Privacy Policy
This Privacy Policy describes how DirtySouthAlpha LLC, doing business as Gridlock ("Gridlock," "we," "us," or "our"), collects, uses, stores, discloses, and protects information when you access or use our website at lockthegrid.com and our cybersecurity SaaS platform (collectively, the "Service").
By using the Service, you consent to the data practices described in this policy. If you do not agree, please do not use the Service.
TL;DR: We collect only what's needed to provide our security monitoring platform. We don't sell your data. We don't use third-party tracking cookies. You can request access, correction, export, or deletion of your data at any time. Contact us at [email protected].
1. Information We Collect
1.1 Account Information
When you create an account, we collect information you provide directly:
- Email address — used as your unique identifier and for account communications
- Display name — your name as you choose to provide it
- Organization name — the company or organization you represent
- Organization details — industry, team size, and similar profile information collected during onboarding
- Password — stored as a salted hash; we never store plaintext passwords
1.2 Payment Information
When you subscribe to a paid plan, payment is processed by Stripe, Inc., our authorized payment processor. We do not store your full credit card number, CVV, or bank account details on our servers. We receive only limited transaction information from Stripe (such as the last four digits of your card, billing postal code, and subscription status) to manage your account.
1.3 Usage Data
We automatically collect certain information when you use the Service:
- Feature usage patterns and interaction logs (e.g., which agents you run, scans initiated)
- Performance metrics and error reports for debugging and improvement
- Browser type, operating system, and device type
- IP address at the time of access
- Login history, session duration, and authentication events
1.4 Security Scan Results
As a security platform, the Service processes data generated by your use of our tools:
- Security scan results (vulnerability findings, open ports, DNS records, SSL configuration)
- Threat detection outputs and alert data generated by our AI agents
- Compliance audit results and framework assessment data (NIST, CIS Controls, HIPAA, SOC 2 readiness)
- MSP lead generation data produced by our MSP Hunter agent (when used)
This data is generated by the Service based on your instructions and is stored in your account. You retain full ownership of all scan results and data produced through your use of the Service. We process this data solely to deliver the security services you've subscribed to.
1.5 Information We Do Not Collect
For clarity, Gridlock does not:
- Scan, monitor, or collect data from your internal networks or endpoints unless you explicitly configure an integration
- Access your clients' systems or data
- Collect payment card details directly (all handled by Stripe)
- Track you across other websites
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service provision: Creating and managing your account, delivering the security monitoring, threat detection, compliance auditing, and MSP tools that make up the Service
- Security monitoring: Processing scan results and threat data to generate alerts, reports, and recommendations through our AI agents
- Service improvement: Analyzing aggregated, anonymized usage patterns to improve agent performance, fix bugs, and develop new features
- Communication: Sending service-related notifications (security alerts, account notices, billing updates, feature announcements). You can opt out of non-essential communications at any time
- Billing and support: Processing payments, managing subscriptions, and responding to support requests
- Legal compliance: Complying with applicable laws, regulations, and legal processes
- Security of the Service: Detecting, preventing, and addressing fraud, abuse, and security threats to the platform
We do not use your personal data for advertising, sell it to data brokers, or use it for any purpose unrelated to operating and improving the Service.
3. Data Storage and Hosting
All application data and databases are hosted on self-hosted servers operated and maintained by DirtySouthAlpha LLC. Your data remains on infrastructure under our direct control. We do not rely on third-party cloud platforms for primary data storage.
Our servers are physically located in datacenters within the United States. If you are accessing the Service from outside the United States, your data will be stored on and transmitted to U.S.-based servers. By using the Service, you acknowledge and consent to this data transfer.
Database backups are maintained to protect against data loss and are stored in secure, access-controlled locations.
4. Third-Party Sharing and Subprocessors
We do not sell, rent, or trade your personal data. We share data with third parties only as described below:
4.1 Service Subprocessors
Stripe, Inc. — Payment processing. Stripe handles credit card transactions and stores your payment credentials on their PCI-DSS compliant infrastructure. Stripe Privacy Policy
Sentry — Error tracking. Sentry receives anonymized error reports and stack traces when the Service encounters an error. No personal data is shared beyond what's necessary to diagnose issues. Sentry Privacy Policy
AI API providers — Our AI agents send relevant prompts and scan data to large language model APIs (such as OpenAI) to generate security analyses, recommendations, and reports. Data sent to these providers is processed under their respective privacy policies and is not used to train their models unless otherwise disclosed by the provider.
4.2 Legal Requirements
We may disclose your information if required to do so by law, in response to a valid legal process (such as a subpoena, court order, or government request), or if we believe in good faith that disclosure is necessary to:
- Comply with applicable law or legal process
- Protect the rights, property, or safety of Gridlock, our users, or the public
- Investigate or prevent suspected fraud, security breaches, or violations of our Terms of Service
We will notify you of any legal request for your data unless prohibited by law or where the request is an emergency.
4.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, user data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our website before your data becomes subject to a different privacy policy.
5. Data Retention
We retain your data only for as long as necessary to fulfill the purposes described in this policy:
- Account data: Retained while your account is active and for 60 days after account termination or cancellation, after which it is deleted unless you request earlier deletion
- Security scan results: Retained for the duration of your subscription. You can delete individual scan results at any time from your dashboard
- Application and server logs: Retained for 90 days, then automatically purged
- Database backups: Retained for 30 days, then overwritten or permanently deleted
- Billing records: Retained as required by applicable tax and accounting regulations (typically 7 years) to comply with legal obligations
You may request earlier deletion of your data at any time by contacting [email protected] (see Section 8). Where we have a legal obligation to retain certain data (such as billing records), we will inform you of this limitation.
6. Security Measures
As a cybersecurity company, we take the security of your data seriously. We implement the following measures:
- Encryption in transit: All connections to the Service are secured with TLS 1.2 or higher (HTTPS)
- Encryption at rest: Database and backup data is encrypted at rest using AES-256 encryption
- Access controls: Administrative access to production systems is restricted to authorized personnel and logged
- Password security: Passwords are salted and hashed using bcrypt. We do not store plaintext passwords
- Infrastructure security: Servers are kept up to date with security patches. Firewall rules restrict unnecessary access
- Application security: Input validation, CSRF protection, and rate limiting are implemented across the platform
- Self-hosted infrastructure: All data resides on servers under our direct operational control, reducing third-party exposure
We do not currently hold SOC 2, ISO 27001, or similar third-party security certifications. We continuously work to improve our security posture and may pursue certifications as the company grows.
While we implement reasonable safeguards, no system is completely secure. We cannot guarantee the absolute security of your data. In the event of a data breach that affects your personal information, we will notify affected users within 72 hours in accordance with applicable breach notification laws.
7. Cookies and Tracking Technologies
Gridlock uses essential cookies only for the operation of the Service. We do not use third-party tracking cookies, advertising cookies, or marketing analytics pixels.
- Session cookies: Used to authenticate your session and keep you logged in. These are temporary and expire when you close your browser or after a period of inactivity
- CSRF tokens: Short-lived cookies used to prevent cross-site request forgery attacks
- Preference cookies: Store your UI preferences (such as theme or layout settings) for a better experience
We do not use Google Analytics, Meta Pixel, Hotjar, or any third-party tracking or analytics scripts on our platform. We do not participate in cross-site tracking or retargeting advertising.
8. Your Rights
You have the following rights regarding your personal data. These rights apply regardless of your location, though some rights have additional specifics under GDPR (Section 9) and CCPA (Section 10).
- Access: You can request a copy of all personal data we hold about you
- Correction: You can request correction of inaccurate or incomplete personal data
- Deletion: You can request deletion of your personal data, subject to legal retention requirements (e.g., tax records)
- Export: You can export your account data, including scan results and settings, in a machine-readable format (JSON or CSV) from your dashboard or by request
- Objection: You can object to certain processing of your data, such as the use of your data for non-essential communications
- Restriction: You can request that we restrict the processing of your data in certain circumstances
How to exercise your rights: You can manage most of these through your account settings. For any request, contact [email protected]. We acknowledge all requests within 5 business days and respond substantively within 30 calendar days. If we cannot fulfill your request within that timeframe, we will explain why and provide an estimated resolution date.
We will not discriminate against you for exercising any of these rights.
9. GDPR Compliance (EEA, UK, and Switzerland)
This section applies to individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland who are protected by the General Data Protection Regulation (GDPR) or the UK GDPR.
9.1 Lawful Basis for Processing
We process your personal data under the following lawful bases:
- Contract performance (Article 6(1)(b) GDPR): Processing your account information, scan results, and usage data to provide the Service under our Terms of Service
- Legitimate interests (Article 6(1)(f) GDPR): Processing usage data to improve our Service, detect fraud, and maintain platform security, where these interests do not override your rights
- Legal obligation (Article 6(1)(c) GDPR): Retaining billing records and responding to legal processes
- Consent (Article 6(1)(a) GDPR): Where you have given explicit consent for a specific processing activity (e.g., receiving marketing emails)
9.2 Additional GDPR Rights
In addition to the rights in Section 8, you have the following rights under GDPR:
- Right to erasure ("right to be forgotten"): You can request deletion of your personal data. We will erase it without undue delay unless we are required to retain it for legal compliance, defense of legal claims, or other lawful reasons. Where data has been made public, we will take reasonable steps to inform controllers processing copies
- Right to data portability: You can request your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and you have the right to transmit this data to another service provider where technically feasible
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal
- Right to restrict processing: You may request we limit how we process your data in certain circumstances, such as while you contest the accuracy of your data
- Right to object to processing: You may object to processing based on legitimate interests, and we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests
- Rights related to automated decision-making: Our AI agents provide recommendations and analyses, but we do not make fully automated decisions that produce legal or similarly significant effects about you. You may request human review of any AI-generated output
9.3 Data Protection Officer
Under GDPR, we are not currently required to appoint a formal Data Protection Officer (DPO) based on the nature and scale of our processing activities. However, we take data protection seriously and have designated a privacy contact for all GDPR-related matters:
GDPR Privacy Contact: [email protected]
9.4 International Data Transfers
Our primary infrastructure is located in the United States. If you are in the EEA, UK, or Switzerland, your personal data will be transferred to the U.S. We rely on the following mechanisms for such transfers:
- Standard Contractual Clauses (SCCs): Where applicable, we rely on the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries
- Adequacy decisions: Where the destination country has been deemed to provide an adequate level of data protection by the relevant authority
By using the Service, you acknowledge and consent to the transfer of your data to the United States under these mechanisms.
9.5 Supervisory Authority
If you are unsatisfied with our response to a data protection concern, you have the right to lodge a complaint with a supervisory authority in your jurisdiction, such as your national Data Protection Authority (DPA) within the EEA, or the Information Commissioner's Office (ICO) in the UK.
10. CCPA — California Consumer Privacy Act
This section applies to California residents as required by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
10.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers: Name, email address, IP address, account ID
- Commercial information: Subscription tier, billing records, transaction history
- Internet activity information: Feature usage patterns, interaction logs, browser/device type
- Professional information: Organization name, industry, job role
- Inferences: Security risk assessments and recommendations generated from scan data
10.2 Your CCPA Rights
As a California resident, you have the right to:
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes of collection, and the third parties with whom we have shared it
- Right to delete: Request deletion of your personal information, subject to certain exceptions (e.g., information needed to complete a transaction, comply with law, or detect security errors)
- Right to correct: Request correction of inaccurate personal information we maintain about you
- Right to opt out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising. There is currently nothing to opt out of. If this ever changes, we will provide a clear "Do Not Sell or Share My Personal Information" link
- Right to limit use of sensitive personal information: Request that we limit our use of sensitive personal information to uses necessary to perform our services
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights
10.3 How to Exercise CCPA Rights
To submit a CCPA request, contact us at [email protected] with the subject line "CCPA Request." We will verify your identity before processing your request. You may also designate an authorized agent to submit requests on your behalf, provided we can verify their authorization.
We respond to verifiable CCPA requests within 45 calendar days. If we need more time, we will notify you and extend by an additional 45 days.
Notice at collection: We collect the categories of personal information listed above at the time of account creation and during use of the Service. For each category, the purpose of collection and the source of the information are described throughout this policy.
We have not sold any personal information in the preceding 12 months and do not intend to do so.
11. Children's Privacy
The Service is not intended for use by individuals under the age of 13 and is not directed at children. We do not knowingly collect personal data from children under 13 years of age.
If we discover that we have collected personal data from a child under 13, we will delete that information promptly. If you believe a child under 13 has provided us with personal data, please contact us at [email protected].
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Effective" date at the top of this page
- We will notify registered users via email at least 30 days before the changes take effect
- We may display a prominent notice within the Service
Your continued use of the Service after changes become effective constitutes acceptance of the updated policy. We encourage you to review this page periodically.
13. Contact Us
For privacy-related inquiries, data subject requests, or to exercise any of your rights:
DirtySouthAlpha LLC (d/b/a Gridlock)
Privacy inquiries: [email protected]
General support: [email protected]
Website: lockthegrid.com
We aim to acknowledge all privacy inquiries within 5 business days and provide a substantive response within 30 calendar days.