How PostureKit handles personal information.

This privacy policy explains how PostureKit handles personal information for people who visit the website, create or use a PostureKit account, participate in research, respond to questionnaire requests, receive shared questionnaire results, or contact us for support.

PostureKit is a questionnaire-led compliance posture and assurance platform. It helps organisations complete, request, snapshot, and share point-in-time security assurance responses. PostureKit is not an evidence repository, certification authority, real-time monitoring tool, or automated remediation service.

We collect information you or your organisation provide when using the app, including account details, organisation membership details, role and permission information, organisation domains, invitation and request recipient email addresses, questionnaire answers, optional internal notes, review and approval records, shared questionnaire snapshot records, vendor register entries, risk register entries, research form responses, consent records, and support messages.

We also collect limited operational information needed to run and secure the service, including audit events, authentication and session-related records from Clerk, rate-limit records based on hashed request traits, bounded user-agent information for public research submissions, timestamps, notification delivery records, and security reports such as Content Security Policy violation reports.

We do not intentionally collect or store evidence files, screenshots, certifications, policy documents, audit reports, logs supplied as evidence, or other sensitive evidence artefacts. Please do not enter sensitive evidence content into notes, forms, or support messages unless we have separately agreed a secure handling process.

We collect information directly from you when you create an account, join or administer an organisation, complete questionnaires, add vendor or risk records, submit research forms, accept questionnaire requests or shared results, invite members, send questionnaire requests, or contact us.

Some information is generated automatically as part of operating the service, such as audit events, security logs, notification delivery status, and rate-limit records. Authentication information is handled through Clerk. Transactional emails are sent through Resend. Application data is stored in a secured Neon Postgres database.

We use personal information to provide and secure PostureKit, authenticate users, manage organisations and memberships, enforce permissions, maintain tenant isolation, process questionnaire requests and submissions, create point-in-time snapshots, manage trust sharing, operate vendor and risk registers, send transactional notifications, respond to support requests, improve reliability, prevent abuse, maintain audit trails, and comply with legal or security obligations.

Research responses are used for product discovery and are kept separate from tenant-owned assurance records. Research routes are public so prospective interviewees and survey respondents can provide feedback without creating a PostureKit account.

PostureKit does not use advertising pixels, cross-site tracking, or individual behaviour profiling.

We use Vercel Web Analytics and Vercel Speed Insights to understand broad site usage and performance. Vercel Web Analytics stores anonymized data and does not use cookies. Vercel Speed Insights reports anonymous web performance measurements, such as Web Vitals, route, browser, device type, device operating system, network speed, country, SDK information, and event time. These tools are used to monitor site health and performance, not to identify individual visitors.

We disclose information only as needed to operate PostureKit, provide requested workflows, protect the service, or meet legal obligations. This may include disclosure to service providers that support hosting, database storage, authentication, transactional email, observability, security, and support operations.

Current core service providers include Vercel for hosting, analytics, speed insights, and scheduled jobs; Neon for database hosting; Clerk for authentication and user management; and Resend for transactional email.

Trust sharing discloses only completed questionnaire snapshot information that an authorised organisation member explicitly shares. A trust share does not grant access to the sender's tenant, private notes, future submissions, vendor records, risk records, evidence files, or internal assurance material.

PostureKit is designed with security as a product requirement. We use authenticated access, protected-by-default application routes, server-side authorization, organisation roles, tenant-scoped database access, PostgreSQL row-level security, audit events, hashed high-entropy tokens for invitation and request flows, rate limits for abuse-prone actions, same-origin checks for state-changing public form submissions, and strict browser hardening headers.

No internet service can guarantee absolute security. If we become aware of a security incident affecting your personal information, we will assess it and take appropriate steps in line with applicable obligations.

We keep personal information for as long as needed to provide the service, maintain auditability of assurance workflows, comply with legal obligations, resolve disputes, prevent abuse, and support legitimate security and operational needs.

Point-in-time questionnaire snapshots, audit events, membership history, shared-result records, and security-relevant workflow records may be retained to preserve the integrity of assurance decisions. If your organisation needs data deleted, corrected, exported, or retained for a specific period, contact us so we can assess the request against account, security, and legal requirements.

You may contact us to request access to, correction of, or deletion of personal information associated with you. We may need to verify your identity and your authority to act for an organisation before responding.

Some records may be controlled by your organisation rather than by you individually. Some records may also need to be retained for security, audit, legal, or legitimate operational reasons.

PostureKit uses cloud service providers to host and operate the service. Your information may be processed or stored in countries where those providers operate infrastructure or support functions.

We choose providers and product patterns that support secure operation of a trust platform, including access controls, tenant isolation, and evidence-minimising design.

We may update this policy when our product, service providers, or information-handling practices change. The effective date at the top of this page shows when this policy was last updated.

For privacy questions, access or correction requests, deletion requests, or complaints, contact support@posturekit.app. We will review your request and respond as soon as reasonably practicable.