Privacy Policy

Effective Date: April 1, 2026  ·  Last Updated: April 6, 2026
Questions? Contact us.

The short version: We collect information you provide to generate your CMMC documentation. We use it to build your documents and communicate with you about compliance deadlines and updates. We don't sell your data. Payment is handled by Stripe. You can ask us to delete your data at any time.

01 Information We Collect

We collect information in several ways as you use MyCMMC.org:

  • Quiz answers. When you complete the free CMMC Readiness Check, we collect your responses to plain-English questions about your operations, the type of data you handle, and your current compliance posture. We also collect your email address if you choose to receive a readiness report.
  • Product intake answers. When you purchase and complete the product intake assessment, we collect detailed information about your IT environment, network architecture, user access controls, CUI data flows, and current security practices. This information is used exclusively to generate your CMMC documentation package.
  • Contact information. When you contact us through the contact form, request more information, or communicate with our team, we collect your name, email address, company name, and any other information you provide.
  • Payment information. When you purchase a MyCMMC documentation package, payment is processed by Stripe. We do not collect or store your credit card number, CVV, or full payment details on our servers. We receive a transaction confirmation and your billing name and email from Stripe.
  • Usage data. We collect standard web analytics information including pages visited, time on site, browser type, and referring URLs. This data is aggregated and not linked to personally identifiable information.

02 How We Use Your Information

We use the information we collect for the following purposes:

  • Generating your documentation. Intake assessment answers are used to generate your System Security Plan, policies, Plans of Action & Milestones, and other CMMC compliance documents. This is the primary purpose for which we collect detailed assessment data.
  • Sending readiness reports. If you complete the free readiness check and provide your email address, we will send you a summary of your gap analysis results and estimated SPRS score.
  • Practitioner review. When your package includes a practitioner review, your intake answers and generated documents are shared with a CMMC Registered Practitioner for quality review. Practitioners are bound by confidentiality obligations.
  • Follow-up communications. Quiz lead data — including email addresses collected through the free readiness check — may be used to send follow-up communications about CMMC compliance resources, regulatory deadlines, and updates to the MyCMMC service. You can opt out of these communications at any time by clicking the unsubscribe link in any email or by contacting us directly.
  • Customer support. Contact information is used to respond to your questions and support requests.
  • Service improvement. Aggregated, anonymized usage data is used to improve the MyCMMC platform, intake questions, and documentation quality.

03 Data Sharing

We do not sell your personal data or intake assessment answers to third parties.

We share data only in the following limited circumstances:

  • CMMC practitioners. For packages that include practitioner review, your documentation and relevant intake information are shared with a qualified reviewer. Practitioners operate under confidentiality agreements and may not use your data for any purpose other than reviewing your documentation.
  • Payment processing. Payment transactions are handled by Stripe. By making a purchase, you are subject to Stripe's Privacy Policy. We share only the minimum information required to process your transaction.
  • Legal requirements. We may disclose information when required by law, subpoena, or other legal process, or when we believe disclosure is necessary to protect the rights or safety of MyCMMC, our users, or others.
  • Business transfers. If MyCMMC is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you via email if such a transfer occurs, and your data will remain subject to this privacy policy.

04 Payment Processing

All payment processing for MyCMMC documentation packages is handled by Stripe, Inc. Stripe is a PCI-DSS Level 1 certified payment processor.

When you make a purchase:

  • Your payment card details are entered directly into Stripe's secure payment form and are never transmitted to or stored on MyCMMC servers.
  • MyCMMC receives a payment confirmation, your billing name, email address, and a masked card identifier from Stripe.
  • Stripe's handling of your payment data is governed by Stripe's Privacy Policy and their data security practices.

05 Data Retention

We retain your information for as long as necessary to provide our services and comply with our legal obligations:

  • Intake assessment data. Your intake answers and generated documents are retained for 3 years from the date of purchase. This allows you to access your documentation, request updates, or generate revised documents if your environment changes.
  • Quiz lead data. Email addresses and quiz responses collected through the free readiness check are retained until you opt out of communications or request deletion.
  • Contact records. Communications and support records are retained for 2 years.
  • Payment records. Transaction records are retained for 7 years as required by financial regulations.

You may request deletion of your personal data at any time by contacting us through our contact page. We will delete your data within 30 days, except where retention is required by law.

06 Security

We implement reasonable technical and organizational measures to protect your information from unauthorized access, use, or disclosure. These include encryption in transit (TLS), access controls, and secure data storage practices.

We recognize that no internet service is completely secure. If you have reason to believe your account or data has been compromised, please contact us immediately through our contact page.

07 Your Rights

You have the following rights regarding your personal data:

  • Access. You may request a copy of the personal data we hold about you.
  • Correction. You may request correction of inaccurate or incomplete data.
  • Deletion. You may request deletion of your personal data, subject to legal retention requirements.
  • Opt-out. You may opt out of marketing communications at any time using the unsubscribe link in any email or by contacting us directly.
  • Portability. You may request a copy of your intake assessment answers and generated documents in a portable format.

To exercise any of these rights, contact us through our contact page. We will respond within 30 days.

08 Cookies & Local Storage

MyCMMC.org uses browser local storage to save your quiz and intake assessment progress between sessions. This data is stored on your device and is not transmitted to our servers unless you complete the assessment and request a report.

We use standard analytics cookies to understand how visitors use our site. These cookies collect anonymous, aggregated data and cannot be used to identify you personally. You can disable cookies in your browser settings, though this may affect some site functionality.

09 Updates to This Policy

We may update this privacy policy from time to time as our service evolves or as legal requirements change. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify active customers by email.

The most current version of this policy is always available at mycmmc.org/privacy.html.

10 Contact Us

For questions about this privacy policy, to exercise your data rights, or to report a privacy concern, please contact us through our contact page.

We will respond to all privacy inquiries within 30 days.