Privacy Policy
Effective date: March 23, 2026
Introduction
BindLedger, Inc. (“BindLedger,” “we,” “us,” or “our”) operates the bindledger.com website and the BindLedger platform (collectively, the “Service”). This Privacy Policy explains what personal information we collect, how we use and protect it, and what rights you have regarding that information. By using the Service you agree to the practices described here. If you do not agree, please do not use the Service.
Information we collect
We collect the following categories of personal information:
Account information. When you create an account or submit a lead-capture form we collect your email address, name, and organization name.
Domain and scan data. When you submit a domain through our readiness-check or scan workflows we collect the domain name and generate security configuration data by performing automated assessments of publicly observable internet-facing services associated with that domain, including email authentication records, TLS posture, certificate transparency data, and exposed services.
Connected environment data. If you connect a third-party environment such as a Microsoft 365 tenant, we access configuration data on a read-only basis solely to generate verification results and attestation evidence. We do not access mailbox contents, files, or messages.
Uploaded evidence. You may upload documents, screenshots, or other files as part of guided evidence-collection workflows. These uploads are stored as attestation evidence associated with your workspace.
Usage and device data. We automatically collect IP address, browser type, operating system, referring URL, pages visited, and interaction events through analytics tools. We do not use advertising cookies or third-party ad trackers.
Communications. When you contact us through our contact form or by email we retain the content of those communications along with your email address.
How we use your information
We use personal information for the following purposes:
Providing the Service. To perform security assessments, generate scan results, produce attestation evidence mapped to carrier requirements, and deliver reports.
Account management. To create and maintain your account, authenticate your identity, and manage workspace settings.
Product improvement. To analyze usage patterns, diagnose technical issues, and improve the accuracy and reliability of the platform.
Communications. To send transactional emails such as scan-result notifications, account alerts, and security advisories. We send marketing or product-update emails only when you have opted in, and you may unsubscribe at any time.
Legal compliance. To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to protect the rights, property, and safety of BindLedger, our users, and the public.
Legal bases for processing
If you are located in the European Economic Area or the United Kingdom, we process your personal data under the following legal bases: performance of a contract (to deliver scan results and attestation services you have requested); legitimate interests (to improve and secure the Service, provided those interests are not overridden by your rights); consent (for marketing communications, which you may withdraw at any time); and compliance with legal obligations.
Cookies and analytics
We use a limited set of cookies and analytics tools to measure site performance and understand how users interact with the Service. We do not use advertising cookies or cross-site trackers, and we do not sell data collected through cookies.
Essential cookies are required for the Service to function (authentication, session management) and cannot be disabled.
Analytics cookies collect aggregated, pseudonymous usage data such as pages visited, session duration, and feature adoption. You may opt out of analytics cookies through your browser settings or by using a Global Privacy Control signal, which we honor.
Data sharing and third-party service providers
We do not sell, rent, or trade your personal information. We share personal information only in the following circumstances:
Service providers. We engage third-party processors to provide cloud infrastructure, email delivery, analytics, and customer-support functionality. Each provider processes data only as necessary to perform its contracted service, is bound by written data-processing agreements that include confidentiality and security obligations equivalent to this policy, and is prohibited from using your data for its own purposes.
Legal requirements. We may disclose personal information if required to do so by law or in response to valid legal process, such as a subpoena, court order, or government request.
Business transfers. In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.
A current list of sub-processors, including their names, locations, and the services they provide, is available on request by contacting us through our contact form.
Data retention
We retain personal information only as long as reasonably necessary for the purposes described in this policy:
Account data (email, name, organization) is retained while your account is active and for up to 30 days after you request account deletion.
Scan results and attestation evidence are retained for the duration of your account plus one year to support insurance-renewal cycles and regulatory requirements, unless you request earlier deletion.
Connected environment data is retained only for the period necessary to generate verification results and is not stored beyond the completion of the assessment, unless you explicitly save it to your workspace.
Analytics data is retained in aggregated, pseudonymous form for up to 26 months.
Upon expiration of any retention period, data is permanently deleted or irreversibly anonymized using methods that prevent recovery.
Data security
We implement technical and organizational safeguards designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. These include encryption of data in transit (TLS) and at rest, role-based access controls, regular security assessments, and incident-response procedures. Given the sensitivity of security-configuration data and attestation evidence, we treat these as high-sensitivity categories subject to heightened access controls and audit logging. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
International data transfers
BindLedger is based in the United States and data is processed and stored in the US. If you are located outside the US, your use of the Service involves the transfer of personal information to the US. For transfers of personal data from the European Economic Area or United Kingdom, we rely on Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum, supplemented by technical measures including encryption and access controls. You may request a copy of the applicable transfer mechanism by contacting us.
Your rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:
Access. Request a copy of the personal information we hold about you.
Correction. Request that we correct inaccurate or incomplete personal information.
Deletion. Request that we delete your personal information, subject to legal retention obligations.
Portability. Request a machine-readable export of your personal information.
Restriction and objection. Request that we restrict processing of your personal information or object to processing based on legitimate interests.
Withdrawal of consent. Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us through our contact form. We will respond within 30 days. We will not discriminate against you for exercising your rights.
California residents
If you are a California resident, the California Consumer Privacy Act and the California Privacy Rights Act provide you with additional rights.
Right to know. You may request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
Right to delete. You may request deletion of your personal information, subject to certain legal exceptions.
Right to correct. You may request correction of inaccurate personal information.
Right to opt out. We do not sell personal information and do not share personal information for cross-context behavioral advertising. Because we do not engage in these practices, there is no need to submit an opt-out request, but we honor Global Privacy Control browser signals as a valid opt-out preference.
Non-discrimination. We will not deny you goods or services, charge different prices, or provide a different quality of service because you exercised your CCPA rights.
Categories collected in the prior 12 months. Identifiers (email address, name); internet or electronic network activity (usage data, IP address); professional or employment-related information (organization name); and inferences drawn from the above to provide security assessments.
To submit a verifiable consumer request, contact us through our contact form. We will verify your identity before fulfilling any request and respond within 45 days.
Automated decision-making
Our Service uses automated processing to analyze domain security configurations and generate risk assessments and attestation evidence. These automated processes evaluate publicly observable security indicators and produce scores and verification results. The outputs are informational and are not the sole basis for decisions that produce legal or similarly significant effects on individuals. You may request additional information about the logic involved in our automated processing, or request human review of any automated result, by contacting us.
Connected environment data
When you connect an environment such as a Microsoft 365 tenant, BindLedger accesses configuration data on a read-only basis. This data is used solely to generate verification results and attestation evidence. Connected environment data is not used for marketing, is not shared with third parties beyond the service providers necessary to operate the platform, and is not retained after the assessment is complete unless you explicitly save results to your workspace.
Children’s privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will promptly delete that information. If you believe a child has provided us with personal information, please contact us through our contact form.
Additional US state privacy rights
Residents of Colorado, Connecticut, Virginia, Oregon, Utah, Texas, and other states with comprehensive privacy laws may have additional rights similar to those described above, including the right to access, correct, delete, and obtain a portable copy of personal information, and the right to opt out of the sale of personal information (which we do not engage in) or targeted advertising (which we do not engage in). To exercise any state-specific right, contact us through our contact form. We will respond within the timeframe required by your state’s law. If we deny your request you may appeal by contacting us, and we will respond to your appeal within the legally required period.
Data breach notification
In the event of a security breach involving personal information, we will notify affected individuals and applicable regulatory authorities in accordance with applicable law. For California residents, notification will be provided within 30 days of discovery. Notifications will describe the nature of the breach, the categories of information affected, the steps we are taking in response, and the steps you can take to protect yourself.
Changes to this policy
We may update this policy from time to time. When we make material changes we will notify you by posting the updated policy on this page with a revised effective date and, where appropriate, by sending a notice to the email address associated with your account at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
Contact
If you have questions about this policy, wish to exercise your privacy rights, or need to report a data-protection concern, please contact us through our contact form. We aim to respond to all inquiries within 30 days.