1. Introduction
This Privacy Notice explains how RiskWatch International ("RiskWatch", "we", "us", or "our") collects, uses, shares, and protects personal data when you visit our website at riskwatch.com, request a demo, submit a form, subscribe to our marketing communications, or use the RiskWatch risk and compliance management platform.
This notice applies to personal data we process as a data controller. Where we process personal data on behalf of a customer (for example, when a customer uses our platform to manage their own risk and compliance programs), we act as a data processor and our customer is the controller. Our processing in that capacity is governed by the Data Processing Addendum (DPA) in our customer contracts, not by this notice.
Effective date: 2026-05-14.
2. Who we are
RiskWatch International is a risk and compliance management software company founded in 1993. Our registered office is located in Sarasota, Florida, and we operate a development center in Hyderabad, India.
Registered office:
RiskWatch International
1680 Fruitville Rd, # 535
Sarasota, FL 34236
United States
Privacy contact: privacy@riskwatch.com
General legal contact: legal@riskwatch.com
Phone: 941-500-4525 (office), 800-360-1898 (toll-free, US). [review with legal: confirm phone numbers before launch].
3. Personal data we collect
We collect the following categories of personal data, framed using the CCPA categories so it is clear what falls in scope:
- Identifiers. Full name, business email address, work phone number, employer name, job title, and IP address.
- Professional or employment information. Your role, seniority, department, industry, company size, and the regulatory frameworks you are responsible for. This is typically collected so we can route your inquiry to the right specialist.
- Internet or other electronic activity information. Pages you view on our site, the date and time of your visit, referring URL, browser type, device type, operating system, and cookie identifiers.
- Geolocation data. Approximate location derived from your IP address (city, region, country). We do not collect precise GPS location.
- Commercial information. Records of the forms you submit (demo requests, contact, checklist downloads, free-trial signups), the resources you download, and any messages you send to us.
- Inferences. A buying-stage or qualification score derived from the above signals. We do not use this for automated decisions that have a legal or similarly significant effect on you.
We do not intentionally collect special categories of personal data (race, religion, health, political opinions, biometric data, etc.) through our marketing site. Please do not send us such data in a free-text field.
4. How we collect personal data
We collect personal data through three channels:
- Directly from you. When you fill in a form on our site, email us, call us, attend a webinar, meet us at a conference, or sign a contract.
- Automatically through cookies and analytics. When you visit our site, we and our analytics providers set cookies and similar technologies that record your activity on the site. See section 11 for details and how to manage these.
- From third parties. We may receive business-contact data from data-enrichment vendors, conference organizers, partners who refer you to us, and public sources (such as LinkedIn or a company website) so that we can complete a profile started by a form submission. [review with legal: list named enrichment vendors once procurement is final].
5. Purposes and legal bases
Under GDPR Article 6, every processing activity needs a legal basis. The four bases we rely on are:
- Contract (Art. 6(1)(b)). Where we need to process your data to deliver the RiskWatch platform under your subscription, respond to a quote or RFP, or fulfil a free-trial.
- Legitimate interests (Art. 6(1)(f)). Where we contact business prospects in roles likely to evaluate risk and compliance software, where we run web analytics to improve our site, and where we monitor for fraud and abuse. Our legitimate interest is balanced against your rights and you can object at any time (see section 10).
- Consent (Art. 6(1)(a)). Where you opt in to a marketing newsletter, or where required by law for certain cookies. You can withdraw consent at any time without affecting prior lawful processing.
- Legal obligation (Art. 6(1)(c)). Where we must retain records for tax, audit, anti-fraud, or regulatory-reporting reasons.
6. How we use personal data
We use personal data to:
- Deliver and operate the RiskWatch platform, including authentication, provisioning, and tenant administration.
- Process subscriptions, quotes, renewals, invoices, and payment.
- Send transactional and service messages (account changes, security alerts, billing notices, SLA notifications).
- Send marketing communications about our products, events, and resources, where you have consented or where a legitimate-interest balancing test supports it. Every marketing message includes a one-click unsubscribe link.
- Personalize what we show you on the site and tailor our follow-up so we do not spam you with content you have already seen.
- Protect the platform and our users against fraud, credential stuffing, spam, scraping, and other abuse.
- Comply with our legal obligations, respond to lawful requests from public authorities, and enforce our terms.
7. Sharing of personal data
We share personal data only with carefully selected third-party service providers (often called "subprocessors"), under written contracts that require them to protect the data and process it only on our instructions. The current categories of subprocessors are:
- Cloud hosting. Amazon Web Services (AWS), primary region US-East, secondary region EU-Frankfurt for EU customers.
- Form and workflow automation. Make.com, used to route form submissions from our website into our CRM and ticketing system. [review with legal: confirm Make.com is the final choice].
- Email service providers. Transactional email (account, billing, SLA messages) and marketing email, delivered through industry-standard providers. [review with legal: list named ESP once contracted].
- Analytics. Web analytics that report aggregated usage of our website (sessions, page views, referrers). [review with legal: confirm analytics vendor].
- Customer Relationship Management. A CRM system that stores sales-pipeline records linked to your contact details. [review with legal: confirm CRM vendor].
We publish the named, current subprocessor list at /security/ and update it whenever we add, remove, or replace a subprocessor. We do not sell personal data, and we do not share personal data for cross-context behavioural advertising as those terms are defined under the CCPA / CPRA.
We may also disclose personal data: (a) to a successor entity in a merger, acquisition, or asset sale, (b) to professional advisors (lawyers, auditors, accountants) under a duty of confidentiality, and (c) when required by law, court order, or to protect the rights, property, or safety of RiskWatch, our customers, or others.
8. International data transfers
RiskWatch is headquartered in the United States, with a development center in India. We primarily host customer data in AWS US-East. For EU and UK customers who select an EU tenant, we host in AWS EU-Frankfurt and personal data stays in the EEA at rest.
Where we transfer personal data out of the EEA, the UK, or Switzerland to a country that does not have an EU adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs, Commission Decision 2021/914) or the UK International Data Transfer Addendum, supplemented where appropriate by additional technical and organizational measures (encryption in transit and at rest, access logging, least-privilege access control).
If you would like a copy of the safeguards we use for a specific transfer, write to privacy@riskwatch.com and we will share the relevant clauses (commercial details redacted).
9. Data retention
We retain personal data only as long as we need it for the purposes set out in this notice, including any legal, accounting, or reporting requirements.
- Customer-relationship data. Retained for the life of the customer relationship and for a further seven (7) years after termination, to support audit, tax, and dispute-defense obligations. [review with legal: confirm 7-year post-termination retention against state retention statutes].
- Prospect and marketing data. Retained while you remain engaged (open emails, visit the site, attend events) and for up to twenty-four (24) months after your last engagement, after which we anonymize or delete the record.
- Web analytics. Aggregated for up to twenty-six (26) months, after which raw event data is deleted.
- Security and audit logs. Retained for up to twelve (12) months, longer where required for incident response.
When the retention period ends, we delete or anonymize the data so it can no longer be associated with you.
10. Your privacy rights
Rights under GDPR (EU and UK residents)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under GDPR Articles 15 to 22:
- Right of access (Art. 15). Ask whether we process your data and obtain a copy.
- Right to rectification (Art. 16). Have inaccurate data corrected.
- Right to erasure (Art. 17). Ask us to delete your data, subject to legal-retention exceptions.
- Right to restriction (Art. 18). Limit our processing in specified circumstances.
- Right to data portability (Art. 20). Receive your data in a structured, machine-readable format and have it transmitted to another controller.
- Right to object (Art. 21). Object to processing based on legitimate interests or to direct marketing.
- Rights related to automated decision-making (Art. 22). We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.
You also have the right to lodge a complaint with your supervisory authority (in the UK, the Information Commissioner's Office at ico.org.uk; in Ireland, the Data Protection Commission at dataprotection.ie; or the supervisory authority in your country of residence).
Rights under CCPA / CPRA (California residents)
If you are a California resident, you have the following rights:
- Right to know what personal information we collect, use, disclose, and (if applicable) sell or share.
- Right to delete personal information we hold about you, subject to legal-retention exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information for cross-context behavioural advertising. RiskWatch does not sell or share personal information in this sense, so there is nothing to opt out of, but you can still send us a request to confirm this.
- Right to limit the use of sensitive personal information. We do not collect sensitive personal information for our marketing site.
- Right to non-discrimination. We will not deny, charge differently, or provide a different level of service because you exercised a privacy right.
You may exercise these rights yourself or use an authorized agent. To submit a request, email privacy@riskwatch.com with the subject line "Privacy Request" and the request type. We respond within the timelines required by law (one month under GDPR, forty-five days under CCPA, each extendable once where the request is complex). We verify your identity before acting on a request.
11. Cookies and tracking
Our website uses cookies and similar technologies for three purposes:
- Essential cookies. Required for the site to function (session management, form submission, fraud protection). These do not require consent.
- Analytics cookies. Help us understand how visitors use the site so we can improve it. These run on consent in regions that require it.
- Advertising cookies. If we run paid campaigns, advertising cookies measure campaign performance and may personalize the ads you see on other websites. These run on consent in regions that require it.
You can manage your cookie preferences through the cookie banner the first time you visit the site, and you can revisit your choices at any time through your browser settings. We honour the Global Privacy Control (GPC) signal as an opt-out of sale or sharing under the CCPA. [review with legal: confirm if a dedicated /cookie-policy/ page will be published and link to it here].
12. Children's privacy
Our website and platform are designed for business use by adults. We do not knowingly collect personal data from children under the age of 16. If you believe a child has provided us with personal data, please contact privacy@riskwatch.com and we will delete it.
13. Changes to this notice
We review this notice at least annually and update it when our practices change. When we make a material change, we will post the updated notice on this page with a new effective date. Where the change is significant (for example, a new purpose of processing or a new category of subprocessor), we will give you reasonable advance notice by email or through an in-product banner.
14. Contact for privacy requests
For any privacy question, data-subject request, or complaint:
Email: privacy@riskwatch.com
General legal: legal@riskwatch.com
Postal address:
RiskWatch International
Attn: Privacy
1680 Fruitville Rd, # 535
Sarasota, FL 34236
United States
If you are in the EU or UK and require a local representative under GDPR Article 27, contact us at the address above and we will share the representative's contact details. [review with legal: confirm whether an Art. 27 representative has been appointed].
15. Last updated
This Privacy Notice was last updated on 2026-05-14. Earlier versions are available on request.