AutoSAM

Privacy Policy

Effective March 21, 2026 · v1.0 · Material changes will be communicated via email to active subscribers.

This Privacy Policy explains what information AutoSAM collects, how we use it, and what choices you have.

Data controller

For the purposes of the EU General Data Protection Regulation ("GDPR") and UK GDPR, the data controller is GovCertix LLC, a Virginia limited liability company with its principal office at 2461 Eisenhower Ave, Suite 200, Alexandria, VA 22314, United States. You may contact the data controller at privacy@autosam.io.

1. Information we collect

We collect account profile information (such as email and account metadata), usage and event telemetry, and service configuration data needed to provide monitoring, notifications, and billing.

2. How we use information

We use information to operate and secure the service, provide customer support, process billing, deliver product communications, and improve platform performance and reliability. Under GDPR Article 6, our lawful bases for processing are:

  • Service operation and delivery — Contract performance (Art. 6(1)(b))
  • Security and fraud prevention — Legitimate interest (Art. 6(1)(f))
  • Billing and tax compliance — Contract performance (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c))
  • Product communications — Legitimate interest (Art. 6(1)(f)) or consent (Art. 6(1)(a)), depending on the communication type
  • Analytics — Consent (Art. 6(1)(a)), collected via our cookie consent mechanism

3. Cookies and similar technologies

We use essential cookies for authentication and session security, analytics technologies to measure product usage, and functional telemetry to diagnose errors. Learn more at our cookie policy.

International data transfers

AutoSAM is operated from the United States. If you are located in the European Economic Area ("EEA"), United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States by our sub-processors listed in Section 4. These transfers are made pursuant to Standard Contractual Clauses ("SCCs") approved by the European Commission (Commission Implementing Decision (EU) 2021/914). PostHog, when operating in EU mode, stores EU user data within the European Union. You may request a copy of applicable SCCs by emailing privacy@autosam.io.

4. Data sharing and processors

We use trusted service providers under contractual safeguards. We do not sell your personal data. Our current sub-processors include:

  • Supabase — Database hosting and authentication (US)
  • Stripe — Payment processing and billing (US)
  • Resend — Transactional email delivery (US)
  • PostHog — Product analytics (EU, only with consent)
  • Sentry — Error monitoring and performance (US)
  • Vercel — Application hosting and CDN (US)
  • Upstash — Redis caching (US)

For a complete and versioned list of our sub-processors, see /legal/subprocessors.

5. Data retention

We retain data as needed to provide the service, comply with legal obligations, resolve disputes, and enforce agreements. Key retention periods:

  • Account data — retained while your account is active, deleted upon account deletion
  • Billing records — 7 years (IRS financial regulation requirement)
  • Audit logs — 365 days
  • Monitor run history — 30 days
  • Notification history — 90 days
  • API usage logs — 30 days

6. Security

We implement administrative, technical, and organizational safeguards designed to protect your data, including:

  • 256-bit TLS encryption for all data in transit
  • AES-256 encryption for data at rest
  • Row-level security (RLS) enforced at the database layer
  • Multi-factor authentication (MFA) support for all accounts
  • SOC 2 Type II compliant infrastructure providers (Supabase, Vercel)

For full details on our security practices and architecture, see our Security page.

7. Your choices and rights

You can manage account settings and some communication preferences in-product. Depending on your jurisdiction, you may have the following rights:

  • Access — Request a copy of your personal data (Settings → Account → Export Data)
  • Rectification — Request correction of inaccurate data
  • Erasure — Request deletion of your account and data (Settings → Account → Delete Account)
  • Portability — Receive your data in a structured, machine-readable format (ZIP export)
  • Objection — Object to processing based on legitimate interests
  • Restrict processing — Request limitation of processing under certain conditions
  • Withdraw consent — Withdraw consent for analytics/marketing cookies at any time (Settings → Cookies)

For CCPA/CPRA: California residents have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (effective January 1, 2023):

  • Right to know — Request disclosure of the categories and specific pieces of personal information collected
  • Right to delete — Request deletion of personal information we hold about you
  • Right to correct — Request correction of inaccurate personal information (email privacy@autosam.io)
  • Right to opt-out of sale — We do not sell personal data; see our Do Not Sell My Personal Information page
  • Right to limit use of sensitive personal information — California residents may request that we limit the use and disclosure of sensitive personal information (contact privacy@autosam.io)
  • Right to non-discrimination — We will not discriminate against you for exercising any of these rights

For any privacy request, contact privacy@autosam.io. We will respond to verified requests within 45 days.

California "Shine the Light": Under California Civil Code §1798.83, California residents may request disclosure of whether a business has shared personal information with third parties for their direct marketing purposes. AutoSAM does not share personal information with third parties for direct marketing purposes. If you have questions, contact privacy@autosam.io.

8. State privacy rights

In addition to CCPA rights for California residents described above, residents of the following states have specific privacy rights under their respective laws. To exercise any of these rights, contact privacy@autosam.io. We will respond to verified requests within 45 days.

| State | Law | Rights granted | How to exercise |
|---|---|---|---|
| Virginia | Virginia Consumer Data Protection Act (VCDPA) | Access, delete, correct, opt-out of sale/targeted advertising, data portability | Email privacy@autosam.io — 45-day response |
| Colorado | Colorado Privacy Act (CPA) | Access, delete, correct, opt-out of sale/targeted advertising, data portability | Email privacy@autosam.io — 45-day response |
| Texas | Texas Data Privacy and Security Act (TDPSA) | Access, delete, correct, opt-out of sale/targeted advertising, data portability | Email privacy@autosam.io — 45-day response |
| Connecticut | Connecticut Data Privacy Act (CTDPA) | Access, delete, correct, opt-out of sale/targeted advertising, data portability | Email privacy@autosam.io — 45-day response |
| Nevada | Nevada SB 220 | Right to opt out of the sale of covered information | Email privacy@autosam.io — 45-day response |

If your state is not listed above but has enacted a consumer privacy law, you may still contact privacy@autosam.io to submit a privacy request.

9. Do not sell statement

AutoSAM does not sell personal data. For additional requests related to this statement, see Do Not Sell My Personal Information.

10. Children's privacy

AutoSAM is a business-to-business service and is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe that a minor has provided personal data to AutoSAM, please contact us at privacy@autosam.io and we will promptly delete such information.

11. Your right to lodge a complaint

If you are a resident of the EU/EEA and believe that AutoSAM has processed your personal data unlawfully, you have the right to lodge a complaint with your national data protection supervisory authority. A list of EU Data Protection Authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.

12. Policy changes

We may update this Privacy Policy over time. Material updates will be reflected on this page with an updated effective date.

© 2026 GovCertix LLC. All rights reserved.

AutoSAM is a software tool — not a CMMC C3PAO, RPO, law firm, CPA firm, or contracting agency. Outputs are informational; you remain the gatekeeper. Read our Terms, Privacy Policy, and AUP.

Legal docs v1.0.0; last reviewed 2026-05-13.

AutoSAM is not affiliated with, endorsed by, or operated by SAM.gov, the System for Award Management, the General Services Administration (GSA), or the United States government.