Privacy

What we keep, why, and for how long.

What we collect

  • Account info: email address, optional name for the e-signature, billing details handled by Stripe.
  • Case data: destination URLs, the platform you are reporting to, the text of your good-faith statement, and a hash of your e-signature with timestamp.
  • Perceptual hashes: a numeric fingerprint of the imagery, computed in your browser. The image bytes are never uploaded.
  • Compliance evidence: HTTP responses we receive while polling the destination URL during the 48-hour window. Optional headless screenshots, redacted.

What we never collect

  • The imagery itself. There is no upload path that accepts image bytes.
  • Your social security number, date of birth, or government ID.
  • Information about anyone other than you (we are a courier for your notice only).

How long we keep it

Cases default to 12-month retention, after which they are permanently deleted. You can opt to retain individual cases as litigation evidence (encrypted at rest, indefinite retention until you delete). You can delete your account at any time, which removes all case data within 30 days.

Who we share it with

The platform you are reporting to, by definition, receives your notice. Stripe processes your billing. We use Resend (or equivalent) for email delivery. We do not sell data, we do not run advertising, and we do not share data with marketing tools.

We use Vercel Web Analytics for anonymous interaction telemetry — pageviews and a small set of named events (button clicks, wizard step completions, purchase confirmations). No cookies, no IP storage, no fingerprinting, and no personal identifiers are sent. This tells us where users come from and where the funnel leaks, without identifying anyone.

Security

Encryption at rest, TLS in transit. Sensitive columns (your contact email used in the notice, your e-signature) are application-encrypted. Access is limited to a small set of on-call staff. We will publish post-incident reports to the transparency dashboard.

Your rights

Access, correction, and deletion at any time from your account page. California (CCPA), EU/UK (GDPR equivalent), and other state privacy regimes apply where relevant. Contact privacy@freetakeitdown.com.