Privacy Policy

Last updated: January 15, 2025

1. Introduction

Imara ("we", "our", or "us") operates the Imara Trust platform, a cybersecurity and compliance SaaS that helps organizations manage security programs, compliance frameworks, risk management, controls, evidence collection, and audit readiness. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our website, platform, and related services. We process data both as a controller (for our own operations) and as a processor (when customers use the platform to manage their compliance and security data).

2. Data We Collect

Account and registration data: name, email address, organization name, role, and credentials necessary for authentication and access management.

Customer and organization information: company details, billing information, workspace configuration, and team structure.

Business contact information: names and contact details of individuals who interact with us for sales, support, or partnership purposes.

Security and compliance metadata: framework mappings, control status, assessment results, and audit trail data generated through platform use.

Evidence and documentation: files, policies, and records that customers upload to the platform for compliance management, risk registers, and third-party assessments.

Vendor and risk management records: information about third parties, vendors, and risk assessments that customers maintain within the platform.

Analytics, telemetry, and monitoring data: usage patterns, feature adoption, performance metrics, error logs, and security event data to operate and improve our services.

Integrations data: when customers connect third-party services (e.g., cloud providers, identity providers, ticketing systems), we may receive data necessary to support those integrations.

3. How We Use Data

We process data to provide, operate, and improve the Imara Trust platform; to authenticate users and enforce access controls; to support compliance workflows, evidence management, and audit readiness features; to deliver customer support and communicate about the service; to detect and prevent fraud, abuse, and security incidents; to analyze usage and improve product functionality; to comply with legal obligations; and to enforce our agreements.

4. Legal Bases

Where applicable under data protection law (e.g., GDPR), we rely on: contract performance for providing the platform; legitimate interests for security, analytics, and service improvement; consent where we expressly obtain it (e.g., marketing); and legal obligation where required by law.

5. Retention

We retain data for as long as necessary to provide the service, fulfill our contractual and legal obligations, and resolve disputes. Customer workspace data is retained according to the subscription term and applicable data processing terms. Upon account termination, we provide a reasonable period for data export and then delete or anonymize data in accordance with our retention schedule. Audit logs and security-relevant data may be retained longer where required for compliance or legal purposes.

6. Sharing and Disclosure

We do not sell personal data. We may share data with: service providers and subprocessors who assist in platform operations (hosting, analytics, support, payment processing); professional advisors when necessary; law enforcement or regulators when required by law; and other parties with consent or at your direction.

7. Subprocessors

We use subprocessors for infrastructure, analytics, monitoring, and support. Our subprocessor list is available upon request. We require subprocessors to meet appropriate security and data protection commitments. Enterprise customers may request a Data Processing Agreement (DPA) with subprocessor details.

8. International Transfers

Data may be processed in jurisdictions outside your country of residence. Where we transfer data from the EEA, UK, or other regulated regions, we implement appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms as required by applicable law.

9. Security Safeguards

We implement technical and organizational measures to protect data, including access controls, encryption in transit and at rest, logging and monitoring, and regular security assessments. We maintain SOC 2 Type II certification and adhere to industry standards. We do not disclose specific implementation details that could compromise security.

10. Customer Responsibilities

When using Imara Trust to manage compliance and security data, you act as a controller for the data you input. You are responsible for ensuring you have appropriate legal bases and consents for processing that data, for configuring access controls and user permissions appropriately, and for complying with applicable laws. We act as your processor for such data in accordance with our Data Processing Agreement where applicable.

11. Data Subject Rights

Depending on your jurisdiction, you may have rights to access, rectify, erase, restrict processing, data portability, object to processing, and withdraw consent. To exercise these rights, contact [email protected]. We will respond within the timeframe required by applicable law. You may also have the right to lodge a complaint with a supervisory authority.

12. Cookies and Similar Technologies

We use cookies and similar technologies for authentication, session management, analytics, and security. See our Cookie Policy for details.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and updating the "Last updated" date. For significant changes, we may provide additional notice by email or through the platform.

14. Contact

For privacy-related inquiries, data subject requests, or questions about this policy:

Email: [email protected]

Address: Hortolândia, SP, Brazil