Privacy Policy

Effective date: April 13, 2026 | Last updated: April 13, 2026

Control171 ("we," "our," or "us") is a product of Harrison Ventures LLC, a Washington State limited liability company. This Privacy Policy describes how we collect, use, store, and protect your information when you use the Control171 platform at getsprs.com and control171.com (the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, organization name, and password (stored as a cryptographic hash, never in plain text). We may also collect your job title and phone number if you provide them.

1.2 Organization Information

To provide CMMC compliance services, we collect information about your organization including company name, address, CAGE code, UEI number, employee count, CMMC target level, and industry classification. This information is provided voluntarily by you during the onboarding process.

1.3 Assessment Data

When you use the Service to conduct CMMC assessments, we store your control implementation responses, SPRS scores, implementation notes, Plan of Action and Milestones (POA&M) items, and System Security Plan (SSP) content. This data is stored in your organization's account and is not accessible to other organizations.

1.4 Evidence Files

You may upload documents, screenshots, and other files as compliance evidence. These files are encrypted at rest and stored in isolated, organization-specific storage. We do not access, review, or share your evidence files except as required to provide technical support at your explicit request.

1.5 Payment Information

Payment processing is handled entirely by Stripe, Inc. We do not store credit card numbers, bank account numbers, or other payment credentials on our servers. We receive from Stripe only the information necessary to manage your subscription: customer ID, subscription status, plan type, and billing email. Please refer to Stripe's Privacy Policy for details on how they handle payment data.

1.6 Usage Data

We collect standard web server logs including IP addresses, browser type, pages visited, and timestamps. We use this data to monitor service health, diagnose technical issues, and improve the platform. We do not sell or share usage data with third parties for advertising purposes.

1.7 AI Interaction Data

When you use AI-powered features (gap analysis, remediation plans, SSP generation), your prompts and the AI responses are logged for quality assurance and service improvement. We apply automated sanitization to remove potential Controlled Unclassified Information (CUI), contract numbers, and personally identifiable information before any data is sent to our AI provider (Anthropic). We do not send your evidence files, uploaded documents, or raw assessment data to any AI provider.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Control171 platform
• Process your CMMC assessments and generate compliance documents
• Calculate and track your SPRS score
• Manage your subscription and billing
• Send you service-related communications (account verification, subscription updates, security alerts)
• Provide customer support
• Monitor and improve the security and performance of the Service
• Comply with legal obligations

3. Information We Do Not Collect

Control171 is a compliance readiness tool, not a system that processes or stores CUI. We do not collect, process, or store Controlled Unclassified Information (CUI), Federal Contract Information (FCI), classified information, Social Security numbers, or government security clearance information. If you inadvertently upload files containing CUI to the evidence vault, you are responsible for ensuring that usage complies with your organization's CUI handling procedures.

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information or assessment data to third parties. We share information only in the following limited circumstances:

• Service providers: We use Supabase (database and authentication), Stripe (payment processing), Anthropic (AI features), and Railway/Cloudflare (hosting and CDN). These providers process data only as necessary to provide their services to us and are bound by their respective privacy policies and data processing agreements.
• Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request, including to meet national security or law enforcement requirements.
• Business transfer: If Harrison Ventures LLC is acquired, merged, or sells substantially all of its assets, your information may be transferred as part of that transaction. We will notify you via email and prominent notice on the Service before your information becomes subject to a different privacy policy.
• With your consent: We may share information with third parties when you have given us explicit consent to do so, such as when you grant assessor portal access to a C3PAO.

5. Data Security

We implement industry-standard security measures to protect your data:

• All data is encrypted in transit using TLS 1.2 or higher
• Data at rest is encrypted using AES-256
• Authentication is managed through Supabase with support for multi-factor authentication (TOTP)
• Row-Level Security (RLS) policies ensure that each organization can only access its own data
• Evidence files are stored in isolated, per-organization storage buckets
• Administrative access to production systems is restricted and logged
• We conduct regular security reviews of our platform

While we take reasonable precautions, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your account and assessment data for as long as your account is active or as needed to provide the Service. If you cancel your subscription, your data is preserved in read-only mode for 90 days, after which it is scheduled for deletion. You may request immediate deletion of your data at any time by contacting us.

Audit logs and AI interaction logs are retained for 12 months for quality assurance and security purposes.

Backup copies of data may persist in our backup systems for up to 30 days after deletion from the primary system.

7. Your Rights

You have the right to:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate information
• Deletion: Request deletion of your account and associated data
• Export: Export your assessment data, SSP documents, and evidence files at any time through the platform
• Restriction: Request that we limit processing of your data in certain circumstances

To exercise any of these rights, contact us at the address below. We will respond to requests within 30 days.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect information from children. If you believe we have inadvertently collected information from a child, please contact us and we will promptly delete it.

9. Washington State Privacy

As a Washington State business, we comply with Washington's data breach notification requirements under RCW 19.255.010. In the event of a data breach affecting your personal information, we will notify affected individuals within 30 days of discovering the breach as required by Washington law.

10. Cookies and Tracking

We use essential cookies for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics that track you across other websites. We do not participate in ad networks or data broker programs.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.