Legal & Privacy

Privacy Policy

We built grc.engineering to help organizations manage compliance without the bureaucratic overhead. That philosophy extends to how we handle your information: simply, transparently, and with no surprises.

Last updated: April 2026
Jurisdiction: United States
Applies to: grc.engineering (website)

Summary
  • We do not use tracking cookies or browser fingerprinting.
  • We do not collect or store personal data on our servers from anonymous visitors.
  • Browser localStorage is used only to save your tool preferences locally on your device.
  • If you submit your email address, it is stored by Buttondown (our newsletter provider) and used only to send you content you requested.
  • We use Cloudflare for DNS, CDN, and optional privacy-respecting analytics. Cloudflare does not sell data.
  • We do not sell, rent, or share your personal information with third parties for their own marketing purposes.
  • You can request deletion of your email at any time by emailing us or using the unsubscribe link in any message.
Section 01

Information We Collect

grc.engineering is a static website. There is no login system, no user accounts, and no database behind the pages you visit. As a result, the information we collect is minimal.

Information you provide voluntarily

The only personal information we receive is what you explicitly give us, specifically your email address if you submit one of the newsletter or waitlist forms on the site. We do not collect names, phone numbers, mailing addresses, or payment information through this website.

Information collected automatically

Like virtually all websites, certain technical information is transmitted to our hosting infrastructure when your browser loads a page. This includes your IP address, browser type, operating system, referring URL, and the pages you visit. This data is processed by Cloudflare as part of delivering the site and may be aggregated into anonymous analytics. We do not log or store raw IP addresses or personally identifiable request logs on any server we control.

No cookies for tracking. We do not set first-party cookies for analytics, advertising, or cross-site tracking. If Cloudflare sets a session cookie for security purposes (e.g., to mitigate bot traffic), that cookie is strictly functional and is governed by Cloudflare's privacy policy.
Section 02

LocalStorage Usage

Several interactive tools on this site — the SPRS Score Simulator, CMMC Readiness Quiz, Control Explorer, Cost Estimator, and others — save your selections and progress using the browser's localStorage API.

localStorage is fundamentally different from cookies:

  • Data is stored exclusively on your device, inside your browser's local storage.
  • It is never transmitted to our servers or any third party.
  • It does not expire automatically; it persists until you clear your browser data or we explicitly remove it.
  • It cannot be read by other websites (same-origin policy enforced by the browser).

The data stored is entirely tool-specific state: control selections, score inputs, quiz answers, and UI preferences such as dark/light mode. None of this data identifies you personally.

To clear localStorage for this site, open your browser's developer tools, navigate to Application > Local Storage > https://grc.engineering, and delete the entries. Alternatively, clearing your browser's site data for grc.engineering achieves the same result.

Note for compliance practitioners: Because localStorage is not transmitted off-device, it does not constitute "processing" of personal data under most privacy frameworks (GDPR, CCPA) when used exclusively for non-identifying functional state, as it is here.
Section 03

Email Communications

The site includes email capture forms for a newsletter and early-access waitlist. Submitting your email address constitutes your express consent to receive periodic communications from grc.engineering on topics including:

  • CMMC L2 and HIPAA compliance guidance and updates
  • Tool releases and feature announcements
  • Published research and framework change notifications
  • Occasional service or engagement offers from grc.engineering

Email addresses collected through these forms are transmitted to and stored by Buttondown, our email newsletter provider. Buttondown acts as a data processor on our behalf under a data processing agreement. Your email address is not shared with other third parties for their own marketing purposes.

You may unsubscribe at any time using the unsubscribe link included in every email we send, or by contacting us directly at the address listed in Section 8. We will process removal requests within 10 business days. Buttondown's privacy policy is available at buttondown.com/legal/privacy.

Forms may not yet be active. Some email capture forms on this site are currently placeholders pending integration with Buttondown. If a form does not produce a confirmation message, your submission may not have been received. Please email us directly if you would like to be added to the list.
Section 04

Third-Party Services

We use a small number of third-party services to operate and improve this website. Each is listed below with a summary of what it does and a link to its own privacy policy.

| Service | Purpose | Data handling | Privacy policy |
|---|---|---|---|
| Cloudflare | DNS, CDN, DDoS protection, optional aggregate analytics | No data sales | cloudflare.com |
| Google Fonts | Serves Sora and Fira Code typefaces | IP only, transient | policies.google.com |
| Buttondown | Newsletter delivery and subscriber management | No data sales | buttondown.com |

Cloudflare Analytics

We may use Cloudflare Web Analytics, which is a privacy-first analytics product. It does not use cookies, does not track individual users across sites, and provides only aggregate traffic metrics (page views, visitor counts by country, browser distribution). Individual page-view data is retained by Cloudflare for up to 30 days per their standard retention schedule.

Google Fonts

This site loads fonts from Google Fonts, which requires a request to Google's servers. Google may log your IP address as part of serving the font files; this log is transient and subject to Google's privacy policy. If this is a concern, modern browsers cache font files aggressively, so the request typically occurs only on your first visit. We have no control over Google's logging practices for this request.

No advertising networks

We do not use Google Ads, Meta Pixel, LinkedIn Insight Tag, or any other advertising tracking pixel. No retargeting, remarketing, or behavioral advertising data is collected from visitors to this site.

Section 05

Data Security

grc.engineering is delivered exclusively over HTTPS (TLS 1.2+), enforced at the Cloudflare edge. This encrypts all data in transit between your browser and the site. Because the site is static and we do not operate a server-side database for visitor data, the attack surface for data exfiltration is minimal.

The primary personal data we hold is email subscriber lists managed by Buttondown. Buttondown's security practices, including encryption at rest and access controls, are documented in their security documentation at buttondown.com/security.

No method of internet transmission or electronic storage is 100% secure. We take reasonable steps to protect the information we hold, but we cannot guarantee absolute security. If you believe your information has been compromised in connection with grc.engineering, please contact us immediately at the address in Section 8.

Consulting engagements. If you become a client of grc.engineering, any sensitive information shared during the engagement (CUI, ePHI, system architecture, credentials) is handled under a separate written engagement agreement with its own data handling and confidentiality provisions. This privacy policy governs the public website only.
Section 06

Children's Privacy

This website is directed to compliance and security professionals and is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at the address in Section 8 and we will delete it promptly.

Section 07

Changes to This Policy

We may update this privacy policy from time to time as the site evolves, new services are added, or applicable laws change. When we do, we will update the "Last updated" date at the top of this page. Material changes that affect how we use your personal information will be communicated to email subscribers in the next newsletter issue.

Continued use of the site after a policy update constitutes acceptance of the revised terms. If you disagree with a change, your recourse is to unsubscribe from communications and discontinue use of the site.

Prior versions of this policy are not archived publicly; if you need a historical copy for any reason, contact us and we will provide it if available.

Section 08

Contact Us

Questions, requests to delete your data, or privacy concerns should be sent to:

grc.engineering

United States — privacy and data requests

demo@signalplane.co

We aim to respond to all privacy inquiries within 5 business days. For data deletion requests (email subscribers), please allow up to 10 business days for complete removal from our systems and our email provider's records.