Privacy Policy

GuardMind, Inc. (“GuardMind,” “we,” “us,” or “our”) provides AI-powered video analytics and physical security software. This Privacy Policy (“Policy”) explains how we collect, use, disclose, and safeguard personal information when you:

• visit our website at guardmind.com;
• access our product at app.guardmind.com (the “Service”); or
• otherwise communicate or interact with GuardMind.

This Policy applies to information about (i) visitors to our websites, (ii) prospective and current customers and end users of the Service (“Users”), and (iii) personnel of business customers who interact with us. It does not apply to personal information appearing within video content uploaded by our customers, which is governed by Section 6 (Customer Content and Our Role as a Processor) and, where applicable, by a Data Processing Agreement between GuardMind and the relevant business customer.

1. Information We Collect

1.1 Information you provide

• Account information: name, email address, password (stored as a salted hash), company name, role, and phone number.
• Billing information: payment instruments are collected and processed directly by Stripe, our payment processor. We receive only the last four digits of the card, the card brand, the billing address, and transaction metadata.
• Communications: the content of emails, support tickets, demo requests, sales inquiries, and any other correspondence you send us.
• Customer Content: video files, images, and natural-language queries you upload to or generate within the Service. See Section 6.

1.2 Information collected automatically

• Device and usage data: IP address, browser type and version, operating system, referring URL, pages and features accessed, timestamps, session duration, and approximate location derived from IP address.
• Cookies and similar technologies:session and security cookies necessary for authentication, and—where you consent—functional, analytics, and marketing cookies. See Section 14.
• Logs: application logs, error logs, and access and audit logs generated by your use of the Service.

1.3 Information from third parties

• Identity providers: if you sign in through a third-party provider (e.g., Google), we receive the name, email address, and profile information your settings permit that provider to share.
• Payment processor: Stripe provides us with transaction status, payment metadata, and risk signals.
• Marketing, CRM, and enrichment tools: HubSpot and similar services may provide business contact information for prospects and customers.

We do not knowingly collect personal information from children under 16. The Service is intended for business use by individuals 18 years of age or older.

2. How We Use Information

We use personal information to:

• provide, operate, secure, and maintain the Service, including account creation, authentication, and access control;
• process video content you upload and return analytical results (object detection, scene description, search results, and similar outputs);
• process payments, manage credit balances, issue receipts, and prevent fraud;
• communicate with you regarding service announcements, security and billing notices, support inquiries, and (with your consent where required) product updates and marketing;
• evaluate, improve, develop, and benchmark the Service, including model quality assurance;
• comply with legal obligations, enforce our Terms of Service, and protect the rights, property, and safety of GuardMind, our users, and the public.

We do not use Customer Content to train our underlying machine-learning models unless you separately and explicitly opt in.

3. Legal Bases for Processing (EEA, UK, and Switzerland)

Where the General Data Protection Regulation (“GDPR”) or UK GDPR applies, we process personal information on the following legal bases:

• performance of a contract— to provide the Service under our Terms;
• legitimate interests— to secure, improve, and market the Service, where our interests are not overridden by your rights;
• consent— for marketing communications and non-essential cookies, where required by law;
• legal obligation— to comply with applicable laws.

You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

4. How We Share Information

We do not sell your personal information for money. We do not “share” personal information for cross-context behavioral advertising as that term is defined under California law. We disclose personal information only as described below.

4.1 Service providers and sub-processors

We engage trusted third parties to operate the Service. Each operates under a written contract that restricts their use of personal information and Customer Content to providing services to GuardMind. Our principal sub-processors are:

A current list of sub-processors is available at guardmind.com/subprocessors. Under our Data Processing Agreement, business customers receive reasonable advance notice before we engage a new sub-processor that processes their Customer Content.

4.2 Business transfers

If GuardMind is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections. We will notify you of any such transfer that materially changes how your information is handled.

4.3 Legal disclosures

We may disclose personal information when we believe in good faith that disclosure is required or permitted to comply with applicable law, a subpoena, a court order, or other valid legal process; to enforce our Terms; to protect the rights, property, or safety of GuardMind, our users, or others; or to respond to a verified emergency involving a risk of death or serious bodily injury.

4.4 With your direction

We share personal information with third parties when you direct us to do so, for example by enabling an integration.

5. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Specifically:

• Customer Content: retained for 30 days from upload, then permanently deleted via automated lifecycle policies on our cloud storage. Business customers may agree to a different retention period in writing.
• Account information: retained for the duration of your account, plus a reasonable period after closure for backup, audit, dispute resolution, and tax or accounting requirements (generally up to seven years for financial records).
• Billing records: retained as required by applicable tax and accounting law.
• Marketing contacts: retained until you unsubscribe or otherwise request deletion, subject to limited retention of suppression lists for compliance.
• Logs: application logs are typically retained for 90 days; security and audit logs for up to 12 months.

You may request deletion of your personal information at any time as described in Section 8.

6. Customer Content and Our Role as a Processor

When a User or business customer uploads video or other content to the Service, that content—together with any personal information visible within it—is “Customer Content.” With respect to Customer Content:

• the customer is the controller (under GDPR) or business (under California law); GuardMind is the processor or service provider;
• GuardMind processes Customer Content solely to provide the Service and on the customer's documented instructions;
• GuardMind does not sell or share Customer Content and does notuse Customer Content to train models without the customer's explicit opt-in;
• Customer Content is stored in encrypted form within Google Cloud Storage in U.S. regions;
• Customer Content is automatically and permanently deleted 30 days after upload, unless the customer configures a shorter retention period or has contractually agreed a different period with GuardMind;
• business customers may enter into our Data Processing Agreement, which governs the parties' respective obligations with respect to Customer Content.

Customers are solely responsible for ensuring they have all rights, notices, and consents necessary to upload and process Customer Content under applicable privacy, surveillance, biometric, employment, and other laws in the jurisdictions in which they operate and from which their footage originates.

7. Biometric Information

GuardMind does not perform facial recognition. GuardMind does not collect, capture, purchase, receive through trade, or otherwise obtain biometric identifiers—including scans of face geometry, retina or iris scans, fingerprints, voiceprints, or scans of hand geometry—as those terms are defined under the Illinois Biometric Information Privacy Act (740 ILCS 14/), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001), the Washington biometric privacy statute (RCW 19.375), or analogous laws of other jurisdictions.

The Service uses general-purpose object-detection and appearance-based embedding techniques to track and group visual instances within an individual video session (for example, distinguishing a person wearing a red jacket from a person wearing a blue jacket across frames of the same video). These appearance embeddings:

• are derived from general visual features such as clothing and apparent shape, not from face geometry or other immutable physiological characteristics;
• are not used to identify any individual by name, and are not matched against any external identity database;
• are session-scopedto the customer's uploaded video and are deleted together with the underlying Customer Content under the 30-day retention policy described in Section 6;
• do not produce identifiers persistent across customers or across videos.

If you believe the Service is being used in a manner inconsistent with these representations, please contact us promptly at privacy@guardmind.com.

8. Your Privacy Rights

Depending on where you reside, you may have the following rights with respect to your personal information. These rights apply to personal information GuardMind holds about you as a User or contact; rights with respect to personal information contained within Customer Content should be directed to the relevant business customer, which is the controller of that information.

8.1 California residents (CCPA / CPRA)

California residents have the right to:

• know what categories and specific pieces of personal information we have collected about you, the sources, business or commercial purposes, and the categories of third parties to whom we disclose it;
• access a copy of your personal information in a portable format;
• delete personal information we have collected from you, subject to legal exceptions;
• correct inaccurate personal information;
• opt out of the sale or sharing of personal information (we do not sell or share as defined under California law);
• limit use and disclosure of sensitive personal information (we do not use sensitive personal information for purposes that would trigger this right);
• non-discrimination for exercising your rights.

Categories of personal information collected (CCPA disclosure)

In the past 12 months, GuardMind has collected the following categories of personal information about California residents:

• Identifiers (name, email, IP address, account ID): collected from you and automatically; disclosed to sub-processors listed in Section 4.1.
• Customer records (billing details, contact information): collected from you; disclosed to our payment processor and CRM provider.
• Commercial information (transaction history, credit purchases and usage): collected from your use of the Service; disclosed to our billing sub-processor.
• Internet and other network activity (usage logs, cookies, device data): collected automatically; disclosed to hosting and analytics sub-processors.
• Geolocation data (approximate, IP-derived): collected automatically.
• Inferences drawn from the above for product analytics, fraud prevention, and security.

We collect personal information for the business and commercial purposes described in Section 2. We do not knowingly collect sensitive personal information beyond account credentials. We do not knowingly sell or share the personal information of California residents under 16 years of age.

8.2 Other U.S. state residents

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Florida, Iowa, Tennessee, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, and other states with comprehensive privacy laws have rights similar to those described above, including the rights to access, correct, delete, port, and opt out of certain processing. Residents of certain states may also opt out of profiling that produces legal or similarly significant effects, and of targeted advertising (we do not engage in targeted advertising as defined under those laws).

8.3 EEA, UK, and Switzerland

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights of access, rectification, erasure, restriction of processing, data portability, and objection under GDPR and UK GDPR, as applicable. You also have the right to lodge a complaint with your local supervisory authority.

8.4 How to exercise your rights

Submit requests to privacy@guardmind.com. We will verify your request before responding, typically by confirming control of the account email address. You may designate an authorized agent to act on your behalf, subject to verification. We respond within the timeframes required by applicable law. We do not discriminate against you for exercising your rights.

8.5 Appeals

If we deny your privacy request and applicable law affords you an appeal right, you may appeal by replying to our denial email within the period specified in our response. We will inform you in writing of any action taken or not taken on the appeal and the reasons. If you remain dissatisfied, you may contact your state attorney general or, in California, the California Privacy Protection Agency.

9. Notice at Collection (California)

At or before the point of collection, California residents are notified that GuardMind collects the categories of personal information listed in Section 8.1 for the business and commercial purposes listed in Section 2. We retain personal information for the periods described in Section 5. We do not sell or share personal information as those terms are defined under the CCPA.

10. Automated Decision-Making

The Service applies machine learning to analyze video content and return analytical results. These outputs are tools to assist human review by our customers. GuardMind does not use Service outputs to make decisions about you that produce legal or similarly significant effects. Where customers use Service outputs in their own decision-making (for example, security or operational decisions), the customer is responsible for human review and for any decisions made on the basis of those outputs.

11. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. These include encryption in transit (TLS 1.2 or higher) and at rest (AES-256), role-based access controls, multi-factor authentication for privileged access, audit logging, and vendor risk management. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

12. International Data Transfers

GuardMind is headquartered in the United States and processes personal information in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have data-protection rules different from those in your country. Where required by applicable law (including the GDPR and UK GDPR), we rely on Standard Contractual Clauses or other valid transfer mechanisms.

13. Children's Privacy

The Service is intended for business use by individuals 18 years of age or older. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected information from a child, please contact privacy@guardmind.com and we will delete it.

14. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies:

• Strictly necessary— required for authentication, security, and core Service functionality; these cannot be disabled.
• Functional— to remember preferences (such as language).
• Analytics— to understand aggregate usage patterns and improve the Service.
• Marketing— used only where you have consented.

You may control non-essential cookies through your browser settings or, where available, through our cookie preferences interface. We honor Global Privacy Control (GPC) signals as an opt-out of sale or sharing for California residents and for residents of other states whose laws require us to honor universal opt-out mechanisms.

We do not respond to “Do Not Track” browser signals, because no industry consensus has been established for their interpretation. We do honor GPC.

15. Third-Party Links and Services

The Service and our website may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing personal information.

16. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices or in applicable law. We will post the updated Policy with a new “Last updated” date and, for material changes, provide additional notice (such as by email to the address on your account or by an in-product notification) before the changes take effect.

17. Contact Us

For questions, requests, or complaints regarding this Policy or our handling of your personal information:

• Privacy contact: privacy@guardmind.com
• General contact: hello@guardmind.com
• Mailing address: GuardMind, Inc., 1900 Camden Avenue, Suite 101, San Jose, CA 95124, USA
• Phone: +1 (415) 727-8214

If you reside in the EEA, the UK, or Switzerland and have an unresolved concern, you have the right to lodge a complaint with your local data-protection supervisory authority.