This page explains what data Pelagos collects, how it is used, and what is shared with third parties. Our approach is straightforward: all customer data is treated as private by default. There is no opt-in data sharing, no privacy mode toggle, and no circumstances under which your compliance documents are used to train AI models.
For questions about data use or privacy, contact us at security@getpelagos.com. For our full privacy policy, see Privacy Policy. For details on our infrastructure and security practices, see Security.
What Data Pelagos Collects
Pelagos collects and stores the following types of data:
Account data
Your name, email address, organization name, and role. This is collected during registration and used to authenticate you and manage your access.
Compliance documents
The files you upload to Pelagos, including SMS manuals, procedures, policies, audit records, and any other compliance documentation. These are stored as files in Amazon S3 (Tokyo region) and as extracted content in our database.
Analysis results
KPI scores, gap findings, evidence mappings, dispute records, stage claims, and submission packages generated when you run compliance analysis. These are stored in our database and retained until you delete them.
Usage data
We use PostHog to collect anonymous product analytics, such as which features are used, page views, and session activity. This helps us understand how people use Pelagos and improve the product. PostHog does not see any document content or compliance data.
Error data
We use Sentry to capture application errors and performance issues. Sentry receives error traces and diagnostic information to help us identify and fix bugs. Sentry does not receive document content or compliance data.
Payment data
Billing and subscription management is handled entirely by Stripe. Payment information (such as credit card details) is collected and processed by Stripe directly. Pelagos does not store credit card numbers or payment credentials on our servers.
How Your Documents Are Processed
When you upload a document to Pelagos, it goes through several processing steps. Some of these steps involve sending content to AI providers.
On upload
1. The document file is stored in Amazon S3 in the Tokyo region.
2. Document content is parsed and text is extracted.
3. The document is chunked and embedded for search and retrieval.
4. The document type is classified (e.g., procedure, policy, manual).
Steps 2–4 involve sending document content to our AI providers (Anthropic and OpenAI) for processing. This happens automatically when a document is uploaded.
During compliance analysis
When you run analysis against a framework (TMSA, DryBMS, or SIRE), relevant document content is sent to our AI providers to evaluate compliance against framework requirements. The AI returns findings, which are stored in our database as your analysis results.
In both cases
- Document content is sent to Anthropic and OpenAI via their APIs.
- Both providers state in their API policies that data submitted via their APIs is not used to train their models. See Anthropic's policy and OpenAI's policy.
- AI providers may temporarily process your data in memory to generate responses but do not persist it beyond the request lifecycle.
What We Store and For How Long
| Data type | Where stored | Retention |
|---|---|---|
| Account data | Supabase (database) | Until you delete your account |
| Document files | Amazon S3 (Tokyo) | Until you delete them |
| Extracted document content | Supabase (database) | Until you delete the document |
| Analysis results (KPIs, gaps, evidence) | Supabase (database) | Until you delete them |
| Disputes, stage claims, submissions | Supabase (database) | Until you delete them |
| Usage analytics | PostHog | Retained per PostHog’s policies |
| Error traces | Sentry | Retained per Sentry’s policies |
| Payment and billing data | Stripe | Retained per Stripe’s policies |
You can request full deletion of all your organization's data at any time. See our Security page for details on the deletion process.
What Third Parties See
Here is exactly what each third-party service can access:
Anthropic
Sees document content during pre-processing and compliance analysis. Does not store or train on API data per their stated policy.
OpenAI
Sees document content during pre-processing and compliance analysis. Does not store or train on API data per their stated policy.
AWS
Hosts our application and document file storage (S3). Sees document files and application traffic.
Cloudflare
Sits in front of our application as a reverse proxy. Sees request traffic in transit but does not store application data.
PostHog
Receives anonymous product usage events. Does not see document content, compliance data, or personally identifiable information beyond basic session data.
Sentry
Receives application error traces and diagnostics. Does not see document content or compliance data.
Stripe
Processes all payments and subscription billing. Sees payment information (credit card details, billing address). Does not see document content or compliance data. Stripe is PCI DSS Level 1 certified. See Stripe security.
Cookies
Pelagos uses the following types of cookies:
Essential cookies
Session and authentication cookies managed by Supabase. These are required for the application to function and keep you logged in.
Analytics cookies
PostHog sets cookies for session and user identification (e.g., a distinct ID to track usage patterns). These are used to understand product usage and improve Pelagos. No document content or compliance data is included.
Pelagos does not use marketing cookies, advertising cookies, or tracking pixels.
What We Will Never Do
- We will never sell your data.
- We will never use your documents to train AI models.
- We will never share your compliance data with other customers.
- We will never share document content with analytics or error tracking services.
Questions
If you have questions about how Pelagos handles your data, contact us at security@getpelagos.com.