Legal
Privacy Policy
Production trust surfaces should read like part of the platform: clear ownership, clear contacts, and a calm documentation standard.
Owner: CVERiskPilot LLC
Location: San Antonio, Texas
Last updated: April 28, 2026
Enterprise privacy terms
Enterprise customers may receive a DPA, subprocessor list, and security measures exhibit as part of the contract packet. Those signed terms control where they conflict with this public policy for the covered Services.
1. Scope
This Privacy Policy describes how CVERiskPilot LLC collects, uses, discloses, and protects personal information in connection with our website, hosted application, APIs, documentation, support, sales, and related services.
2. Information We Collect
We may collect account information, contact details, billing and subscription records, authentication metadata, device and usage data, support communications, uploaded files, vulnerability records, compliance evidence, ticket metadata, integration metadata, audit logs, and operational logs.
3. Customer Data
Customer Data is processed to provide the Services on behalf of Customer. Customer is responsible for ensuring it has the rights and notices required to submit Customer Data to the Services. Enterprise data-processing terms may be governed by a signed DPA.
4. How We Use Information
We use information to provide, secure, support, improve, monitor, and operate the Services; process payments; communicate with users; troubleshoot issues; prevent abuse; comply with law; and analyze product usage and reliability.
5. AI Processing
AI-assisted features may send prompts, vulnerability context, case details, and outputs to configured model providers. CVERiskPilot does not intentionally use Customer Data submitted through the Services to train third-party foundation models unless separately agreed in writing.
6. Disclosures
We may disclose information to service providers and subprocessors that support hosting, billing, AI inference, monitoring, analytics, email, security, and support; to Customer administrators; to customer-directed integrations; and when required by law or necessary to protect rights, safety, or security.
7. Security
We use administrative, technical, and organizational safeguards designed to protect information, including access controls, tenant scoping, encryption in transit, audit logging, secure credential handling, backup procedures, and vulnerability management practices. No system is perfectly secure.
8. Retention
We retain information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, support security, maintain backups, and keep legitimate business records. Customer Data deletion and return may be governed by a signed agreement.
9. Your Choices
Depending on your relationship with CVERiskPilot and applicable law, you may request access, correction, deletion, export, or restriction of personal information. Some requests must be directed to the Customer organization that controls the relevant account or data.
10. Restricted Data
Do not submit PHI, PCI cardholder data, classified information, export-controlled technical data, CUI, or other data requiring special contractual handling unless expressly authorized in a signed order form or SOW.
11. International Transfers
CVERiskPilot is based in the United States. If international transfer safeguards are required for an enterprise customer, the parties may address them in a DPA, Standard Contractual Clauses, UK transfer addendum, or another lawful transfer mechanism.
12. Changes
We may update this Privacy Policy from time to time. The updated version will be posted with a revised effective date. Material changes may be communicated through the Services or another reasonable notice method.
