ThemisIQ · Trust & Data

We know trust is everything.
Here is exactly how we earn it.

You are entering sensitive compliance data into ThemisIQ — emissions figures, workforce data, supplier relationships, AI systems. We take that responsibility seriously. This page explains exactly what we do with your data, what we never do, and what rights you have.

Questions? Contact us at privacy@themisiq.co

Our core data principles
1
Your data belongs to you
Everything you enter into ThemisIQ — your emissions data, workforce figures, supplier information, AI systems, financial data — belongs to you. We are custodians of your data, not owners. You can export it, delete it, or correct it at any time.
2
We never sell or share your data
ThemisIQ does not sell, rent, share, or license your data to any third party — ever. Your compliance data is not used for benchmarking products sold to others, not shared with industry bodies, and not disclosed to regulators on your behalf without your explicit instruction.
3
Your data is never used to train AI models
ThemisIQ uses AI to power certain features (framework classification, risk scoring, guidance). Your data is never used to train, fine-tune, or improve any AI model — including the models that power ThemisIQ features. Each session is processed in isolation.
4
Encrypted in transit and at rest
All data transmitted to and from ThemisIQ is encrypted using TLS 1.2+. All data stored in ThemisIQ is encrypted at rest using AES-256. Our infrastructure runs on Supabase (hosted on AWS) with SOC 2 Type II certified data centres.
5
Access controls — only you can see your data
ThemisIQ enforces row-level security — your data is technically isolated from other customers at the database level, not just by application logic. ThemisIQ staff cannot access your inventory data without your explicit request for support purposes.
What we collect
Account data
Name, email address, company name, role — used to create and manage your account.
Compliance data
GHG emissions figures, workforce data, supplier information, AI system descriptions, and other data you enter into ThemisIQ wizards — used solely to generate your compliance outputs.
Usage data
Which features you use, when you log in, which modules you access — used to improve the platform and provide support.
Payment data
Payment is processed by Stripe. ThemisIQ does not store credit card numbers or bank account details.
What we never collect
Sensitive personal data
ThemisIQ does not collect personal data about your employees beyond aggregate workforce metrics (headcount, pay bands). Individual employee data is never stored.
Third-party tracking
ThemisIQ does not use advertising trackers, third-party analytics pixels, or behavioural profiling tools.
Biometric or health data
ThemisIQ does not collect any biometric, health, or special category personal data.
How long we keep your data
Active account data
Kept for the duration of your subscription plus 12 months, to allow for year-on-year comparison reporting.
Deleted account data
When you delete your account, all compliance data is permanently deleted within 30 days. Account records are retained for 7 years for legal and tax purposes.
Support conversations
Support emails and chat logs are retained for 2 years.
Your rights
Access
You can request a full export of all data ThemisIQ holds about you at any time.
Correction
You can correct any inaccurate data directly in the platform or by contacting us.
Deletion
You can delete your account and all associated compliance data at any time from your account settings.
Portability
All compliance outputs are available as CSV exports — your data is never locked in a proprietary format.
Objection
You can object to any processing of your data that is not strictly necessary to provide the service.
Regulatory compliance
PIPEDA
Canada (federal)
ThemisIQ Compliance Inc. is a Canadian corporation. PIPEDA is our primary privacy law.
Quebec Law 25 (Bill 64)
Quebec, Canada
ThemisIQ complies with Quebec's enhanced privacy requirements including privacy impact assessments and breach notification.
GDPR / UK GDPR
European Union · United Kingdom
For customers in the EU and UK, ThemisIQ acts as a data processor. A Data Processing Agreement (DPA) is available on request.
CCPA / CPRA
California, USA
ThemisIQ does not sell personal information. California residents have the right to know, delete, and opt out of sale (not applicable as we do not sell data).
CASL
Canada
ThemisIQ complies with Canada's Anti-Spam Legislation for all commercial electronic messages.
Infrastructure & security
Hosting
Supabase on AWS (us-east-1) · SOC 2 Type II certified
Encryption in transit
TLS 1.2+ on all connections
Encryption at rest
AES-256 on all stored data
Authentication
Supabase Auth with email verification · MFA available
Access control
Row-level security — data isolated at database level
Payment processing
Stripe · PCI DSS Level 1 certified
Email
Resend · SOC 2 Type II certified
Frontend
Vercel · SOC 2 Type II certified
Questions about your data?
Contact our privacy team at privacy@themisiq.co. We respond within 2 business days. For data deletion requests, we act within 30 days.
Our methodologies →Full privacy policy →