Privacy Notice

Effective: April 2026 · Last reviewed: April 2026

This notice describes how Pharos Ventures, Inc. ("Pharos", "we") processes personal data through the Pharos Auditor platform ("Service"). It applies to visitors of our marketing site and to authorized users of paid or trial workspaces. For customers who are HIPAA-covered entities, our Business Associate Agreement (BAA) is the governing document for any PHI handling.

1. What we collect

  • Account data — name, work email, organization, password hash, MFA enrollment, role.
  • Tenant content — workpapers, findings, evidence files, audit plans, monitoring rules, Aria chat transcripts, and related metadata you put into the Service.
  • Usage telemetry — request paths, latencies, error codes, AI prompt tokens (counts only, not content), audit-log entries.
  • Device & network — IP address, user agent, approximate location derived from IP.

2. Why we process it

  • To provide, operate, secure, and improve the Service.
  • To satisfy audit-trail requirements (IIA Standard 14.6, SOX §404, HIPAA §164.312(b)).
  • To detect fraud, abuse, or violations of our Terms.
  • To communicate with you about the Service (transactional email only — no marketing without opt-in).

3. Legal bases (where GDPR applies)

Contract performance for account and tenant data; legitimate interest for security telemetry; legal obligation for audit retention; consent for optional analytics.

4. Who we share it with

We use a small set of sub-processors, all bound by data processing agreements:

  • Google Cloud (Cloud Run, Cloud SQL, GCS, Vertex AI, Cloud Logging, Secret Manager) — primary infrastructure; BAA covers all HIPAA workloads.
  • Microsoft (Azure AD) — identity provider for SSO + MFA.
  • Microsoft 365 (Graph API) — transactional email delivery (covered under our Microsoft BAA).
  • Anthropic (via Vertex AI only) — Claude model inference. Direct Anthropic API is not enabled in production.

We do not sell personal data. We do not share tenant content with other customers.

5. Retention

  • Tenant content: retained for the life of the subscription plus 30 days (to support recovery), unless a longer period is required by law or your BAA.
  • Audit trail: 7 years in the immutable GCS archive, per HIPAA breach-notification statute.
  • Backups: 30 days rolling + 7 days of PITR transaction log.

6. Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or port your personal data, and to object to certain processing. To exercise these rights, email privacy@pharosventures.io. We respond within 30 days.

7. International transfers

Production data is stored in Google Cloud US regions (us-central1 primary, us-east1 DR replica). For customers outside the US, we rely on Standard Contractual Clauses where applicable.

8. Security

See our Security Overview for details.

9. Children

The Service is not directed to children under 16.

10. Changes

We'll update this notice when processing changes materially, and notify tenant administrators in-app at least 30 days in advance of the effective date.

11. Contact

Pharos Ventures, Inc. · Attn: Privacy Officer · privacy@pharosventures.io

This document is provided for transparency and is not a substitute for legal advice.