Privacy Policy

Last updated: June 14, 2026

Introduction

Skopos, Inc. (“Skopos”, “we”, “us”, or “our”) operates the Skopos vendor risk management platform. This Privacy Policy explains how we collect, use, store, and share information when you use our platform, visit our website, or otherwise interact with our services.

Information We Collect

We collect the following categories of information:

• Account information — your name, email address, organization name, and role within your organization.
• Vendor risk data — questionnaire responses, risk assessments, evidence documents, and other materials uploaded by clients in the course of vendor reviews.
• Usage analytics — information about how you interact with the platform, including pages visited, features used, and actions taken.
• Device and browser information — IP address, browser type and version, operating system, and device identifiers.
• Marketing & attribution data — when you arrive from a marketing campaign, advertising click identifiers (LinkedIn’s li_fat_id and Google’s gclid) and UTM campaign parameters (utm_source, utm_medium, utm_campaign, etc.). We collect these only with your consent (see the Cookie Policy and the legal basis described below).
• Cookies and similar technologies — including browser localStorage; see our Cookie Policy for the full list and categories.

Sensitive personal information. Skopos does notcollect statutorily-defined “sensitive personal information” (such as precise geolocation, government identifiers, health, biometric, or racial/ethnic data) through cookies or similar technologies. The marketing and analytics data we capture is limited to UTM parameters and the li_fat_id / gclid advertising identifiers described above, so the sensitive-data opt-in requirements of various U.S. state privacy laws do not apply to that processing.

Children’s privacy. The Skopos Platform is a business-to-business product intended for use by organizations and their personnel. It is not directed to children, and we do not knowingly collect personal information from anyone under the age of 16. If we learn that we have inadvertently collected such information, we will delete it.

How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve the Skopos Platform.
• Authenticate users and manage access controls.
• Process vendor assessments and generate risk reports.
• Communicate with you about your account, platform updates, and support requests.
• Monitor platform usage for security and performance purposes.
• Comply with applicable legal obligations.

Data Storage and Security

We take the security of your data seriously. Our infrastructure and practices include:

• Data is hosted on Amazon Web Services (AWS) in United States regions.
• We use administrative, technical, and organizational safeguards designed to protect data against unauthorized access, disclosure, alteration, and destruction.
• Data is encrypted in transit using TLS and protected at rest using cloud-provider encryption controls.
• Multi-tenant architecture with access controls designed to separate customer environments and limit access to authorized users.
• We periodically review and improve our security program as the Service evolves.

Data Sharing

We do not sell your personal information or your clients' data to data brokers. We share information only in the following circumstances:

• Sub-processors — we use trusted third-party services to operate the platform, including AWS (infrastructure, transactional email via SES), Stripe (payment processing), and Mixpanel (product analytics).
• Advertising partners — when you have granted Marketing consent and arrive from an ad, we disclose advertising click identifiers to the relevant advertising platform to measure ad effectiveness: LinkedIn (via the li_fat_id first-party click identifier) and Google (via the gclid click identifier). This is limited to conversion and ad-effectiveness measurement; we do not provide these partners with your account or vendor-risk data.
• Legal requirements — when required by law, regulation, legal process, or enforceable governmental request.
• With your consent — when you have given explicit consent to share specific information.

A complete list of sub-processors is available upon request by contacting privacy@infragil.com.

Legal Basis & Consent

We process account information and vendor-risk data to provide the service under our contract with your organization, and to comply with legal obligations. We process analytics and marketing/attribution data on the basis of your consent only. Analytics and Marketing cookies are off by default; we capture this data only after you opt in through our consent management banner, and you can withdraw consent at any time. See our Cookie Policy for the categories and controls.

Data Retention

We retain personal information and Customer Data for the duration of your active subscription and for up to 90 days following termination or expiration, unless a shorter period is required by your agreement or a longer period is required by law, dispute resolution, security investigation, or other legal obligation. Audit logs and security records are retained on the same 90-day post-termination schedule unless we are legally required to preserve them longer. You may request deletion of your data at any time, subject to any legal retention obligations that may apply.

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access — request a copy of the personal information we hold about you.
• Correction — request that we correct inaccurate or incomplete information.
• Deletion — request that we delete your personal information.
• Portability — request a machine-readable copy of your data.
• Restriction of processing — request that we limit how we use your data.
• Objection — object to our processing of your personal information.

For EU data subjects (GDPR): You have additional rights under the General Data Protection Regulation, including the right to lodge a complaint with your local supervisory authority.

For California residents (CCPA/CPRA): You have the right to know what personal information is collected, the right to request deletion, and the right to opt out of the sale or sharing of personal information for cross-context behavioral advertising. To exercise this right, visit our Do Not Sell or Share My Personal Information page. We also honor the Global Privacy Control (GPC) signal automatically — if your browser or extension signals GPC, we will treat it as an opt-out of sale/sharing without requiring any additional action.

International Transfers

Your data is processed and stored in the United States. If you are located outside the United States, your information will be transferred to and processed in the US. For transfers from the European Economic Area, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to provide appropriate safeguards. Copies of our SCCs are available upon request.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. If we make material changes, we will notify you via email or through an in-app notification prior to the changes taking effect. We encourage you to review this policy periodically.

Contact Us

If you have questions about this Privacy Policy or wish to exercise any of your rights, please contact us at:

privacy@infragil.com
Skopos, Inc.
Houston, TX