The policy
we score ourselves by.

The Privacy Beat is a privacy-policy analyzer that scores publicly available privacy policies against U.S. federal law. The service is operated from the United States and is currently in pre-formation status — the operating entity has not yet been incorporated.

This policy describes the data practices that are in effect today and that will become legally binding when the operating entity is formed. The technical architecture, retention windows, and third-party relationships described here are real and accurate at the time of publication.

We collect three categories of data, each with a specific purpose. Nothing else.

About the IP hash: we hash your IP address with a static salt (pb-salt-2026) before storing it. Hashing is a form of pseudonymization, not anonymization — a determined adversary with the salt and a list of candidate IPs could reverse-engineer the mapping. We treat the hashed IP as personal data and apply the same protections we apply to other categories.

We don't collect the following. If we ever start collecting any of them, we'll update this policy and notify users on the home page before the change takes effect.

• No accounts. There is no sign-up, no login, no password. We have nothing to associate your queries with you.
• No tracking cookies. We do not set cookies. Vercel (our web-hosting service) may set technical cookies for hosting and security; these are documented in Vercel's privacy policy.
• No analytics scripts. No Google Analytics, no Mixpanel, no Plausible, no anything. Server-side request counts only.
• No tracking pixels. No Meta Pixel, no LinkedIn Insight Tag, no third-party tracking pixels of any kind.
• No fingerprinting. We do not collect or use canvas fingerprints, font lists, screen-size profiling, or other device-identification techniques.
• No advertising. We do not run ads, host ad networks, or share data with advertisers.
• No personal identifiers. No names, no email addresses (unless you write to us), no phone numbers, no addresses, no demographic data.

Each category has a specific retention window. We don't keep anything longer than we need to.

Honest disclosure: the 90-day deletion of hashed IPs is currently performed manually. A scheduled deletion function in Supabase is on the roadmap and will be deployed in a future release. See the Transparency Report for the full roadmap.

The Privacy Beat is built on commercial infrastructure. The following vendors process data on our behalf. Each has its own privacy policy, which we link to so you can review them yourself.

• VercelWeb hosting · Edge network
  Hosts the website and serverless functions. Vercel processes your IP address and request metadata as part of normal HTTP traffic, and may set technical cookies for security and routing. Vercel Privacy Policy →
• SupabaseDatabase · Cache
  Stores cached analyses and the request log (hashed IP only). Hosted on AWS infrastructure in the United States. Supabase Privacy Policy →
• UpstashRate limiting
  Stores per-IP rate-limit counters with a 1-hour rolling expiration. We send Upstash a hashed IP only — never the raw IP. Upstash Privacy Policy →
• AnthropicLLM analysis
  Receives the privacy-policy text you submit and returns the structured analysis. Per Anthropic's commercial terms, prompts and outputs sent through the API are not used to train Anthropic's models. Anthropic Privacy Policy → · Commercial Terms →
• CloudflareDNS
  Provides DNS resolution for theprivacybeat.org. Our DNS records are configured as "DNS only" (not proxied), so Cloudflare does not see your traffic to the site — only the DNS lookup that resolves the domain to Vercel. Cloudflare Privacy Policy →
• GitHubSource code hosting
  Hosts the source repository for The Privacy Beat. GitHub does not process user traffic to the live site; it only receives our deployment commits. GitHub Privacy Statement →

We do not sell, rent, lease, or otherwise commercially share your data. Period.

The third-party vendors listed in § 05 process data on our behalf strictly for the purposes described — hosting, caching, rate limiting, and LLM analysis. They are bound by their own terms of service and privacy obligations. We do not allow them to use your data for their own marketing, training, or product development.

The only situation in which we would disclose data to a party not listed above is in response to a legally valid request — a search warrant, subpoena, or court order — that we cannot challenge. If we receive such a request, we will challenge it where there is a non-frivolous basis to do so. Because we do not collect personally identifying data, the practical scope of any disclosure is very limited.

Because we don't collect identifying information, most of the rights below are easier to exercise practically than legally — there is rarely anything to find or delete that's tied to you specifically. We commit to the following standards regardless.

1. Right to know. You can ask us what categories of data we hold that could be associated with you. We respond within 30 calendar days of receiving a verifiable request.
2. Right to deletion. You can ask us to delete any data we hold that could be associated with you. We respond within 30 calendar days. For hashed IPs, deletion happens by purging the row matching the hash you provide; we cannot reverse the hash for you, but you can supply your IP address and we will compute the hash and delete the matching row.
3. Right to correction. If you believe an analysis is wrong about a specific company's policy, you can request correction or removal of the cached result. We respond within 30 calendar days.
4. Right to portability. If we hold any data that's associated with you, you can request a copy in machine-readable format (JSON). We respond within 30 calendar days.
5. Right to object. You can object to any specific use of your data. We respond within 30 calendar days and will either honor the objection or explain in writing why we can't.
6. No retaliation. We will never refuse service, charge a different price, or degrade service quality because you exercised any right above.

All requests should be sent to the contact address in § 12. We will respond from the same address. If you don't receive a response within 30 days, follow up — we'd rather be reminded than miss a request.

Honest disclosure: we do not yet have a formal rights-request endpoint or workflow. Requests are handled manually by the operator. A formal endpoint with verification flow is on the roadmap. See the Transparency Report.

The Privacy Beat is built with security as a first-order concern, not an afterthought.

What we do

• HTTPS everywhere. All traffic to and from the site is encrypted in transit via TLS, terminated at Vercel's edge.
• Database access control. Our Supabase tables have Row Level Security (RLS) enabled with no public policies. The anonymous API key cannot read or write data; only the server-side service role can.
• API key isolation. Anthropic and Supabase service-role keys are stored as Vercel environment variables, never exposed to the client.
• Rate limiting. Per-IP rate limiting at 10 requests per hour prevents brute-force scraping and abuse.
• Server-side input construction. The LLM prompt is constructed server-side. Client-supplied messages are ignored to prevent cache poisoning and prompt injection from manipulating cached results.
• Minimal attack surface. No user accounts, no password storage, no payment processing, no PII collection means there's very little of value to steal.

What we have not yet done

We have not commissioned a third-party security audit, do not have a published vulnerability disclosure program, and do not yet have a formal incident response plan. These are on the roadmap. See the Transparency Report.

If you discover a security issue, please report it to the contact address in § 12 with the subject line "Security". We will respond within 5 business days.

If we discover a security breach affecting data covered by this policy, we will:

1. Investigate within 24 hours of discovery to determine the scope and nature of the breach.
2. Post a public notice on the home page within 72 hours of confirming a breach occurred, describing what happened, what data was affected, and what we're doing about it.
3. File required regulatory notices within applicable timelines (typically 30–60 days under federal and state law).
4. Publish a post-mortem within 30 days of remediation, describing the root cause and the steps we've taken to prevent recurrence.

Because we do not collect personally identifying data, the practical impact of any breach is significantly limited. The most sensitive information we hold is hashed IPs, which cannot be used to identify a specific user without additional context.

Honest disclosure: we do not yet have a documented incident response plan. The commitments above will be operationalized into a written runbook on the roadmap. See the Transparency Report.

The Privacy Beat is not directed to children under 13. We do not knowingly collect any data from children under 13.

Per our own Methodology page, we apply the Epic Rule to ourselves: a "not directed to children" disclaimer is not enough on its own. The reason we score well on this category despite the disclaimer is structural — our service does not collect personal information from any user, regardless of age. There are no accounts, no profiles, no behavioral advertising, no behavioral tracking. A child using the analyzer is not at greater data-protection risk than an adult, because we collect the same minimal amount from both.

If you are a parent or guardian and believe a child has provided personal information through any contact with us (for example, by writing to our contact address), please email us and we will delete the information within 30 days.

We will update this policy as our practices change. Material changes — anything that expands what we collect, reduces user rights, or adds a new third-party recipient — will be announced on the home page at least 30 days before they take effect, with a link to the previous version of the policy archived for comparison.

Non-material changes — typo fixes, clarifications, link updates — take effect immediately and are noted in the version history at the bottom of this page (to be added in a future update).

The version of this policy is shown in the meta panel at the top of the page.

For privacy questions, data-subject requests, security reports, or anything else related to this policy:

A dedicated privacy@theprivacybeat.org address is on the roadmap. Until then, the Gmail address above is the canonical contact.