Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/

These services may process your data in accordance with their own privacy policies.

We use essential cookies to maintain your session and keep you signed in. We do not use advertising cookies or third-party tracking cookies.

Depending on your location, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion of your data
• Export your data

To exercise any of these rights, contact us at victor.yax@controlnexus.io.

The Service is not directed at children under 18 years of age. We do not knowingly collect personal information from children.

If you believe we have inadvertently collected information from a child, contact us immediately.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the Service. The effective date at the top of this page reflects when the policy was last updated.

For questions about this Privacy Policy or to exercise your data rights, contact:

Victor Yax doing business as ControlNexus

Fort Collins, Colorado

victor.yax@controlnexus.io