
Privacy Policy

Last updated: April 25, 2026

This policy explains how C-Suite HQ handles data during normal operation.

Access Requests (Pre-Account)

C-Suite HQ is invitation-only. If you submit the Request Access form on the sign-in page, we collect the following information solely to evaluate your request:

  • Email address (required) — so we can reply if your request is approved.
  • Full name (optional) — to address you personally.
  • Your free-text answers to "why do you want access" and "how do you intend to use it".
  • Technical metadata — your IP address, browser User-Agent string, and submission timestamp. This metadata is collected for abuse prevention (rate limiting, spam detection) and is included in the internal email sent to the operator for review.

By submitting the Request Access form, you consent to this collection and to the transmission of the submission to the operator's review inbox via email (Amazon SES).

Lawful basis: consent (you opt in by submitting the form) and our legitimate interest in vetting prospective users and preventing abuse.

What we do not do: we do not create an account from this submission, do not add you to any marketing list, and do not share the submission with third parties (other than AWS SES purely as the email transport).

Retention: approved requests are retained while the resulting account is active; declined or unanswered requests are retained for up to 12 months for abuse-prevention pattern matching, then deleted.

Your rights: you can request deletion or a copy of your submission at any time by emailing the operator (see Contact below).

Data Collected

C-Suite HQ may process message content, tool inputs/outputs, session metadata, token usage, and audit records needed for system operation and debugging.

When you create an account, we store your email address, display name, tenant association, and a hashed version of your password. Plaintext passwords are never stored.

Email Communications

C-Suite HQ sends emails to registered users for the following purposes:

  • Security reminders — automated daily emails if your account is using a default password.
  • Administrative notifications — messages sent by your tenant administrator (e.g. announcements, operational updates).
  • Account actions — password resets and email verification when those features are enabled.

Emails are sent via Amazon Simple Email Service (SES) from the configured sending domain. Your email address is transmitted to AWS SES solely for delivery purposes.

Automated Processing

C-Suite HQ performs automated checks including daily scans for accounts using default passwords. These checks compare password hashes only and do not expose or log plaintext credentials.

Storage

Data can be stored in local files or configured persistent storage (PostgreSQL). Retention and backup behavior depend on your deployment settings.

Security

Operational controls include tool governance, audit logging, path restrictions, and bcrypt password hashing. You are responsible for infrastructure-level security, access control, and secret management.

Third-Party Services

When model providers or external tools are used, relevant request data may be sent to those services under your configured credentials. Email delivery is processed through AWS SES. C-Suite HQ does not sell or share personal data with third parties for marketing purposes.

Contact

For privacy questions, contact the project owner.
