Our Commitment
At ExposureShield, we prioritize privacy and security. This policy explains how we collect, use, share, and protect information when you access our websites, apps, and services (collectively, the “Services”).
Important: ExposureShield provides security and planning tools and information. It is not a law firm and does not provide legal advice.
1. Information We Collect
1.1 Information You Provide
- Account Information: name (optional), email address, and account credentials (or authentication tokens) used to access the Services.
- Security Check Inputs: email addresses you submit for breach checks and related preferences (such as alert settings).
- Legacy Planning Inputs: digital asset details and beneficiary/trustee details that you choose to store (if you use legacy features).
- Support & Communications: messages you send via contact forms, email, or support channels.
1.2 Information We Collect Automatically
- Usage Data: pages viewed, features used, clicks, and general interaction patterns.
- Device & Connection Data: browser type, device identifiers, operating system, approximate location (derived from IP), and IP address.
- Security Logs: authentication events, login attempts, and audit logs to help protect accounts and prevent fraud.
1.3 Information from Third Parties
- Have I Been Pwned (HIBP): breach and paste exposure data used to display results for security checks (subject to HIBP terms).
- Payment Providers: subscription status and payment confirmation from payment processors such as Stripe (we do not store full card numbers).
- Analytics Providers: aggregated site analytics (for example, Google Analytics) to understand product usage and improve performance.
2. How We Use Your Information
- Provide, operate, and maintain the Services, including breach checks and user account functionality.
- Process subscriptions and manage billing status (via payment providers).
- Send important service messages, such as security notices, product updates, and administrative communications.
- Improve the Services, debug issues, and develop new features.
- Protect users and the platform, including fraud prevention, account security, and abuse detection.
- Comply with legal obligations and enforce our terms.
We do not sell your personal information. We do not use your data for targeted advertising without your consent.
3. Legal Bases for Processing (GDPR / UK GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process personal data under the following legal bases:
- Contract: to provide the Services you request (account access, breach checks, subscriptions).
- Legitimate Interests: to secure, maintain, and improve the Services and prevent fraud (balanced against your rights).
- Consent: where required, such as optional marketing emails or certain cookies/analytics.
- Legal Obligations: to comply with applicable laws, regulations, and lawful requests.
4. Data Security
Security Measures
We use administrative, technical, and physical safeguards designed to protect personal information, including:
- Encryption in Transit: TLS/HTTPS for data transmitted between your browser and our servers.
- Access Controls: least-privilege access, role-based controls, and operational monitoring.
- Security Monitoring: logging and monitoring to detect abuse and protect accounts.
- Secure Infrastructure: reputable hosting providers with industry-aligned security controls.
No system is 100% secure. You are responsible for using strong passwords and enabling multi-factor authentication where available.
5. Data Retention
- Account Data: retained while your account remains active, and for a reasonable period afterward for security, support, and legal purposes.
- Security Check Data: retained only as needed to provide the requested results and to protect the platform (for example, rate limiting, abuse prevention, and troubleshooting).
- Legacy Planning Data: retained while you maintain the feature and subject to your instructions (when available), or until deletion is requested.
- Support Messages: retained as needed to resolve requests, improve support quality, and meet legal obligations.
When feasible, we de-identify or aggregate data for analytics and service improvement.
6. Cookies & Tracking Technologies
We use cookies and similar technologies to operate the Services, remember preferences, and understand performance. Cookies may include:
- Strictly Necessary Cookies: required for basic site functionality and security.
- Preferences Cookies: to remember settings (where available).
- Analytics Cookies: to understand usage and improve the Services (for example, Google Analytics).
You can manage cookies through your browser settings. Depending on your region, you may also see a cookie banner or consent mechanism where required by law.
For Google Analytics, you can also use Google’s opt-out tools, available through your browser settings or Google’s official add-on.
7. Sharing of Information
We share information only as needed to provide and protect the Services, including:
- Service Providers: vendors that help operate the platform (hosting, analytics, email delivery, customer support).
- Payment Providers: to process payments and manage subscriptions (for example, Stripe).
- Legal & Safety: to comply with lawful requests, protect rights, enforce policies, and prevent fraud or abuse.
- Business Transfers: if we are involved in a merger, acquisition, financing, or sale of assets (with appropriate safeguards).
We do not sell personal information. We do not share personal information for cross-context behavioral advertising without consent.
8. International Data Transfers
ExposureShield may process information in the United States and other locations where our service providers operate. Where required, we use appropriate safeguards for international transfers (such as contractual protections).
9. Your Rights & Choices
You may have rights depending on your location, including:
- Access: request a copy of your personal information.
- Correction: request correction of inaccurate or incomplete information.
- Deletion: request deletion of your personal information, subject to legal exceptions.
- Portability: request export of information in a structured, commonly used format (where applicable).
- Opt-Out: opt out of non-essential communications (marketing emails) at any time.
9.1 California Privacy Rights (CCPA/CPRA)
If you are a California resident, you may have the right to:
- Know what personal information we collect, use, disclose, and share.
- Request deletion of personal information (subject to exceptions).
- Correct inaccurate personal information.
- Opt out of the “sale” or “sharing” of personal information (we do not sell personal information).
- Not be discriminated against for exercising your rights.
Do Not Sell/Share: ExposureShield does not sell personal information and does not share it for cross-context behavioral advertising without consent.
9.2 EEA/UK Rights
If you are in the EEA/UK, you may also have the right to object to processing and request restriction of processing in certain circumstances. You may lodge a complaint with your local data protection authority.
10. Children’s Privacy
The Services are not directed to children. We do not knowingly collect personal information from children under 13 (or under 16 in certain regions). If you believe a child has provided personal information, contact us and we will take steps to delete it.
11. Data Breach Notification
If we become aware of a security incident involving personal information, we will evaluate the incident and notify affected users and/or authorities as required by applicable law.
12. Third-Party Links
Our Services may link to third-party websites (for example, documentation, partner services, or educational resources). We are not responsible for the privacy practices of those third parties. Please review their policies before providing information.
13. Policy Updates
We may update this policy from time to time. If we make material changes, we will provide notice through the Services or by email (where appropriate). The “Last Updated” date reflects the most recent version.
Contact Our Privacy Team
Email: privacy@exposureshield.com
Phone: (207) 927-8740
Response Time: Within 48 hours
For privacy requests, please include “Privacy Request” in the subject line.