Privacy Policy

Last updated: February 12, 2026

Spoon Seller LLC ("PrivaBase", "we", "us") is committed to protecting your privacy. This policy explains how we collect, use, and protect your information.

1. Information We Collect

Account Information

When you register, we collect your name, email address, and password (stored as a bcrypt hash). We never store plaintext passwords.

Usage Data

We collect API usage data (endpoints accessed, timestamps, response times) to provide the Service and improve performance. We use Google Analytics (GA4) for anonymous website analytics.

Compliance Data

Data you upload for compliance checks, documents, vendor assessments, and other features is your data. We process it only to provide the Service.

Diagnostic Data

When reporting issues, you may optionally share browser type, screen size, and timezone. This is only collected with your explicit consent.

2. How We Use Your Information

  • Provide, maintain, and improve the Service
  • Process transactions and send billing notifications
  • Send product updates and security alerts
  • Respond to support requests
  • Analyze usage patterns to improve the platform

3. What We Don't Do

  • We do not sell your data to third parties. Ever.
  • We do not use your compliance data to train machine learning models
  • We do not share your data with advertisers
  • We do not access your data except to provide the Service or as required by law

4. Data Security

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Passwords are hashed with bcrypt. API keys and sensitive tokens are SHA-256 hashed before storage. We implement rate limiting, CORS restrictions, and comprehensive access controls.

5. Data Retention

Account data is retained while your account is active. Upon deletion, your data is removed within 30 days. Audit logs may be retained for up to 7 years as required for compliance purposes.

6. Your Rights

Depending on your jurisdiction, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and data
  • Export your data in a portable format
  • Object to or restrict processing
  • Withdraw consent at any time

To exercise these rights, email privacy@privabase.com.

7. Third-Party Services

We use: Vercel (hosting), Supabase (database), Stripe (payments), Google Analytics (website analytics), and Resend (transactional email). Each has its own privacy policy, and we share only the data necessary for that provider's service.

8. Cookies

We use essential cookies for authentication and session management. Google Analytics uses anonymous cookies. No advertising or tracking cookies are used.

9. International Transfers

Data is processed in the United States. Where we transfer personal data internationally, we implement appropriate safeguards including Standard Contractual Clauses (SCCs), encryption in transit and at rest, and data processing agreements with all sub-processors. We assess the data protection laws of destination countries and apply supplementary measures where necessary to ensure an essentially equivalent level of protection.

10. International Privacy Rights

PrivaBase serves customers globally. The following sections describe your additional rights and our obligations under specific regional privacy laws. These provisions apply in addition to the general rights described in Section 6 above.

10.1 United Kingdom — UK GDPR

If you are located in the United Kingdom, your personal data is protected under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The Information Commissioner's Office (ICO) is the supervisory authority for data protection in the UK.

Lawful Bases for Processing

We process your personal data on the following lawful bases under Article 6 of the UK GDPR:

  • Contract: Processing necessary to perform our contract with you (providing the Service, managing your account)
  • Legitimate interests: Improving the Service, fraud prevention, and security (where these interests are not overridden by your rights)
  • Consent: Where you have given explicit consent (e.g., optional diagnostic data, marketing communications)
  • Legal obligation: Where processing is required to comply with applicable law

Your UK Data Subject Rights

Under the UK GDPR, you have the right to: access your personal data; rectification of inaccurate data; erasure ("right to be forgotten"); restriction of processing; data portability; object to processing based on legitimate interests; not be subject to automated decision-making; and withdraw consent at any time. We will respond to your request within one calendar month.

International Transfer Safeguards

Where your data is transferred outside the UK, we rely on UK International Data Transfer Agreements (IDTAs) or the UK Addendum to EU SCCs, as approved by the ICO. You may contact us to obtain a copy of these safeguards.

To exercise your rights or file a complaint, contact our privacy team at privacy@privabase.com. You also have the right to lodge a complaint with the ICO at ico.org.uk.

10.2 Australia — Privacy Act 1988

If you are located in Australia, your personal information is handled in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The Office of the Australian Information Commissioner (OAIC) is the national regulator for privacy and freedom of information.

How We Comply with the APPs

  • APP 1 — Open and transparent management: This privacy policy sets out how we manage your personal information
  • APP 3 — Collection: We only collect personal information that is reasonably necessary for our functions and activities
  • APP 5 — Notification: We notify you of the collection of personal information at or before the time of collection
  • APP 6 — Use and disclosure: We only use or disclose personal information for the purpose for which it was collected, or a directly related purpose you would reasonably expect
  • APP 8 — Cross-border disclosure: Before disclosing personal information to overseas recipients, we take reasonable steps to ensure they comply with the APPs
  • APP 11 — Security: We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access

Your Rights Under Australian Law

Under APPs 12 and 13, you have the right to request access to, and correction of, your personal information held by us. We will respond within 30 days. If we refuse a request, we will provide written reasons. You may also request that we adopt a pseudonym or remain anonymous where practicable.

To make a request or lodge a complaint, contact us at privacy@privabase.com. If you are not satisfied with our response, you may lodge a complaint with the OAIC at oaic.gov.au.

10.3 Canada — PIPEDA

If you are located in Canada, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with PIPEDA.

PIPEDA Principles

We adhere to the ten fair information principles set out in Schedule 1 of PIPEDA:

  • Accountability: Our privacy team is responsible for our compliance with PIPEDA and can be contacted at privacy@privabase.com
  • Consent: We obtain your knowledge and consent for the collection, use, and disclosure of your personal information, except where permitted by law
  • Limiting collection: We limit the collection of personal information to what is necessary for the identified purposes
  • Limiting use, disclosure, and retention: Personal information is used only for the purposes for which it was collected and is retained only as long as necessary
  • Accuracy: We keep personal information as accurate, complete, and up-to-date as necessary
  • Safeguards: We protect personal information with security safeguards appropriate to the sensitivity of the information

Your Rights Under PIPEDA

You have the right to: access the personal information we hold about you; challenge its accuracy and have it amended; withdraw consent (subject to legal or contractual restrictions); and know how your information has been used and disclosed. We will respond to access requests within 30 days.

To exercise your rights, contact our Privacy Officer at privacy@privabase.com. If your concern is not resolved, you may file a complaint with the OPC at priv.gc.ca.

10.4 Brazil — LGPD

If you are located in Brazil, your personal data is protected under the Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018). The Autoridade Nacional de Proteção de Dados (ANPD) is the supervisory authority responsible for overseeing compliance with the LGPD.

Legal Bases for Processing

Under Article 7 of the LGPD, we process your personal data based on the following legal bases:

  • Performance of contract: Processing necessary to execute and perform our service agreement with you
  • Legitimate interests: For product improvement, security, and fraud prevention, provided these do not override your fundamental rights and freedoms
  • Consent: Where you have provided free, informed, and unambiguous consent
  • Legal or regulatory obligation: Where processing is necessary to comply with applicable Brazilian law

Your Rights Under the LGPD

Under Article 18 of the LGPD, you have the right to: confirmation of the existence of processing; access to your data; correction of incomplete, inaccurate, or outdated data; anonymisation, blocking, or deletion of unnecessary or excessive data; portability of your data to another service provider; deletion of data processed with your consent; information about public and private entities with which your data has been shared; information about the possibility of denying consent and its consequences; and revocation of consent.

To exercise your rights, contact our Data Protection Officer (Encarregado) at privacy@privabase.com. You also have the right to petition the ANPD at gov.br/anpd.

10.5 South Africa — POPIA

If you are located in South Africa, your personal information is protected under the Protection of Personal Information Act, 2013 (POPIA). The Information Regulator is the independent body that oversees compliance with POPIA.

Conditions for Lawful Processing

We process your personal information in compliance with the eight conditions for lawful processing under POPIA:

  • Accountability: We ensure compliance with POPIA and take responsibility for personal information in our possession
  • Processing limitation: We process personal information lawfully, in a reasonable manner, and only with your consent or as otherwise permitted by law
  • Purpose specification: We collect personal information for specific, explicitly defined, and lawful purposes
  • Further processing limitation: We do not process personal information for purposes incompatible with the original purpose of collection
  • Information quality: We take reasonably practicable steps to ensure personal information is complete, accurate, and not misleading
  • Openness: We maintain documentation of all processing operations and notify you when collecting personal information
  • Security safeguards: We secure the integrity and confidentiality of personal information through appropriate technical and organisational measures
  • Data subject participation: You have the right to access, correct, and delete your personal information

Your Rights Under POPIA

Under POPIA, you have the right to: be notified that your personal information is being collected; request access to your personal information; request correction or deletion of your personal information; object to the processing of your personal information; not be subject to a decision based solely on automated processing; and submit a complaint to the Information Regulator.

To exercise your rights, contact our Information Officer at privacy@privabase.com. You may also lodge a complaint with the Information Regulator at inforegulator.org.za.

11. Children's Privacy

The Service is not directed to individuals under 16. We do not knowingly collect data from children.

12. Changes

We may update this policy. Material changes will be communicated via email. Continued use after changes constitutes acceptance.

13. Contact

Data Protection Officer: privacy@privabase.com

Spoon Seller LLC, United States