Privacy Policy
Last Updated: March 11, 2026
APFCompliant (APFC, "we," "us," or "our") provides independent website compliance assessment and remediation services. We take privacy seriously — particularly because privacy compliance is our business. This policy explains what information we collect, how we use it, and your rights.
1. Information We Collect
We collect only what you provide directly when you contact us:
- Business name and website URL — to assess your compliance needs
- Your name and email address — to respond to your inquiry
- Phone number — optional, if you provide it
- Service interests and notes — to understand the scope of your request
We also collect your IP address solely for security and rate-limiting purposes (to prevent abuse of our contact form).
Compliance Assessment & Intake
When you submit a compliance assessment request or compliance help intake form, we collect:
- Business name, website URL, and contact information
- Name of the sender of any compliance notice (if applicable)
- Response deadline and statutes cited (CIPA, ADA/Unruh, VPPA)
- Your representative's name and email (if provided)
- Resolution service preference
- Any files you upload, such as compliance notices or supporting documentation (stored via Vercel Blob)
- Your IP address for abuse prevention and rate limiting
Payment Information
When you purchase remediation, resolution, or monitoring services, your payment is processed by Stripe, a PCI-compliant third-party payment processor. APFCompliant does not collect, store, or have access to your credit card number, debit card number, or full payment card details. We receive and store only: your name, email address, and order details (service purchased, amount, date). Stripe's privacy policy governs how they handle your payment data.
Resolution Services
If you engage our Full Resolution services, we process additional information in the course of facilitating compliance mediation. This includes: your signed Limited Authorization for Compliance Communication (LACC), correspondence records, settlement documentation, and Public Remediation Notice content. All communications are sent from team@apfcompliant.com and documented in our internal case management system.
Compliance Monitoring
If you subscribe to our Compliance Monitoring service, we conduct automated daily scans of your website (up to 10 pages) to monitor ongoing compliance status. Scan results, compliance grades, and change history are stored in our database and made available to you via your dashboard. Monitoring data is retained for the duration of your subscription plus 90 days after cancellation.
2. What We Do NOT Collect
We do not use tracking pixels, third-party analytics, advertising cookies, or any form of behavioral tracking on this website. Zero. Specifically:
- No Google Analytics or similar analytics services
- No Meta Pixel, TikTok Pixel, or advertising trackers
- No heatmapping or session recording tools
- No third-party marketing cookies
- No fingerprinting or cross-site tracking
3. Cookies
We use only essential cookies required for site functionality (session management for our secure admin area). We do not set marketing cookies, analytics cookies, or any third-party cookies on visitors to the public-facing website. If you make a purchase via Stripe Checkout, Stripe may set its own cookies during the payment process. These cookies are governed by Stripe's cookie policy.
4. How We Use Your Information
Your information is used solely to respond to your compliance inquiry and provide the services you requested:
- To review your website and prepare a compliance quote
- To contact you with our findings and recommendations
- To deliver the compliance remediation services you engage
We do not use your information for marketing, advertising, profiling, or any purpose unrelated to your compliance inquiry.
5. Information Sharing
We do not sell, rent, or share your personal information with third parties. Period.
- Service providers: We use Neon (encrypted database hosting) and Resend (transactional email) solely for operating this service. These providers process data only as needed to deliver the service.
- Stripe (PCI-compliant payment processing) processes payment transactions only. APFCompliant does not receive or store your payment card details.
- Resolution communications: If you authorize us via a signed LACC to act as a communications intermediary, we will share factual compliance documentation (assessment results, remediation reports, compliance certificates) with the relevant parties. We will not share your payment information, personal financial data, or any information beyond what is specified in the LACC.
- No data brokers: We do not share data with advertising networks, data brokers, or analytics companies.
- Legal requirements: We may disclose information if required by law, but we will notify you to the extent permitted.
6. Data Storage and Security
Your data is stored in encrypted databases hosted in the United States (Neon Postgres). All data is transmitted over HTTPS with TLS encryption. We retain contact form submissions for 2 years from the date of submission, after which they are deleted. Order records and payment metadata (excluding card numbers) are retained for 7 years for accounting and tax compliance purposes. Monitoring data is retained for the duration of your subscription plus 90 days. Uploaded files (compliance notices, documentation) are stored in encrypted cloud storage (Vercel Blob) and retained until the associated case is resolved, after which they may be deleted upon request.
7. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You can request what personal information we have collected about you
- Right to Delete: You can request deletion of your personal information
- Right to Correct: You can request correction of inaccurate personal information
- Right to Opt-Out of Sale: We do not sell your personal information. We never have and never will.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
To exercise any of these rights, email team@apfcompliant.com. We will verify your identity and respond within 45 days as required by law.
In the past 12 months, we have not sold any personal information, shared personal information for cross-context behavioral advertising, or disclosed personal information for a business purpose beyond what is described in this policy.
8. Do Not Track
Our website does not use tracking technologies, so there is no tracking to opt out of. We honor Do Not Track browser signals by default — because we don't track you in the first place.
9. Children's Privacy
Our services are designed for businesses, not individuals under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13, we will delete it immediately. If you believe a child has provided us with personal information, please contact us at team@apfcompliant.com.
10. International Users
Our services are based in the United States and intended for U.S. businesses. If you access our site from outside the United States, your information will be transferred to and processed in the United States.
11. Your Rights
You have the right to:
- Access the personal information we hold about you
- Delete your data at any time
- Correct inaccurate information
To exercise any of these rights, email us at team@apfcompliant.com. We will respond within 30 days.
12. Changes to This Policy
We may update this policy as our services evolve. When we make material changes, we will update the "Last Updated" date at the top of this page. Continued use of the site after changes constitutes acceptance of the updated policy.
13. Contact
For privacy-related questions, requests, or concerns, contact us at team@apfcompliant.com. We take all privacy inquiries seriously and will respond promptly.