Privacy Policy
Last updated: April 22, 2026
Introduction
LukaGRC ("we," "our," or "us") is a Florida-based SaaS GRC platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. It applies to the lukagrc.com website and all Services accessed through it.
We are committed to treating your compliance data as your confidential information. Our contractual promises about data handling are in Section 6 of our Terms of Service. This Privacy Policy explains the corresponding privacy practices.
Information We Collect
Account Information
When you create an account, we collect:
- Name and email address
- Company name and subdomain (optional)
- Password hash (bcrypt with per-tenant salt + global pepper — we never see your plaintext password)
- Billing information: card details are collected and stored by Stripe, not us. We retain only the non-sensitive customer and subscription identifiers Stripe returns.
Compliance Data
To provide our services, you may upload or generate within the platform:
- Security policies, procedures, and standards
- Evidence artifacts (reports, screenshots, configuration exports)
- Risk registers, risk assessments, and findings
- Vendor assessments and TPRM correspondence
- Questionnaire responses and knowledge-base articles
- Incident, vulnerability, and change-control records
- Personnel data included in the above (names, titles, roles, access reviews)
Usage Information
We automatically collect:
- Log data (IP addresses, browser type, access times, pages visited, HTTP status codes)
- CDN and infrastructure access logs via CloudFront (retained 60 days in an encrypted S3 bucket with lifecycle expiry)
- Feature usage and interaction patterns
- Performance and error telemetry, including structured application logs
- AI request metadata (token counts, cost) used to enforce your plan's quota — content of AI prompts/responses is not aggregated for analytics
We process infrastructure logs solely for security monitoring, abuse prevention, billing accuracy, and service improvement. Our legal basis is our legitimate interest in operating a secure platform (GDPR Article 6(1)(f)) and, where applicable, performance of our contract with you (Article 6(1)(b)).
How We Use Your Information
We use your information to:
- Provide, operate, and maintain our platform
- Process AI-powered analysis and recommendations
- Improve and personalize your experience
- Send security or compliance notifications when legally required
- Respond to support requests
- Prevent fraud and ensure platform security
- Comply with legal obligations
AI Processing
LukaGRC uses AI to assist with document analysis, evidence classification, policy generation, questionnaire answering, and risk-register suggestions. AI inference runs within our AWS account via Amazon Bedrock using Anthropic Claude models.
We do not use your data to train AI models. Per Anthropic's Commercial API terms as delivered through AWS Bedrock, your prompts and the AI's responses are not used to train or improve Anthropic models. Your data does not leave our AWS environment for any training, product improvement, or analytics purpose with a third party.
AI inputs and outputs are logged within our own infrastructure for audit, abuse prevention, and billing accuracy, and are retained under the same deletion rules as the rest of your data (see Data Retention).
Data Security
We implement industry-standard technical and organizational security measures, including:
- Encryption at rest (AES-256, AWS-managed keys) and in transit (TLS 1.3)
- Logical multi-tenant isolation via mandatory tenant_id filter on every database query, enforced by code review and audit log
- HttpOnly + Secure + SameSite cookies for session auth
- Password hashing with bcrypt (cost 14) + global pepper; passwords checked against Have I Been Pwned at create and change time
- Optional MFA (TOTP + passkeys / WebAuthn), per-tenant IP allowlisting, single sign-on via AWS Cognito
- Audit chain on sensitive records using SHA-256 hash linking for tamper detection
- Rate limiting, honeypot fields, and abuse-prevention guards on public endpoints
- Cloud-hosted in AWS us-east-1 with CloudFront, WAF (AWS Managed Rules, SQLi, Known Bad Inputs, rate limiting), and encrypted EBS/S3 storage
- Security-headers snippet applied to all responses (HSTS with 2-year max-age + preload, frame-ancestors, nonce-based CSP, COOP/CORP, referrer policy)
Our current security posture is published at lukagrc.com/security.
Data Sharing
We do not sell your personal information. We may share data with:
- Sub-processors: We use the following sub-processors to operate the service. All are bound by data processing agreements:
  - Amazon Web Services (AWS) — cloud hosting, storage, and infrastructure (us-east-1)
  - Anthropic / AWS Bedrock — AI inference for GRC-related content generation and analysis
  - Stripe, Inc. — payment processing, subscription billing, invoice hosting, and tax calculation. Payment card data is collected and stored by Stripe directly and never touches our servers.
- Legal Requirements: When required by law, subpoena, or to protect our rights
- Business Transfers: In the event of a merger, acquisition, or sale of assets
All third-party providers are bound by confidentiality agreements and data processing agreements.
Data Retention
We retain your data for as long as your account is active. After account termination:
- You retain read-only access and the ability to export your data for 30 days
- We delete or anonymize primary copies of your tenant's personal data within 60 days of termination
- Encrypted RDS snapshots cycle off their 7-day retention schedule and are then purged
- CloudFront access logs age off after 60 days regardless of account status
- Audit-log records may be retained longer where required by law or to investigate fraud
You can request deletion of personal data at any time by emailing hello@lukagrc.com. We will honor verified requests within 30 days.
Your Rights
Depending on your location, you may have rights under GDPR (EU/UK), CCPA/CPRA (California), or other privacy laws, including:
- Access: receive a copy of the personal data we hold about you
- Correction: have inaccurate data corrected
- Deletion: request erasure ("right to be forgotten")
- Restriction / Objection: limit or object to certain processing
- Portability: receive your data in a structured, machine-readable format
- Withdraw consent where processing is based on consent
- Non-discrimination for exercising your rights (CCPA)
- Lodge a complaint with your local supervisory authority (GDPR)
To exercise these rights, email hello@lukagrc.com. We will verify your identity before acting on requests involving personal data. We respond to requests within 30 days. There is no fee for reasonable requests.
Do Not Sell / Share My Personal Information: We do not sell or share (as those terms are defined under CCPA/CPRA) your personal data — there is nothing to opt out of, but you may still contact us to confirm this applies to your account.
International Data Transfers
LukaGRC is operated from the United States (Florida-based LLC, AWS us-east-1 infrastructure). If you access the Service from the EU, UK, or another region with data-transfer restrictions, your data is transferred to the United States for processing.
For such transfers we rely on:
- EU Standard Contractual Clauses (SCCs, 2021 revision) available in our DPA
- UK International Data Transfer Addendum where applicable
- Supplementary measures including encryption, strict access controls, and transparent sub-processor disclosure
Cookies and Tracking
We use a minimal set of first-party cookies:
- Session cookie (lukagrc_session) — required for login; HttpOnly, Secure, SameSite=Strict, 24-hour expiry
- CSRF/session tokens as needed by authentication flows
- Theme preference (light/dark) — localStorage, not a cookie
We do not use advertising, behavioral tracking, or cross-site tracking cookies. The public marketing site may load Google Analytics; the authenticated application does not. You can control cookie settings in your browser, though disabling session cookies prevents you from logging in.
Children's Privacy
LukaGRC is a B2B service and is not directed to individuals under 18. We do not knowingly collect information from children. If you believe we have inadvertently collected data from a minor, contact us and we will delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. The current version is always available at this URL with the "Last Updated" date at the top. Continued use of the platform after the effective date of any change constitutes acceptance of the revised policy. We do not commit to actively notifying customers of changes outside of legally required notifications.
Contact Us
For privacy-related questions or to exercise your rights:
Email: hello@lukagrc.com