Privacy Policy

Last Updated: April 22, 2026

GOCO Security, Inc. ("GOCO," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at gocosecurity.com (the "Site") and when you use our governance, risk, and compliance platform (the "Service").

GOCO Security, Inc. is incorporated in Utah, USA.

Please read this Privacy Policy carefully. By accessing or using our Site or Service, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Site or use the Service.

1. Information We Collect

1.1 Information You Provide to Us

We collect information that you voluntarily provide when you:

• Submit the pricing form: Name, email address, company name, and any other information you choose to include in your inquiry
• Create an account: Name, email address, company name, and password
• Use our Service: GRC-related data including policies, controls, risks, compliance frameworks, evidence files, and other information you input into the platform

1.2 Information Collected Automatically

When you access our Site or Service, we automatically collect certain information, including:

• Device information: IP address, browser type, operating system
• Usage data: Pages visited, time spent on pages, links clicked, access times, referring website addresses
• Analytics: We use Google Analytics to understand how visitors use our Site

1.3 Information from Third Parties

We may receive information about you from:

• Stripe (our payment processor) for billing and subscription management
• Single sign-on providers if you choose to authenticate through a third-party service

2. How We Use Your Information

We use the information we collect for the following purposes:

Purpose	Description
Service Delivery	To provide, maintain, and improve our GRC platform and associated services
Account Management	To create and manage your account, authenticate users, and provide customer support
Communication	To send service updates, security alerts, technical notices, and respond to inquiries
Analytics	To understand how users interact with our Site and Service and improve user experience
Security	To detect, prevent, and address security incidents, fraud, and unauthorized access
Compliance	To comply with legal obligations, enforce our terms, and protect our rights

3. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

3.1 Service Providers

We share information with third-party vendors who perform services on our behalf, including:

• Hosting: Microsoft Azure (web application hosting), Squarespace (marketing site)
• Payment processing: Stripe (subscription billing and payment processing)
• Analytics: Google Analytics (website usage analytics)

These service providers are bound by contractual obligations to keep information confidential and use it only for the purposes we specify.

3.2 Business Transfers

If GOCO is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our Site of any change in ownership or uses of your personal information.

3.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, or government regulations).

3.4 Protection of Rights

We may share information to enforce our Terms of Service, protect our rights and property, investigate fraud or security issues, or protect the safety of our users or the public.

4. Data Security

We implement appropriate technical and organizational security measures to protect your information, including:

• Encryption: Data in transit is encrypted using TLS 1.2 or higher; sensitive data at rest is encrypted using AES-256
• Access controls: Role-based access controls and multi-factor authentication for administrative access
• Infrastructure security: Industry-standard cloud security practices, regular security assessments, and vulnerability management
• Monitoring: Continuous monitoring for security events and anomalous activity
• Incident response: Established procedures for detecting, responding to, and recovering from security incidents

5. Data Retention

We retain your information as follows:

• Customer data: Retained indefinitely while you maintain an active account with us. If you request deletion of your data, we will delete it within 30 days of your request, except where we are required to retain it for legal or regulatory compliance purposes.
• Marketing site inquiries: Retained until you request deletion
• Analytics data: Governed by Google Analytics' retention settings (typically 14-26 months for event data)
• Legal hold: Data may be retained longer if required for legal proceedings, audits, or regulatory obligations

To request deletion of your data, please contact us at help@gocosecurity.com.

6. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

6.1 General Rights

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information, subject to legal and contractual obligations
• Portability: Request a copy of your data in a structured, machine-readable format
• Objection: Object to processing of your information for certain purposes
• Restriction: Request restriction of processing in certain circumstances
• Withdrawal of consent: Withdraw consent for marketing communications at any time

6.2 European Economic Area (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR), including those listed in Section 6.1 above.

Legal basis for processing: We process your personal information based on:

• Contract performance (to provide our Service)
• Legitimate interests (to improve our Service, prevent fraud, ensure security)
• Consent (where required by law)
• Legal obligations (to comply with applicable laws)

6.3 How to Exercise Your Rights

To exercise any of these rights, please contact us at help@gocosecurity.com. We will respond to your request within 30 days (or as required by applicable law).

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your use of our Site and Service. Cookies are small data files stored on your device.

Types of Cookies We Use:

• Essential cookies: Required for the Site and Service to function properly (e.g., session management, authentication)
• Analytics cookies: Google Analytics cookies help us understand how visitors interact with our Site

You can control cookie settings through your browser preferences. Note that disabling certain cookies may limit functionality of the Site or Service. For more information about Google Analytics and how to opt-out, visit https://tools.google.com/dlpage/gaoptout.

8. Third-Party Links and Integrations

Our Site and Service may contain links to third-party websites and integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any information.

9. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

10. International Data Transfers

GOCO is based in the United States, and our servers are located in the United States (Microsoft Azure). If you access our Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.

For data transfers from the EEA, UK, or Switzerland to the United States, we rely on appropriate safeguards such as Standard Contractual Clauses or other legally recognized transfer mechanisms.

11. Do Not Track Signals

Some web browsers have a "Do Not Track" feature that signals to websites that you do not want your online activities tracked. Our Site does not currently respond to Do Not Track signals.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

• Posting the updated Privacy Policy on this page with a new "Last Updated" date
• Sending an email notification to registered users
• Displaying a prominent notice on our Site or within the Service

Your continued use of the Site or Service after any changes indicates your acceptance of the updated Privacy Policy.