Privacy Policy

The data controller responsible for your personal data is MorPhoe Tech Inc., a California corporation. For privacy-related requests, data subject rights, or general support, contact us at contact@biznerva.com.

We collect information that you provide, that we obtain automatically, and from third parties.

2.1 Information you provide

• Account and profile: Name, email address, organization name, job title, role, and password (stored in hashed form).
• Organization data: Company details, industry, size, and other information you provide when setting up or managing your organization.
• Content and documents: Documents, records, training data, incident reports, compliance-related content, and other materials you upload or create within the Services.
• Communications: Messages to support, feedback, and correspondence you send us.
• Payment and billing: Billing address, payment method details (processed by our payment provider; we do not store full card numbers).

2.2 Information we collect automatically

• Device and browser data (e.g. IP address, browser type, operating system).
• Usage data (e.g. pages visited, features used, time spent) to operate and improve our Services.
• Log data (e.g. access times, referring URLs) for security and troubleshooting.

2.3 Information from third parties

We may receive information from identity providers (e.g. when you sign in with Google or Microsoft), from your organization administrator, or from partners who refer you, where permitted by law.

We use your information to:

• Provide, operate, maintain, and improve the Services.
• Authenticate you and manage your account and organization.
• Process transactions and send related notices.
• Send service-related and security communications.
• Respond to your requests and provide support.
• Analyze usage to improve our products and user experience.
• Send marketing communications where you have consented or where permitted (you may opt out at any time).
• Comply with legal obligations and protect our rights and the rights of others.
• Enforce our Terms of Service and other policies.

3.1 AI Data Processing

BizNerva uses AI services provided by Anthropic (Claude), OpenAI (GPT-4o), and Google AI (Gemini) to power compliance analysis features. Data is transmitted over encrypted (HTTPS/TLS) connections, and all providers process data under API terms that prohibit use for model training.

3.1a Pay Transparency Compliance Checker

Our job posting compliance checker analyzes job posting text for regulatory compliance with California pay transparency and labor law requirements. The job posting text and a system prompt containing compliance auditing instructions and applicable regulatory context (such as relevant California labor law requirements) are sent to AI providers (OpenAI, Anthropic, or Google AI, depending on availability). No personal identifiers such as names or emails are included. This feature is limited to 5 checks per month per organization. Data is sent over encrypted connections, and providers process it under API terms that prohibit use for model training.

3.1b AI Compliance Assistant

When you use the AI Compliance Assistant, the following data may be sent to Anthropic (Claude) for analysis:

• Organization context: Organization name, industry, employee count, jurisdiction, operating states, active compliance modules, and compliance posture summary. Personally identifiable information (user IDs, names, emails, phone numbers) is systematically redacted before transmission.
• Compliance data: Summaries of compliance plans, tasks, evidence items, incident records, training records, and regulatory controls relevant to your query. All personal identifiers are redacted from this data.
• Uploaded documents: When you attach files (PDFs, images, text files), their content is extracted and may be sent to Anthropic for analysis. Files are pre-screened for sensitivity — documents classified as "restricted" (containing SSNs, medical diagnoses, account numbers, or encryption keys) are blocked from AI processing entirely. PII patterns (emails, phone numbers, Social Security numbers, dates of birth, driver's license numbers, and credit card numbers) are redacted from file content before transmission.
• Conversation history: Your recent messages with the AI Assistant (up to 20 messages) are included for conversational context.

What is NOT sent to AI providers: Raw employee records, user authentication credentials, financial/payment data, encrypted PII fields, and internal audit logs are never transmitted to external AI providers.

Usage is credit-based per your subscription tier. You can review credit costs and usage history within the platform.

We do not control third-party AI providers' data practices beyond their respective API terms and cannot guarantee their compliance with their own terms. We recommend reviewing the privacy policies of our AI sub-processors. See our Data Processing Agreement for the full list of sub-processors.

Legal basis (EEA/UK): We process personal data based on contract performance, consent, legitimate interests (e.g. security, product improvement), and legal obligation, as applicable.

We may share your information with:

• Service providers: Hosting, analytics, email, payment processing, and support tools, under contract and only for the purposes we specify.
• Your organization: If you use the Services through an organization, admins may see account and usage information for that organization.
• Legal and safety: When required by law, to protect rights and safety, or to respond to valid legal process.
• Business transfers: In connection with a merger, sale, or acquisition, subject to the same privacy commitments.

We do not sell your personal information. We do not share it for cross-context behavioral advertising in a way that qualifies as a "sale" or "share" under the CCPA/CPRA, except as required by law.

Your information may be transferred to and processed in the United States and other countries where our service providers operate. For transfers from the EEA, UK, or Switzerland, we rely on adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms. You may request details relevant to your jurisdiction by contacting contact@biznerva.com.

We implement technical and organizational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, and regular security assessments. No method of transmission or storage is 100% secure; we encourage you to use strong passwords and protect your account.

In the event of a data breach that may affect your personal information, we will notify you and applicable regulatory authorities as required by law, typically within seventy-two (72) hours of confirmed discovery. See our Data Processing Agreement for detailed breach notification procedures.

We retain your information for as long as your account is active or as needed to provide the Services, and as required by law. Specific retention periods:

• Account data: Retained while your account is active; deleted within 30 days of a confirmed deletion request.
• Login & security logs: 30 days (login attempts), 1 year (security events).
• Compliance records: Up to 5–7 years as required by regulation (e.g. OSHA, Cal/OSHA).
• Password reset codes: Automatically purged after 1 day.
• Expired invitations: Automatically purged after 90 days.

After account closure, we may retain certain anonymized data for legal, security, or dispute-resolution purposes.

You are responsible for understanding the data retention requirements applicable to your industry and jurisdiction. BizNerva retains compliance records for the periods stated above, but cannot guarantee that these periods satisfy all regulatory requirements for your specific situation. Upon account termination, records are retained for the applicable retention period or thirty (30) days, whichever is longer, unless a legal hold is in effect.

Depending on where you live, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data, subject to legal and contractual exceptions.
• Restriction: Request restriction of processing in certain circumstances (e.g. while accuracy is contested).
• Portability: Request a portable copy of your data in a machine-readable format (where applicable).
• Object: Object to processing based on legitimate interests or for direct marketing.
• Withdraw consent: Where we rely on consent, you may withdraw it at any time.
• Complaint: Lodge a complaint with a supervisory authority (e.g. in your country of residence).

8.1 California Residents (CCPA/CPRA)

Under the CCPA/CPRA, California residents have the right to know, delete, correct, opt out of sale/sharing, limit use of sensitive personal information, and to non-discrimination. We do not sell or share personal information for cross-context behavioral advertising. We honor the Global Privacy Control (GPC) signal. For full details and a structured table of PI categories, see our Do Not Sell or Share My Personal Information page.

We will acknowledge your request within ten (10) business days and provide a substantive response within forty-five (45) calendar days of receiving your verified request, as required by California law.

To exercise your rights, contact us at contact@biznerva.com. We may need to verify your identity. You may also use in-product settings where available (e.g. profile, data export, account deletion).

We use cookies and similar technologies for authentication, security, preferences, and analytics. You can control cookies through your browser settings. Some features may not work correctly if you disable certain cookies. We do not use third-party tracking cookies or cross-site advertising cookies.

BizNerva is a business platform intended exclusively for adults. All users must be at least 18 years of age. We require age confirmation during account creation and do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at contact@biznerva.com and we will promptly delete it.

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the "Last updated" date. For material changes, we will provide additional notice (e.g. email or in-app notice) where required by law. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

For questions about this Privacy Policy or our privacy practices, or to exercise your rights, contact us at contact@biznerva.com.