Privacy Statement

Last updated May 19, 2026

CIOToolkit (“we”, “us”, “our”) provides decision-intelligence software for technology portfolio prioritization. This statement explains what information we collect when you use our website at ciotoolkit.com and the application at app.ciotoolkit.com, how we use it, the providers that help us operate the service, and the choices and rights you have. This statement is effective as of May 19, 2026.

Information We Collect

We collect information in the following categories:

  • Identifiers. Your name, email address, and any organization identifier provided by your identity provider, including Microsoft Entra ID, when you sign in.
  • Workspace content. Organization profiles, strategic objectives, project candidates, scores, and any documents you upload, stored so we can render the portfolio views you build.
  • Usage information. Request metadata such as timestamps, page paths, and error traces, used to operate the service, debug issues, and improve performance.
  • Internet activity. Aggregate page views measured by Vercel Web Analytics. This data is anonymous and is not tied to your account.

How We Use Information

We use the information above to:

  • Authenticate you and maintain your session.
  • Provide and improve the prioritization, scoring, and reporting features you use.
  • Communicate with you about your account, support requests, and material changes to the service.
  • Investigate and prevent fraud, abuse, and security incidents.

How We Share Information

We do not sell personal information. We share information only with the service providers that help us operate CIOToolkit, under written agreements that restrict their use of the data, and when required by law or to protect the rights and safety of users. The current providers are:

  • Supabase. Provides our managed Postgres database, authentication, and object storage.
  • Vercel. Provides application hosting and first-party web analytics for the marketing site.
  • Anthropic. Provides the large-language-model API used for our AI features.

Adding a new processor requires an update to this statement.

AI Features

Some features use Anthropic large language models to summarize, analyze, or suggest content. Prompts and responses are processed only for the immediate request. We do not allow your workspace content to be used to train third-party models, and we do not retain prompts or responses beyond the operational logs needed to debug failures.

You can review what an AI feature sees before sending it, and you remain responsible for whether to act on any AI-generated recommendation.

Cookies And Similar Technologies

We use only strictly necessary cookies, which are required to keep you signed in and to operate core service features such as preserving your active organization context. We do not use advertising, marketing, or cross-site tracking cookies, and we do not use local storage to fingerprint visitors.

Vercel Web Analytics does not set cookies; visitors are identified by a hash derived from the incoming request that is discarded after 24 hours, which means we cannot follow a visitor across sessions or days.

Data Retention

We retain workspace content for as long as your account is active. When you delete your account, we remove the associated workspace content from our production systems promptly, and residual copies in operational backups are removed within 30 days.

If we restore from backup during the 30-day window, any restored copy of your deleted content is removed again as part of the restoration runbook.

Your Rights

Depending on where you live, you may have rights to access the personal information we hold about you, correct it, request its deletion, export a copy, and contact us with questions or complaints. To exercise any of these rights, write to us at the address in the Contact section below.

We will respond within the time required by the applicable law and may need to verify your identity before acting on a request, in order to protect your information from unauthorized disclosure.

GDPR Rights (EU Residents)

CIOToolkit is the controller of the personal information processed under this statement for residents of the European Economic Area. We rely on the lawful bases of performance of a contract (to provide the service you have requested) and legitimate interest (to operate, secure, and improve the service) for the processing described above. Retention is governed by the Data Retention section. You have the right to lodge a complaint with your local supervisory authority if you believe your rights have not been respected.

CCPA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • The right to know what personal information we have collected about you.
  • The right to request deletion of your personal information.
  • The right to correct inaccurate personal information.
  • The right to opt out of the sale or sharing of personal information.
  • The right to limit the use and disclosure of sensitive personal information.
  • The right not to be discriminated against for exercising any of these rights.

We do not sell personal information.

Security

We use industry-standard administrative, technical, and physical safeguards to protect information we process. Traffic to our application is encrypted in transit with TLS, secrets are managed through our hosting provider rather than committed to source control, and access to production systems is limited to the people who need it to operate the service.

No service is perfectly secure, and we encourage you to use strong authentication and to report suspected vulnerabilities to us at the address in the Contact section below.

International Data Transfers

CIOToolkit operates from the United States, and the processors named above (Supabase, Vercel, Anthropic) may process personal information in the United States and other countries where they operate. For personal information transferred from the European Economic Area or the United Kingdom, we rely on Standard Contractual Clauses or an equivalent transfer mechanism approved by the relevant authorities, together with the supplementary measures required by our processors.

Children’s Privacy

The service is not directed to children under the age of 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, please contact us at the address in the Contact section below and we will delete the information.

Changes

We may update this statement to reflect changes to the service, the providers we rely on, or applicable law. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you within the application.

We recommend reviewing this statement periodically. Continued use of the service after a change takes effect indicates your acceptance of the updated statement to the extent permitted by applicable law.

Contact

Questions about this statement, our privacy practices, or any of the rights described above can be sent to hello@ciotoolkit.com.