Privacy Policy

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, company name, job title, and password (stored as a bcrypt hash). If you subscribe to a paid plan, we collect billing information through our payment processor, Stripe. We do not store credit card numbers on our servers.

1.2 Company Data

You may upload or enter data about your organization’s software licenses, contracts, vendors, users, and related information (“Company Data”). This data is stored within your isolated tenant environment and is not shared with other customers.

1.3 Usage Data

We automatically collect information about how you interact with the Service, including pages visited, features used, AI chat interactions, timestamps, browser type, device information, and IP address. This data is used to improve the Service and provide analytics.

1.4 AI Interaction Data

When you use our AI chat features, we process your queries and the AI-generated responses. Conversation memory is maintained to provide contextual, personalized assistance. AI interactions are processed through Anthropic’s Claude API and OpenAI’s embedding services.

2. How We Use Your Information

We use the information we collect to:

1. Provide, operate, and maintain the Service, including AI-powered license analysis and optimization recommendations.
2. Process transactions and manage your subscription.
3. Send transactional communications (account verification, password resets, billing notifications, contract renewal alerts).
4. Improve and develop the Service, including AI accuracy and tool performance.
5. Detect, prevent, and address security issues, fraud, and technical problems.
6. Comply with legal obligations.

We do not sell your personal information to third parties. We do not use your Company Data to train AI models for other customers.

3. Data Sharing and Third-Party Services

We share your information only in the following circumstances:

3.1 Service Providers

We use trusted third-party services to operate the platform. These providers are contractually obligated to protect your data:

• Amazon Web Services (AWS): Cloud infrastructure hosting, including compute (ECS Fargate), database (RDS PostgreSQL), caching (ElastiCache Redis), and object storage (S3).
• Anthropic: AI processing for our conversational interface (Claude API). Your queries are sent to Anthropic for processing but are not used by Anthropic to train their models under our API agreement.
• OpenAI: Embedding generation for semantic search capabilities (text-embedding-3-small model).
• Stripe: Payment processing for subscriptions. Stripe’s privacy practices are governed by their own privacy policy.
• Vercel: Frontend hosting and content delivery for licenseiq.net.
• Google Workspace: Business email services (@licenseiq.net).

3.2 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to protect the rights, property, or safety of LicenseIQ, our users, or the public.

3.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information becomes subject to a different privacy policy.

4. Data Security

We implement comprehensive security measures to protect your data:

• Encryption: Data is encrypted at rest (AES-256 via AWS) and in transit (TLS 1.2+).
• Multi-Tenant Isolation: Row-Level Security (RLS) ensures your data is completely isolated from other customers at the database level. Every query is filtered by your company identifier.
• Authentication: JWT-based authentication with 15-minute access tokens and 7-day refresh tokens. Passwords are hashed using bcrypt.
• Access Controls: Role-based access control (RBAC) with four permission levels: Admin, Manager, HR, and Employee.
• Audit Logging: All data access and modifications are logged with user identity, timestamp, and action details for compliance and forensic purposes.
• Rate Limiting: API endpoints are rate-limited to prevent abuse (5 requests/minute for authentication, 100 requests/minute for API calls).
• PII Detection: Automated scanning for personally identifiable information in uploaded documents with masking capabilities.

5. Data Retention

We retain your Company Data for as long as your account is active. After account termination, we retain your data for 30 days to allow for export, after which it is permanently deleted. Usage logs and analytics data may be retained in anonymized form for up to 24 months for service improvement purposes. Audit logs required for compliance are retained for the minimum period required by applicable regulations.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

6.1 GDPR Rights (EEA/UK Residents)

• Right of Access: Request a copy of your personal data.
• Right to Rectification: Request correction of inaccurate data.
• Right to Erasure: Request deletion of your personal data (“right to be forgotten”).
• Right to Portability: Receive your data in a structured, machine-readable format (JSON or CSV).
• Right to Object: Object to processing of your data for certain purposes.
• Right to Restrict Processing: Request limitation of processing in certain circumstances.

LicenseIQ supports these rights through built-in GDPR compliance endpoints. To exercise these rights, contact privacy@licenseiq.net or use the data management tools within your account settings.

6.2 California Residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request deletion of your personal information, opt out of the sale of personal information (note: we do not sell personal information), and not be discriminated against for exercising your privacy rights.

7. Cookies and Tracking

We use essential cookies for authentication and session management. We do not use advertising cookies or third-party tracking cookies. Our analytics are limited to first-party usage data necessary to improve the Service.

8. International Data Transfers

Your data is stored and processed in the United States (AWS us-east-1 region). If you access the Service from outside the United States, your information will be transferred to the US. We implement appropriate safeguards for international data transfers as required by applicable law.

9. Children’s Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will take steps to delete that information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before the changes take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related inquiries or to exercise your data rights: