DRPV-02

Do you provide an end-user privacy notice about privacy policies and procedures that identify the purpose(s) for which personal information is collected, used, retained, and disclosed?

Explanation

This question is asking whether your organization provides a clear privacy notice to end-users that explains how you collect, use, store, and share their personal information.

What this means: A privacy notice (often called a privacy policy) is a document that informs users about what personal data you collect, why you collect it, how you use it, how long you keep it, and who you share it with. It should be written in clear language and be easily accessible to users, for example linked from every page and shown at the point where data is first collected.

Why it's being asked: This question appears in security assessments because:

1. Transparency about data practices is a fundamental privacy principle.
2. Many privacy regulations (GDPR, CCPA, etc.) legally require organizations to provide privacy notices.
3. Organizations need to demonstrate that they are open about their data handling practices.
4. It shows you respect user privacy and give users the information they need to make informed decisions.

How to best answer it:

- Be honest about whether you have a formal privacy notice.
- Describe where users can find your privacy notice (website footer, during account creation, in-app settings, etc.).
- Confirm that your privacy notice covers each element the question names: the purposes for collection, use, retention, and disclosure of personal information.
- Note any specific regulations your privacy notice is written to comply with (GDPR, CCPA, etc.) and how often it is reviewed.
- If you don't have a formal privacy notice, explain your plans and timeline to create one.

Example Responses

Example Response 1

Yes, we provide a comprehensive privacy notice to all end-users. Our Privacy Policy is accessible from the footer of every page on our website and is presented during the user registration process, requiring explicit acknowledgment before an account can be created. The policy clearly identifies: (1) what personal information we collect and why; (2) how we use this information to provide and improve our services; (3) our data retention periods for different types of information; and (4) the circumstances under which we may disclose information to third parties, including service providers and in response to legal requirements. Our privacy notice complies with GDPR, CCPA, and other applicable privacy regulations, and we review and update it quarterly to ensure continued compliance with evolving privacy laws.

Example Response 2

Yes, we maintain a detailed Privacy Policy that is prominently displayed during the onboarding process and is permanently available through our application's settings menu and website footer. Our privacy notice is written in plain language and includes dedicated sections explaining: the types of personal information we collect (including usage data and optional demographic information); the specific business purposes for which we use this data (service delivery, analytics, and personalization); our retention schedules (typically 3 years after account closure for most data); and our disclosure practices (including our vetted third-party processors and aggregated analytics sharing). We also provide a simplified, layered version with the key points highlighted for quick reference, with links to the more detailed explanations. Our privacy team reviews this notice biannually and updates it as our practices or applicable regulations change.

Example Response 3

No, we currently do not have a formal end-user privacy notice that comprehensively covers all aspects of our data handling practices. While we do have some privacy information scattered throughout our Terms of Service, we recognize that this does not constitute a proper privacy notice that clearly identifies the purposes for the collection, use, retention, and disclosure of personal information. We are actively working to address this gap and have engaged a privacy consultant to help us develop a compliant privacy notice. We expect to have a comprehensive privacy policy implemented within the next 60 days, which will be prominently displayed on our website and during the user registration process. In the meantime, we respond to any privacy-related inquiries from users on a case-by-case basis.

Context

Tab: Privacy
Category: Data Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub