GRC Pocket Auditor - Privacy Policy

This Privacy Policy explains how NodeCypher Inc. ("NodeCypher", "we", "us", "our") handles information in connection with the GRC Pocket Auditor mobile app (the "App") and our website at https://nodecypher.com (the "Site").

Plain-English summary: The App runs on your device. Your audit answers, scores, and results are stored only on your device and are never sent to us. The App has no account, and we do not collect your name or email through it. The limited information we or our providers handle is described below.

1. Who we are

NodeCypher Inc., 9580 Yonge St, Unit 9, Richmond Hill, Ontario, Canada. For any privacy question or request, contact privacy@nodecypher.com. Our Data Protection Officer can be reached at dpo@nodecypher.com.

2. Information stored only on your device (not collected by us)

• Your audit responses, readiness scores, and gap results are stored locally on your device. They are not transmitted to or stored by us — we have no server that receives them and cannot see them.
• PDF snapshots you generate are created on your device.
• Answer backup files you export are created by you and shared to a destination you choose; we do not receive them.
• Uninstalling the App or clearing its data deletes this information from your device.

3. Information we or our providers process

(a) Purchase information. In-app purchases are processed by the Apple App Store or Google Play and by our entitlement provider, RevenueCat. These providers process purchase and receipt data and assign an anonymous app-user identifier to manage your unlocks and the "restore purchases" feature. We receive purchase status linked to that anonymous identifier — we do not receive your name, email, or payment-card details. See the privacy policies of Apple, Google, and RevenueCat.

(b) Website and document-access logs. When you visit the Site or open a remediation-document link, our hosting provider automatically records standard technical information such as IP address, date/time, the page or file requested, and browser/device type. This is used to operate and secure the Service.

(c) Bookings and enquiries. If you book a consultation (via Cal.com) or contact us by email, we receive the information you provide (such as name, email, and message) to respond and deliver the service. Cal.com processes booking data per its own privacy policy.

(d) Usage analytics. The App currently does not use third-party usage analytics. If this changes, we will update this Policy and the App Store / Google Play data disclosures before collecting such data.

4. How we use information

• To provide and operate the App and Site, deliver purchased content, and enable restore-purchases.
• To respond to enquiries and provide any services you book.
• To secure, maintain, and improve the Service and prevent abuse.
• To comply with legal obligations.

5. Legal bases (UK GDPR / EU GDPR)

Where UK/EU data-protection law applies, we rely on: performance of a contract (providing the purchases/services you request); our legitimate interests (operating, securing, and improving the Service); consent (where required); and legal obligations. Where processing relies on consent, you may withdraw it at any time.

6. Sharing

We do not sell your personal data. We share limited data only with service providers acting on our behalf — Apple, Google, RevenueCat (purchases), Cal.com (bookings), and our hosting provider — and where required by law.

7. International transfers

Some providers (e.g., RevenueCat, Cal.com, hosting) may process data outside your country, including in the United States. Where required, such transfers are covered by appropriate safeguards such as Standard Contractual Clauses.

8. Retention

Device-stored data remains until you delete it or uninstall the App. Purchase records are retained by the stores/RevenueCat per their policies and as needed for support and legal/accounting requirements. Enquiry and booking data is kept only as long as necessary for its purpose and any legal requirements. Server logs are retained for a limited period for security and operations.

9. Your rights

Subject to applicable law (including UK/EU GDPR), you may have rights to access, correct, delete, restrict, or object to processing of your personal data, and to data portability. Because most of your information stays on your device and we operate without accounts, the personal data we hold about you is minimal. To make a request about data we hold, contact privacy@nodecypher.com. You also have the right to complain to a supervisory authority — in the UK, the Information Commissioner's Office (ICO).

US/California residents: you may have rights to know, delete, and opt out of the "sale" of personal information. We do not sell personal information. — confirm wording with counsel.

10. Children

The App and Site are intended for business use by adults and are not directed at children. We do not knowingly collect personal data from children.

11. Security

We use reasonable technical and organisational measures to protect information. The on-device design means your audit data is not exposed through our systems. No method of transmission or storage is completely secure.

12. Changes to this Policy

We may update this Policy. We will post the updated version with a new "Last updated" date and, where appropriate, update the in-app and store disclosures.

13. Contact

NodeCypher Inc., 9580 Yonge St, Unit 9, Richmond Hill, Ontario, Canada, dpo@nodecypher.com.