Plain-English summary
We collect what we need to run a check and bill you. We auto-delete reports after 30 days. We don't sell your data. We never tell the person you check. We are not a consumer reporting agency, and our reports cannot be used for employment, housing, insurance, or credit decisions.
This Privacy Policy explains what data Greenflagged collects, how we use it, how long we keep it, and your choices about it. By using Greenflagged, you agree to the practices described here.
What we collect
Information you give us directly
- Account data: your email, name, and password (stored as a salted hash by our auth provider, Clerk).
- Payment data: billing address and payment method, processed and stored by Stripe. We don't see or store your card number.
- Search inputs: the name, location, phone number, email, social handle, or photo you provide to run a check.
- Communications: any messages you send to our support email or replies you make to our transactional emails.
Information we collect about subjects of your check
To run a check, we look up information about the person you ask us to check, drawn exclusively from public sources:
- Public court records (state and federal, last 7 years)
- Public sex offender registries (national)
- Public social profiles on platforms where the subject has chosen to be public (Instagram, TikTok, LinkedIn)
- Phone carrier validation via Twilio Lookup (carrier name, line type — never the contents of any calls or texts)
- Reverse image search results (where a photo appears on public web pages)
We do not perform face recognition. We do not subscribe to private data brokers. We do not access protected data sources, paid records databases, or anything that requires a regulated permissible purpose.
Information collected automatically
- Usage data: pages viewed, links clicked, errors encountered. We use this to fix bugs and improve the product.
- Device data: browser type, operating system, IP address (for security and abuse prevention). IP addresses are retained for 30 days unless tied to a security investigation.
- Cookies: we use a small number of essential cookies for authentication and session management, plus a privacy-respecting analytics cookie set by PostHog. We do not use third-party advertising cookies.
How we use it
We use the data we collect for the following purposes:
- To run the check you requested. Your search inputs are used to look up the subject and generate a report.
- To deliver the report to you. We email you the report and store it in your account for 30 days.
- To process payment. We send your billing details to Stripe to charge you for the check or your subscription.
- To support and improve the product. We use anonymized usage data to fix bugs, prioritize features, and improve the report's accuracy.
- To prevent abuse. We may use IP addresses, device fingerprints, and behavioral patterns to detect and block fraudulent activity.
- To comply with the law. We may disclose data when required by valid legal process. We will not disclose any data outside that legal obligation.
What we do NOT do with your data:
- We do not sell your data, ever, to anyone.
- We do not share your search inputs or reports with advertisers.
- We do not build profiles of users to retarget you elsewhere.
- We do not use your data to train machine-learning models, ours or anyone else's.
How long we keep it
Different data has different retention windows:
- Reports: auto-deleted 30 days after the check completes, including any backup copies. We can't recover a report after 30 days, including for you.
- Search inputs (the queries that generated reports): deleted alongside the report, after 30 days.
- Account data (email, password hash, profile): kept for as long as your account is active. Deleted within 24 hours of you deleting your account.
- Billing records: retained for 7 years to comply with tax and accounting requirements. Stripe stores payment-method data per its own retention rules.
- IP and device logs: 30 days, unless tied to an active security investigation.
- Communications with our support team: 2 years.
Who we share it with
We share data with a small set of vendors who help us run the service. Each is bound by a Data Processing Agreement that limits what they can do with your data.
- Stripe (payment processing) — stripe.com/privacy
- Clerk (authentication and user accounts) — clerk.com/privacy
- Vercel (web hosting) — vercel.com/legal/privacy-policy
- Resend (transactional email delivery) — resend.com/legal/privacy-policy
- PostHog (privacy-respecting product analytics) — posthog.com/privacy
- Twilio (phone carrier validation) — twilio.com/legal/privacy
- Neon (managed Postgres database) — neon.tech/privacy-policy
- Enformion (identity records aggregation) — enformiongo.com/privacy-policy
- IPQualityScore (email reputation scoring) — ipqualityscore.com/privacy-policy
We do not share data with any other third parties for any other purpose. We do not work with advertising networks, data brokers, or third-party analytics that build cross-site profiles.
Your rights
You can:
- Access your data. View your account data and any active (within 30 days) reports in your account settings.
- Export your data. Download a JSON archive of your account data and any active reports from your account settings.
- Correct your data. Update your email, password, or billing details in your account settings.
- Delete your account. Delete your account and all associated data from your account settings. We honor deletion requests within 24 hours.
- Opt out of non-essential analytics. Disable PostHog analytics from your account settings (essential cookies for authentication remain).
If you live in California, the EU, or another jurisdiction with specific privacy laws, you have the following rights regardless of where Greenflagged is operated:
- Right to know: request what data we hold about you and how we use it.
- Right to access: receive a copy of your data in a portable, machine-readable format.
- Right to correct: ask us to fix inaccurate data we hold about you.
- Right to delete: request deletion of your account and all associated data.
- Right to opt out of "sale" or "sharing": we don't sell your data and we don't share it with third parties for advertising. This protection applies automatically to every Greenflagged user.
- Right to non-discrimination: we will not deny service, charge you more, or provide a different level of quality for exercising any of these rights.
To exercise any of these rights, email getgreenflagged@gmail.com with your request. We respond to verified requests within 30 days. If we need to verify your identity (to protect your data from someone impersonating you), we'll only ask for the minimum information needed.
The people you check
When you ask Greenflagged to look someone up, we look at information about that person that is already public. We do this without notifying them. Our reasoning:
- The information was already public. We aggregate what was already accessible to anyone.
- The 30-day TTL prevents Greenflagged from becoming a permanent surveillance dossier.
- We never share who searched whom with the subject of a check, or with anyone else.
If you are a person who believes you have been the subject of a Greenflagged check, you can email us at getgreenflagged@gmail.com to ask whether any reports referencing you currently exist within the 30-day retention window. We will:
- Search our records and confirm within 5 business days whether any active reports about you exist.
- Tell you what categories of public data the report drew on (e.g. court records, social profiles, public photos).
- Delete any active report about you on request, immediately, regardless of who paid to run it.
We will not disclose who searched for you. That information is protected to keep our users safe. After 30 days from the original check, all data about it is gone — including from our backups — so we can't help you with checks older than that window.
Security
We protect your data with industry-standard measures:
- All connections use HTTPS / TLS in transit.
- All data at rest is encrypted with provider-managed keys (Postgres, Stripe, Clerk).
- Production access requires SSO + hardware-key MFA.
- No raw payment card data ever touches our servers; Stripe handles all card data.
- Passwords are stored as salted hashes by Clerk; we never see plaintext passwords.
No system is perfectly secure. If you discover a vulnerability, please email getgreenflagged@gmail.com with the subject line "Security" and we will respond within 72 hours.
Children's privacy
Greenflagged is intended for users 18 years of age or older. We do not knowingly collect data from anyone under 18. If you believe a child under 18 has created an account, please email us at getgreenflagged@gmail.com and we will delete the account.
Changes to this policy
We may update this Privacy Policy as Greenflagged evolves. When we do, we will:
- Update the "Last updated" date at the top of this page.
- Email all active users a summary of material changes at least 14 days before the change takes effect.
- Maintain a public changelog of past versions linked from the footer.
Continued use of Greenflagged after a change means you accept the updated policy.
How to contact us
For questions about this Privacy Policy, your data, or anything else:
- Email: getgreenflagged@gmail.com
All correspondence is handled by email. We aim to respond to all privacy-related inquiries within 5 business days.