Privacy Policy
Last updated June 21, 2026
This policy explains what information Attestly collects, why we collect it, how we handle it, and the choices and rights you have. We keep it in plain language on purpose.
Who we are
Attestly (“Attestly”, “we”, “us”) provides software that helps B2B teams answer security questionnaires by drafting responses from their own approved answer library. Attestly is operated from France and serves customers internationally. For any privacy question, contact us at hello@attestly.cloud.
Information we collect
We collect only what we need to run the service:
- Account information — your name, work email, company name, and a securely hashed password. We never store your password in plain text.
- Content you create or upload — the answers in your library, the questionnaires and questions you import, and the drafts Attestly generates for you.
- Billing information — if you subscribe to a paid plan, payments are handled by Stripe. We never see or store your full card number; we keep only a Stripe customer reference and your subscription status.
- Usage and device data — basic, privacy-friendly analytics (pages viewed, performance metrics) to keep the product fast and reliable. We do not build advertising profiles.
How we use your information
- To provide, operate, and improve the Attestly service.
- To generate answers to your questionnaire questions from your own library, at your request.
- To manage your account, plan, and billing.
- To send service communications you need — for example, a password-reset link when you ask for one.
- To keep the service secure and prevent abuse.
We do not sell your personal information, and we do not use your library content to train any AI model.
How AI processing works
Attestly drafts answers from your approved library. When you enable an AI provider (Anthropic or OpenAI), the relevant questions and the matching snippets from your own library are sent to that provider solely to generate a draft. Under those providers’ API terms, your content is not used to train their models. If you do not configure an AI provider, Attestly drafts answers using deterministic matching, and no content leaves our infrastructure for AI processing.
Sub-processors
We rely on a small set of reputable providers to run Attestly. Each is bound by its own data-protection commitments:
- Neon — managed PostgreSQL database hosting (data stored in the EU, Frankfurt region).
- Vercel — application hosting, delivery, and privacy-friendly analytics.
- Stripe — payment processing for paid plans.
- Anthropic and/or OpenAI — AI drafting, only when you enable a provider.
- Hostinger — transactional email delivery (for example, password-reset emails).
Where your data is stored
Your account and content are stored in a PostgreSQL database hosted in the European Union (Frankfurt, Germany). Where data is transferred outside the EU/EEA — for example to a US-based sub-processor — that transfer is governed by appropriate safeguards such as the EU Standard Contractual Clauses.
Data retention
We keep your data for as long as your account is active. If you delete content, it is removed from our active systems. If you close your account, we delete or anonymize your personal data within a reasonable period, except where we must retain limited records to meet legal or accounting obligations.
Your rights
Depending on where you live, you have rights over your personal data. If you are in the European Economic Area or the United Kingdom (GDPR), you can request to access, correct, delete, restrict, or port your data, and object to certain processing. If you are in California (CCPA/CPRA), you can request to know what we collect, request deletion, and opt out of any “sale” of personal information — and we do not sell it. To exercise any right, email hello@attestly.cloud and we will respond within the time required by law.
Cookies
We use a single essential cookie to keep you securely logged in (an HttpOnly session cookie). We also use privacy-friendly analytics that do not rely on advertising cookies or cross-site tracking. Because we don’t use marketing cookies, there’s no advertising profile to opt out of.
Security
We encrypt data in transit and at rest, hash passwords, and isolate each organization’s data. Read more on our Security page. No system is perfectly secure, but we take protecting your data seriously.
Children
Attestly is a business tool and is not intended for anyone under 16. We do not knowingly collect data from children.
Changes to this policy
We may update this policy as the product evolves. When we make material changes, we’ll update the “last updated” date above and, where appropriate, notify you.
Contact
Questions about privacy? Email hello@attestly.cloud and we’ll help.