Last updated: April 24, 2026 · Effective: April 24, 2026
When you register, purchase a subscription, or contact us, we collect:
The Beezifi GRC platform is a data processor for compliance content you upload, including policies, evidence files, risk registers, audit records, and control documentation. This data belongs to your organization (the data controller). Beezifi processes it solely on your behalf under the terms of our Terms of Service and, where applicable, a Data Processing Agreement (DPA).
We may receive information from payment processors (Stripe), identity providers you connect for SSO, and publicly available sources to verify business information or prevent fraud.
We use collected information to:
We do not sell your personal information, use your compliance data for any purpose other than delivering the Services, or permit advertising networks to profile users of the platform.
Where the General Data Protection Regulation (GDPR) or UK GDPR applies, we rely on the following legal bases:
We do not sell, rent, or trade your personal information. We disclose information only as follows:
We engage vetted sub-processors — including cloud infrastructure (AWS), payment processing (Stripe), transactional email, and error monitoring — under written data processing agreements that restrict use to providing the contracted services.
Administrators within your tenant have access to account data and usage logs for users within their organization.
We may disclose information if required by law, subpoena, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or respond to an emergency.
In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the successor entity. We will notify you via email and/or prominent notice on the Services prior to your information becoming subject to a materially different privacy policy.
We may share aggregated, de-identified information that cannot reasonably be used to identify you with third parties for industry analysis, research, or similar purposes.
We retain personal information for as long as your account is active or as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Tenant compliance data is retained for the duration of your subscription plus a 30-day grace period, after which it is securely deleted or returned upon request.
Log data and analytics are retained for up to 24 months. Billing records are retained for seven (7) years to comply with accounting and tax regulations.
You may request deletion of your account and personal information at any time (see Section 8). Deletion requests do not apply to data we are legally required to retain.
Beezifi implements commercially reasonable administrative, technical, and physical safeguards designed to protect your information from unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (TLS 1.2+), encryption at rest (AES-256), access controls, audit logging, and regular security assessments.
Please review our Security Policy for details on our security program.
We use the following categories of cookies:
We do not use advertising cookies or cross-site tracking. You can manage cookies through your browser settings. Disabling strictly necessary cookies will prevent access to authenticated features.
Depending on your jurisdiction, you may have the right to:
To exercise any of these rights, contact us at privacy@beezifi.com. We will respond within 30 days (or the period required by applicable law). We may require verification of identity before processing requests. We will not discriminate against you for exercising your privacy rights.
The Services are intended for business use by persons aged 18 or older. We do not knowingly collect personal information from children under 13 (or under 16 where required by applicable law). If we learn we have inadvertently collected such information, we will delete it promptly. If you believe we have collected information from a child, contact us at privacy@beezifi.com.
Beezifi is headquartered in Lacey, Washington, USA. If you access the Services from outside the United States, your information may be transferred to and processed in the United States or other countries that may have different data protection laws than your country of residence.
For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent transfer mechanisms. You may request a copy of the applicable transfer mechanism by emailing privacy@beezifi.com.
The Services may contain links to third-party websites or integrations. Beezifi is not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you access through the platform.
Under the Washington My Health My Data Act and the Washington Privacy Act (when applicable), Washington residents may have additional rights with respect to personal data. To submit a request or appeal a decision, contact privacy@beezifi.com. If you are not satisfied with our response, you may contact the Washington State Attorney General's office.
California residents may request disclosure of the categories and specific pieces of personal information we have collected, the purposes for which we use it, and any third parties with whom we share it. California residents also have the right to opt out of the "sale" or "sharing" of personal information. Beezifi does not sell or share personal information as defined by the CCPA/CPRA.
To exercise California privacy rights, contact privacy@beezifi.com or call us at the contact number on our website. We will not discriminate against you for exercising your CCPA rights.
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date above and, where required by law, by notifying you via email or in-platform notification at least 30 days before the change takes effect. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.
For privacy-related questions, requests, or complaints:
If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.