Privacy
Privacy Policy
Effective date: 2026-07-07
1. Introduction & Scope
This Privacy Policy explains how Persoon.ai Inc. ("ShipReady Metrics", "we", "us") collects, uses, discloses, and safeguards personal data when you visit our websites, create an account, or use the ShipReady Metrics platform and related services (the "Services"). It applies to personal data we process as a controller — for example, account data and website-visitor data.
When a customer uses the Services to process personal data contained in their connected sources (for example, repository, cloud, or analytics data ingested through our connectors), the customer is the controller of that data and we act as a processor on their behalf. Our processing in that role is governed by the customer agreement and, where executed, a Data Processing Agreement (DPA) rather than by this Policy.
2. Personal Data We Collect
We collect the categories of personal data below, depending on how you interact with the Services. Connected-source content is processed under the customer agreement, not as data we collect for our own purposes.
| Category | Examples | Source |
|---|---|---|
| Account data | Name, work email, organization, role (admin / engineer / executive) | Provided by you or your administrator at signup |
| Authentication data | Hashed credentials, OAuth identifiers, SSO/SCIM attributes, multi-factor enrollment status | You, your identity provider, or OAuth provider |
| Usage, device & log data | Pages viewed, feature usage, IP address, browser/device type, timestamps, security and audit logs | Collected automatically (server logs and audit trail) |
| Marketing-site analytics | Page views and interaction data on our public marketing pages only (Google Analytics, Microsoft Clarity) — never on authenticated in-app pages | Collected on our public website, only after you consent where consent is required |
| Communications | Support requests, emails, and feedback you send us | Provided by you |
| Connector content (processor role) | Engineering data from sources you connect — repository names and metadata, cloud posture findings naming the affected resource, and derived metrics that contain personal identifiers: per-contributor breakdowns carry the author display name from your source system. Source code is never stored | Customer-connected sources (processed on the customer's behalf; source code is never stored) |
We do not currently process payments or collect payment-card data. If paid subscriptions are introduced, card details will be handled by a dedicated payment processor and never stored by us.
3. How We Use Personal Data
We use personal data to provide, secure, and improve the Services. Specific purposes include:
- Creating and administering accounts, organizations, and role-based access (admin, engineer, executive).
- Authenticating users and enforcing tenant isolation via row-level security.
- Delivering transactional and service email (for example, invitations, alerts, and digests) through our email provider.
- Operating AI-assisted features that summarize, score, or generate insights from customer data; inputs are sent to our AI subprocessor (Anthropic) solely to return a result and are not used to train third-party models.
- Monitoring, debugging, securing, and improving the Services, including aggregated and de-identified analytics.
- Communicating with you about support, security, and material changes to the Services.
- Complying with legal obligations and enforcing our agreements.
4. Legal Bases for Processing
Where the GDPR, UK GDPR, or similar laws apply, we rely on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Providing the Services under your agreement | Performance of a contract |
| Security, fraud prevention, and product improvement | Legitimate interests |
| Marketing emails and non-essential analytics (marketing pages only) | Consent (where required) |
| Tax and regulatory records | Legal obligation |
6. International Data Transfers
Our infrastructure and subprocessors process personal data primarily in the United States, and may process it in other regions. Where personal data is transferred across borders from jurisdictions that restrict such transfers, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum where applicable) as made available through our subprocessors' data-processing terms.
7. Data Retention
We retain personal data for as long as needed to provide the Services and for legitimate business and legal purposes. Account data is retained for the life of the account and deleted or anonymized after account closure; security logs and audit-trail entries are retained per our internal retention schedule. Connector content processed on a customer's behalf is retained while the source remains connected and is deleted under the customer agreement on disconnection or account deletion.
8. Your Privacy Rights
Depending on your jurisdiction (for example, under the GDPR/UK GDPR or U.S. state privacy laws), you may have the right to access, correct, delete, port, or restrict processing of your personal data, to object to certain processing, and to withdraw consent. You may also have the right to lodge a complaint with a supervisory authority.
To exercise these rights — including requesting deletion of your account and personal data — contact us at info@persooninc.com. Signed-in users can also export a copy of their personal data directly from the app (Account → Download my data). Where we act as a processor for connected-source data, please direct requests to the relevant customer (controller); we will assist them as required. We will verify your identity before acting on a request and will respond within the timeframes required by applicable law.
9. Security, Children & Changes
We apply administrative, technical, and organizational safeguards designed to protect personal data, including encryption in transit (TLS) and at rest, role-based access controls, and append-only audit logging. For details on our security program, see our Trust & Security page. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
The Services are intended for business use and are not directed to children under the age of 16. We do not knowingly collect personal data from children.
We may update this Policy from time to time. Material changes will be communicated through the Services or by email, and the effective date above will be updated. Questions may be directed to Persoon.ai Inc. at info@persooninc.com.