Privacy Policy

Last updated: April 9, 2026

Redan Compliance, Inc. (“Redan,” “we,” “us,” or “our”) operates the forensic compliance platform available at redancompliance.com. This Privacy Policy explains how we collect, use, store, and protect your information when you use our services.

1. Information We Collect

Account information. When you create an account, we collect your name, email address, firm name, and role. This information is required to provision your firm's workspace and manage user access.

Firm data. Data you upload to the platform — marketing materials, evidence files, CCO determination records, vendor due diligence questionnaires, and training records — is your firm's data. We process it on your behalf as a data processor.

Usage data. We collect log data including pages visited, actions taken, timestamps, and IP addresses to maintain service integrity and support your account. This data is used for security monitoring and product improvement.

Cookies and analytics. We use PostHog for product analytics, configured to mask personally identifiable input data. We use functional cookies required for authentication and session management.

2. How We Use Your Information

We use the information we collect to: provision and operate your firm's workspace; authenticate users and enforce access controls; provide customer support; send transactional emails (account notifications, security alerts); and improve the platform.

We do not sell your data. We do not use your firm's compliance data to train machine learning models without explicit written consent.

3. Data Storage and Security

Your data is stored on Supabase (PostgreSQL on AWS us-east-2) and served via Vercel's global edge network. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).

WORM compliance. Evidence files, audit log entries, and CCO determination records are stored as INSERT-only (Write Once, Read Many). Once written, these records cannot be altered or deleted — this is an architectural property of the platform, not just a policy. This behavior is enforced at the database policy layer and is a feature, not a limitation. It mirrors the forensic record standards that SEC examiners expect.

We are pursuing SOC 2 Type II certification (company-level audit, Q4 2026 target). Our infrastructure providers — Supabase, Vercel, and AWS — are independently SOC 2 Type II certified.

4. Data Retention

We retain your account data for as long as your subscription is active and for a reasonable period thereafter to comply with legal obligations. Evidence files and audit records stored under WORM policies are retained for the life of your account and cannot be selectively deleted.

Upon account termination, we will provide a data export upon request within 30 days. After 90 days following termination, account data may be permanently deleted from production systems.

5. Third-Party Service Providers

We use the following third-party services to operate the platform:

  • Supabase — database, authentication, and file storage
  • Vercel — application hosting and edge delivery
  • PostHog — product analytics (inputs masked)
  • Sentry — error monitoring (PII scrubbed before transmission)

Each provider has been selected for its data security posture and compliance certifications.

6. Your Rights (GDPR / CCPA)

If you are located in the European Economic Area or California, you have rights regarding your personal data, including the right to access, correct, or request deletion of your personal account information (subject to WORM constraints on forensic records, which cannot be deleted by design).

To exercise these rights, contact us at privacy@redancompliance.com. We will respond within 30 days.

7. Children's Privacy

Redan is a business-to-business compliance platform intended for use by investment adviser firms and their employees. We do not knowingly collect personal information from anyone under the age of 18.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify account administrators by email of material changes at least 30 days before they take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

9. Contact

For privacy-related inquiries, contact us at: privacy@redancompliance.com