Legal
Privacy Policy
Effective date: May 22, 2026 · Last updated: May 22, 2026
1. Introduction
Gideon Dynamics (“ITAR Screen,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share information when you use the ITAR Screen platform at itarscreen.com and app.itarscreen.com (the “Service”).
By using the Service, you agree to the collection and use of information as described in this Policy. If you do not agree, please discontinue use of the Service.
2. Information We Collect
2.1 Account and Organization Information
When you register, we collect your name (if provided), email address, organization name, and role within your organization. This information is required to create and administer your account.
2.2 Classification and Screening Data
To provide the Service, we collect the product names, product descriptions, technical specifications, intended end-use, and destination country you submit for classification. For denied-party screenings, we collect the party names and countries you submit. These submissions, and the AI-generated results associated with them, are stored as your screening record.
Note: You should not submit information classified under U.S. national security classification levels (e.g., SECRET, TOP SECRET) or Special Access Program (SAP) material to the Service. See Section 5 of the Terms of Service.
2.3 Payment Information
Payments are processed by Stripe, Inc. We do not store raw payment card numbers. We receive and store a customer identifier, subscription status, billing period dates, and high-level invoice data. Your full payment details are stored by Stripe subject to their privacy policy at stripe.com/privacy.
2.4 Usage and Technical Data
We automatically collect API call logs, request timestamps, response times, error codes, IP addresses, browser type, and device information. This data is used for security monitoring, rate limiting, and Service improvement.
2.5 Communications
When you contact us by email, we retain that correspondence. If you opt in to notifications, we retain your notification preferences and send transactional emails (match alerts, regulatory update digests, invoice notifications).
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve the Service, including generating AI-assisted classifications and screening results;
- Maintain your audit trail and make it exportable on demand;
- Process payments, manage subscriptions, and send billing communications;
- Send transactional notifications you have opted into (watchlist match alerts, regulatory update digests);
- Monitor for security threats, abuse, and unauthorized access;
- Enforce our Terms of Service and comply with legal obligations;
- Respond to your support requests and communications;
- Generate aggregated, anonymized statistical data about Service usage (we do not sell or share individual records).
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area, our legal basis for processing your personal data is:
- Contract performance — processing necessary to provide the Service you have contracted for;
- Legitimate interests — security monitoring, fraud prevention, and Service improvement, where these interests are not overridden by your data protection rights;
- Legal obligation — retention of audit records as required by applicable export control recordkeeping requirements;
- Consent — for optional communications (e.g., regulatory update digests) where you have opted in.
5. Data Retention
We retain data for the following periods:
- Classification and screening records: 10 years from the date of each determination. This retention period is designed to support ITAR recordkeeping obligations under 22 C.F.R. § 122.5 and best-practice compliance program guidance. Even after account closure, audit records are retained and available upon request for legitimate legal or regulatory purposes during this window.
- Account and organization data: Retained while your account is active and for 3 years following account closure, after which it is deleted or anonymized.
- Payment records: Retained as required by Stripe and applicable financial and tax regulations (typically 7 years).
- Support communications: Retained for 3 years from last contact.
- Technical/log data: Rolling 90-day retention for standard access logs; security incident logs may be retained longer.
6. Third-Party Service Providers
We share data with the following sub-processors to operate the Service. Each processes data only on our instructions and subject to data processing agreements with us:
Anthropic, PBC (Claude API)
Processes product descriptions and technical specifications to generate AI-assisted classification results. Anthropic’s API usage policy prohibits using API inputs to train their models by default. See anthropic.com/privacy for details.
Supabase, Inc.
Hosts our database, which stores account data, audit records, and classification history. Data is stored in the United States.
Stripe, Inc.
Processes payments and manages subscription billing. Stripe stores your full payment card information; we receive only tokens and billing metadata.
Resend, Inc.
Delivers transactional emails (match alerts, invoices, regulatory updates). Email addresses and content are shared with Resend solely to deliver messages you have opted into.
Upstash, Inc.
Provides Redis-based rate limiting. We store only organization IDs and request counters; no personal data or User Content is sent to Upstash.
We do not sell your personal data to any third party. We do not share your data with advertising networks or data brokers.
7. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit via TLS 1.2 or higher for all API and web traffic;
- Encryption at rest for all database records via Supabase’s managed encryption;
- Role-based access controls ensuring API keys and database access are limited to authorized services;
- Org-scoped data isolation — one organization cannot access another’s records;
- Audit logging of all API access.
No system is completely secure. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.
8. Your Rights and Choices
8.1 Access and Portability
You may export your full classification and screening audit history at any time from the dashboard (Account → Export). For account data not available via self-serve export, contact privacy@itarscreen.com.
8.2 Correction
You may update your organization name and notification preferences from your account settings. For other corrections, contact privacy@itarscreen.com.
8.3 Deletion
You may request deletion of your account and personal data by contacting us. We will honor deletion requests subject to the following exceptions:
- Classification and screening audit records are retained for 10 years as described in Section 5, even after account deletion, to support export control recordkeeping obligations. Retained records are isolated from active systems and not used for any commercial purpose.
- Data we are required to retain under applicable law (e.g., financial records, legal holds).
8.4 Notification Opt-Out
You may adjust or disable notification emails at any time from Account → Preferences. You may not opt out of essential transactional emails related to your account security, billing, or service changes.
8.5 EEA and UK Users
If you are located in the EEA or UK, you have additional rights under GDPR/UK GDPR, including the right to object to processing, the right to restrict processing, and the right to lodge a complaint with your local supervisory authority. Contact us at privacy@itarscreen.com to exercise these rights.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, or sell;
- Delete your personal information (subject to the exceptions in Section 8.3);
- Correct inaccurate personal information;
- Opt out of the sale or sharing of your personal information — we do not sell or share personal information for cross-context behavioral advertising.
To exercise these rights, contact privacy@itarscreen.com. We will not discriminate against you for exercising these rights.
10. Cookies and Tracking
We use only session cookies necessary to maintain your authenticated session in the application. We do not use tracking pixels, third-party analytics cookies, or advertising cookies. We do not participate in cross-site behavioral advertising.
11. International Data Transfers
Our services are operated in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to such transfer. For EEA users, we rely on Standard Contractual Clauses (SCCs) where applicable for transfers from the EEA to the United States.
12. Children’s Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn we have inadvertently collected such information, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before they take effect and will update the “Last updated” date at the top of this page. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
14. Contact Us
For privacy questions, data requests, or to exercise your rights, contact:
Privacy Officer, Gideon Dynamics
Email: privacy@itarscreen.com
General support: support@itarscreen.com