Privacy Policy
Effective date: June 6, 2026 · Last updated: June 6, 2026
Quick summary
- We collect what we need to run the Service — account details, the metadata Govern360 produces when you connect your systems, and basic operational and security logs.
- We do not sell personal data. Ever.
- We do not train AI models on your data. Prompts and AI responses evaluated by Govern360 are not retained as raw content and are not used for model training.
- You can see, correct, export, or delete your data. See “Your rights” below.
- We use a small set of named subprocessors — listed publicly at govern360.ai/subprocessors.
- This summary is provided for convenience only. It is not the legally binding version and is no substitute for the full text below, which governs.
1. Who this policy applies to
This policy applies to:
- Visitors to the Site (govern360.ai and its subdomains).
- Prospects who request a demo, start a trial, or otherwise communicate with us.
- Customers — organizations that have signed an order form or other agreement with AIVONS to use the Service.
- Authorized users — individuals authorized by a Customer to access the Service (for example, security engineers, GRC leads, administrators, and end users whose AI activity is subject to the Customer’s governance program).
For data we receive about an Authorized User from a Customer (e.g., user identity, session metadata, AI activity), the Customer is the data controller. We process that data as the Customer’s processor under our Customer Agreement and Data Processing Addendum (“DPA”).
2. Information we collect
2.1 Information you provide directly
- Contact information: name, work email address, employer/company, job title or role, and (if you choose) phone number.
- Trial and demo requests: the information you submit through our trial wizard or contact forms.
- Communications: emails, support tickets, and other communications you send us.
- Account credentials: identifiers used to authenticate to the Service. Passwords are stored only as salted hashes; we never store the plaintext.
2.2 Information we collect automatically when you use the Site or Service
- Usage data: pages viewed, features used, session timestamps, referring URLs, browser type, operating system, and approximate geographic location derived from IP address.
- Device and log data: IP addresses, user-agent strings, error reports, and security telemetry needed to operate and protect the Service.
- Cookies and similar technologies: see Section 11 below.
2.3 Information generated by the Service from your connected environment
When a Customer connects Govern360 to its environment (for example, via Microsoft Entra ID, Microsoft Purview, an AI gateway, a SASE provider, or a SIEM), we receive and generate:
- AI inventory metadata: identifiers of AI tools, agents, models, and integrations observed in the Customer’s environment.
- Governance events: policy evaluation outcomes (allowed, redacted, blocked), detector matches (by category, not raw content), agent attribution chains, token consumption metadata, and posture-score inputs.
- Configuration artifacts: enforcement-plane configuration objects (Purview specifications, Intune profiles, etc.) compiled from Customer policy intent and recorded as evidence.
- Audit and evidence records: the append-only evidence artifacts the Service produces for the Customer’s compliance reporting.
What we do not collect from your environment: Govern360 does not proxy AI traffic. It evaluates prompts and AI responses in-line on the Customer’s designated enforcement plane (browser extension, gateway, etc.) and retains the decision and structured metadata — not the raw prompt or response body. Where a Customer enables sampling for detector tuning, that sampling is opt-in, configurable, and scoped to redacted summaries.
2.4 Information from third parties
- Identity providers (e.g., Microsoft Entra ID, Google Workspace): when an Authorized User signs in via SSO, we receive identity attributes from the provider as authorized by the Customer.
- Sales and marketing tools: limited enrichment data (e.g., company size, public role) used solely to qualify and respond to inquiries.
- Subprocessors: operational data needed to deliver the Service (see subprocessor list).
3. How we use information
We use information for the following purposes. For users in the European Economic Area, the United Kingdom, and Switzerland, the GDPR/UK GDPR lawful basis is noted at the end of each item.
- To provide and operate the Service — including authentication, processing governance events, generating evidence, and delivering features described in our documentation. Lawful basis: performance of a contract.
- To secure and protect the Service — including monitoring for fraud, abuse, intrusion, denial-of-service activity, and other security events. Lawful basis: legitimate interest in security; legal obligations.
- To support our Customers — including troubleshooting issues, managing accounts, and providing professional services. Lawful basis: performance of a contract; legitimate interest.
- To improve the Service — including measuring feature usage, fixing bugs, and developing new capabilities. We use aggregated and de-identified information for this purpose; we do not use Customer Content to train AI models. Lawful basis: legitimate interest.
- To communicate with you — including responding to your inquiries, sending service announcements, and (with your consent where required) marketing communications you can opt out of at any time. Lawful basis: legitimate interest; consent where required.
- To comply with legal obligations and protect rights — including responding to lawful requests, enforcing our Terms of Service, and defending claims. Lawful basis: legal obligation; legitimate interest.
4. How we share information
4.1 Subprocessors and service providers
We share information with a limited set of subprocessors that help us deliver the Service (for example, cloud hosting, email delivery, error reporting, billing). Each subprocessor is bound by a written contract that restricts use of the information to providing services to us. Our current subprocessor list is published at govern360.ai/subprocessors and we notify Customers in advance of material changes as set out in the DPA.
4.2 Customers and their authorized users
Information about an Authorized User’s activity in the Service is visible to other Authorized Users in the Customer’s tenant in accordance with the Customer’s access controls (roles, group scoping, etc.). The Customer, not AIVONS, controls those access decisions.
4.3 Legal disclosures
We may disclose information if we believe in good faith that disclosure is required by law, regulation, legal process, or a governmental request; or to protect the safety, rights, or property of AIVONS, our Customers, our users, or the public. Where legally permitted, we will notify the affected Customer before disclosure.
4.4 Business transfers
If AIVONS is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction. The recipient will be bound by terms at least as protective as this Policy in respect of the transferred information.
4.5 What we do not do
We do not sell personal data. We do not share personal data for cross-context behavioral advertising. We do not use Customer Content to train AI models for ourselves or any third party.
5. International data transfers
AIVONS is based in the United States, and our infrastructure and subprocessors may process information in the United States and other countries. When we transfer personal data of EU/EEA, UK, or Swiss data subjects outside their jurisdiction, we rely on one or more lawful transfer mechanisms, which may include:
- European Commission Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, and the EU SCCs as recognized by the Swiss FDPIC.
- Additional technical and organizational safeguards, including encryption in transit and at rest, role-based access, and contractual restrictions on subprocessors.
6. How long we keep information
We retain personal data only as long as needed for the purposes described in this Policy, unless a longer retention period is required or permitted by law (for example, for tax, accounting, audit, or security purposes). Specific retention periods include:
- Account & contact information: for the duration of the Customer relationship plus a reasonable period thereafter to handle wind-down, audit, and dispute purposes (typically up to 24 months unless a longer period is required).
- Service usage and security logs: typically 13 months, retained to support security investigations and operational reliability.
- Compliance evidence artifacts: retained as configured by the Customer in the Service to meet the Customer’s own retention requirements (e.g., SOC 2, EU AI Act technical documentation).
- Marketing prospects: until you unsubscribe or for 24 months of inactivity, whichever comes first.
When information is no longer needed, we delete or de-identify it.
7. Security
We use industry-standard administrative, technical, and physical safeguards designed to protect information, including encryption in transit (TLS 1.2 or higher) and at rest, role-based access controls with mandatory multi-factor authentication for staff, network isolation per tenant, secret management with rotation, audit logging, and regular security reviews. Govern360 is architected to the SOC 2 Trust Services Criteria and ISO 27001; a SOC 2 attestation report and ISO 27001 certification are on our roadmap. No system can be guaranteed 100% secure; if we learn of a security incident affecting your information, we will notify affected parties in accordance with applicable law and our DPA.
8. Your rights and choices
Depending on where you live, you may have the following rights:
8.1 For all individuals
- Access: ask for a copy of the personal data we hold about you.
- Correction: ask us to correct inaccurate or incomplete personal data.
- Deletion: ask us to delete personal data we hold about you, subject to legal and contractual constraints.
- Portability: receive your personal data in a structured, commonly used, machine-readable format.
- Objection and restriction: object to or restrict certain processing.
- Withdraw consent: where processing is based on consent.
- Lodge a complaint with a supervisory authority in your jurisdiction.
8.2 EU/EEA, UK, and Swiss data subjects (GDPR / UK GDPR / FADP)
You have the rights listed above. To exercise them, contact us at privacy@aivons.com.
8.3 California residents (CCPA / CPRA)
Subject to the California Consumer Privacy Act as amended by the CPRA, California residents have the right to know what personal information we collect, sell, or share, the right to delete, the right to correct, the right to limit use of sensitive personal information, and the right to non-discrimination for exercising these rights. We do not sell personal information and we do not share personal information for cross-context behavioral advertising. To exercise your rights, contact privacy@aivons.com. You may also designate an authorized agent to act on your behalf, subject to identity verification.
8.4 If you are an Authorized User
If your data is processed by the Service because your employer or another organization (a Customer) directed us to, please direct your request to that Customer. We will support the Customer in responding.
8.5 How we verify requests
To protect you, we will verify your identity before responding to a rights request. We may ask for additional information to verify your identity proportionate to the sensitivity of the request.
9. Children’s privacy
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@aivons.com and we will delete it.
10. Automated decision-making
The Service evaluates events against Customer-configured policies and produces governance outcomes (e.g., a prompt may be redacted or blocked, an AI session may be flagged for review, a posture score may change). These outcomes are determined by Customer-defined rules and are reviewable in the Service. AIVONS itself does not make automated decisions that produce legal or similarly significant effects on individuals within the meaning of GDPR Article 22. Where a Customer configures the Service to produce outcomes that may have such effects on its Authorized Users, the Customer acts as controller for that processing (see Section 1).
11. Cookies and similar technologies
The Site uses a small number of cookies and similar technologies for the following purposes:
- Strictly necessary: keep you signed in, remember your preferences (e.g., expanded/collapsed navigation), and protect against fraud.
- Performance and analytics: measure how visitors use the Site so we can improve it. Where required by law, we use these only with your consent.
We do not use marketing or advertising cookies and we do not engage in cross-context behavioral advertising.
You can control cookies through your browser settings. Disabling some cookies may affect the Site’s functionality.
12. Changes to this policy
We may update this policy from time to time to reflect changes in our practices or for legal or operational reasons. If we make material changes, we will provide notice (for example, by updating the “Last updated” date above and, for Customers, through the Service or via email). Your continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes.
13. Contact us
Privacy questions, requests, and complaints:
AIVONS, Inc.
Attn: Privacy — Govern360
Email: privacy@aivons.com
General inquiries: info@aivons.com
Legal disclaimer. This document is provided for transparency about our practices and is not a substitute for legal advice. AIVONS reserves the right to update or modify this Policy at any time consistent with Section 12. If you have questions about how this Policy applies to your specific situation, please consult with qualified counsel.