Privacy Policy
Effective Date: March 27, 2026 · Last Updated: March 27, 2026
BlackSheep, LLC (“BlackSheep,” “we,” “us,” or “our”) is committed to protecting the privacy of our customers, their employees, and visitors to our website. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard personal information when you use our cybersecurity compliance platform and website at www.goblacksheep.io (the “Service”).
This policy is designed to satisfy the requirements of SOC 2 Trust Services Criteria for Privacy (P1.1), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and applicable state privacy laws including the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and other comprehensive state privacy statutes.
1. Categories of Personal Information We Collect
1.1 Information You Provide Directly
- Account & Identity Data: Name, email address, job title, company name, and phone number when you register or are provisioned as a user.
- Billing Data: Payment card information and billing address, processed through our PCI-compliant payment processor (Stripe). We do not store full card numbers on our servers.
- Compliance Data: Policy documents, incident reports, risk assessments, vendor information, training records, and other materials you upload or create within the Service.
- Communications: Messages, support tickets, and feedback you send to us.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, timestamps, and interaction patterns within the Service.
- Device & Technical Data: IP address, browser type, operating system, device identifiers, and referring URLs.
- Authentication Data: Login timestamps, session identifiers, and multi-factor authentication events (managed by our authentication provider, Clerk).
- Security Event Data: Rate-limiting events, blocked requests, and security monitoring logs collected to protect the Service.
1.3 Information from Third Parties
- Identity Provider Data: If you sign in via Google or another SSO provider, we receive your name, email, and profile picture as authorized by you.
- Payment Processor: Stripe provides us with transaction confirmation, subscription status, and partial card details for billing records.
2. How We Use Your Information
We use personal information for the following business and commercial purposes:
- Provide the Service: Operate, maintain, and deliver compliance management features, including policy management, incident tracking, training, and audit reporting.
- Authentication & Security: Verify identity, enforce access controls, detect and prevent fraud, abuse, and unauthorized access.
- Billing & Payments: Process subscriptions, invoices, and payment transactions.
- Communications: Send service notifications, security alerts, system status updates, and respond to support inquiries.
- Compliance & Legal: Maintain audit logs and records to satisfy regulatory requirements (SEC, FINRA) and our own SOC 2 obligations.
- Improvement: Analyze usage patterns and performance metrics to improve the Service, fix bugs, and develop new features.
3. Legal Bases for Processing
- Contract Performance: Processing necessary to deliver the Service under our terms of service.
- Legitimate Interests: Security monitoring, fraud prevention, service improvement, and compliance with industry standards.
- Legal Obligation: Maintaining records required by financial regulators and applicable law.
- Consent: Where required by law, such as for optional marketing communications.
4. Categories of Third Parties & Disclosure
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We disclose personal information only as follows:
| Category of Recipient | Purpose | Data Shared |
|---|---|---|
| Clerk (Authentication) | User authentication, SSO, session management | Name, email, profile image, login events |
| Stripe (Payments) | Payment processing, subscription management | Billing name, email, payment method |
| Neon (Database) | Data storage and processing | All Service data (encrypted at rest and in transit) |
| Vercel (Hosting) | Application hosting, CDN, serverless compute | IP address, request data, application logs |
| Resend (Email) | Transactional email delivery | Recipient email, message content |
We may also disclose personal information:
- To comply with a legal obligation, subpoena, court order, or regulatory request.
- To protect the rights, safety, or property of BlackSheep, our users, or the public.
- In connection with a merger, acquisition, or sale of assets (with prior notice to affected users).
5. Data Retention
We retain personal information only as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, and support regulatory audit requirements. Our retention schedule includes:
- Audit logs: 7 years (SEC/FINRA record-keeping requirements)
- Incident records: 7 years
- Compliance test results: 5 years
- Training acknowledgments: 3 years
- Risk assessments: 7 years
- Security event logs: Per configured retention policy
- Account data: Duration of the account plus 30 days after deletion request
Automated data retention enforcement runs on a scheduled basis. When retention periods expire, data is permanently deleted from our production systems and backups within 30 days.
6. Data Security
We implement administrative, technical, and physical safeguards to protect your personal information, including:
- Encryption in transit: All data is transmitted over TLS 1.2+ (HTTPS).
- Encryption at rest: Database storage is encrypted using AES-256.
- Access controls: Role-based access control (RBAC), multi-factor authentication, and automated session timeouts.
- Monitoring: Continuous security monitoring, bot detection, rate limiting, and anomaly detection.
- Audit logging: Comprehensive, tamper-evident audit trail of all administrative actions.
- Vulnerability management: Automated dependency scanning, code review requirements, and regular security assessments.
- Incident response: Documented incident response plan with defined roles and notification procedures.
7. Your Privacy Rights
7.1 Rights Under California Law (CCPA/CPRA)
If you are a California resident, you have the following rights:
- Right to Know: Request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we shared it.
- Right to Delete: Request deletion of your personal information, subject to certain legal exceptions (e.g., regulatory record-keeping).
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is necessary.
- Right to Limit Use of Sensitive Personal Information: We only use sensitive personal information as necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
To exercise these rights, contact us at privacy@goblacksheep.io. We will verify your identity before processing your request and respond within 45 days as required by law.
7.2 Rights Under Other State Laws
Residents of Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, and other states with comprehensive privacy laws have similar rights to access, correct, delete, and port their personal data, as well as the right to opt out of targeted advertising, profiling, and the sale of personal data.
We do not engage in targeted advertising, profiling for decisions that produce legal or similarly significant effects, or the sale of personal data. To exercise your rights under any applicable state law, contact us at privacy@goblacksheep.io.
If we deny your request, you may appeal by contacting us at the same address. We will respond to appeals within the timeframe required by your state’s law.
8. Cookies & Tracking Technologies
We use the following technologies:
- Essential Cookies: Authentication session cookies required for the Service to function. These cannot be disabled.
- Analytics: Vercel Analytics collects anonymous page view and performance data. No personal identifiers are tracked, and no cookies are set for analytics purposes.
We do not use third-party advertising cookies, social media tracking pixels, or cross-site tracking technologies.
9. Children’s Privacy
The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@goblacksheep.io and we will promptly delete it.
10. Data Location
The Service is hosted in the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised “Last Updated” date and, where required by law, by email. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
12. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a privacy concern, please contact us:
- Email: privacy@goblacksheep.io
- Mail: BlackSheep, LLC, Attn: Privacy, [Your Business Address]
For California residents: You may also designate an authorized agent to submit a request on your behalf. The agent must provide written proof of authorization.
13. CCPA Annual Metrics
As required by the CCPA, the following metrics cover the prior calendar year (January 1 – December 31, 2025):
- Requests to know received: 0
- Requests to delete received: 0
- Requests to opt-out of sale: Not applicable (we do not sell personal information)
- Mean response time: N/A
These metrics will be updated annually each January.