Privacy Policy

Last updated: 26 March 2026

Reinhold Technologies Ltd ("Reinhold", "we", "us", or "our") operates the Reinhold GRC platform at reinhold.io. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services.

1. Data We Collect

1.1 Account Information

When you create an account, we collect your name, email address, organisation name, and role. Authentication is handled by our identity provider, Clerk, which may collect additional authentication metadata (e.g., login timestamps, IP addresses).

1.2 Usage Data

We automatically collect information about how you interact with the platform, including pages visited, features used, browser type, device information, and IP address. This data is used to improve the service and diagnose issues.

1.3 Compliance Data

You may upload or connect third-party integrations that provide compliance evidence, risk assessments, policies, and audit records. This data is stored and processed solely to provide the GRC service you have requested.

1.4 Integration Data

When you connect external services (e.g., AWS, Okta, GitHub), we collect and store encrypted credentials and the evidence data those services return. Credentials are encrypted at rest and never exposed in plaintext after initial configuration.

2. How We Use Your Data

  • To provide, maintain, and improve the Reinhold platform
  • To authenticate your identity and manage your account
  • To collect and evaluate compliance evidence on your behalf
  • To generate reports, dashboards, and compliance assessments
  • To send service-related notifications (e.g., evidence collection alerts, account changes)
  • To respond to support requests and communicate with you
  • To detect, prevent, and address technical issues and security threats
  • To comply with legal obligations

3. Data Storage and Security

Your data is stored in PostgreSQL databases hosted by Neon (neon.tech), with encryption at rest and in transit. The application is served via Cloudflare Workers, providing edge-level DDoS protection and TLS termination. Integration credentials are encrypted using AES-256-GCM before storage.

We implement industry-standard security measures including role-based access control, row-level security, audit logging, and regular security assessments.

4. Third-Party Services

We use the following third-party services to operate the platform:

We do not sell your personal data to any third party. Data is shared with third parties only as necessary to provide the service or comply with legal requirements.

5. Cookies and Tracking

Reinhold uses strictly necessary cookies for authentication and session management. We do not use advertising cookies or third-party tracking pixels. Clerk may set additional cookies for authentication purposes.

6. Data Retention

We retain your account data for as long as your account is active. Compliance evidence and audit records are retained for the duration specified by your organisation's retention policy, or 7 years by default to meet common regulatory requirements. You may request earlier deletion subject to applicable legal obligations.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Request deletion of your personal data
  • Restrict or object to processing of your data
  • Receive your data in a structured, machine-readable format (data portability)
  • Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at privacy@reinhold.io. We will respond within 30 days.

8. International Transfers

Your data may be processed in jurisdictions outside your country of residence. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms.

9. Children's Privacy

Reinhold is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Reinhold Technologies Ltd
Email: privacy@reinhold.io