Privacy Policy

Last updated: April 5, 2026

1. Introduction

Provisum Corp. ("Provisum", "we", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share personal data when you use the Provisum platform and visit our website at provisum.io.

We act as a data processor for Customer Data uploaded to the platform and as a data controller for website visitor data and account information.

2. Data We Collect

Account Information

When your organization creates accounts, we collect: name, email address, username, role assignment, and organization affiliation.

Customer Data (Processor Role)

Data you upload for role mapping, including: employee user IDs, department assignments, role names, permission sets, and organizational hierarchies. We process this data solely on your instructions to provide the Service.

Usage Data

We automatically collect: pages visited, features used, actions taken (audit log), session duration, browser type, and IP address. This data is used for security monitoring, service improvement, and support.

Website Visitor Data

When you visit provisum.io, we collect: name, email, company, and message content if you submit a contact or demo request form.

3. How We Use Your Data

  • Service delivery: Processing Customer Data to generate personas, map roles, analyze SOD conflicts, and manage approval workflows
  • AI processing: Customer Data is sent to our AI provider (Anthropic / Claude) for persona generation and role mapping suggestions. Data is transmitted securely and is not used to train AI models
  • Security: Monitoring for unauthorized access, enforcing rate limits, and maintaining audit trails
  • Communication: Sending platform notifications, security alerts, and service updates
  • Improvement: Analyzing usage patterns to improve the Service (aggregated, de-identified data only)

4. Legal Basis for Processing (GDPR)

  • Contract performance: Processing necessary to provide the Service per your subscription agreement
  • Legitimate interests: Security monitoring, fraud prevention, service improvement
  • Consent: Marketing communications and optional analytics (where applicable)
  • Legal obligation: Compliance with applicable laws and regulations

5. Data Sharing and Sub-Processors

We share personal data only with:

  • Supabase (database hosting): AWS us-east-1 region — stores all platform data
  • Vercel (application hosting): Serves the web application and API
  • Anthropic (AI provider): Processes Customer Data for AI-powered features. Data is not used for model training
  • Resend (email delivery): Sends transactional emails (invitations, notifications)
  • Sentry (error tracking): Captures application errors for reliability monitoring. May include minimal user context

We do not sell personal data. We do not share data with advertising networks.

6. Data Retention

  • Customer Data: Retained for the duration of your subscription plus 30 days for data export. Deleted upon request or 30 days after account termination
  • Audit logs: Retained for 2 years for compliance purposes, then automatically purged
  • Account information: Retained while the account is active. Anonymized upon deletion request
  • Website form submissions: Retained for 2 years for sales follow-up, then deleted

7. Data Security

We protect your data with:

  • Encryption at rest (AES-256-GCM) and in transit (TLS 1.2+)
  • Row-level security (RLS) ensuring tenant isolation at the database level
  • Role-based access control with least-privilege principles
  • Account lockout after 5 failed login attempts (5-minute cooldown)
  • Comprehensive audit logging of all data access and changes
  • Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
  • Database-backed rate limiting on API endpoints

For full details, see our Security Policy.

8. Your Rights (GDPR)

If you are in the EEA or UK, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten"). We support this via our data deletion API
  • Portability: Export your data in a structured, machine-readable format (CSV, Excel)
  • Restriction: Request we limit processing of your data
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent, withdraw at any time

To exercise these rights, contact hello@provisum.io. We will respond within 30 days.

9. International Data Transfers

Customer Data is stored in AWS us-east-1 (Virginia, USA) via Supabase. For transfers from the EEA/UK to the US, we rely on Standard Contractual Clauses (SCCs) and our sub-processors' compliance certifications.

Enterprise customers requiring EU-only data residency should contact us to discuss dedicated EU region deployment.

10. Cookies

The Provisum platform uses essential cookies for authentication (session JWT) and functionality (module context, demo preferences). We do not use advertising or tracking cookies.

The provisum.io website uses essential cookies only. No third-party analytics cookies are loaded without consent.

11. Data Processing Agreement

Enterprise customers can request a Data Processing Agreement (DPA) that covers our obligations as a data processor under GDPR Article 28. Contact hello@provisum.io or visit our DPA page.

12. Children's Privacy

The Service is not directed at individuals under 18. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification at least 30 days before taking effect.

14. Contact

For privacy inquiries: hello@provisum.io

Data Protection Officer: Available for Enterprise plan customers. Contact hello@provisum.io

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g., the UK ICO at ico.org.uk).