Privacy Policy
Last updated: April 19, 2026
Governer ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our website at aigoverner.netlify.app and the Governer SaaS platform (collectively, the "Service").
1. Data Controller
The data controller responsible for your personal data is:
- Entity: Governer (operating name)
- Email: privacy@governer.dev
- Address: Governer, Islamabad, Pakistan
- Note: We are in the process of formal incorporation. Enterprise customers requiring a countersigned DPA with full legal entity details should contact us at legal@governer.dev.
2. Categories of Personal Data Collected
We collect the following categories of personal data:
2.1 Account Data
- Full name
- Email address
- Password (hashed, never stored in plain text)
- Profile picture (if provided via GitHub OAuth)
2.2 Usage Data
- Pages visited and features used
- Scan history and compliance reports
- Device type, browser, operating system
- IP address (anonymised after 30 days)
2.3 Code & Content Data
- Source code uploaded for AI governance scanning
- Website URLs submitted for compliance scanning
- Scan results and violation reports
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data under the following legal bases:
- Consent (Art. 6(1)(a)): For optional marketing emails (you may opt out at any time).
- Contract performance (Art. 6(1)(b)): To provide the Service you signed up for.
- Legitimate interest (Art. 6(1)(f)): For security, fraud prevention, and service improvement.
- Legal obligation (Art. 6(1)(c)): Where required by law.
4. Data Retention
- Account data: Retained while your account is active, deleted within 30 days of account deletion.
- Scan data & reports: Retained for 12 months, then automatically purged.
- Uploaded source code: Processed in-memory and not persisted after scan completion.
- Server logs: Retained for 14 days, then automatically deleted.
5. Third-Party Processors & Sub-Processors
We share data with the following processors who act on our behalf:
- Supabase (Supabase Inc.): Authentication & database hosting — EU/US.
- Netlify (Netlify Inc.): Website hosting — US.
- OpenAI (OpenAI, L.L.C.): AI inference for compliance document quality assessment — US. Only anonymised legal document text (no personal data) is sent for analysis. OpenAI does not use API inputs for model training.
- GitHub (Microsoft): OAuth authentication & repository access — US.
6. Your Rights (GDPR Articles 15–22)
As a data subject, you have the right to:
- Access (Art. 15): Request a copy of all personal data we hold about you.
- Rectification (Art. 16): Correct any inaccurate personal data.
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Restriction (Art. 18): Restrict processing of your data in certain circumstances.
- Data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interest.
- Automated decision-making (Art. 22): Not be subject to solely automated decisions. Our compliance scanning provides recommendations, not automated legal decisions.
To exercise any of these rights, use our Data Rights portal or email privacy@governer.dev. We will respond within 30 days (GDPR Article 12(3)).
7. CCPA / CPRA Rights (California Residents)
If you are a California resident, you additionally have the right to:
- Know what personal information is collected and how it is used.
- Request deletion of your personal information.
- Opt out of the "sale or sharing" of personal information. We do not sell or share your personal data for cross-context behavioural advertising.
- Limit the use of Sensitive Personal Information (SPI). We do not collect SPI as defined under CPRA §1798.140.
- Non-discrimination for exercising your rights.
To exercise CCPA/CPRA rights, email privacy@governer.dev with subject line "CCPA Request" or use our Data Rights portal.
8. International Data Transfers
Your data may be transferred to and processed in the United States. Where transfers occur outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the recipient's participation in adequate frameworks, to ensure your data is protected.
9. Security
We implement appropriate technical and organisational measures including encryption at rest (AES-256) and in transit (TLS 1.3), access controls, and regular security reviews. See our Security page for details.
10. Supervisory Authority
If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local Data Protection Authority. For EU residents, you can find your supervisory authority at edpb.europa.eu.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notification at least 14 days before they take effect. Continued use of the Service after changes constitutes acceptance.
12. Contact
For any questions about this Privacy Policy or your personal data, contact us at: privacy@governer.dev