Privacy Policy

1. Introduction

Rivellum LLC, a Texas limited liability company doing business as ThornGrade ("ThornGrade," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our website at thorngrade.com, scanner.thorngrade.com, and all associated subdomains, applications, and services (collectively, the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: Name, email address, company name, and password when you create an account.
• Assessment Responses: Answers to questionnaire questions, organization name, and other information you provide during the assessment process.
• Payment Information: Billing name, billing address, and payment card details. Payment card information is collected and processed directly by Stripe, Inc. and is never stored on our servers.
• Communication Data: Information you provide when contacting us via email, support requests, or other communications.
• Partner Information: If you join our affiliate or partner program: company details, tax information, payout preferences, and bank/payment account details.

2.2 Information Collected via Google OAuth (Scanner)

When you authorize the Google Workspace Security Scanner, we access the following data through Google's OAuth 2.0 API with read-only permissions:

• Google Drive: File sharing settings and permissions (public/shared files), file metadata (name, type, sharing status). We do NOT access file contents.
• Google Admin Directory: User list, organizational units, admin roles (for admin-authorized scans only).
• Google Marketplace Apps: List of installed third-party applications and their access scopes.

2.3 Information Collected Automatically

• Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
• Usage Data: Pages visited, time spent on pages, click patterns, assessment completion rates, and navigation paths.
• Cookies and Similar Technologies: See Section 7 (Cookie Policy) below.
• Referral Data: The URL that referred you to the Service, including affiliate or partner tracking identifiers.

3. How We Use Your Information

We use collected information for the following purposes:

3.1 Service Delivery

• Generate risk assessments, scores, and reports based on your responses
• Process payments and deliver purchased products
• Manage your account and provide customer support
• Perform Google Workspace security scans when authorized

3.2 Service Improvement

• Analyze usage patterns to improve the Service
• Develop new features, products, and services
• Generate de-identified, aggregated benchmarks and industry insights
• Train and improve our AI scoring models (using de-identified data only)

3.3 Communications

• Send transactional emails (purchase confirmations, reports, account updates)
• Send follow-up communications related to your assessment (if applicable to your tier)
• Send marketing communications (with your consent; you may opt out at any time)

3.4 Affiliate and Partner Program

• Track referrals and attribute sales to partners using cookies and referral identifiers
• Calculate and process partner commissions
• Provide partners with aggregated performance analytics (partners do NOT receive your individual assessment data unless you accessed the Service through their white-label portal)

3.5 Legal and Compliance

• Comply with legal obligations and respond to lawful requests
• Enforce our Terms of Service
• Protect against fraud, abuse, and unauthorized access
• Protect the rights, property, and safety of ThornGrade and its users

4. How We Share Your Information

We do NOT sell your personal information. We may share information in the following limited circumstances:

• Service Providers: We share information with trusted third-party providers who assist in operating the Service, including:
  • Stripe (payment processing)
  • Supabase (database and authentication)
  • Vercel (hosting and content delivery)
  • Google Cloud (OAuth APIs)
  • Email service providers (transactional emails)
  These providers are contractually obligated to use your information only as necessary to provide services to us.
• Partners (White-Label): If you access the Service through an authorized partner's white-label portal, that partner may have access to your assessment results and contact information as part of their client management. Your use of a partner portal is also subject to that partner's privacy policy.
• Aggregated/De-identified Data: We may share aggregated, de-identified data that cannot reasonably be used to identify you, for purposes including industry benchmarking and research publications.
• Legal Requirements: We may disclose information when required by law, regulation, legal process, or governmental request, including to comply with a subpoena or similar legal process.
• Business Transfers: In connection with a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or uses of your information.
• With Your Consent: We may share your information for any other purpose with your explicit consent.

5. Data Retention

• Account Data: Retained for as long as your account is active. Upon account deletion request, we will delete your data within 30 days, except as required for legal or compliance purposes.
• Assessment Data: Assessment responses and results are retained for 2 years to allow you to access historical assessments and track progress. You may request earlier deletion.
• Payment Data: Transaction records are retained for 7 years as required by tax and financial regulations. Payment card details are stored only by Stripe.
• Google Workspace Scan Data: Raw scan data is processed in-memory and not permanently stored. Aggregated findings in your report are retained per the Assessment Data policy above.
• Cookies: See Section 7 for cookie retention periods.
• Aggregated Data: De-identified, aggregated data may be retained indefinitely.

6. Data Security

We implement reasonable technical and organizational measures to protect your information, including:

• Encryption in transit (TLS 1.2+) and at rest
• Secure authentication with bcrypt password hashing
• Role-based access controls
• Regular security assessments of our own systems
• Use of SOC 2-compliant infrastructure providers (Supabase, Vercel, Stripe)
• OAuth tokens encrypted and not stored permanently

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. You use the Service at your own risk.

7. Cookie Policy

We use cookies and similar tracking technologies for the following purposes:

7.1 Essential Cookies

Required for the Service to function (authentication, session management, security). These cannot be disabled.

7.2 Analytics Cookies

Help us understand how users interact with the Service (page views, navigation patterns, feature usage). We may use third-party analytics providers.

7.3 Affiliate/Referral Tracking Cookies

When you arrive at the Service via an affiliate or partner referral link, a cookie is placed on your device to attribute your visit and any subsequent purchase to the referring partner. These cookies have a duration of 90 to 180 days depending on the partner tier. The cookie stores only a partner identifier and timestamp — it does NOT store personal information.

7.4 Managing Cookies

You can control cookies through your browser settings. Disabling cookies may limit your ability to use certain features of the Service. For affiliate tracking cookies, disabling them means referrals cannot be attributed to the partner who referred you.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

8.1 All Users

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate personal information
• Deletion: Request deletion of your personal information (subject to legal retention requirements)
• Data Portability: Request your data in a structured, machine-readable format
• Opt-Out of Marketing: Unsubscribe from marketing emails at any time using the link in any email

8.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know what personal information is collected, used, and shared
• Right to delete personal information
• Right to opt-out of the sale of personal information (note: we do not sell personal information)
• Right to non-discrimination for exercising your privacy rights
• Right to correct inaccurate personal information
• Right to limit use of sensitive personal information

To exercise these rights, contact us at privacy@thorngrade.com. We will respond within 45 days.

8.3 EU/EEA/UK Residents (GDPR)

If you are located in the European Union, European Economic Area, or United Kingdom, you have rights under the General Data Protection Regulation (GDPR) including:

• Right to access, rectification, erasure, and data portability
• Right to restrict or object to processing
• Right to withdraw consent at any time
• Right to lodge a complaint with a supervisory authority

Our legal basis for processing is: (a) performance of a contract (providing the Service), (b) legitimate interests (improving the Service, security), and (c) your consent (marketing, Google OAuth).

8.4 Mexican Residents (LFPDPPP)

If you are located in Mexico, you have rights under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), including ARCO rights (Access, Rectification, Cancellation, and Opposition). Contact us at privacy@thorngrade.com to exercise these rights.

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child, please contact us at privacy@thorngrade.com.

10. International Data Transfers

Your information may be transferred to and processed in the United States, where our servers and service providers are located. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in a country that may not provide the same level of data protection as your home country. By using the Service, you consent to such transfers.

For EU/EEA/UK users, we rely on Standard Contractual Clauses (SCCs) and/or adequacy decisions as appropriate legal mechanisms for international data transfers.

11. Do Not Track

Some browsers include a "Do Not Track" (DNT) feature. We currently do not respond to DNT signals because there is no industry standard for how to interpret and respond to DNT signals. We will update this policy if and when a standard is established.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a new "Last Updated" date and, where required by law, by providing additional notice (such as an email notification). We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact: