Privacy Policy — NUL Systems

SUMMARY. Delphi Insights, Inc. ("we," "our," or "us") respects your privacy. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and your rights regarding that information. We designed NUL Systems with privacy and compliance at its core, and we follow the same principles in how we handle your data. If you are located in the European Economic Area (EEA), United Kingdom, or California, you have specific rights described in Sections 9 and 10.

1. Who We Are

Delphi Insights, Inc. is a Delaware corporation and the operator of NUL Systems, a governance, risk, and compliance platform accessible at nulsystems.com. For purposes of data protection law, we are the data controller of personal information collected about our visitors and account holders, and the data processor of Customer Data submitted through the Service.

Contact: privacy@delphiinsights.us

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or use the Service, we collect:

Account information: name, email address, company, job title, password (stored encrypted)
Billing information: payment card details (processed and stored by Stripe, not by us), billing address, tax identifiers where applicable
Customer Data: policy documents, transaction records, access request data, and any other content you upload or submit to the Service
Communications: messages you send to our support team, survey responses, and feedback

2.2 Information Collected Automatically

When you use the Service, we automatically collect:

Log data: IP address, browser type and version, operating system, pages visited, timestamps, and referring URL
Usage data: features used, actions taken, time spent, error reports
Cookies and similar technologies: see Section 7 for details

2.3 Information from Third Parties

We may receive information from authentication providers (if you sign in with a third-party service), payment processors (transaction confirmations), analytics providers, and publicly available sources used for enrichment or verification.

3. How We Use Information

We use the information we collect to:

Provide, operate, and maintain the Service
Process payments and manage subscriptions
Authenticate users and prevent fraud, abuse, or security threats
Send service-related communications (account notifications, security alerts, billing updates)
Send product updates, newsletters, and marketing communications (only with your consent, where required by law)
Improve the Service through analysis of aggregated and anonymized usage patterns
Respond to support requests and provide customer service
Comply with legal obligations and enforce our Terms of Service

4. Legal Bases for Processing (EEA / UK)

If you are located in the EEA or UK, we process your personal information under the following legal bases:

Contract: to provide the Service you have signed up for
Legitimate interests: to improve the Service, ensure security, and prevent fraud
Consent: for marketing communications and non-essential cookies (you may withdraw consent at any time)
Legal obligation: to comply with applicable laws and regulations

5. How We Share Information

We do not sell your personal information. We share information only in the following circumstances:

5.1 Service Providers

We share information with trusted third-party service providers who help us operate the Service, under contractual obligations of confidentiality and data protection. These include:

Stripe (payment processing)
Fly.io (application hosting and managed Postgres, US-East region)
Supabase (managed Postgres database)
Neo4j Aura (managed graph database for the policy graph)
Resend (transactional email delivery)

5.2 Legal Requirements

We may disclose information to comply with a valid legal process (subpoena, court order, law enforcement request), protect the rights, property, or safety of Delphi Insights, our users, or the public, or investigate suspected fraud or violations of our Terms.

5.3 Business Transfers

If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change via email or a prominent notice on our website.

5.4 With Your Consent

We may share information for any other purpose with your explicit consent.

6. Data Retention

We retain personal information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

Account information: retained for the duration of your account plus thirty (30) days after termination for export purposes
Customer Data: deleted within thirty (30) days of account termination, unless retention is required by law
Billing records: retained for seven (7) years for tax and accounting purposes
Log data: retained for up to twelve (12) months for security and diagnostic purposes

7. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Service, remember your preferences, analyze usage, and improve performance. You can control cookies through your browser settings, though disabling certain cookies may affect functionality. Where required by law, we will request your consent before setting non-essential cookies.

The types of cookies we use include: strictly necessary (for login and session management), functional (preferences), analytics (usage measurement), and where applicable, marketing (subject to consent).

8. Data Security

We implement commercially reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include encryption in transit (TLS), encryption at rest, access controls, regular security reviews, and monitoring. Details of our current security practices are available at our Security & Trust page. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

9. Your Rights (EEA / UK / Global)

If you are located in the EEA, UK, or certain other jurisdictions, you have the following rights with respect to your personal information:

Access: request a copy of the personal information we hold about you
Correction: request that we correct inaccurate or incomplete information
Deletion: request deletion of your personal information
Restriction: request that we limit how we process your information
Portability: receive your information in a structured, machine-readable format
Objection: object to processing based on legitimate interests or for direct marketing
Withdraw consent: where processing is based on consent, you may withdraw it at any time
Lodge a complaint: with your local data protection authority

To exercise any of these rights, contact us at privacy@delphiinsights.us. We will respond within thirty (30) days. We may need to verify your identity before processing your request.

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

The right to know what personal information we collect, use, disclose, and sell
The right to delete personal information we have collected from you
The right to correct inaccurate personal information
The right to opt out of the sale or sharing of personal information (we do not sell or share personal information as defined under CCPA/CPRA)
The right to limit the use of sensitive personal information
The right to non-discrimination for exercising your privacy rights

To exercise these rights, contact us at privacy@delphiinsights.us with the subject line "California Privacy Rights Request."

11. International Data Transfers

We are headquartered in the United States and process data in the United States. If you are accessing the Service from outside the United States, your information may be transferred to, stored, and processed in the United States. Where required by law, we rely on appropriate safeguards for international data transfers, including the European Commission's Standard Contractual Clauses (SCCs) and equivalent mechanisms.

12. Children's Privacy

The Service is not directed to children under the age of 16, and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will delete it promptly. Parents or guardians who believe their child has provided personal information to us should contact us at the email address in Section 14.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice on the Service at least thirty (30) days before the changes take effect. The "Last Updated" date at the top indicates when this Policy was most recently revised.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

Delphi Insights, Inc.

Privacy email: privacy@delphiinsights.us

Website: delphiinsights.us

End of Privacy Policy