Privacy Policy

Last updated: 6 April 2026

The short version: We collect your email if you sign up, what policies you've analysed (when you're signed in), minimal data if you try the analyser as a guest, and basic analytics so we know which features people use. We don't sell your data. We don't share it with advertisers. We don't track you across the web. That's it.

What we collect and why

If you create an account

Your email address — so we can contact you about your account and product updates. That's the only reason.

If you use the live analyser without an account

A one-way hash of your IP address, the current calendar month, and a date stamp — to enforce the one-free-analysis-per-calendar-month limit for guest users. The hash cannot be reversed to recover your IP address. These records are automatically deleted after 90 days. The policy text you paste is sent to Anthropic for analysis and is not stored on our servers.

If you use the live analyser while signed in

The policy text you paste and the results — so we can show you your analysis history and serve cached results faster for everyone. We store the analysis result, not the raw policy text. We also store a count of how many analyses you've run this month to enforce the fair-use limit (currently 5 per month). This count resets at the start of each calendar month.

The policy text you paste is sent to Anthropic's API to generate the analysis. Anthropic processes it under a zero data retention agreement — they do not store or train on text submitted via the API. See Anthropic's privacy policy for details.

If you request an analysis

The company name, policy URL, and optionally your email address — so we can prioritise analyses by demand and associate votes with repeat requests. You don't need to be signed in to submit. New curated write-ups appear on the leaderboard; we do not send automated emails when an analysis is published. If you provide an email, we don't add you to any mailing list.

If you follow a company for alerts

We store your user ID and the company slug you're following along with your notification preferences (policy changes, new content). We store a content fingerprint (hash) of the policy page for each followed company so we can detect when it changes. We send email notifications only for the types you've explicitly opted into.

If you use a labelled affiliate link

No extra personal data is collected by us for affiliate clicks. Some analysis pages and the site footer include clearly marked affiliate links to privacy-focused products. If you follow a link and the partner records a referral, they may process data under their own privacy policy; we do not receive your payment details or identity from them through the link itself. Affiliate relationships do not change our grades or editorial conclusions — see our About page.

If you make a voluntary contribution

Payment processing — handled entirely by Stripe. We never see or store your card number or payment details. Stripe gives us a confirmation that a payment was made. That's all.

When you use the site

Basic analytics — page views, which features you use, what device and browser you're on. We use this to understand what's working and what isn't. We use Vercel's built-in analytics for this. We don't use Google Analytics. We don't build advertising profiles.

Analysis page popularity — when you open a curated analysis page, we may record which company's page was viewed. If you're signed in, we may store your user ID with that event; if you're not signed in, we may store an anonymous session identifier supplied by your browser to avoid counting the same visit many times. We use this only for aggregate metrics (for example how often each analysis is read), not for advertising.

Automatically via our hosting

Server logs — Vercel (our hosting provider) temporarily logs IP addresses and request data as part of standard web hosting. We don't access these for tracking purposes.

What we don't collect

✗We don't collect your name, location, phone number, or contacts
✗We don't use cookies for advertising or tracking
✗We don't fingerprint your browser
✗We don't sell, rent, or trade your data to anyone
✗We don't let third parties put trackers on our site

Who has access to your data

Supabase

Database, authentication — Stores your account, signed-in analysis history, follow preferences, policy fingerprints for change detection, optional analysis-page metrics, and policy submissions

Vercel

Hosting, analytics — Serves the website, basic usage analytics

Anthropic

AI analysis — Processes policy text when you run an analysis (zero data retention agreement)

Have I Been Pwned

Breach data lookup — We query their public API at build time to show known data breaches for each company we analyse when a domain is configured. No user data is sent — only the company domain name.

Resend

Transactional email — Sends account confirmation emails and (if you opt in) policy change notifications

Stripe

Payment processing — Handles voluntary contributions — we never see your card details

That's the complete list. No data brokers. No ad networks. No unnamed "third-party partners."

Your rights

You can do any of these at any time by emailing us:

See your data — we'll send you everything we have on you
Delete your data — we'll remove your account and all associated data
Export your data — we'll send you a copy in a standard format
Unsubscribe — every email has an unsubscribe link

We respond to all requests within 7 days. No forms to fill out. No hoops to jump through.

Cookies

We use only essential cookies to keep you logged in. No tracking cookies. No third-party cookies. No cookie banner needed because we're not doing anything that requires your consent beyond basic functionality.

Data retention

Account data: Kept until you delete your account
Analysis history: Kept until you delete it or your account
Monthly usage count: Resets at the start of each calendar month; deleted when you close your account
Guest usage records (hashed IP + month): Automatically deleted after 90 days
Global daily analyser usage: Resets each calendar day; not tied to any user. Separate aggregate counts per day for guest and signed-in traffic (no personal data) — used to cap site-wide cost
Followed company preferences: Stored until you unfollow a company or delete your account
Policy content fingerprints (followed companies): Stored while you follow the company; removed when you unfollow or delete your account — used only to detect policy changes for notifications
Analysis page view records: Kept for aggregate analytics; contain the analysis slug and optionally your user ID (if signed in) or a session identifier from your browser
Policy submission emails: Deleted after we send the notification, or within 90 days if no analysis is published
Server logs: Automatically deleted by Vercel after 30 days

If you delete your account, your data is removed within 30 days. Genuinely removed — not "deactivated" while we keep everything in a backup somewhere.

Changes to this policy

If we change this policy, we'll email you about it before the changes take effect. We won't quietly update it and hope you don't notice. That's the kind of thing we built this tool to expose.

For the lawyers

This site is operated from Australia. We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). If you're in the EU, we respect your rights under GDPR. If you're in California, we respect your rights under CCPA. Regardless of where you are, we treat everyone's data with the same standard of care.

Contact

Questions about your privacy? Email us: privacy-decoded@proton.me

How we'd grade ourselves

We ran this policy through our own tool

✓ Plain language, no legalese
✓ Minimal data collection
✓ No data sold or shared with advertisers
✓ Clear data retention periods
✓ Easy deletion process
✓ Notification before policy changes
✓ Complete list of third parties

This is what a privacy policy should look like. We hope more companies start writing theirs this way.