Guardara AI

Privacy Policy

Last updated: March 15, 2026

1. Introduction

Guardara AI, Inc. ("Guardara AI," "we," "us," or "our") operates the Guardara AI platform at www.guardara.ai (the "Service"), a compliance automation platform that helps organizations achieve and maintain security certifications including SOC 2, ISO 27001, NIST 800-53, and other regulatory frameworks. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service.

By accessing or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect the following personal information:

  • First and last name
  • Work email address
  • Password (stored in hashed form only; we never store plaintext passwords)
  • Organization name
  • Mailing address (optional)
  • Phone numbers — primary mobile, secondary mobile, and home phone (optional)

2.2 Billing Information

Payment processing is handled entirely by Stripe, Inc. We do not store credit card numbers, bank account details, or other sensitive payment information on our servers. We retain only a Stripe customer identifier and subscription identifier to manage your account.

2.3 Compliance and Organizational Data

In the course of using the Service, you may upload or generate the following types of data:

  • Policy documents (generated by AI or uploaded manually)
  • Evidence files (screenshots, configuration exports, logs, certificates)
  • Audit cycle information (dates, audit firm names, notes)
  • Control mappings and artifact metadata
  • Chat session transcripts from the AI Audit Q&A Assistant
  • Custom control definitions and execution results

2.4 Cloud Integration Data

When you connect cloud accounts (AWS, Microsoft Azure, or Google Cloud Platform), we collect and process the following:

  • OAuth tokens — For Azure and GCP, we store encrypted OAuth 2.0 access tokens and refresh tokens to maintain authorized access to your cloud resources. Tokens are encrypted at rest using AES-256 encryption.
  • IAM Role ARN and External ID — For AWS, we store the cross-account IAM role ARN and external ID used for secure role assumption. No long-term AWS access keys are stored.
  • Cloud resource metadata — We collect read-only compliance findings from your cloud accounts, including security posture data, policy compliance status, resource configurations, and security alerts. We do not modify, create, or delete any resources in your cloud accounts.
  • Project and subscription identifiers — GCP project IDs, organization IDs, Azure tenant IDs, and subscription IDs used to scope compliance scans.

2.5 Usage and Analytics Data

We automatically collect certain information about how you interact with the Service, including:

  • AI token consumption (LLM tokens, VM tokens, and third-party API tokens)
  • Feature usage patterns (which features you use and how frequently)
  • Browser type, operating system, and device information
  • IP address and approximate geographic location
  • Pages visited and actions taken within the Service
  • Timestamps of account activity

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service delivery — To provide, maintain, and improve the Guardara AI platform, including AI-powered policy generation, compliance scanning, and audit preparation features.
  • Account management — To create and manage your account, process subscription payments, and provide customer support.
  • Cloud compliance scanning — To connect to your authorized cloud accounts and collect read-only security and compliance data for analysis and reporting.
  • AI processing — To generate policy documents, analyze compliance gaps, answer audit-related questions, and execute custom control checks using large language models.
  • Usage metering — To track AI token consumption against your subscription plan limits and send usage alerts when you approach your allocation.
  • Communications — To send transactional emails including password reset links, email verification, and token usage alerts. We use Resend as our email service provider.
  • Security — To detect, prevent, and respond to fraud, abuse, and security incidents.
  • Legal compliance — To comply with applicable laws, regulations, and legal processes.

4. Data Sharing and Third-Party Services

We do not sell your personal information. We share data with the following categories of third-party service providers, solely to operate and improve the Service:

Service ProviderPurposeData Shared
Stripe, Inc.Payment processingEmail, name, payment method details
ResendTransactional email deliveryEmail address, name
AI / LLM ProvidersPolicy generation, compliance analysis, Q&APrompts containing compliance context (anonymized where possible)
Cloud Providers (AWS, Azure, GCP)Compliance data collectionOAuth tokens / IAM role credentials (used to read your own data)
Hosting InfrastructureApplication hosting and data storageAll Service data (encrypted in transit and at rest)

We may also disclose your information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

5. Cloud Integration Security

We take the security of your cloud integrations seriously. Our approach follows the principle of least privilege:

  • Read-only access — All cloud integrations request only read-only permissions. We never modify, create, or delete resources in your cloud accounts.
  • OAuth 2.0 — Azure and GCP connections use industry-standard OAuth 2.0 authorization code flows. You authorize access through your cloud provider's consent screen, and you can revoke access at any time from your provider's console.
  • IAM Role Assumption — AWS connections use cross-account IAM role assumption with unique external IDs. No long-term access keys are stored.
  • Token encryption — All OAuth tokens are encrypted at rest using AES-256 encryption before storage in our database.
  • Automatic token refresh — Access tokens are automatically refreshed before each scan to minimize the window of valid credentials.
  • Revocable at any time — You can disconnect any cloud integration from the Guardara AI dashboard, or revoke access directly from your cloud provider's console.

6. Data Retention

We retain your personal information and compliance data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data — Retained for the duration of your account. Upon account deletion, personal information is removed within 30 days.
  • Compliance data — Policy documents, evidence files, and audit records are retained for the duration of your subscription. You may delete individual items at any time.
  • Cloud evidence — Compliance findings from cloud scans are retained until you delete them or disconnect the integration.
  • Chat transcripts — AI Q&A session transcripts are retained for the duration of your account.
  • Usage logs — Token usage logs are retained for 12 months for billing and analytics purposes.
  • Backup copies — Encrypted backups may persist for up to 90 days after data deletion.

7. Data Security

We implement industry-standard security measures to protect your data, including:

  • TLS/SSL encryption for all data in transit
  • AES-256 encryption for sensitive data at rest (including OAuth tokens and credentials)
  • Bcrypt password hashing with salting
  • Secure session management with HTTP-only cookies and JWT tokens
  • Role-based access control (RBAC) with organization-level data isolation
  • Regular security assessments and vulnerability scanning
  • Audit logging of all sensitive operations

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly notifying affected users in the event of a data breach.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

8.1 General Data Protection Regulation (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the right to:

  • Access — Request a copy of the personal data we hold about you.
  • Rectification — Request correction of inaccurate or incomplete data.
  • Erasure — Request deletion of your personal data ("right to be forgotten").
  • Restriction — Request that we restrict processing of your data.
  • Portability — Request a machine-readable copy of your data.
  • Objection — Object to processing based on legitimate interests.
  • Withdraw consent — Withdraw consent at any time where processing is based on consent.

8.2 California Consumer Privacy Act (CCPA)

If you are a California resident, you have the right to:

  • Know — Request disclosure of the categories and specific pieces of personal information we have collected.
  • Delete — Request deletion of your personal information.
  • Opt-out — Opt out of the sale of personal information. Note: we do not sell personal information.
  • Non-discrimination — Exercise your rights without discriminatory treatment.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

9. Cookies and Tracking Technologies

We use the following cookies and similar technologies:

  • Session cookies — Essential cookies required for authentication and maintaining your logged-in state. These are HTTP-only, secure cookies that cannot be accessed by JavaScript.
  • Preference cookies — Used to remember your settings, such as theme preference (light/dark mode).
  • Analytics cookies — Used to understand how you interact with the Service and to improve user experience.

You can control cookie preferences through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that differ from those in your jurisdiction. We implement appropriate safeguards, including standard contractual clauses approved by the European Commission, to ensure that your data is protected in accordance with this Privacy Policy.

11. Children's Privacy

The Service is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately and we will take steps to delete such information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes, we will also send an email notification to the address associated with your account. Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your data protection rights, please contact us:

Guardara AI, Inc.

Email: [email protected]

Website: www.guardara.ai

© 2026 Guardara AI, Inc. All rights reserved.

Privacy Policy·Terms of Service·Home