Privacy

Privacy Policy

Effective date: 2026-07-07

1. Introduction & Scope

This Privacy Policy explains how Persoon.ai Inc. ("ShipReady Metrics", "we", "us") collects, uses, discloses, and safeguards personal data when you visit our websites, create an account, or use the ShipReady Metrics platform and related services (the "Services"). It applies to personal data we process as a controller — for example, account data and website-visitor data.

When a customer uses the Services to process personal data contained in their connected sources (for example, repository, cloud, or analytics data ingested through our connectors), the customer is the controller of that data and we act as a processor on their behalf. Our processing in that role is governed by the customer agreement and, where executed, a Data Processing Agreement (DPA) rather than by this Policy.

2. Personal Data We Collect

We collect the categories of personal data below, depending on how you interact with the Services. Connected-source content is processed under the customer agreement, not as data we collect for our own purposes.

CategoryExamplesSource
Account dataName, work email, organization, role (admin / engineer / executive)Provided by you or your administrator at signup
Authentication dataHashed credentials, OAuth identifiers, SSO/SCIM attributes, multi-factor enrollment statusYou, your identity provider, or OAuth provider
Usage, device & log dataPages viewed, feature usage, IP address, browser/device type, timestamps, security and audit logsCollected automatically (server logs and audit trail)
Marketing-site analyticsPage views and interaction data on our public marketing pages only (Google Analytics, Microsoft Clarity) — never on authenticated in-app pagesCollected on our public website, only after you consent where consent is required
CommunicationsSupport requests, emails, and feedback you send usProvided by you
Connector content (processor role)Engineering data from sources you connect — repository names and metadata, cloud posture findings naming the affected resource, and derived metrics that contain personal identifiers: per-contributor breakdowns carry the author display name from your source system. Source code is never storedCustomer-connected sources (processed on the customer's behalf; source code is never stored)

We do not currently process payments or collect payment-card data. If paid subscriptions are introduced, card details will be handled by a dedicated payment processor and never stored by us.

3. How We Use Personal Data

We use personal data to provide, secure, and improve the Services. Specific purposes include:

  • Creating and administering accounts, organizations, and role-based access (admin, engineer, executive).
  • Authenticating users and enforcing tenant isolation via row-level security.
  • Delivering transactional and service email (for example, invitations, alerts, and digests) through our email provider.
  • Operating AI-assisted features that summarize, score, or generate insights from customer data; inputs are sent to our AI subprocessor (Anthropic) solely to return a result and are not used to train third-party models.
  • Monitoring, debugging, securing, and improving the Services, including aggregated and de-identified analytics.
  • Communicating with you about support, security, and material changes to the Services.
  • Complying with legal obligations and enforcing our agreements.

5. How We Share Personal Data

We do not sell personal data. We share personal data only as described below:

  • Subprocessors: vetted vendors that host, secure, or support the Services — Supabase (database, authentication, and storage), Vercel (application hosting and content delivery), Resend (transactional email), Anthropic (AI features, on demand), GitHub (source connector, only when you connect it), and — on our public marketing pages only, consent-gated where required — Google Analytics and Microsoft Clarity (website analytics; these never run on authenticated in-app pages and never receive tenant data). The current list is also published on our Trust & Security page.
  • Within your organization: with administrators and other members of your tenant, according to the role-based access controls you configure.
  • Legal and safety: where required by law, regulation, legal process, or to protect rights, safety, and the integrity of the Services.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, subject to the protections of this Policy.

Subprocessors are bound by contractual confidentiality and data-protection obligations consistent with this Policy.

6. International Data Transfers

Our infrastructure and subprocessors process personal data primarily in the United States, and may process it in other regions. Where personal data is transferred across borders from jurisdictions that restrict such transfers, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum where applicable) as made available through our subprocessors' data-processing terms.

7. Data Retention

We retain personal data for as long as needed to provide the Services and for legitimate business and legal purposes. Account data is retained for the life of the account and deleted or anonymized after account closure; security logs and audit-trail entries are retained per our internal retention schedule. Connector content processed on a customer's behalf is retained while the source remains connected and is deleted under the customer agreement on disconnection or account deletion.

8. Your Privacy Rights

Depending on your jurisdiction (for example, under the GDPR/UK GDPR or U.S. state privacy laws), you may have the right to access, correct, delete, port, or restrict processing of your personal data, to object to certain processing, and to withdraw consent. You may also have the right to lodge a complaint with a supervisory authority.

To exercise these rights — including requesting deletion of your account and personal data — contact us at info@persooninc.com. Signed-in users can also export a copy of their personal data directly from the app (Account → Download my data). Where we act as a processor for connected-source data, please direct requests to the relevant customer (controller); we will assist them as required. We will verify your identity before acting on a request and will respond within the timeframes required by applicable law.

9. Security, Children & Changes

We apply administrative, technical, and organizational safeguards designed to protect personal data, including encryption in transit (TLS) and at rest, role-based access controls, and append-only audit logging. For details on our security program, see our Trust & Security page. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

The Services are intended for business use and are not directed to children under the age of 16. We do not knowingly collect personal data from children.

We may update this Policy from time to time. Material changes will be communicated through the Services or by email, and the effective date above will be updated. Questions may be directed to Persoon.ai Inc. at info@persooninc.com.