§ 01
Universal Scoring
5 Categories · Federal Anchors
Truthfulness & Specificity
Anchor · 15 U.S.C. § 45 (FTC §5)
Exceptionally specific and transparent. Policy explicitly states what is collected (query input, analysis output, hashed IP), exact retention windows, all third-party vendors with links to their policies, and honest disclosures about current limitations. The "honest disclosure" callouts demonstrate unusual candor about operational gaps.
9/10
Data Minimization & Purpose Limitation
Anchor · 15 U.S.C. § 6801 (GLBA model)
Strong minimization posture. No accounts, no tracking cookies, no analytics scripts, no advertising, no fingerprinting. Data collection limited to three categories with clearly articulated purposes. IP addresses are hashed before storage. Purpose limitation is clear: each data type tied to specific operational need.
9/10
Individual Rights
Anchor · 15 U.S.C. § 1681 + HIPAA
Comprehensive rights framework: access, deletion, correction, portability, and objection rights with 30-day response commitment. No-retaliation guarantee included. Policy honestly acknowledges rights are easier to exercise practically given minimal data collection. Deduction for lack of formal rights-request endpoint and manual processing.
8/10
Security & Breach Handling
Anchor · HITECH 60-day standard
Solid security architecture: HTTPS, RLS-enabled database, API key isolation, rate limiting, server-side prompt construction. Breach notification commitments are specific (24hr investigation, 72hr public notice, 30-day post-mortem). However, policy acknowledges no third-party audit, no vulnerability disclosure program, and no formal incident response plan yet documented.
7/10
Children & Vulnerable Users
Anchor · 15 U.S.C. § 6501 (COPPA)
Policy addresses COPPA by stating service is not directed to children under 13 and no data is knowingly collected from them. Critically, the policy self-applies the "Epic Rule" and provides structural justification: no accounts, no profiles, no behavioral tracking means children face no greater risk than adults. Parental deletion mechanism included.
8/10
§ 02
Federal Overlays Triggered
1 statute-specific check
COPPA
15 U.S.C. §§ 6501-6506
Compliant
- Service does not collect personal information from any user, eliminating the primary COPPA risk vector.
- Policy explicitly addresses children under 13 with deletion mechanism for parental requests.
- Structural data minimization (no accounts, no profiles, no behavioral tracking) provides effective protection regardless of user age.
HIPAA · GLBA · FCRA · ECPA · TCPA · CAN-SPAM · VPPA
Not triggered
N/A
- Service is not a covered entity, financial institution, or consumer reporting agency. No marketing channels, no video content, no health or financial data flows.
▣ What This Means
What the analyzer surfaced about us.
- Unusually transparent "honest disclosure" callouts acknowledge operational gaps — manual deletion, no security audit, no formal rights endpoint.
- No tracking cookies, no analytics, no advertising, no accounts. Data collection limited to cached analyses and hashed IPs.
- All third-party vendors explicitly listed with direct links to their privacy policies.
- 90-day hashed IP retention with acknowledged manual deletion process pending automation.
- Pre-formation draft status means the policy is not yet legally binding on a corporate entity.
"The Privacy Beat practices what it preaches: no accounts, no tracking, no ads. Refreshingly honest about its operational gaps."
▣ Roadmap
What we're working on.
The gaps surfaced by this report are tracked and prioritized. Specifically:
- Hashed-IP deletion is moving to a scheduled job.
- A dedicated rights-request endpoint is in design.
- An incident response runbook is in draft.
- A third-party security audit is planned post-LLC formation.
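The report states that IP addresses are hashed before storage and retained for 90 days, with deletion moving to a scheduled job. The sketch below is an added example, not The Privacy Beat's own code, showing how such a pseudonymization-plus-retention scheme can be built so the stored value is actually non-reversible. It assumes a keyed hash (HMAC-SHA256 under a server-side secret, which the report does not specify) rather than a plain digest, because an unkeyed hash of an IPv4 address can be inverted by enumerating the 2^32 possible inputs; the 90-day window is the figure from the report, and the in-memory store, secret and timestamps are constructed for the demo.

```python
"""Pseudonymous IP logging with a fixed retention window (added example).

Assumptions not taken from the report: a keyed hash (HMAC-SHA256 with a
server-held secret) is used instead of a plain digest, and retention is
enforced by a purge routine meant to be invoked from a scheduled job.
"""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # retention window stated in the report


def pseudonymize_ip(ip: str, secret: bytes) -> str:
    """Return a hex HMAC-SHA256 of the canonical IP under a server secret.

    A plain, unkeyed hash of an IPv4 address is reversible by hashing all
    2**32 candidates and comparing, so a secret key is what makes the
    stored value non-reversible for anyone who does not hold the key.
    """
    canonical = str(ipaddress.ip_address(ip))  # normalises e.g. "2001:0db8::1" -> "2001:db8::1"
    return hmac.new(secret, canonical.encode("ascii"), hashlib.sha256).hexdigest()


def record_request(store: list, ip: str, secret: bytes, now: datetime) -> dict:
    """Append a log row that holds only the pseudonym and a timestamp, never the raw IP."""
    row = {"ip_hash": pseudonymize_ip(ip, secret), "seen_at": now}
    store.append(row)
    return row


def purge_expired(store: list, now: datetime, days: int = RETENTION_DAYS) -> int:
    """Drop rows older than the retention window and return how many were removed.

    This is the routine a scheduled job (cron, a database job, etc.) would call;
    rows exactly at the cutoff are kept, everything older is deleted.
    """
    cutoff = now - timedelta(days=days)
    before = len(store)
    store[:] = [row for row in store if row["seen_at"] >= cutoff]
    return before - len(store)


def demo():
    """Constructed walk-through: three requests, one older than 90 days, then a purge."""
    secret = b"constructed-demo-secret-do-not-reuse"  # constructed; load from a secret manager in practice
    store = []
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    # Constructed sample traffic using documentation-reserved addresses.
    record_request(store, "203.0.113.7", secret, now - timedelta(days=120))  # expired
    record_request(store, "203.0.113.7", secret, now - timedelta(days=10))   # retained
    record_request(store, "2001:db8::1", secret, now - timedelta(days=1))    # retained
    removed = purge_expired(store, now)
    return removed, len(store)  # -> (1, 2)


if __name__ == "__main__":
    print(demo())
```

Rotating the secret on a schedule limits how long the pseudonyms stay linkable across rows, at the cost of losing continuity for rate-limiting across the rotation boundary; whichever choice is made, the secret belongs in the same trust boundary as the API keys the report says are isolated server-side.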
We will update this s