
Privacy Policy

Last updated: May 8, 2026 · Version 1.0 · Effective immediately

At IAM Posture™, privacy is not a checkbox — it is a core engineering requirement. We apply the same Zero-Trust principles to our data handling as we do to our identity assessments. This policy explains how we collect, process, and protect your data when you use our platform.

Data Controller

GreyBeard Intelligence

Boston, MA, USA

Contact: [email protected]

IAM Posture™ is a product of GreyBeard Intelligence ("we," "us," "our"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have. We process data in accordance with the California Consumer Privacy Act (CCPA/CPRA), and where applicable, the EU/UK General Data Protection Regulation (GDPR).

1. Data We Collect

We collect the following categories of personal data:

1.1 Account & Identity Data

Collected when you register: full name, business email address, company name, job title, and account password (stored as a hashed credential via Supabase Auth). This data is necessary to create and manage your account.

1.2 Assessment Data

Data you provide through the LENS™ Assessment: your organisation's IAM maturity inputs, compliance requirements, budget range, team size, deployment model, and risk priorities. This data is used exclusively to generate your scored shortlist and IAM Verdict™ report. Where you use conversational assessment features or upload requirements documents, that content is transmitted to AI model inference providers (see Section 4) to generate analysis. We do not share your raw assessment responses with any other third party. We may use anonymised, aggregated versions of assessment data (with no personally identifiable information) to improve scoring accuracy across the platform — see Section 3.

1.3 Payment & Billing Data

Payment card data is collected and processed exclusively by Stripe, Inc. We do not store, access, or transmit raw card numbers. We receive only non-sensitive billing metadata from Stripe: subscription tier, payment status, and transaction timestamps.

1.4 Usage & Analytics Data

We collect anonymised usage data — pages visited, features used, session duration — via PostHog to understand how the platform is used and where it can be improved. We configure PostHog to respect Do Not Track signals and to anonymise IP addresses. No usage data is linked to your name or email address in PostHog.

1.5 Error & Diagnostic Data

We use Sentry to capture application errors and crashes. Error reports may include browser type, operating system, and the page where an error occurred. We configure Sentry to scrub personally identifiable information from error payloads before transmission.

1.6 Communications Data

If you contact us by email or submit a support request, we retain that correspondence to resolve your query and improve our service. Transactional and nurture emails are sent via Resend using your registered email address.

2. How We Use Your Data & Our Legal Basis

We process personal data only where we have a lawful basis to do so. The table below sets out each processing purpose and its basis.

| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide the Platform and generate your IAM Verdict™ report | Account data, assessment data | Contractual necessity |
| Process payment and manage your subscription | Billing metadata (via Stripe) | Contractual necessity |
| Send transactional emails (report ready, account notices) | Email address | Contractual necessity |
| Send nurture and educational emails | Email address | Legitimate interest — you may opt out at any time |
| Improve scoring accuracy using anonymised assessment signals | Anonymised, aggregated assessment data only | Legitimate interest — no PII used |
| Monitor platform health and diagnose errors | Anonymised error and usage data | Legitimate interest |
| Comply with legal obligations | As required by applicable law | Legal obligation |

3. Anonymised Data & Platform Improvement

We extract anonymised, aggregated signals from assessment responses — for example, "organisations in financial services frequently require FIDO2 support" — to identify gaps in our vendor research and improve scoring accuracy for all users.

This processing uses no personally identifiable information. Your name, email, company name, and individual assessment responses are never included in this aggregation. The output is statistical — it tells us about patterns across the user base, not about you specifically.

If you object to your anonymised assessment signals being used for this purpose, email [email protected] and we will exclude your data.

4. Sub-Processors & Data Transfers

We use the following third-party sub-processors to operate the Platform. Each is bound by a Data Processing Agreement and appropriate safeguards for international data transfers where applicable.

Where you use the LENS™ conversational assessment or upload requirements documents, that content is transmitted to AI model inference providers for analysis. These providers process your data solely on our instructions and are contractually prohibited from using it for their own model training or any other purpose.

| Processor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | USA | DPA + Standard Contractual Clauses |
| Stripe, Inc. | Payment processing | USA | DPA + Standard Contractual Clauses |
| Resend, Inc. | Transactional & nurture email delivery | USA | DPA + Standard Contractual Clauses |
| PostHog, Inc. | Product analytics (anonymised) | USA | DPA + Standard Contractual Clauses |
| Sentry (Functional Software, Inc.) | Error monitoring (anonymised) | USA | DPA + Standard Contractual Clauses |
| Anthropic, PBC | AI language model inference for LENS™ assessment analysis and conversational features | USA | DPA + Standard Contractual Clauses |

We do not sell, rent, or broker your personal data to any third party. We do not operate a data broker model.

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy or as required by law.

  • Account & assessment data: Retained for the duration of your account plus 12 months after account closure, to allow for dispute resolution and legal compliance. After that period, data is permanently deleted.
  • Payment metadata: Retained for 7 years from the transaction date in accordance with US financial record-keeping requirements.
  • Report audit logs: Retained for 3 years from report generation to support accuracy dispute resolution.
  • Error and analytics data: Retained in Sentry and PostHog for 90 days on a rolling basis.
  • Email correspondence: Retained for 2 years from last contact.

You may request early deletion of your account data at any time — see Section 6.

6. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data. To exercise any of these rights, email [email protected] or use the Data & Privacy section of your account settings. We will respond within 30 days.

6.1 Rights Available to All Users

  • Access: Request a copy of all personal data we hold about you, exported as a machine-readable file.
  • Rectification: Request correction of inaccurate or incomplete personal data.
  • Erasure (Right to be Forgotten): Request deletion of your account and all associated personal data. Deletion is processed within 30 days. Note: anonymised, aggregated data derived from your inputs cannot be individually identified and therefore cannot be deleted.
  • Opt-out of marketing: Unsubscribe from nurture and marketing emails at any time via the unsubscribe link in any email or via account settings.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

6.2 Additional Rights for EU/UK Users (GDPR)

  • Restriction of processing: Request that we restrict processing of your data in certain circumstances (e.g. while a dispute is being resolved).
  • Data portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Object to processing: Object to processing based on legitimate interests. We will cease unless we can demonstrate compelling legitimate grounds that override your interests.
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority. For EU users, this is the relevant national DPA. For UK users, this is the Information Commissioner's Office (ICO) at ico.org.uk.

6.3 California Residents (CCPA / CPRA)

We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. PostHog analytics is configured to anonymise data and does not constitute a "sale" or "share" under CCPA/CPRA.

California residents have the right to:

  • Know what personal information we collect, use, disclose, and share (12-month lookback available on request)
  • Delete personal information we hold about you, subject to exceptions
  • Correct inaccurate personal information
  • Opt-out of the sale or sharing of personal information (not applicable — we do not sell or share)
  • Non-discrimination — we will not discriminate against you for exercising any CCPA right

Submit verifiable consumer requests to [email protected]. We will respond within 45 days as required by CCPA.

6.4 How We Handle Data Subject Requests (DSR Workflow)

When you submit a data subject request, we follow this process:

  1. Acknowledgement (within 5 business days): We will acknowledge receipt of your request and confirm the identity verification method required.
  2. Identity verification: We will ask you to verify your identity by sending the request from your registered email address. For access or portability requests, we may ask for additional confirmation.
  3. Processing (within 30 days, or 45 days for CCPA): We will locate all personal data associated with your account across our systems and sub-processors, compile the relevant data, and complete the requested action (deletion, export, correction, or restriction).
  4. Confirmation: We will notify you by email when the request has been completed, and confirm what data was affected.

Account deletion removes your account credentials, assessment inputs, and report history from our primary database within 30 days. Payment records are retained for 7 years as required by financial regulations (see Section 5). Anonymised, aggregated data derived from your inputs cannot be individually identified and is therefore excluded from deletion.

To submit a DSR, email [email protected] with the subject line "Data Subject Request — [type]" (e.g. "Data Subject Request — Deletion").

7. Cookies & Tracking Technologies

We use the following cookies and local storage technologies:

  • Strictly necessary: Supabase session tokens required for authentication. These cannot be disabled without breaking the platform.
  • Analytics (optional): PostHog first-party analytics cookies to understand feature usage. Anonymised. Can be declined via our cookie consent banner.
  • Error monitoring (optional): Sentry session replay and error tracking. Anonymised. Can be declined via our cookie consent banner.

We do not use advertising cookies, third-party tracking pixels, or retargeting technologies.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include:

  • All data in transit encrypted via TLS 1.2+
  • All data at rest encrypted in Supabase (AES-256)
  • Row-level security policies enforcing that users can only access their own data
  • No plaintext storage of passwords or payment card data
  • Access to production data restricted to essential personnel only

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to your registered address at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.

10. Contact

For all privacy-related enquiries, data subject requests, or to exercise any right described in this policy:

We aim to respond to all privacy requests within 30 days. If your request is complex or you have made a large number of requests, we may extend this period by a further 60 days, in which case we will notify you of the extension and the reason.

GreyBeard Intelligence · Boston, MA, USA · [email protected]

We do not use black-box tracking, sell personal data, or operate advertising-based monetisation. Revenue comes exclusively from buyer subscriptions and one-time report purchases.

Zero-Trust Data Policy

We apply zero-trust to our platform data. We use essential cookies for security, cookieless telemetry for anonymous measurement, and functional cookies for preferences. You are in control.