Privacy

Plain-language privacy.

What we collect, where it goes, and what you can ask us to delete.

Last updated April 29, 2026

What we collect

We collect only what we need to run your readiness assessment and produce the artifacts you ask for.

  • Account. Email address and password hash from sign-up.
  • Workspace. Organization name, scope boundary, jurisdictions, organizational roles, and sensitive-use flags.
  • Assessment data. Your answers to readiness questions, AI system inventory entries (names, purposes, owners), risk register items, and Statement of Applicability decisions.
  • Evidence. Files you upload as evidence (policies, training records, audit logs, etc.).
  • Generated documents. The artifacts Encor produces from your inputs.

What we send to third parties

When you invoke an AI-powered feature (Polish, Draft, Explain, justification generation, and similar), the relevant context from your workspace is sent to OpenRouter, which routes it to Anthropic's Claude Haiku 4.5 model.

  • What gets sent. The legal entity name, scope boundary, organizational roles, jurisdictions, sensitive-use flags, AI system names and purposes, and the contents of the document being generated or polished.
  • Retention. OpenRouter retains request and response data for at most 30 days for abuse monitoring; we do not enable any longer retention setting.
  • Training. Output is not used to train any model.
  • No other vendors. No analytics, no advertising, no third-party tracking.

Where data lives

  • Postgres database. Supabase Postgres in the us-east-2 AWS region.
  • Evidence files. Supabase Storage, same region.
  • No analytics tracking. We do not use Google Analytics, Segment, PostHog, or any similar service.
  • Backups. Standard Supabase point-in-time recovery; no data is exported off-platform.

Cookies

Encor uses one cookie: the Supabase authentication session cookie. It exists so you stay signed in. We set no analytics, advertising, or fingerprinting cookies.

Your rights

You can request export or deletion of your account and workspace data at any time. Email privacy@encorsys.com from the address on your account.

Deletion removes your account, organization records, assessment responses, generated documents, and evidence files. We complete deletion requests within 30 days.

Changes

If we change what we collect or where it goes, we update this page and bump the “Last updated” date. Material changes also trigger an email to your account address.

Contact

Questions or concerns? Email privacy@encorsys.com.