This Privacy Policy explains how Hushfolk collects, uses, and shares personal data, and how you exercise your rights under the EU / UK General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”). Hushfolk is the controller for personal data collected through hushfolk.com and the Command Centre dashboard. Contact our Data Protection Officer at privacy@hushfolk.com for any question or rights request.
1. What we collect
- Account identifiers: the email address you sign in with, plus a Hushfolk-issued user ID. Stored on Supabase (profiles.email, profiles.id).
- Identity vectors: the additional emails, phone numbers, and handles you register. Stored in RLS-protected identity_vectors rows; email breach details require per-inbox verification before unlock.
- Optional onboarding PII: legal name, secondary emails, and social handles you submit during the briefing step. These columns (profiles.pii_legal_name, profiles.pii_emails, profiles.pii_socials) are encrypted client-side with AES-256-GCM before transmission.
- Pre-auth scan targets: the email or handle you enter on the homepage scanner. Cached briefly in pending_scans so the funnel can carry the result into your Command Centre on first login. Deleted on profile hydration or after 30 days, whichever comes first.
- Takedown intake (V1 concierge — see §5b): your full legal name and postal address, transmitted transiently to our privacy operator’s secure inbox. Not persisted on the takedown_requests table — only the broker name, status, and exposure evidence are retained server-side.
- Billing data: Stripe customer ID and subscription state. We do not store card numbers; Stripe is the controller for payment-card data (PCI-DSS responsibility lives with them).
- Scan output: breach alerts (Ghost engine), takedown history (Janitor engine), and your aggregate integrity score.
- Logs and diagnostics: request timestamps, error fingerprints, and rate-limit bucket counters. PII is scrubbed by our redaction layer before any line reaches Sentry — see §4.
- Marketing leads: if you submit your email to a free OSINT scan or a Vanguard waitlist CTA without creating an account, we store that email in marketing_prospects or interest_leads respectively.
2. Why we process it (lawful bases)
We rely on the GDPR Article 6 bases shown below, per processing activity. Where we rely on legitimate interest (Art. 6(1)(f)) we have documented a balancing test that we will share on request.
- Account creation & authentication. Art. 6(1)(b) (contract performance). We need your email to issue one-time clearance codes and to bind your operator profile.
- Breach surveillance (Ghost). Art. 6(1)(b) (contract) for paid tiers; Art. 6(1)(f) (legitimate interest in alerting you to breaches affecting accounts you registered with us) for free tiers.
- Takedown filing (Janitor concierge). Art. 6(1)(b) (contract — you instruct us to dispatch the GDPR / CCPA letter on your behalf).
- Payment processing. Art. 6(1)(b) (contract) and Art. 6(1)(c) (legal obligation — VAT & tax records).
- Transactional email (welcome, breach alerts, takedown status, account erase OTP, account erased). Art. 6(1)(b) (contract — these emails are part of the service you are paying for).
- Marketing & lead capture. Art. 6(1)(a) (consent). Withdrawable at any time at /dashboard/settings.
- Security, abuse prevention, rate limiting. Art. 6(1)(f) (legitimate interest in service integrity).
3. Who we share it with (subprocessors)
We do not sell or rent personal data. We share only what is necessary with the subprocessors below. Each is bound by a Data Processing Agreement; transfers outside the EU / UK rely on Standard Contractual Clauses plus supplementary measures (see §7).
- Supabase — primary database, authentication, storage. Region: EU (Frankfurt) primary, US (Oregon) failover.
- Stripe — payment processing, subscription lifecycle, billing portal. Region: US (with EU representative).
- Resend — transactional email delivery (welcome, breach alerts, takedown notifications, account erase). Region: US.
- Vercel — application hosting. Region: US (with EU edge presence).
- Upstash Redis — rate-limit bucketing on OTP and mutation endpoints. Region: US.
- Inngest — background-job orchestration (scheduled rescans, scan retries). Region: US.
- Have I Been Pwned (HIBP) — breach-corpus lookups for your registered email vectors (see §5c). Region: UK.
- Sentry — error monitoring with PII scrubbing enforced at the SDK layer. Region: US.
- Hushfolk privacy operator inbox — receives the plaintext takedown intake described in §5b. Region: EU (operator-controlled mailbox).
- Named data brokers — when you request a takedown, the operator dispatches the erasure letter to the named broker. Jurisdiction varies by broker; the broker name is logged on the takedown_requests row.
4. How we secure it
- PII columns (pii_legal_name, pii_emails, pii_socials) are encrypted client-side with AES-256-GCM before upload.
- Every Supabase table has Row Level Security enabled with default-deny; cross-operator reads are blocked at the database layer, not just the application layer.
- The Stripe webhook handler is the only writer to billing columns and verifies every signature in constant time.
- Sentry events pass through a redaction layer that strips emails, tokens, Stripe IDs, and OTP codes before transmission.
- OTP rate-limit buckets are held in Upstash Redis keyed by IP and email; exceeded buckets return a generic error so we don’t confirm whether an email is registered.
- Transactional emails contain no open-tracking pixels and no click-tracking redirects.
5. Engine-specific disclosures
5a. Ghost engine — breach surveillance
For each email or phone vector you register, the Ghost engine periodically queries our breach-data partners (HIBP, LeakCheck, XposedOrNot) and writes any matches to breach_alerts on your account. Only the vector value is sent to the partner; we never share your account email, name, or address with them. Findings are retained until you acknowledge them in the dashboard, plus 90 days for audit.
5b. Janitor engine — V1 concierge takedown contract
The wording in this paragraph is load-bearing for your informed consent. Read it carefully.
For V1, when you submit a takedown request, your full legal name and postal address are sent to our privacy team’s secure inbox so a human operator can draft and dispatch the GDPR / CCPA letter on your behalf. The address is purged from the inbox after dispatch. We do not retain a copy in our database. In V1.5 (Q3 2026) we will replace this with Evervault Dual Custody Tokenisation so even our operators never see plaintext.
The Janitor engine is not automated in V1. Every takedown is drafted and sent by a human privacy operator. Operator on-call SLA: takedown dispatch within 24 hours of submission. If a broker fails to respond within the GDPR-mandated 30 days, the request is escalated to the HOSTILE state and you are notified by email; the operator then triggers the legal escalation path.
5c. HIBP integration disclosure
The Have I Been Pwned breach corpus is queried with your registered email vectors only. HIBP is a UK-based data controller for the breach corpus itself. We send only the vector value (a SHA-1 prefix in the passwords API; the raw email for the breaches API). HIBP’s own privacy notice applies to that interaction.
6. How long we keep it (retention)
- Operator profile (profiles): for as long as the account is active. After an erasure request: 30-day grace window, then the row and all child rows are deleted.
- Identity vectors (identity_vectors): deleted with the parent profile, or earlier if you remove the vector via the Shield Armoury.
- Breach alerts (breach_alerts): until you acknowledge them in the dashboard, plus 90 days for audit.
- Takedown requests (takedown_requests): retained until status reaches NEUTRALISED, plus a 12-month audit window. Customer name and postal address are never persisted on this table — see §5b.
- Pending scans (pending_scans): deleted on profile hydration or after 30 days, whichever comes first.
- Checkout intents (checkout_intents): 90 days for abandoned-cart retargeting, then deleted.
- Marketing prospects (marketing_prospects): 24 months unless you opt out earlier via the unsubscribe link in any marketing email.
- Interest leads / Vanguard waitlist (interest_leads): retained until the corresponding feature ships (V2 launch), then contacted once and deleted.
- Logs & Sentry events: 30 days (Sentry) and 90 days (Supabase audit trail).
7. International transfers
Several subprocessors listed in §3 are based in the United States. Transfers from the EU / UK to the US rely on the European Commission’s Standard Contractual Clauses (2021/914/EU) plus supplementary measures (encryption-in-transit, encryption-at-rest, and the PII-encryption controls described in §4). A copy of the SCCs is available on request from privacy@hushfolk.com.
8. Your rights
8a. GDPR (EU / UK residents)
- Art. 15 — Right of access. Download a JSON copy of every row associated with your account from /dashboard/settings (“Export my data”).
- Art. 16 — Right to rectification. Most fields are editable directly in the Command Centre; for fields you cannot edit, file a request at /data-request.
- Art. 17 — Right to erasure. Trigger the self-service flow at /dashboard/settings (“Erase my account”). You will receive an OTP to your registered email; once confirmed, all rows are purged after a 30-day grace window.
- Art. 18 — Right to restrict processing. Email privacy@hushfolk.com.
- Art. 20 — Right to data portability. The export in Art. 15 is delivered in a machine-readable JSON format.
- Art. 21 — Right to object. For processing based on legitimate interest (§2). Email us; we honour the request unless we can show compelling legitimate grounds.
- Right to lodge a complaint with your national supervisory authority (e.g. the UK ICO, the Irish DPC).
8b. CCPA (California residents)
- §1798.100 — Right to know. Use the same export tool linked in Art. 15 above.
- §1798.105 — Right to delete. Use the same erasure flow linked in Art. 17 above; the 30-day grace window applies and the request is honoured within 45 days of verification.
- §1798.120 — Right to opt out of sale. Hushfolk does not sell personal information. There is nothing to opt out of.
- §1798.125 — Non-discrimination. We do not deny service, charge different prices, or downgrade quality because you exercised a CCPA right.
9. Cookies
Hushfolk uses strictly-necessary cookies only — no third-party analytics, advertising, or marketing cookies at launch. Specifically:
- auth-token / sb-*-auth-token — Supabase session cookies, required to keep you logged in. Lifetime: 60 minutes (access) / 7 days (refresh).
- __hushfolk_consent — your cookie-banner consent state. Lifetime: 12 months. Cleared from the “Cookies” footer link.
10. Children
Hushfolk is not directed at children under 18. We do not knowingly collect personal data from anyone under 18; if you believe we have, contact privacy@hushfolk.com and we will delete it.
11. Changes to this policy
Material changes are announced by email to active operators at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.
12. Contact
Data Protection Officer: privacy@hushfolk.com. General legal: legal@hushfolk.com.