Privacy Policy
Last updated: 15 June 2026 · Draft — to be reviewed by counsel before relying on it commercially.
1. Who we are
GovernOS (the “Service”) is provided by GovernOS Ltd. We are the controller of personal data submitted directly to us (account holders) and a processor of personal data submitted by you about third parties (directors, shareholders, beneficial owners, etc.).
2. What we collect
- Account data: your name, email, role, hashed password, login activity.
- Tenant data: entities, people, ownership, documents, filings, meetings — everything you enter to use the Service.
- Usage data: logs, audit trail, performance and error telemetry.
- Billing data: plan, subscription status; payments processed by our payment provider (we do not store card numbers).
3. How we use it
To provide and improve the Service, to authenticate you, to bill, to communicate operationally (reminders, security notices), to comply with law, and to produce internal aggregate analytics.
4. Lawful bases (GDPR / UK GDPR / UAE PDPL)
Performance of the contract with you; our legitimate interests in running a secure, reliable service; consent where you have given it; and legal obligations.
5. Sub-processors
- Neon — managed Postgres hosting (data storage).
- Vercel — application hosting and CDN.
- Resend — transactional email.
- Anthropic — AI features that you explicitly invoke (e.g. document extraction, AI compliance review).
- DocuSign / Dropbox Sign — only when you connect your own licence and route signing through them.
- Stripe — payments (when you subscribe to a paid plan).
We require sub-processors to provide appropriate technical and organisational measures.
6. International transfers
Our sub-processors operate primarily in the EU, UK, and the United States. Transfers from the EEA / UK rely on Standard Contractual Clauses or other appropriate safeguards.
7. Retention
We retain your tenant data while your account is active and for up to 30 days after cancellation, during which you may export it. Audit logs may be retained longer where required by law. You may request earlier deletion at any time, subject to lawful retention obligations.
8. Security
Encryption in transit (TLS) and at rest; tenant isolation enforced at the application layer; secrets (e.g. connected DocuSign tokens) encrypted with AES-256-GCM; least-privilege access for our team. See the Security page.
9. Your rights
Subject to applicable law, you may access, correct, port or delete your personal data, withdraw consent, and lodge a complaint with a supervisory authority. To exercise these rights, email privacy@governos.co.
10. Cookies
See the Cookie Policy. We use a single httpOnly session cookie required for sign-in; we do not run third-party advertising trackers.
11. Children
The Service is not directed to children under 18.
12. Changes
Notice of material changes will be given at least 14 days before they take effect.
Privacy contact: privacy@governos.co.