Privacy Policy
This Privacy Policy explains how My Compliance Citadel, LLC (“My Compliance Citadel”, “we”, “us”) collects, uses, discloses, and protects personal data in connection with the my-cc.io AI Agent Trust Citadel platform (the “Service”). This policy applies to website visitors, prospective customers, paying customer organizations, authorized partner organizations, and end-users of partner-deployed instances.
If you are processing personal data under the GDPR or the UK GDPR through the Service, My Compliance Citadel acts as the data processor on your behalf. The customer organization (or the partner’s end-client organization, where applicable) is the data controller. This policy explains both roles.
1. Data We Collect
1.1 Account and Subscription Data
- Organization name, business email address, primary contact name and role
- Subscription tier, agent count, payment status, billing interval
- Stripe customer reference and subscription identifiers (we do not store payment card details — those remain with Stripe, Inc.)
- For partner accounts: partner organization name, contact, and the list of sub-organizations the partner has provisioned
1.2 Agent Telemetry (Customer Data)
When you install the My Compliance Citadel runtime SDK or governance proxy, the Service receives metadata describing the actions taken by each governed AI agent. This includes:
- The action type, tool name, and decision outcome (allow / require approval / deny)
- The compliance categories matched against the action
- A SHA-256 digest of the action input (never the raw input by default)
- Pseudonymized data-subject identifiers (per HIPAA §164.528 disclosure accounting and FERPA §99.32 record-of-disclosures requirements). Pseudonymization uses a per-tenant pepper, so cross-tenant collision is structurally impossible.
- Pseudonymized recipient identifier and transport mechanism (where applicable)
- Timestamp and chain-signature linking the event into the immutable audit ledger
Raw input content is processed by the SDK locally, redacted using the active PII Shield rules, and then either dropped or tagged before any telemetry leaves the customer’s runtime. My Compliance Citadel’s endpoints never receive raw personal data unless the customer has explicitly disabled the PII Shield for a specific category and has accepted the resulting compliance posture in writing.
1.3 Site Telemetry
- Cookies and similar technologies on the marketing site for analytics (Google Analytics) and load balancing. We do not use cross-site advertising cookies.
- Server access logs (IP address, user agent, request path) retained for thirty days for security analysis.
2. How We Use Data
We process personal data for the following purposes:
- To provide, operate, and support the Service
- To bill customers via Stripe for paid subscriptions
- To detect and prevent fraud, abuse, and security incidents (including rate-limiting and anomaly detection)
- To produce aggregated, de-identified analytics about platform usage
- To comply with our legal obligations and respond to lawful requests
We do not sell personal data. We do not use Customer Data to train any AI model.
3. Legal Bases (GDPR / UK GDPR)
| Purpose | Legal basis |
|---|---|
| Providing the Service to a customer organization | Contract (Art. 6(1)(b)) |
| Processing telemetry as a processor on the customer’s instructions | Processor under Art. 28; controller’s legal basis flows through |
| Billing, fraud prevention, security | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance (e.g., responding to regulators) | Legal obligation (Art. 6(1)(c)) |
| Marketing communications to existing customers | Legitimate interest, with opt-out |
| Marketing communications to prospects | Consent (Art. 6(1)(a)) |
4. How We Share Data
We share personal data only with:
- Subprocessors: third-party infrastructure providers under a written data processing agreement. Current subprocessors: Railway (hosting), Cloudflare (DNS and TLS), Stripe (payments), Resend (transactional email), Google Workspace (internal email and collaboration).
- Partner organizations: where a customer has been provisioned by a partner under the Partner Program, the partner has visibility into the sub-organization’s billing posture, agent count, and aggregate TAC Score (Trusted Agent Citascore). The partner does not have access to the sub-organization’s raw audit chain events unless the sub-organization explicitly grants that access.
- Authorities: where required by law, subject to challenging unlawful or overbroad requests.
- In a merger, acquisition, or asset sale: subject to advance notice and continued compliance with this policy.
5. International Transfers
My Compliance Citadel operates primarily from the United States. When personal data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to the United States, transfers are protected by the Standard Contractual Clauses (2021 Commission Implementing Decision (EU) 2021/914) and supplementary technical measures including tenant-isolated encryption at rest and in transit. A customer-facing Data Processing Addendum incorporating the SCCs is available on request to [email protected].
6. Retention
Data retention is driven by the customer’s active compliance packs:
- HIPAA: six years from the date of the audit event
- SOX: seven years from the date of the audit event
- GDPR: until the data subject requests deletion, subject to legal hold
- Default (no specific pack active): seven years from the date of the audit event
- Account and subscription data: for the duration of the subscription plus seven years
- Site server logs: thirty days
Customers may export the full audit chain at any time during their subscription. On termination of the subscription, we delete personal data after the legally required retention period elapses or upon written request from the controller, whichever is later.
7. Your Rights
Depending on your jurisdiction, you may have rights to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete personal data
- Request deletion of your personal data, subject to retention obligations
- Restrict or object to certain processing
- Receive a portable copy of your personal data
- Withdraw consent where processing is based on consent
- Lodge a complaint with your supervisory authority
If you are an end-user of a customer or partner organization, please direct rights requests to that organization first; we will support their fulfillment of your request.
To exercise any of these rights directly with My Compliance Citadel, contact [email protected]. We will respond within thirty days.
8. Security
We protect personal data with a layered security posture including:
- TLS 1.2+ for all data in transit; AES-256-GCM for data at rest, including a tenant-isolated key vault for sensitive secrets
- PostgreSQL row-level security on every multi-tenant table; cross-tenant access is rejected at the database level, not just at the application layer
- Three-tier API key hierarchy with absolute cross-tier isolation (Platform > Partner > Organization)
- Hash-chained immutable audit ledger with periodic integrity verification
- Quarterly penetration testing and continuous vulnerability scanning
- Mandatory two-factor authentication for all My Compliance Citadel administrative access
No system is perfectly secure. If we discover a personal data breach, we will notify affected customers within seventy-two hours, in line with GDPR Art. 33.
9. HIPAA-Specific Provisions
Where a customer processes Protected Health Information (PHI) through the Service, My Compliance Citadel can execute a Business Associate Agreement (BAA) prior to activation. The Service is designed to support HIPAA Security Rule Technical Safeguards (audit controls, integrity, transmission security) but does not constitute legal certification of HIPAA compliance. Customers remain responsible for their own administrative and physical safeguards.
10. Children
The Service is not directed at children under sixteen. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact [email protected] and we will delete it.
11. California Residents (CCPA / CPRA)
California residents have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate information, the right to limit use of sensitive personal information, and the right to opt out of sales or sharing. We do not sell personal information. We do not share personal information for cross-context behavioral advertising. To exercise your rights, contact [email protected].
12. Cookies
The marketing site uses essential cookies (session, CSRF protection) and analytics cookies (Google Analytics). You can refuse non-essential cookies through your browser settings. The dashboard at app.my-cc.io uses only essential cookies and localStorage for session management.
13. Changes
We may update this policy from time to time. Material changes will be communicated by email to the primary contact on every active subscription at least thirty days before the effective date. The most recent version is always available at /privacy.
14. Contact
Data Protection Officer: [email protected]
General privacy questions: [email protected]
Mailing address: My Compliance Citadel, LLC, Gainesville, Florida, USA
For EU and UK data subjects, our representative under GDPR Art. 27 / UK GDPR Art. 27 will be appointed prior to the first EU/UK customer activation; contact [email protected] for the current designation.