PRIVACY POLICY

RuleWise Privacy Policy

Last Updated: February 18, 2025


1. Introduction

RuleWise Ltd, based in Guernsey, is committed to safeguarding the privacy and security of personal data collected through our services. As a provider of AI-driven governance, risk, and compliance (GRC) solutions, we adhere to the Data Protection (Bailiwick of Guernsey) Law, 2017 and the European General Data Protection Regulation (GDPR), ensuring compliance with the highest international data protection standards.

This Privacy Policy explains how we collect, use, store, and protect personal data and outlines your rights in relation to your personal data.


2. Data Controller and Contact Information

RuleWise Ltd is the data controller responsible for processing personal data in accordance with applicable laws.

For any privacy-related queries, please contact our designated Privacy Officer, Mort Mirghavameddin, at privacy@rulewise.com


3. Information We Collect

We may collect and process the following categories of personal data:

  • Identity & Contact Data: Name, email address, phone number, job title, company, and postal address.
  • Professional Data: Role, company affiliations, and regulatory status.
  • Usage Data: Interactions with our platform, login details, and analytics data.
  • Financial Data: Payment details related to subscriptions and invoices.
  • Technical Data: IP addresses, device identifiers, browser type, and operating system.

We do not collect or process special category data (e.g., sensitive health, biometric, or racial data) unless explicitly required by law.


4. Basis for Processing Personal Data

Under the Data Protection Law of Guernsey and GDPR, we process personal data based on the following lawful grounds:

  • Consent: Where you have given explicit consent for specific processing activities (e.g., marketing communications).
  • Contractual Necessity: Where processing is required to provide our services under contractual agreements.
  • Legal Obligation: Where we must process data to comply with regulatory or legal requirements.
  • Legitimate Interests: Where necessary to support our business operations, provided your rights and freedoms do not override these interests.

 


5. Purpose of Data Processing

We process your personal data for the following purposes:

  • Service Delivery: To provide and manage RuleWise SaaS services, including user authentication and feature customisation.
  • Billing & Transactions: To process payments, manage subscriptions, and generate invoices.
  • Communication & Support: To respond to enquiries, provide customer service, and issue service updates.
  • Regulatory Compliance: To meet legal obligations and assist financial regulators or institutions in fulfilling their compliance requirements.
  • Marketing & Analytics: To send promotional content where consent has been given and to improve our service through analytics insights.

We do not sell or rent personal data to third parties.


6. Data Sharing and Transfers

RuleWise does not sell or rent personal data. However, we may share information with trusted third-party service providers to facilitate our business operations. These service providers process personal data strictly within the scope required for delivering services to RuleWise, and where international data transfers occur, we ensure compliance with the Data Protection (Bailiwick of Guernsey) Law, 2017 and the GDPR through Standard Contractual Clauses (SCCs) or equivalent safeguards.

6.1 Third-Party Processors

To provide and improve our services, we rely on cloud-based providers and external platforms for essential business functions, including:

  • Cloud and Office Services:
    • Google Workspace (email, document storage, internal collaboration, meetings).
    • Zoho One (customer relationship management, Books, Campaigns, Desk, Expenses, People, Sign, Sprints, Projects, etc.).
    • Microsoft 365 & Azure (productivity, hosting, compliance-related tools).
  • AI & Large Language Model (LLM) Services:
    • OpenAI, Google, Anthropic, and other AI platforms (for compliance automation and regulatory intelligence).
  • IT Security & Infrastructure:
    • Hosting and cybersecurity providers that maintain the integrity of our services.
  • Payment Processing:
    • Financial transaction providers for secure payments and invoicing.

These third parties are required to adhere to data protection standards consistent with Guernsey and European law.

6.2 Legal & Regulatory Compliance

We may disclose personal data when required to:

  • Meet legal or regulatory obligations under applicable laws.
  • Assist financial regulators or law enforcement authorities in compliance-related investigations.
  • Protect RuleWise’s rights and enforce contractual terms.

6.3 International Data Transfers

Personal data may be processed outside of Guernsey, including within the United Kingdom (UK), European Economic Area (EEA), and the United States (US). We ensure appropriate safeguards for all international data transfers, including:

  • Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs) with vendors.
  • Use of cloud providers that adhere to ISO 27001 or equivalent security standards.

 


7. Data Security

RuleWise employs robust security measures to protect personal data from unauthorised access, alteration, disclosure, or destruction. Our security framework aligns with industry best practices and regulatory requirements, ensuring compliance with GDPR and Guernsey’s data protection laws.

7.1 Security Measures

We implement technical and organisational safeguards, including:

  • Encryption:
    • Data is encrypted in transit and at rest using AES-256 and TLS 1.2/1.3 standards.
  • Access Controls:
    • Strict role-based access permissions limit exposure to authorised personnel.
    • Multi-factor authentication (MFA) is enforced for all administrative access.
  • Cloud Security & AI Compliance:
    • All third-party cloud platforms used by RuleWise must comply with ISO 27001 or SOC 2 security standards.
    • Any data processed using AI/LLM services is anonymised where applicable, ensuring compliance with privacy laws.
  • Network & Cybersecurity:
    • Firewall protection, intrusion detection, and continuous monitoring safeguard against cyber threats.
    • Regular security audits and penetration testing are conducted to identify and mitigate risks.
  • Incident Response Plan:
    • A dedicated response protocol is in place to address data breaches, ensuring timely mitigation and regulatory notification where required.

7.2 Data Minimisation & Retention

  • Personal data is only collected and retained for as long as necessary to fulfil contractual, legal, and regulatory obligations.
  • Once retention periods expire, data is securely deleted or anonymised.

     


8. Data Retention

We retain personal data only for as long as necessary to fulfil contractual, legal, and regulatory obligations:

  • Client & User Data: Retained for seven (7) years after service termination, in line with regulatory requirements.
  • Marketing Data: Retained until consent is withdrawn.
  • Technical Logs: Retained for twelve (12) months for security and diagnostic purposes.

Once retention periods expire, data is securely deleted or anonymised.


9. Your Data Protection Rights

Under GDPR and Guernsey law, you have the following rights regarding your personal data:

  • Right to Access: Request access to personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data, subject to legal retention obligations.
  • Right to Restrict Processing: Request that we limit the processing of your data under certain circumstances.
  • Right to Data Portability: Receive a copy of your personal data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests, including profiling and direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time where we rely on consent for processing.

To exercise these rights, please contact privacy@rulewise.com

If you believe we have not addressed your concerns, you may lodge a complaint with the Office of the Data Protection Authority (ODPA), Guernsey.


10. Cookies and Tracking Technologies

RuleWise uses cookies and tracking technologies to enhance user experience, improve security, and analyse service performance. These technologies may collect data such as IP addresses, device types, and browsing behaviour.

10.1 Types of Cookies We Use

  • Essential Cookies:
    • Required for website functionality, security, and login authentication.
    • These cannot be disabled.
  • Analytics & Performance Cookies:
    • Used for tracking website interactions to improve our services.
    • Examples: Google Analytics, Zoho Analytics.
  • Marketing Cookies:
    • Used to tailor marketing efforts and track engagement with RuleWise content.
    • May be placed by LinkedIn, X (Twitter), Facebook, and YouTube when you interact with RuleWise content on these platforms.

10.2 Social Media & External Tracking

RuleWise engages with users on LinkedIn, X (Twitter), Facebook, and YouTube. These platforms may collect and process user data independently, in line with their respective privacy policies.
Users are encouraged to review their social media privacy settings to manage their personal data preferences.

10.3 Managing Cookies

Users can manage cookie preferences by:

  • Adjusting browser settings to block or delete cookies.
  • Using browser extensions to limit tracking technologies.

For more details on cookies and how we use them, visit: www.rulewise.com/cookies.


11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The latest version will always be available at www.rulewise.com/privacy.

  • Last Updated: 18 February 2025

     


12. Contact Us

For any questions, concerns, or requests regarding your data, please contact:

This Privacy Policy reflects RuleWise’s commitment to transparency, security, and compliance with Guernsey’s Data Protection Law and GDPR.