Privacy Notice

Last updated: May 14, 2026

1. Who we are

Armory Compliance ("Armory", "we", "us") provides a CMMC readiness platform for U.S. defense industrial base contractors. We are the data controller for the personal data we collect through the Service. Contact us at privacy@armorycompliance.com.

2. Personal data we collect

  • Account data: name, email address, hashed password or OAuth identifiers.
  • Company intake data: company name, CAGE code, NAICS codes, employee count, CUI handling status, and other compliance-context data you provide.
  • Uploaded documents: policies, procedures, screenshots, and other artifacts you upload as evidence.
  • Support communications: messages you send to us.
  • Usage and device data: log data, pages visited, feature interactions, IP address, browser type, device identifiers, and timestamps.
  • Cookies: essential cookies for session and authentication; see Section 8.

3. How and why we use it

  • To provide the Service — create accounts, run gap analyses, store evidence, generate exports (legal basis: contract performance).
  • To process payments — performed by our Merchant of Record, Paddle (legal basis: contract performance).
  • To secure the Service — detect fraud, abuse, and abuse of AI features (legal basis: legitimate interests).
  • To improve the Service — understand usage patterns and fix bugs (legal basis: legitimate interests).
  • To support you — respond to inquiries (legal basis: contract / legitimate interests).
  • To comply with law — when required by applicable law (legal basis: legal obligation).

4. AI processing

We send relevant intake data and document text to AI model providers (currently Google Gemini, via the Lovable AI Gateway) under data-processing agreements that prohibit using your content to train their general-purpose models. Do not upload data you are not authorized to share with a cloud AI processor.

5. Who we share data with

  • Paddle — our Merchant of Record for sale of the product, subscription management, payments, tax compliance, fraud prevention, and invoicing.
  • Hosting and infrastructure providers — Cloudflare and Supabase, which host our application and database.
  • AI model providers — as described in Section 4.
  • Email and analytics providers — to deliver transactional emails and understand product usage.
  • Professional advisers — legal, accounting, and audit advisers under confidentiality.
  • Authorities — when required by law, court order, or to protect rights, property, or safety.
  • In a corporate transaction — to a successor entity in connection with a merger, acquisition, or sale of assets.

We do not sell personal data.

6. Data retention

We keep account and Customer Content for as long as your account is active and for a reasonable period afterwards to support legal, audit, and security needs. You can request deletion at any time (Section 7). Backups are purged on a rolling schedule.

7. Your rights

Depending on where you live, you may have rights to access, correct, delete, or export your personal data, to object to or restrict processing, or to withdraw consent. To exercise these rights, email privacy@armorycompliance.com. We will respond within the time required by applicable law (typically within 30 days). You may also lodge a complaint with your local data-protection authority.

8. Cookies

We use essential cookies to keep you signed in and to remember your preferences. We may use limited first-party analytics cookies to understand product usage. You can manage cookies through your browser settings; disabling essential cookies will break sign-in.

9. Security

We use appropriate technical and organizational measures to protect personal data, including TLS in transit, encryption at rest for our database and storage, role-scoped access via row-level security, and least-privilege access for engineers. No system is perfectly secure; please notify us of any suspected vulnerability or breach.

10. International transfers

Our infrastructure is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed there. We rely on appropriate safeguards (e.g., Standard Contractual Clauses) where required.

11. Changes

We may update this Privacy Notice. Material changes will be communicated through the Service or by email. Continued use after a change means you accept the updated notice.

12. Contact

See also our Terms & Conditions and Refund Policy. Questions? Email privacy@armorycompliance.com.