Privacy Policy
Last updated: 2026-02-25
At Riskitera we take the privacy of our users very seriously. This Privacy Policy describes how we collect, use, store, and protect the personal information you provide when using the Riskitera platform (riskitera.com).
1. Data Controller
The controller responsible for processing your personal data is:
- Company: Riskitera
- Domain: riskitera.com
- Contact email: contact@riskitera.com
- Scope: GRC+SOC cybersecurity SaaS platform
2. Data We Collect
We collect the following types of personal data:
2.1 Account Data
- Full name and email address provided during registration.
- Password (stored in encrypted form; never in plain text).
- Organisation or company you belong to.
- Role within the platform (analyst, administrator, etc.).
2.2 Usage Data
- Actions performed on the platform (creating incidents, alerts, reports, etc.).
- User settings and preferences.
- Audit log activity records.
2.3 Technical Data
- Access IP address.
- Browser type and version.
- Operating system and device type.
- Pages visited, date/time of access and session duration.
2.4 Cookies and Similar Technologies
We use session cookies, analytics cookies (Google Analytics), and product analytics cookies (MixPanel). Please refer to our Cookie Policy for more information.
3. Purpose of Processing
We process your data for the following purposes:
- Service delivery: Manage your account, authenticate you, and provide access to platform features.
- Security: Detect, prevent, and investigate fraudulent activity or unauthorised use.
- Product improvement: Analyse platform usage in aggregate to identify bugs and improve the user experience.
- Communications: Send service notifications, important updates, and, where you have consented, commercial communications.
- Legal compliance: Meet legal, regulatory, or competent authority requirements.
4. Legal Basis for Processing
The processing of your data is based on the following legal grounds under the General Data Protection Regulation (GDPR):
- Performance of a contract (Art. 6(1)(b) GDPR): We need your data to provide the contracted service.
- Consent (Art. 6(1)(a) GDPR): For analytics cookies and commercial communications, we request your explicit consent.
- Legitimate interests (Art. 6(1)(f) GDPR): For platform security and fraud prevention.
- Legal obligation (Art. 6(1)(c) GDPR): To comply with applicable regulations.
5. Cookies and Tracking Technologies
We use the following tracking technologies:
- Session cookies (GoTrue Auth): Required to maintain your authenticated session. Without them the service cannot function.
- Google Analytics: Web analytics tool for measuring traffic and user behaviour in an aggregated and anonymised form.
- MixPanel: Product analytics tool for understanding how platform features are used.
For more information, please see our Cookie Policy.
6. Data Retention
- Account data: Retained for as long as your account is active and for 5 additional years after cancellation, unless a longer period is required by law.
- Activity logs: Retained for 12 months from the date of generation.
- Analytics data: Retained according to each tool's configuration (Google Analytics: 14 months; MixPanel: 5 years).
- Cookies: As indicated in our Cookie Policy.
7. Your Rights
As a data subject, you have the right to:
- Access: Obtain confirmation as to whether we process your data and, if so, receive a copy.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): Request deletion of your data when it is no longer necessary or you withdraw consent.
- Restriction of processing: Request that we temporarily suspend the processing of your data.
- Data portability: Receive your data in a structured, commonly used, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdrawal of consent: Withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, write to us at contact@riskitera.com, indicating the right you wish to exercise and attaching a copy of your identity document.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.
8. International Data Transfers
Some of our service providers are established outside the European Economic Area (EEA). In these cases, we ensure that the transfer is carried out with appropriate safeguards:
- Google LLC (Google Analytics): Established in the US. Transfer is made under Standard Contractual Clauses approved by the European Commission and the EU-US Data Privacy Framework.
- Mixpanel, Inc. (MixPanel): Established in the US. Transfer is made under Standard Contractual Clauses approved by the European Commission.
9. Security Measures
We implement the following technical and organisational measures to protect your data:
- Encryption in transit using TLS 1.2/1.3 for all communications.
- Encryption at rest for data stored in the database.
- Role-based access controls (RBAC) to restrict access to data.
- Periodic security audits and log review.
- Vulnerability management and continuous patching.
- Security incident response plan.
10. Children
The Riskitera platform is not directed to persons under the age of 16. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has provided us with information, please contact us at contact@riskitera.com so that we can delete such data.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email to the address associated with your account and/or through a prominent notice on the platform, at least 30 days before the changes take effect.
12. Contact
For any questions regarding the processing of your personal data, you can contact us at:
- Email: contact@riskitera.com
- Web: https://riskitera.com