Privacy Policy

Effective date: 2026-05-24 · Last updated: 2026-05-24 · Operator: My Compliance Citadel, LLC

This Privacy Policy explains how My Compliance Citadel, LLC (“My Compliance Citadel”, “we”, “us”) collects, uses, discloses, and protects personal data in connection with the my-cc.io AI Agent Trust Citadel platform (the “Service”). This policy applies to website visitors, prospective customers, paying customer organizations, authorized partner organizations, and end-users of partner-deployed instances.

If you are processing personal data under the GDPR or the UK GDPR through the Service, My Compliance Citadel acts as the data processor on your behalf. The customer organization (or the partner’s end-client organization, where applicable) is the data controller. This policy explains both roles.

1. Data We Collect

1.1 Account and Subscription Data

1.2 Agent Telemetry (Customer Data)

When you install the My Compliance Citadel runtime SDK or governance proxy, the Service receives metadata describing the actions taken by each governed AI agent. This includes:

Raw input content is processed by the SDK locally, redacted using the active PII Shield rules, and then either dropped or tagged before any telemetry leaves the customer’s runtime. My Compliance Citadel’s endpoints never receive raw personal data unless the customer has explicitly disabled the PII Shield for a specific category and has accepted the resulting compliance posture in writing.

1.3 Site Telemetry

2. How We Use Data

We process personal data for the following purposes:

We do not sell personal data. We do not use Customer Data to train any AI model.

3. Legal Bases (GDPR / UK GDPR)

PurposeLegal basis
Providing the Service to a customer organizationContract (Art. 6(1)(b))
Processing telemetry as a processor on the customer’s instructionsProcessor under Art. 28; controller’s legal basis flows through
Billing, fraud prevention, securityLegitimate interest (Art. 6(1)(f))
Legal compliance (e.g., responding to regulators)Legal obligation (Art. 6(1)(c))
Marketing communications to existing customersLegitimate interest, with opt-out
Marketing communications to prospectsConsent (Art. 6(1)(a))

4. How We Share Data

We share personal data only with:

5. International Transfers

My Compliance Citadel operates primarily from the United States. When personal data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to the United States, transfers are protected by the Standard Contractual Clauses (2021 Commission Implementing Decision (EU) 2021/914) and supplementary technical measures including tenant-isolated encryption at rest and in transit. A customer-facing Data Processing Addendum incorporating the SCCs is available on request to [email protected].

6. Retention

Data retention is driven by the customer’s active compliance packs:

Customers may export the full audit chain at any time during their subscription. On termination of the subscription, we delete personal data after the legally required retention period elapses or upon written request from the controller, whichever is later.

7. Your Rights

Depending on your jurisdiction, you may have rights to:

If you are an end-user of a customer or partner organization, please direct rights requests to that organization first; we will support their fulfillment of your request.

To exercise any of these rights directly with My Compliance Citadel, contact [email protected]. We will respond within thirty days.

8. Security

We protect personal data with a layered security posture including:

No system is perfectly secure. If we discover a personal data breach, we will notify affected customers within seventy-two hours, in line with GDPR Art. 33.

9. HIPAA-Specific Provisions

Where a customer processes Protected Health Information (PHI) through the Service, My Compliance Citadel can execute a Business Associate Agreement (BAA) prior to activation. The Service is designed to support HIPAA Security Rule Technical Safeguards (audit controls, integrity, transmission security) but does not constitute legal certification of HIPAA compliance. Customers remain responsible for their own administrative and physical safeguards.

10. Children

The Service is not directed at children under sixteen. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact [email protected] and we will delete it.

11. California Residents (CCPA / CPRA)

California residents have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate information, the right to limit use of sensitive personal information, and the right to opt out of sales or sharing. We do not sell personal information. We do not share personal information for cross-context behavioral advertising. To exercise your rights, contact [email protected].

12. Cookies

The marketing site uses essential cookies (session, CSRF protection) and analytics cookies (Google Analytics). You can refuse non-essential cookies through your browser settings. The dashboard at app.my-cc.io uses only essential cookies and localStorage for session management.

13. Changes

We may update this policy from time to time. Material changes will be communicated by email to the primary contact on every active subscription at least thirty days before the effective date. The most recent version is always available at /privacy.

14. Contact

Data Protection Officer: [email protected]
General privacy questions: [email protected]
Mailing address: My Compliance Citadel, LLC, Gainesville, Florida, USA

For EU and UK data subjects, our representative under GDPR Art. 27 / UK GDPR Art. 27 will be appointed prior to the first EU/UK customer activation; contact [email protected] for the current designation.