Privacy Policy

Effective Date: January 1, 2026

1. Overview

MOORLI VendorRiskDiagnostic (“we,” “our,” or “us”), a product of MOORLI LLC, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard information when you use our website and automated audit service (the “Service”). By using MOORLI VendorRiskDiagnostic, you agree to this Privacy Policy, along with our Terms of Service and Disclaimer.

2. Information We Collect

a. Information You Provide: Email address used for Google Sign-In or email/password authentication via Firebase Authentication, and any information you send us by email. MOORLI VendorRiskDiagnostic does not store your account passwords in its application database. Payment details are processed by Stripe (we do not store full card numbers).

b. Domain List & Audit Outputs: The domains you submit for scanning, the resulting scores/grades/findings, and generated report files (HTML/PDF/PPT where applicable).

c. Public Infrastructure & Related Internet-Facing Data: To generate your audit report, our automated engine queries publicly accessible DNS, lightweight public-web validation endpoints, registration context, and related internet configuration signals for the domains you upload (e.g., SPF/DMARC/MTA-STS/DNSSEC/MX, registration-age context, and selected external corroboration signals). This process relies on publicly available internet-facing data.

d. Provider-agnostic: We do not ask for, require, or collect access to vendor email accounts or internal systems. We do not need to know “who the provider is,” and we do not market the Service as a way to identify or track vendors’ providers.

e. No Sensitive Personal Data: We do not intentionally collect sensitive categories of personal information.

3. How We Use Your Information

  • Authenticate your account and grant access to your purchased reports.
  • Generate, store, and deliver your vendor email risk assessment.
  • Process payments and receipts via Stripe.
  • Provide technical support related to report generation.
  • Improve system performance, reliability, and security.

We do not sell, rent, or share your personal information for advertising.

4. Data Storage and Security

All data is processed and stored on Google Cloud (Firebase, Firestore, Cloud Storage) with encryption in transit and at rest. Access is restricted to authorized personnel and controlled service accounts.

5. Data Access

Zero-Access Policy: MOORLI VendorRiskDiagnostic operates on public-facing DNS and internet configuration signals. We do not request, require, or have access to your private email servers, inboxes, or internal employee data, and we do not log into third-party vendor systems.

6. Payments

Transactions are handled by Stripe, a PCI DSS–compliant processor. We do not store card or bank details.

7. Sharing of Information

We do not sell, rent, or lease your personal data for advertising. We share information only with essential service providers for core functions:

  • Hosting and Payments: Google Cloud (for hosting/storage) and Stripe (for payment processing).
  • Legal Compliance: To comply with a valid legal request or to protect our rights and property.

8. Cookies and Analytics

We may use essential cookies to maintain your session and authentication state. We may also use analytics tools to understand how users interact with the Service. These tools collect anonymized usage data (pages visited, time on site) and do not track you across other websites.

You can disable cookies in your browser settings, though this may affect functionality.

9. Data Retention

MOORLI VendorRiskDiagnostic retains data as follows:

  • The Static Report File: Generated report files may be stored for 90 days in secure cloud storage to allow dashboard access and downloads. After that period, report files may be automatically deleted.
  • The Audit Record: Audit metadata (e.g., user ID, domain list, risk scores, timestamps) is retained to show audit history in your dashboard unless you request deletion (subject to legal requirements and backup retention).
  • Backups & Logs: Limited backups and security logs may persist for a reasonable period for reliability and fraud/security purposes.

10. Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your data (subject to legal retention requirements).
  • Portability: Request your data in a portable format.
  • Opt-out: We do not sell personal data. If you are a California resident under CCPA, you have the right to know what data we collect and to request deletion.

To exercise any of these rights, contact support@moorli.io. We will respond within 30 days (or as required by applicable law).

11. Children's Privacy

Our Service is not directed to individuals under the age of 18.

12. International Data Transfers

Your data may be processed on servers located in the United States.

13. Changes to This Policy

We may update this policy periodically; the latest version will be posted here.

14. Contact

Questions? Email support@moorli.io.