Last Updated on May 14, 2026
1. Introduction
Warrant, Inc. (“Warrant,” “we,” “us,” or “our”) is a software-as-a-service company that provides AI-powered marketing-compliance review and approval-workflow software (the “Platform” or “Warrant OS”) to organizations in regulated industries.
This Privacy Policy describes how we collect, use, share, retain, and protect personal information across two distinct contexts:
• Website Activities — when you visit, browse, or otherwise interact with our website at hellowarrant.com (the “Site”), including by submitting contact forms, subscribing to communications, scheduling demos, or engaging with our marketing materials.
• Platform Activities — when our customers (typically organizations such as banks, credit unions, asset managers, insurers, and law firms) and their authorized users access and use the Warrant Platform under a Cloud Services Agreement, Product Trial, Order Form, and where applicable a Data Processing Addendum.
These two contexts are governed by different legal arrangements and data flows, and this Policy addresses each separately. By using the Site or the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms set forth herein, do not use the Site or Platform.
2. Definitions
• “Customer” — an organization that has entered into a Cloud Services Agreement with Warrant for use of the Platform.
• “Customer Data” — any data, content, or information submitted to the Platform by a Customer or its authorized users, including marketing materials submitted for compliance review, brand guidelines, configured policy libraries, approval-workflow records, and audit-trail entries.
• “Personal Information” or “Personal Data” — information that identifies, relates to, describes, or is reasonably capable of being associated with a particular individual or household, as defined by applicable privacy law.
• “Platform” — the Warrant OS web application and associated services made available under a Cloud Services Agreement.
• “Site” — Warrant’s marketing website at hellowarrant.com and related subdomains.
• “Authorized User” — an individual authorized by a Customer to access and use the Platform on the Customer’s behalf.
3. Scope and Roles
3.1 Website Activities
For Website Activities, Warrant acts as the data controller for any Personal Information collected directly from website visitors. This means Warrant determines the purposes and means of processing that information.
3.2 Platform Activities
For Platform Activities, Warrant acts as the data processor (also called a “Service Provider” under California law) on behalf of the Customer, who is the data controller. The Customer determines the purposes and means of processing Customer Data submitted to the Platform; Warrant processes that data only on the Customer’s documented instructions, as set forth in the Cloud Services Agreement, Order Form, and any Data Processing Addendum.
For Authorized Users (typically the Customer’s employees or contractors who log in and use the Platform), Warrant collects limited account-related Personal Information (such as name, business email address, role, and authentication metadata) directly from the User during account provisioning and use. For this collection, Warrant acts as a controller for the limited purpose of providing access and supporting the user experience, and as a processor for any Customer Data the User submits.
4. Personal Information We Collect
4.1 Information Collected on the Site
We collect the following categories of Personal Information directly from website visitors:
• Contact Information — name, email address, phone number, organization name, job title, and country of residence, when you submit a contact form, schedule a demo, subscribe to a newsletter, request information, or otherwise interact with our marketing materials.
• Website Usage Information — IP address, browser type and version, operating
system, referring URL, pages visited, time spent on pages, links clicked, and other
website-interaction telemetry.
• Cookies and Similar Technologies — see Section 11.
4.2 Information Collected on the Platform
When Authorized Users access the Platform, we collect:
• Account Information — name, business email address, organization affiliation, role within the Customer organization, and authentication credentials (passwords are stored using industry-standard hashing; SSO credentials are not stored by Warrant).
• Authentication Metadata — login timestamps, IP address, browser/device used for the session, and multi-factor authentication status.
• Activity Data — actions performed within the Platform (content submitted, reviews initiated, decisions made, exports performed, integrations configured), recorded for the purpose of providing the service and supporting the audit trail.
Customer Data submitted to the Platform — marketing materials, brand assets, policy libraries, approval-workflow records, and audit-trail entries — is processed by Warrant on the Customer’s instructions, but is not collected from the Customer’s customers or end users by Warrant directly.
4.3 Information We Do Not Collect
Warrant does not require, ingest, or store regulated personal-data categories such as Social Security numbers, full payment-card numbers (PCI Primary Account Numbers), member-level non-public personal information (NPPI) under the Gramm-Leach-Bliley Act, protected health information (PHI) under HIPAA, or special categories of personal data under GDPR (racial or ethnic origin, religious beliefs, genetic data, biometric data, health data, sexual orientation, etc.). Customer agreements explicitly prohibit submission of such data into the Platform.
5. How We Use Personal Information
5.1 Use of Website Information
We use Personal Information collected on the Site for the following purposes:
• To respond to inquiries, provide requested information, and process demo requests.
• To send marketing communications about our products, services, and events (subject to opt-out).
• To improve the Site and analyze use trends.
• To detect, prevent, and address fraud, security issues, and abuse of the Site.
• To comply with applicable legal obligations.
5.2 Use of Platform Information
We use Personal Information collected through the Platform for the following purposes:
• To operate the service — including provisioning and managing user accounts;
authenticating Users; providing the AI-powered compliance review, approval workflow, audit-trail, and reporting features; and supporting Customer integrations.
• To maintain audit-trail and compliance records — for the benefit of the Customer and to support the Customer’s regulatory and examination obligations.
• To support and troubleshoot — when Customer Users request support, we use
account and activity data to diagnose and resolve issues.
• To improve service performance — through aggregated, de-identified usage data that does not identify any individual or any specific Customer.
• To detect and respond to security incidents — including unauthorized access, data exfiltration attempts, or other threats to the Platform.
• To comply with applicable legal obligations — including responding to lawful
regulatory requests and court ordered subpoenas.
5.3 AI Processing
The Platform uses Retrieval-Augmented Generation (RAG) to support compliance review. When a User submits content for review, that content is matched against tenant-scoped retrieval indexes containing the Customer’s configured policy library and reference materials, and a third-party large language model (Google Gemini API) generates findings grounded in the retrieved
policy/regulatory context.
• No model training on Customer Data. Warrant does not use Customer Data to train, fine-tune, or otherwise update the proprietary AI models that operate the Platform. The third-party LLM provider (Google) is contractually prohibited from using Customer Data to train its models, and inference calls are not retained by the provider beyond the API call.
• Per-tenant retrieval indexes. Each Customer’s retrieval index is logically isolated from every other Customer’s retrieval index. No Customer’s content is used to inform any other Customer’s AI behavior.
• Customer-controlled corpus. Customers control what content informs the AI within their tenant. Customer admins can prune, version, or wipe their tenant’s retrieval index on request.
• Human in the loop. AI outputs are recommendations only. Final compliance decisions are made by authorized Customer reviewers; the AI does not auto-approve, auto-publish, or auto-distribute content.
• Transparency. Each AI finding cites the specific policy or regulation in the Customer’s library and the reference examples that informed the suggestion.
5.4 Aggregated and De-Identified Information
We may use aggregated, de-identified information for any business purpose, including service improvement and benchmarking. Information is considered “aggregated” when it has been combined in a way that makes it impossible to associate with any individual or identifiable Customer; information is considered “de-identified” when it has been processed to remove direct and indirect identifiers and we maintain reasonable controls to prevent re-identification.
6. How We Share Personal Information
We do not sell Personal Information. We share Personal Information only as described below.
6.1 Service Providers and Sub-processors
We engage third-party service providers (“sub-processors”) to support the operation of the Site and the Platform. These sub-processors process Personal Information on our behalf, are bound by written agreements that include confidentiality and data-protection obligations, and are permitted to use Personal Information only to provide their services to Warrant.
Our current sub-processors with access to Customer Data on the Platform are:
• Amazon Web Services, Inc. — primary cloud infrastructure (compute, storage,
database, key management) located in AWS US-East-1, with backups replicated to AWS US-West-2 for business continuity. United States.
• Google LLC — large language model inference via the Gemini API. United States.
• Additional Qualified Vendors. From time to time, we engage qualified vendors — such as third-party security auditors, accountants, customer success analytics, insurers, and legal advisors — who may be granted limited, supervised access to our production environment and, where strictly necessary, to customer accounts, for the sole purpose of evaluating and advising Warrant, Inc. under a services contract that includes confidentiality provisions. These vendors are not permitted to use, disclose, or retain Customer Data for any purpose other than the engagement. A current subprocessor list is maintained on Warrant’s Trust Center at trust.hellowarrant.com.
We provide notice of material changes to our subprocessor list as required by the Cloud Services Agreement and applicable Data Processing Addendum.
6.2 Other Permitted Disclosures
We may share Personal Information:
• To comply with legal obligations — including responding to subpoenas, court orders, or other lawful government requests; cooperating with regulators; or as otherwise required by law.
• To protect rights and safety — to investigate and respond to suspected fraud, security incidents, or threats to the safety of any person.
• In connection with a corporate transaction — such as a merger, acquisition,
financing, or sale of assets, in which case the recipient will be bound to honor the
commitments set forth in this Privacy Policy.
• With your consent — for any other purpose disclosed at the time of collection or with your prior consent.
7. Data Retention
7.1 Customer Data
Customer Data is retained while the Customer’s account is in good standing. Following termination, Customer Data is retained for at least sixty (60) days to allow the Customer to restore the account or to export Customer Data, after which it is securely deleted unless a longer retention period is required by law, contract, or active legal hold.
Customers may request custom retention periods or place legal holds on Customer Data through their contractual relationship with Warrant.
7.2 Account Information and Audit Logs
Authorized User account records are retained while the Customer’s account is in good standing.
Audit logs and security records are retained for at least one (1) year, or longer if required by regulation, contract, or legal hold.
7.3 Website Information
Personal Information collected through the Site is retained for as long as necessary to fulfill the
purposes for which it was collected, including legitimate business purposes such as marketing, customer relationship management, fraud prevention, and legal compliance, unless a longer retention period is required by law.
8. Data Subject Rights
Subject to applicable law and the controller/processor framework described in Section 3, individuals may have the following rights with respect to Personal Information about them:
• Right of Access — to obtain confirmation of whether we process Personal Information about you and a copy of that information.
• Right of Rectification — to correct inaccurate Personal Information.
• Right of Erasure (“Right to be Forgotten”) — to request deletion of Personal
Information.
• Right of Portability — to receive Personal Information in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to Restrict Processing — to request limitation of how we process Personal
Information.
• Right to Object — to object to certain processing activities, including direct marketing.
• Right to Withdraw Consent — where processing is based on consent, to withdraw consent at any time.
• Right Not to be Subject to Automated Decision-Making — including profiling that produces legal or similarly significant effects, except where permitted by applicable law.
• California Residents — under the CCPA/CPRA, the right to know, the right to delete, the right to correct, the right to opt out of “sale” or “sharing” of Personal Information (we do not sell Personal Information), the right to limit use and disclosure of sensitive Personal Information, and the right to non-discrimination for exercising these rights.
8.1 How to Exercise Your Rights
For Personal Information that is part of Customer Data on the Platform, the Customer is the data controller and you should direct your request to the Customer in the first instance. Warrant will support the Customer in fulfilling its obligations as required by the Cloud Services Agreement and any applicable Data Processing Addendum.
For all other Personal Information processed by Warrant — including website-collected information and Authorized User account information — you may exercise your rights by contacting our Privacy Officer:
Privacy Officer: Austin Carroll, CEO • Email: privacy@hellowarrant.com
We will respond to verifiable requests within the timeframe required by applicable law (and in any event, within sixty (60) days for deletion requests). We may need to verify your identity before fulfilling certain requests. We will not discriminate against you for exercising your rights.
9. International Data Transfers
Warrant is a United States-based company. By using the Site or Platform, you acknowledge that
your Personal Information may be transferred to, stored in, and processed in the United States
Customer Data is processed in the United States (AWS US-East-1 with backups in AWS US-West-2).
If we transfer Personal Information from the European Economic Area, the United Kingdom, or other jurisdictions with cross-border transfer restrictions, we use appropriate safeguards as required by applicable law, including Standard Contractual Clauses where applicable.
10. Children’s Privacy
The Site and Platform are intended for use by adults in business contexts. We do not knowingly collect Personal Information from children under the age of 13. If we learn that we have collected Personal Information from a child under 13 without verifiable parental consent, we will delete it. If you are between the ages of 13 and 17, you may use the Site only with parental or guardian consent.
11. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on the Site to operate, analyze, and improve the Site experience. Categories of cookies we use include:
• Strictly necessary cookies — required for the Site to function (e.g., authentication, session management).
• Analytics cookies — to understand how visitors interact with the Site (e.g., Google Analytics 4).
• Marketing cookies — to support contact-form submissions and lead-management workflows (e.g., HubSpot).
You can manage cookie preferences through your browser settings or, where required by law, through the cookie banner provided on the Site. Declining cookies may limit some Site functionality.
The Platform itself does not deploy advertising or third-party marketing trackers. The Platform uses first-party application telemetry solely for performance, error monitoring, and security purposes.
12. Information Security
We implement reasonable administrative, physical, technical, and organizational safeguards designed to protect Personal Information from unauthorized access, use, disclosure, alteration, and destruction. Key controls include:
• Encryption at rest using AES-256 across all data stores.
• Encryption in transit using TLS 1.2 or higher.
• Multi-factor authentication required for administrative and privileged access.
• Role-based access control with least-privilege defaults.
• Tenant isolation at the application layer.
• Continuous monitoring and threat detection.
• Annual third-party penetration testing.
• SOC 2 Type I attestation; SOC 2 Type II audit in progress.
A detailed description of our security program is available at trust.hellowarrant.com.
No system is completely secure. We cannot guarantee that Personal Information will never be subject to unauthorized access, alteration, or disclosure. We will provide notice of any breach of unencrypted Personal Information as required by applicable law and the Cloud Services Agreement.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Site, the Platform, or applicable law. The “Last Updated” date at the top of this Policy reflects the date of the most recent revisions.
If we make material changes that reduce your rights or protections, we will provide notice (such as by email to registered users, by a prominent notice on the Site or within the Platform, or as otherwise required by law) and, where required by law or contract, obtain your consent before the change takes effect.
Your continued use of the Site or Platform after the effective date of any revision constitutes your acceptance of the revised Privacy Policy
14. Coordination with Other Agreements
This Privacy Policy is intended to clarify Warrant’s data practices and shall not in any way modify or limit the legal effect of any Cloud Services Agreement, Order Form, Data Processing Addendum, Master Service Agreement, Terms of Service, or other agreement between Warrant and a Customer or User.
In the event of any conflict between this Privacy Policy and an executed Cloud Services Agreement (or related contract) with respect to Customer Data, the Cloud Services Agreement (or related contract) shall control as to that Customer Data.
15. Governing Law and Venue
This Privacy Policy is governed by and interpreted in accordance with the laws of the State of North Carolina, without regard to its conflict-of-laws rules. Any dispute relating to this Privacy Policy shall be resolved exclusively in the state or federal courts located in the State of North Carolina, and the parties consent to the personal jurisdiction of those courts.
16. Contact
We welcome your comments and questions about this Privacy Policy.
Privacy Officer: Austin Carroll, CEO
Email: austin@hellowarrant.com
General Inquiries: hello@hellowarrant.com
Privacy and Deletion Requests: privacy@hellowarrant.com
Mailing Address:
Warrant, Inc.
601 A Foster Street
Durham, NC 27701
United States
