Privacy Policy

We collect the following categories of information:

• ·Account information: Your email address and company name when you sign up or join the waitlist.
• ·Vendor lists: The names of vendors you choose to monitor and the criticality tiers you assign them.
• ·Alert history: Security alerts, CVE matches, and outage events generated for your monitored vendors.
• ·Compliance reports: Audit report exports you generate within the platform.
• ·Usage data: Pages visited, features used, and session duration — collected via Google Analytics (see Cookie section below).
• ·Billing information: Handled directly by Stripe. We do not store full card numbers.

We use collected information to:

• ✓Deliver vendor monitoring, security alerts, and CVE notifications for your configured vendors.
• ✓Run AI-assisted triage to analyze whether an alert is relevant to your specific vendor configuration.
• ✓Generate SOC 2 and ISO 27001 compliance reports on demand.
• ✓Send transactional emails (alert notifications, billing receipts) via Resend.
• ✓Improve the product by analyzing aggregate, anonymized usage patterns.
• ✓Comply with legal obligations and prevent fraudulent use.

We do not sell your data, share it with third parties for their marketing purposes, or use your vendor lists or alert history for any purpose other than providing the service.

Gjall uses the Anthropic Claude API to analyze security alerts and generate triage summaries. When a CVE or outage alert is processed:

• ·We send the alert text, CVE metadata, and your vendor name to the Claude API.
• ·We do not send your company name, email address, or any internal business context.
• ·Per Anthropic's commercial API terms, your data is not used to train Anthropic's models.
• ·AI triage results are informational only. See our Terms of Service for the full AI disclaimer.

We use the following sub-processors to operate the service. Each is contractually bound to protect your data and process it only as directed:

• ·Alert logs: Retained for 90 days on Starter plans, 1 year on Enterprise.
• ·Customer account data: Deleted within 30 days of subscription cancellation upon request.
• ·Audit logs: Retained for 1 year to support compliance evidence.
• ·Billing records: Retained for 7 years per financial regulations.
• ·Waitlist submissions: Email and company name only; deleted within 12 months if no account is created.

We use Google Analytics 4to understand how visitors use Gjall. This service sets cookies to track page views and session data. We obtain your consent before loading analytics (see the cookie banner on your first visit). You can withdraw consent at any time by clearing your browser's local storage or using a browser extension.

We do not use advertising cookies, retargeting pixels, or third-party tracking beyond analytics.

Depending on where you are located, you may have the following rights over your personal data:

• ·Access: Request a copy of the personal data we hold about you.
• ·Deletion: Request erasure of your account and associated data.
• ·Export / Portability: Request your alert history and vendor list in JSON format.
• ·Correction: Request correction of inaccurate data.
• ·Objection: Object to processing based on legitimate interests.
• ·Withdraw consent: Withdraw analytics consent via the cookie banner at any time.

To exercise any of these rights, email privacy@gjall.io. We will respond within 30 days.

GDPR (EU/UK): If you are located in the European Economic Area or United Kingdom, the legal basis for processing your data is performance of a contract (service delivery), legitimate interests (security and fraud prevention), and consent (analytics). You have the right to lodge a complaint with your local supervisory authority.

CCPA (California): We do not sell personal information as defined by the CCPA. California residents may request disclosure of data collected, request deletion, and opt out of sale (which we do not conduct). Contact privacy@gjall.io to submit a verifiable consumer request.

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date above and notify active customers by email. Continued use of the service after the effective date constitutes acceptance.

Questions about this policy or your data? Contact our privacy team at privacy@gjall.io.