Privacy Policy
episki, llc ("episki," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the episki platform at episki.app and our marketing site at episki.com (collectively, the "Service").
By using the Service, you consent to the practices described in this policy. If you do not agree, please do not use the Service.
1. Data We Collect
Account Data
When you create an account, we collect your name, email address, organization name, and role. If you sign up via a third-party provider (e.g., Google), we receive your profile information as authorized by that provider.
Customer Data
You may submit compliance-related content to the Service, including programs, assessments, controls, tasks, evidence files, questionnaire responses, and notes ("Customer Data"). You own your Customer Data. episki processes it solely to provide and improve the Service on your behalf.
Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, timestamps, browser type, operating system, and IP address. This data helps us improve performance and user experience.
Communications
If you contact us via email, chat, or support, we retain the content of those communications to resolve your request and improve our support.
2. How We Use Your Data
We use the information we collect to:
- Provide, maintain, and improve the Service.
- Authenticate users and manage account access.
- Process payments and manage subscriptions.
- Send transactional communications (account confirmations, security alerts, billing notices).
- Send marketing communications (with your consent, which you may withdraw at any time).
- Monitor for abuse, fraud, and security threats.
- Generate anonymized, aggregated analytics to improve the Service.
- Comply with legal obligations.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
- Contract: Processing necessary to perform our agreement with you (providing the Service, managing your account).
- Legitimate interests: Improving the Service, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
- Consent: Marketing communications and non-essential cookies, which you may withdraw at any time.
- Legal obligation: Processing required to comply with applicable laws.
4. Data Sharing and Third Parties
We do not sell your personal data. We share information only in the following circumstances:
- Service providers: We use trusted third parties for hosting, payment processing, email delivery, analytics, and customer support. These providers are contractually obligated to protect your data and may only use it to perform services on our behalf.
- Legal requirements: We may disclose data if required by law, regulation, legal process, or government request.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change.
- With your consent: We may share data when you explicitly authorize us to do so.
5. Data Retention
- Account data: Retained for the duration of your account and up to 90 days following deletion, unless a longer retention period is required by law.
- Customer Data: Retained during your subscription. Upon termination, you may export your data within 30 days. After that period, Customer Data may be permanently deleted.
- Usage data: Retained for up to 24 months for analytics purposes, then anonymized or deleted.
- Backups: Backup copies of data may persist for up to 30 days after deletion from active systems.
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
GDPR Rights (EEA, UK, Switzerland)
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Restriction: Request that we limit processing of your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests or for direct marketing.
- Complaint: Lodge a complaint with your local data protection authority.
CCPA Rights (California Residents)
- Right to know what personal information we collect and how it is used.
- Right to delete your personal information.
- Right to opt out of the sale of personal information (we do not sell personal data).
- Right to non-discrimination for exercising your rights.
To exercise any of these rights, contact us at hello@episki.com. We will respond within 30 days.
7. Cookies and Tracking
We use cookies and similar technologies to operate the Service and understand usage patterns. The types of cookies we use include:
- Essential cookies: Required for the Service to function (authentication, session management).
- Analytics cookies: Help us understand how users interact with the Service. We use privacy-focused analytics tools.
- Customer support cookies: Used by our support widget to provide in-app assistance.
You can manage cookie preferences through your browser settings. Disabling essential cookies may impair the functionality of the Service.
8. International Data Transfers
episki is based in the United States. If you access the Service from outside the United States, your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms to ensure your data is protected.
9. Security Measures
We implement industry-standard security measures to protect your data, including:
- Encryption of data in transit (TLS) and at rest.
- Role-based access controls and least-privilege principles.
- Regular security assessments and vulnerability management.
- Audit logging of access and changes to Customer Data.
- Incident response procedures for prompt identification and containment of security events.
While we take reasonable precautions, no method of transmission or storage is completely secure. We cannot guarantee absolute security of your data.
10. Children's Privacy
The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@episki.com and we will promptly delete it.
11. Data Processing Roles
Controller: episki acts as the data controller for account data and usage data we collect directly.
Processor: For Customer Data that you submit to the Service (compliance programs, assessments, evidence, etc.), episki acts as a data processor on your behalf. You remain the data controller for this content and are responsible for ensuring you have an appropriate lawful basis to process any personal data contained within it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 30 days before the changes take effect. We encourage you to review this policy periodically.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
episki, llc · Pennsylvania, USA