Privacy Policy
Effective January 1, 2026
What we collect
Account information (name, email, password hash), company profile data you enter, assessment responses, and standard server logs (IP, user-agent, request timestamps).
What we don't collect
HEXDI does not store ITAR-controlled technical data, classified information, or controlled unclassified information beyond your compliance metadata. Do not upload such material to the platform.
How we use it
To operate the service, send transactional email (verification, password reset, follow-up notifications), and improve product reliability. We do not sell your data, ever.
Subprocessors
We use SendGrid (transactional email), Stripe (payments), and DigitalOcean (hosting). Each is bound by contractual data protection terms.
Encryption
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Database backups are encrypted and retained for 30 days.
Your rights
You can request export or deletion of your account data at any time by emailing [email protected]. We respond within 30 days.
Questions? Email [email protected].