Privacy Policy

Effective date: March 22, 2026 · Last updated: March 22, 2026

KweliTrak ("KweliTrak," "we," "us," or "our") operates the KweliTrak platform, including the kwelitrak.com website, web application, APIs, and any related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our Service. Please read this policy carefully. By accessing or using the Service, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Information You Provide to Us

We collect information that you voluntarily provide when you register for an account, create or modify your profile, use the Service, contact customer support, or otherwise communicate with us. This includes:

  • Account information: name, email address, password, organization name, and role.
  • Profile information: job title, phone number, profile photo, and communication preferences.
  • Assessment and audit data: client names, site addresses, contact information, infrastructure details, security findings, risk scores, compliance data, photos, documents, and any other content you enter into the platform.
  • Billing information: payment card details, billing address, and transaction history. Payment processing is handled by our third-party payment processor; we do not store complete credit card numbers on our servers.
  • Communications: messages sent through the Service, support requests, feedback, and survey responses.

1.2 Information Collected Automatically

When you access the Service, we automatically collect certain information, including:

  • Device and browser information: IP address, browser type and version, operating system, device type, screen resolution, and unique device identifiers.
  • Usage data: pages visited, features used, actions taken, timestamps, referring URLs, and session duration.
  • Location data: approximate geographic location based on your IP address.
  • Cookies and similar technologies: we use cookies, local storage, and similar tracking technologies to maintain sessions, remember preferences, and analyze usage patterns. See Section 7 below for more detail.

1.3 Information From Third Parties

We may receive information about you from third-party services that you integrate with KweliTrak, including RMM platforms, PSA tools, directory services (e.g., Active Directory, Azure AD), and payment processors. We may also receive information from publicly available sources and business data providers for account verification purposes.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and operate the Service: create and manage accounts, process assessments and audits, generate reports, enable collaboration, and deliver the client portal.
  • Improve and develop: analyze usage patterns to improve existing features, develop new capabilities, and optimize performance.
  • Communicate with you: send transactional emails (account confirmations, audit invitations, portal notifications), respond to inquiries, and provide customer support.
  • Billing and payments: process payments, manage subscriptions, and send invoices and receipts.
  • Security and fraud prevention: detect, investigate, and prevent unauthorized access, abuse, fraud, and other illegal activity.
  • Compliance: comply with applicable laws, regulations, legal processes, and enforceable governmental requests.
  • Marketing (with consent): send product updates, newsletters, and promotional communications. You may opt out at any time.
  • Aggregate analytics: generate anonymized, aggregated insights about platform usage, industry trends, and benchmarking data that does not identify individual users or their clients.

3. How We Share Your Information

We do not sell your personal information to third parties. We may share your information in the following circumstances:

  • Service providers: we share information with third-party vendors who perform services on our behalf, including cloud hosting (Supabase, Vercel/Hostinger), payment processing (Stripe), email delivery, analytics, and customer support tools. These providers are contractually obligated to use your data only to perform services for us and in accordance with this policy.
  • Within your organization: information you enter into the Service is accessible to other members of your organization in accordance with the role-based access controls configured by your administrator.
  • Client portal recipients: when you share a client portal link, the designated recipients can view assessment progress, findings, and related data that you have made visible through the portal.
  • API and integrations: if you connect third-party services via our API or integrations, data may be shared with those services in accordance with your configuration.
  • Legal requirements: we may disclose information if required by law, subpoena, court order, or governmental regulation, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
  • Business transfers: if KweliTrak is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information.
  • With your consent: we may share information for other purposes with your explicit consent.

4. Data Storage and Security

4.1 Storage

Your data is stored on secure servers provided by Supabase (powered by AWS infrastructure). Data is stored in the United States unless otherwise specified. File attachments (photos, documents, reports) are stored in encrypted cloud storage buckets with access controlled by row-level security policies.

4.2 Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Row-level security (RLS) policies ensuring data isolation between organizations.
  • Role-based access controls within each organization.
  • Regular security assessments and vulnerability monitoring.
  • Secure authentication via Supabase Auth with support for email/password and magic link sign-in.
  • API key authentication with scoped permissions for programmatic access.
  • Automated backups with point-in-time recovery.

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to following industry best practices to protect your data.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Assessment and audit data is retained in accordance with the following guidelines:

  • Active accounts: all data is retained for the duration of your active subscription.
  • Canceled subscriptions: your data is retained for 90 days after cancellation to allow for reactivation, after which it is scheduled for deletion.
  • Account deletion: upon request, we will delete your account and associated personal data within 30 days. Certain data may be retained longer if required by law or for legitimate business purposes (e.g., billing records, fraud prevention).
  • Audit trail data: activity logs may be retained for up to 12 months for security and compliance purposes.
  • Backups: deleted data may persist in encrypted backups for up to 30 days before being permanently removed.

6. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal information we hold about you.
  • Correction: request correction of inaccurate or incomplete personal information.
  • Deletion: request deletion of your personal information, subject to certain legal exceptions.
  • Portability: request a machine-readable copy of your data for transfer to another service.
  • Restriction: request that we restrict processing of your personal information under certain circumstances.
  • Objection: object to our processing of your personal information for direct marketing purposes.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

6.1 Account Controls

You may update, correct, or delete your account information at any time through your account settings. Organization administrators may manage team member access and data through the admin dashboard.

6.2 Communication Preferences

You may opt out of promotional email communications by clicking the "unsubscribe" link in any marketing email. Transactional communications (e.g., account notifications, audit invitations, billing alerts) cannot be opted out of while your account is active, as they are essential to the operation of the Service.

7. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

  • Essential cookies: required for the Service to function, including authentication session cookies and CSRF protection tokens. These cannot be disabled.
  • Preference cookies: store your settings and preferences (e.g., sidebar state, theme, timezone).
  • Analytics cookies: help us understand how visitors interact with the Service so we can improve it. We may use third-party analytics services such as Google Analytics or Plausible.

Most web browsers allow you to manage your cookie preferences through browser settings. Disabling essential cookies may prevent you from using the Service.

8. Third-Party Services

The Service may integrate with or contain links to third-party websites, services, or tools. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party service you connect to through KweliTrak. Key third-party services we use include:

  • Supabase: database hosting, authentication, and file storage.
  • Stripe: payment processing and subscription management.
  • Vercel / Hostinger: application hosting and content delivery.
  • Transactional email provider: account notifications and audit invitations.

9. Data Processing for Client Assessments

KweliTrak is designed for IT assessments, audits, and compliance reviews. As part of this process, you may enter information about your clients, their employees, their IT infrastructure, and their security posture into the Service. Important clarifications:

  • You are the data controller: for data about your clients that you enter into KweliTrak, you (or your organization) act as the data controller. KweliTrak acts as the data processor, processing this data on your behalf and in accordance with your instructions.
  • Your responsibility: you are responsible for ensuring that you have the necessary authority, consents, and legal basis to enter client data into the Service and to share assessment results through client portals or exported reports.
  • No unauthorized use: we will not access, use, or share your client assessment data except as necessary to provide and improve the Service, or as required by law.
  • Data Processing Agreement: enterprise customers may request a Data Processing Agreement (DPA) by contacting us at [email protected].

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to promptly delete such information. If you believe that a child under 16 has provided us with personal information, please contact us at [email protected].

11. International Data Transfers

If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located. Data protection laws in the United States may differ from those in your jurisdiction. By using the Service, you consent to the transfer of your information to the United States.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on appropriate legal mechanisms for international data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission where applicable.

12. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:

  • Right to know: you have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purpose for collecting it, and the categories of third parties with whom we have shared it.
  • Right to delete: you have the right to request the deletion of personal information we have collected, subject to certain exceptions.
  • Right to opt out of sale: we do not sell personal information. If this changes, we will provide a "Do Not Sell My Personal Information" link.
  • Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your rights under the CCPA/CPRA, contact us at [email protected].

13. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the rights described in Section 6, as well as the following:

  • Legal basis: we process your data based on one or more of the following legal bases: your consent, performance of a contract (providing the Service), compliance with legal obligations, or our legitimate interests (improving the Service, preventing fraud).
  • Supervisory authority: you have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.
  • Data Protection Officer: for GDPR-related inquiries, contact us at [email protected].

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email (sent to the email address associated with your account) or by posting a prominent notice on our website at least 30 days before the changes take effect. Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of those changes.

We encourage you to periodically review this page for the latest information on our privacy practices.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

KweliTrak

Email: [email protected]

General support: [email protected]