This Data Privacy and Security Policy describes how ISCG Labs, Inc. ("ISCG," "we," "our," or "us") collects, uses, stores, protects, and discloses information when you use the Executive Protection Advance Survey platform ("Service"). We are committed to protecting the privacy and security of your data. This policy applies to all users of the Service within the United States.
When you create an account, we collect your email address and an encrypted password. These are stored on our cloud infrastructure (Supabase, hosted on US-based Amazon Web Services servers). We also collect MFA enrollment data (authenticator app registration) to secure your account.
All survey data you enter — including text, photos, voice recordings, route information, threat assessments, venue details, and any other content — is encrypted using AES-256-GCM encryption in your browser before it is transmitted to our servers. We do not have routine access to your plaintext survey data. The encryption key for each survey is generated locally in your browser.
Payment processing is handled entirely by Stripe, Inc. When you subscribe, your payment method details (credit card number, expiration date, billing address) are collected and processed directly by Stripe. ISCG does not receive, store, or have access to your full payment card number. We receive only a confirmation of payment status, subscription type, and transaction identifiers from Stripe.
When you use the Service, we automatically collect limited technical data including your IP address, browser type and version, device type, and session timestamps. This data is used solely for authentication, security monitoring, and maintaining your session. We do not use this data for tracking, profiling, or advertising.
The Service uses Google Maps for mapping, route planning, and Street View imagery within surveys. When you use mapping features, location queries (addresses, coordinates) are transmitted to Google's servers to render the requested content. ISCG does not independently track your physical location or maintain a history of your location queries outside of the encrypted survey data.
Google's collection and use of data received through the Maps Platform is governed by Google's Privacy Policy (https://policies.google.com/privacy) and the Google Maps Platform Terms of Service. ISCG does not control and is not responsible for Google's data practices.
We use collected information solely to: authenticate your identity and secure your account; store and synchronize your encrypted survey data across sessions and devices; enable collaboration features when you choose to share a survey with authorized teammates; process subscription payments through Stripe; send transactional communications (payment receipts, account notifications, security alerts); and maintain and improve the Service.
We do not use your information for advertising, marketing to third parties, behavioral profiling, or any purpose unrelated to providing the Service.
When you use the collaboration feature to share a survey with another subscriber, your email address and the shared survey's encryption key are transmitted to the collaborator's account to enable access. The collaborator can view and edit the shared survey data. Collaboration is available only between active subscribers. When you are invited as a collaborator, the survey creator's email address will be visible to you.
All survey data is encrypted using AES-256-GCM — the same encryption standard approved by the National Security Agency (NSA) for protecting classified information. Encryption occurs in your browser before data is transmitted. Each survey receives its own unique encryption key. Data in transit is additionally protected by HTTPS/TLS encryption.
Access to the Service requires account authentication with mandatory multi-factor authentication (MFA). MFA uses time-based one-time passwords (TOTP) generated by an authenticator app on your device, ensuring that a password alone is not sufficient to access your account.
Row-level security (RLS) policies enforce data isolation at the database level. Each user can only query their own records and records explicitly shared with them. These controls operate independently of the application layer, providing defense in depth.
The Service is hosted on Supabase, which operates on Amazon Web Services (AWS) infrastructure in the United States. AWS provides physical security, network security, and environmental controls for its data centers. Supabase provides database encryption at rest, automated backups, and secure authentication services.
Transparency is important to us. While survey data is encrypted before it leaves your browser, the encryption key for each survey is stored within our database infrastructure alongside the encrypted data. This means that the encryption keys are protected by our database access controls (row-level security, authentication, and infrastructure security), but they are not derived from a secret known only to you.
In practical terms: ISCG does not access your encryption keys or survey data in the ordinary course of business. However, in the event of a valid legal order (such as a court order or search warrant), or in the event of a database-level breach, it is technically possible for encrypted data to be decrypted using the stored keys. We disclose this so that you can make an informed decision about what information you store in the Service.
For detailed information about the circumstances under which ISCG may be compelled to produce encryption keys and encrypted data in response to legal process, please refer to Section 12 of the Terms of Service.
We do not sell, rent, trade, or share your personal information or survey data with third parties for marketing or commercial purposes.
We may disclose information in the following limited circumstances: to comply with valid legal process (subpoenas, court orders, search warrants) issued by courts of competent jurisdiction in the United States; to protect the rights, property, or safety of ISCG, our users, or the public; and to our Sub-Processors (Supabase, Stripe, Google Maps) solely to the extent necessary to provide the Service, as described in our Data Processing Agreement.
Any disclosure under this provision will be limited to the minimum information necessary to address the specific threat or harm identified, and will be documented internally. This provision does not authorize voluntary disclosure of encrypted survey data or encryption keys, which is governed exclusively by Section 12 of the Terms of Service.
The Service does not use traditional browser cookies for tracking. We use browser local storage to cache your encrypted survey data and authentication tokens for a seamless user experience. Specifically, local storage is used to: (a) cache encrypted survey data to enable offline access and reduce load times, (b) store authentication session tokens to maintain your logged-in state, and (c) store user interface preferences. No data stored in local storage is transmitted to third parties or used for tracking purposes. You may clear local storage through your browser settings at any time, though doing so will require you to re-authenticate. No third-party tracking cookies, advertising cookies, or analytics services are employed. We do not use Google Analytics, Facebook Pixel, or any similar tracking technology.
ISCG honors the privacy rights of all users under applicable state data protection laws. Depending on your state of residence, you may have rights including the right to know what personal information we collect, the right to delete your personal information, the right to correct inaccurate personal information, the right to opt out of the sale or sharing of personal information (ISCG does not sell or share personal information for cross-context behavioral advertising), the right to data portability, and the right to non-discrimination for exercising your rights.
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information is collected, the business purpose for collecting the information, and the categories of third parties with whom we share the information.
Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions allowed by law.
Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
Right to Opt-Out of Sale: We do not sell your personal information. Because we do not engage in the sale of personal information, there is no need to opt out.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
To exercise any of these rights, please contact us at contact@iscgconsulting.com. We will respond to verifiable requests within 45 days as required by law.
Categories of Personal Information Collected:
(a) Identifiers (email address, IP address, device identifiers) — collected to provide the Service; not sold or shared.
(b) Internet or electronic network activity (browser type, session timestamps, usage patterns) — collected for security and authentication; not sold or shared.
(c) Geolocation data (addresses and coordinates entered into surveys, IP-derived approximate location) — collected to provide mapping features; not sold or shared.
(d) Professional information (executive protection engagement details stored in surveys) — stored in encrypted form; not sold or shared.
(e) Financial information (payment status and transaction identifiers from Stripe; ISCG does not receive full payment card numbers) — collected to process subscriptions; not sold or shared.
Users residing in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, and any other state with an enacted comprehensive data privacy law are entitled to exercise the rights provided under their respective state laws. To exercise any privacy right under applicable state law, contact us at contact@iscgconsulting.com. We will respond to verified requests within the timeframe required by the applicable statute, which in most states is 45 days with the possibility of a 45-day extension for complex requests.
ISCG does not sell, and has never sold, personal information of its users to any third party. This applies to all categories of personal information we collect, including account information, survey data, payment information, and technical data.
Your encrypted survey data is retained on our servers for as long as your subscription is active. There is no limit on how long your data can be retained while you maintain an active subscription. Upon cancellation of your subscription, all encrypted survey data, encryption keys, collaboration records, and account information are permanently and irreversibly deleted at the end of your current billing period. Once deleted, this data cannot be recovered by anyone, including ISCG. Active subscribers may delete individual surveys at any time through the Service.
Upon cancellation, technical data (IP addresses, session logs) associated with your account is retained for ninety (90) days for security and fraud prevention purposes, after which it is permanently deleted. Payment records and transaction history maintained by Stripe are subject to Stripe's own data retention policies and applicable financial record-keeping requirements. ISCG retains basic billing records (transaction amounts, dates, subscription history) for seven (7) years as required by applicable tax and financial reporting laws.
You may export individual surveys as PDF reports at any time through the Service. If you require your data in an alternative format, please contact us at contact@iscgconsulting.com and we will make commercially reasonable efforts to accommodate your request.
In the event of a data breach that affects your personal information, we will notify affected users without undue delay and in accordance with applicable state and federal law. Notification will include a description of the breach, the types of information involved, the steps we are taking to address the breach, and recommendations for actions you can take to protect yourself. Notification will be sent to the email address associated with your account. If the breach affects the security of your account credentials, we may also display a notification within the Service upon your next login.
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information promptly.
Material changes to the categories of personal information collected, the purposes of processing, or the parties with whom information is shared will require your affirmative acknowledgment before taking effect. The Company may require you to accept the updated policy as a condition of continued access to the Service. All other changes will be communicated via email at least 30 days before taking effect, and your continued use after the effective date constitutes acceptance.
For questions about this policy, to exercise your privacy rights, or to report a security concern, please contact us at:
ISCG Labs, Inc.
Email: contact@iscgconsulting.com
Website: iscgconsulting.com
By using the Executive Protection Advance Survey, you acknowledge that you have read and understood this Data Privacy and Security Policy.