Legal · Privacy Policy

Privacy Policy

Effective date: April 2026 · Version 1.0 · GDPR compliant · Controller: Srivantage, Eindhoven, Netherlands

1. Who is the data controller

Srivantage (KVK: 42027730), Eindhoven, Netherlands, is the data controller for personal data collected through our websites and products. Contact: [email protected].

2. Our core data architecture — what we do NOT collect

Srivantage products are architected with data sovereignty as a foundational principle. This means:

No tool input data is ever transmitted to Srivantage. Everything you enter into RegVanta or Capvanta — company details, assessment answers, strategy inputs, headcount, financial parameters — is processed exclusively within your browser and stored only in your browser's local storage.
No Srivantage server processes your assessment data. We have no server-side component that receives, logs, or stores your tool usage data.
No usage analytics on tool behaviour. We do not embed analytics trackers (Google Analytics, Mixpanel, or similar) within the tool files themselves.
No account required. You do not need to create an account to use any Srivantage product. We do not collect usernames, passwords, or account credentials.

3. What we do collect — and why

Data type	When collected	Purpose	Legal basis (GDPR)	Retention
Email address	Voluntarily provided via contact form, eval download, or demo booking	Responding to enquiries, sending product updates (if consented), fulfilling download requests	Legitimate interest / Consent	Until withdrawal of consent or 3 years from last interaction
Name and company	Voluntarily provided via contact or demo booking form	Personalising responses to enquiries and demo bookings	Legitimate interest	3 years from last interaction
Form submission content	Questions or messages submitted via contact forms	Responding to your enquiry	Legitimate interest	3 years from submission
IP address and access logs	Automatically by Cloudflare when visiting srivantage.com, capvanta.ai, or regvanta-ai.com	Security, fraud prevention, service delivery	Legitimate interest	Per Cloudflare's data retention policy (typically 30 days)

4. Third-party processors

Cloudflare (infrastructure and DNS)

Our websites are hosted on Cloudflare Pages and served via Cloudflare's global CDN. Cloudflare processes IP addresses and access logs as a data processor on our behalf. Cloudflare is certified under the EU-US Data Privacy Framework. See Cloudflare's Privacy Policy.

Formspree (contact forms)

Contact and demo booking forms on our websites use Formspree to process and forward form submissions to us by email. Formspree receives form submission data as a processor. See Formspree's Privacy Policy.

LLM providers (AI narrative enrichment — user-initiated only)

When a user chooses to use AI narrative enrichment, a prompt is sent directly from the user's browser to their chosen LLM provider. Srivantage infrastructure is not involved and receives no copy of this data.

Organisational users — where AI enrichment is used in a business or professional context, the organisation is solely responsible for: (a) ensuring compliance with its AI usage policies and data governance framework; (b) ensuring compliance with GDPR, the EU AI Act, and any applicable sector-specific regulation; (c) its contractual relationship with the chosen LLM provider. Srivantage is not party to that relationship and accepts no responsibility for any data protection, regulatory, or contractual consequence.

Individual users in personal capacity — where AI enrichment is used by an individual personally (not on behalf of an organisation), that individual bears full personal responsibility for their choice of LLM provider, any personal data transmitted, and compliance with all applicable laws. Srivantage makes no representation as to the suitability of any LLM provider for any individual's specific circumstances and accepts zero liability for any consequence of an individual's decision to use AI enrichment features.

Srivantage strongly recommends activating the company name masking feature to minimise identifying information in all AI prompts, regardless of user type.

YouTube (demo video)

Our website links to a demonstration video hosted on YouTube (Google LLC). When you click to watch the video, you are directed to YouTube where Google's privacy policy applies. We do not embed YouTube iframes that load tracking cookies automatically.

5. Cookies

Srivantage websites do not use marketing or analytics cookies. The only browser storage used is:

Session storage — used within tool files to remember UI state (e.g. dismissed announcement bars) for the duration of your browser session. This data is deleted when you close your browser tab.
Local storage — used within tool files to persist your assessment inputs and reports on your own device. This data never leaves your device and is under your control. You can clear it at any time via your browser settings.
Cloudflare cookies — Cloudflare may set technical cookies necessary for security and service delivery. These are strictly necessary and do not require consent under GDPR.

6. Your rights under GDPR

As a data subject within the European Economic Area, you have the following rights:

Right of access — request a copy of personal data we hold about you
Right to rectification — request correction of inaccurate personal data
Right to erasure — request deletion of your personal data ("right to be forgotten")
Right to restriction — request that we restrict processing of your personal data
Right to data portability — receive your data in a structured, machine-readable format
Right to object — object to processing based on legitimate interest
Right to withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl.

7. International transfers

Form submission data processed by Formspree may be transferred to servers outside the EEA. Formspree maintains Standard Contractual Clauses (SCCs) for such transfers. Cloudflare operates under the EU-US Data Privacy Framework. Where LLM providers are located outside the EEA, users are responsible for ensuring appropriate transfer mechanisms are in place under their organisation's data governance framework.

8. Data security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. Given the browser-native architecture of our products, the primary security perimeter for assessment data is your own device and browser — we encourage users to follow standard device security practices.

9. Children's data

Srivantage products are intended for business use by adults aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you believe we have inadvertently collected such data, contact us immediately at [email protected].

10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations. The effective date at the top of this document will reflect the most recent revision. For material changes, we will endeavour to provide notice via our website.

§ Overarching Protection Clause

Data sovereignty declaration and maximum liability limitation

Notwithstanding any other provision of this Privacy Policy or any other agreement, the following applies unconditionally and cannot be waived or modified:

Srivantage never processes your assessment data. The architecture of all Srivantage products is designed so that no assessment input, company data, strategy information, or regulatory response ever reaches Srivantage infrastructure. This is a technical fact, not merely a policy commitment. Any claim arising from alleged data processing by Srivantage of tool input data shall be void, as no such processing occurs.

User responsibility for third-party transmissions — absolute. Where a user initiates an AI narrative enrichment call: (a) an organisational user's responsibility is governed by their organisation's policies, contracts, and applicable regulation — Srivantage is not party to any of those; (b) an individual user in personal capacity bears full personal legal responsibility for that transmission, the data it contains, and all consequences. In neither case does Srivantage bear any responsibility, liability, or duty of care arising from the transmission or its consequences. This is not a limitation of liability — it is an accurate characterisation of Srivantage's technical position: the transmission does not pass through Srivantage infrastructure and Srivantage has no knowledge of, control over, or participation in it.

Maximum liability for privacy claims. To the fullest extent permitted by law, Srivantage's total liability for any privacy or data protection claim shall not exceed EUR 500 (five hundred euros) in aggregate. This ceiling applies regardless of the number of claims, claimants, or legal theories advanced.

This clause survives termination of any agreement between the parties and remains in effect indefinitely.

11. Contact

Srivantage
Eindhoven, Netherlands · KVK: 42027730
Email: [email protected]
Data Protection enquiries: [email protected]