Privacy Policy

Effective: May 17, 2026

1. About This Policy

1.1 Who we are

The Political Transparency Project ("PTP," "we," "us," "our") is operated by PolTraPro LLC, an Arizona limited liability company. Its principal mailing address and service-of-process address are available on written request via PolTraPro@proton.me.

| Contact type | How to reach us |
|---|---|
| General inquiries | PolTraPro@proton.me |
| Privacy requests / rights exercise | PolTraPro@proton.me |
| Data Protection Officer (if required) | PolTraPro@proton.me |
| Mailing address | Available on written request via PolTraPro@proton.me |

1.2 What this Policy covers

This Privacy Policy describes the personal information PTP collects, uses, and shares in connection with:

  • The PTP public website at poltrapro.com and its subdomains (the "Site");
  • The PTP Commercial API at api.poltrapro.com and *.poltrapro.com/api/v1/* (the "API");
  • Email communications, including newsletter digests, watchlist alerts, and account notifications;
  • The developer waitlist and (when launched) developer portal at poltrapro.com/developers and poltrapro.com/portal.

This Policy does not cover:

  • Personal information about politicians, candidates, contributors, lobbyists, and other persons engaged in public political activity, displayed on the Site as primary-source political data. That information is governed by § 4 (below) and by the news/publication exception to 52 U.S.C. § 30111(a)(4) recognized by 11 C.F.R. § 104.15.
  • Third-party websites or services that link to or from the Site or API. Their privacy practices are their own.

1.3 Effective date and changes

This Policy is effective on the date above. Material changes will be posted to this page with a revised "Last revised" date and communicated by email to subscribers at least 30 days before they take effect, except where applicable law requires shorter notice (e.g., security incidents). Continued use of the Site or API after the effective date of a change constitutes acceptance.


2. Information We Collect — Information You Provide Directly

2.1 Email subscription

When you submit your email address via the footer newsletter signup, an in-product subscription form, or any equivalent input on the Site, we collect:

  • Your email address
  • The timestamp of your subscription
  • The source of the subscription (which page or form you used)
  • Your subscription preferences (categories, frequency, candidates of interest if you set them)

2.2 Watchlist

When you create a watchlist, we collect:

  • Your email address (used as the watchlist identifier)
  • The candidates, committees, or topics you choose to follow
  • Notification frequency and channel preferences
  • The timestamps of watchlist creation, modification, and deletion

2.3 Developer waitlist / API account

When you join the developer waitlist or (when active) create an API account:

  • Your name
  • Your email address
  • Your organization (optional, free-text)
  • Your intended use case (free-text)
  • Your country of operation (for export-control screening)
  • For paid tiers: billing information processed by our payment processor (we do not store full card numbers; see § 6.1)

2.4 Communications with us

If you contact us via email, a contact form, or any equivalent channel:

  • The contents of your message
  • Your email address
  • Any identifying information you choose to include

2.5 Survey or research participation

If you voluntarily participate in any user research, survey, or interview we offer:

  • Your responses
  • Any identifying information you provide
  • (Optional) recording of the session if you consent in advance

2.6 Public submissions

We do not currently host user-generated content, comments, or forums on the Site. If we add these in the future, this Policy will be updated and any user-generated content will be governed by a separate Community Policy.


3. Information We Collect Automatically

3.1 Server logs

Our servers automatically log each request to the Site and API:

| Data field | Retention | Purpose |
|---|---|---|
| IP address | 30 days | Security, abuse detection, rate-limit enforcement, fraud investigation |
| User agent (browser/device) | 30 days | Debugging, compatibility |
| Requested URL | 30 days | Service operation, abuse detection |
| Referring URL | 30 days | Analytics, attribution |
| Timestamp | 30 days | All of the above |
| HTTP response status | 30 days | Debugging |

Logs are not used to track individual users across the Site or to build advertising profiles.

3.2 Analytics

We use Vercel Analytics (or an equivalent privacy-respecting analytics provider) to collect aggregate usage data such as page views, referrers, browsers, and device types. This service is configured to:

  • Not use third-party cookies
  • Not assign persistent visitor identifiers
  • Not collect IP addresses in identifiable form
  • Not enable cross-site tracking

If you enable the Global Privacy Control (see § 11) or use a privacy-protective browser (e.g., Brave, Firefox with strict protection), we honor that as an opt-out of analytics where the provider supports the signal.

3.3 Cookies and similar technologies

We use a minimal set of cookies and similar technologies for essential Site function:

| Category | Examples | Purpose | Consent required? |
|---|---|---|---|
| Strictly necessary | session cookie for /admin and /portal, CSRF token | Authentication, security | No (essential) |
| Functional | preference cookies (theme, dismissed banners) | Remembering your in-product choices | No (no tracking) |
| Analytics | first-party Vercel Analytics | Aggregate usage | Where required by law, yes |

We do not use:

  • Third-party advertising cookies
  • Cross-site tracking cookies
  • Pixel tags from social networks
  • Fingerprinting techniques
  • Session-replay tools

If you reject non-essential cookies (via your browser settings, a Site cookie banner if deployed, or the Global Privacy Control), we will respect that choice. Some Site functionality may be limited if strictly necessary cookies are also blocked.

3.4 Information we do NOT collect

We do not knowingly collect:

  • Information from children under 13 years of age (see § 13 — COPPA)
  • Precise geolocation (we do not request browser geolocation)
  • Biometric identifiers
  • Government-issued ID numbers
  • Health, medical, or genetic information
  • Financial account numbers (we use a third-party payment processor for paid API tiers — see § 6.1)
  • Special Category data under GDPR (race, ethnicity, religion, sexual orientation, etc.) about Site users
  • Sensitive personal information as defined under California Civil Code § 1798.140(ae), other than as inherent in the email-based newsletter subscription

If you inadvertently send us any of the above, please email PolTraPro@proton.me and we will delete it.


4. Information About Political Figures, Candidates, Contributors, and Committees

The Site displays detailed information about persons engaged in public political activity, including:

  • Candidates for federal, state, and local public office;
  • Elected officials and their voting records;
  • Persons making campaign contributions disclosed under federal or state campaign finance laws (typically those who contribute $200 or more to a federal committee, or analogous thresholds to state committees);
  • Members of Congress and their disclosed financial transactions under the STOCK Act;
  • Political committees, super PACs, 501(c)(4) organizations engaged in political activity, and lobbying-registered firms and clients;
  • Federal lobbyists registered under the Lobbying Disclosure Act.

4.1 Source of this information

This information is drawn from primary public records, including:

| Primary source | Coverage |
|---|---|
| Federal Election Commission (FEC) | Campaign finance, committee filings, individual contributions $200+ |
| Congress.gov | Bill text, votes, member biographies, sponsorships |
| U.S. House Clerk | Member financial disclosures, PTR filings, lobbying disclosures |
| U.S. Senate Office of Public Records | Lobbying disclosures, financial disclosures |
| Office of Public Records (Senate) — Electronic Filing Disclosure | PTR filings (Senate) |
| State election agencies | State-level campaign finance, candidate filings |
| OPM and government agency pages | Federal employment, executive appointments |
| Polymarket public API | Election prediction-market odds |

PTP displays this information in reliance on:

  • Federal Election Campaign Act news/publication exception, 11 C.F.R. § 104.15(b): use of information from FEC reports in "newspapers, magazines, books, or other similar communications" is permitted where the principal purpose is informational, not solicitation or commercial. The Second Circuit in FEC v. Political Contributions Data, Inc., 943 F.2d 190 (2d Cir. 1991), construed "other similar communications" to include database publications.
  • First Amendment protection for the publication of truthful information about matters of public concern, see Smith v. Daily Mail, 443 U.S. 97 (1979); Bartnicki v. Vopper, 532 U.S. 514 (2001).
  • Fair report privilege, recognized in most U.S. jurisdictions, immunizing accurate reports of official government proceedings and records from defamation liability.
  • State-law equivalents, including state-level news/publication exceptions where applicable.

PTP does not use this information to solicit political contributions, conduct commercial donor prospecting, or for any purpose that would violate 52 U.S.C. § 30111(a)(4), analogous state laws, or PTP's editorial standards.

4.3 Not "consumer personal information" under state comprehensive privacy laws

PTP's position is that information about political figures published in the exercise of the Site's editorial function is not "personal information" or "personal data" within the meaning of state comprehensive consumer privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA, ICDPA, TIPA, DPDPA, NJDPA, NHPA, NDPA, MCDPA-MN, MODPA, ICDPA-IN, KCDPA, RIDTPPA, FDBR, and others) as those laws apply to the consumer-business relationship. This position rests on:

  • The "publicly available information" exclusion from "personal information" in CCPA Cal. Civ. Code § 1798.140(v)(2) and analogous exclusions in other state laws (most state comprehensive privacy laws exclude information lawfully obtained from federal, state, or local government records);
  • The editorial/publication purpose of the display, which falls outside the consumer-business transactions those laws regulate;
  • The categorical First Amendment protection of editorial publication of truthful information about public figures and matters of public concern.

Fallback position. If counsel or a regulator concludes that any of the laws above applies to a portion of PTP's politician-related data, PTP will, as a matter of practice rather than legal concession:

  • Honor reasonable access, correction, and deletion requests from any individual whose information appears on the Site, to the extent compatible with the Site's editorial integrity and the First Amendment;
  • Maintain a notice and takedown process consistent with the editorial corrections process described in PTP's Editorial Standards & Methodology Statement;
  • Not sell or share politician/donor data within the meaning of any applicable state law.

4.4 Donor and contributor data — specific note

We display individual contributor names, employer/occupation, contribution amounts, and contribution dates as published in FEC and state campaign finance filings. We do not display home addresses, telephone numbers, or other identifiers that would not appear on a publicly filed disclosure form.

Use of this information for solicitation of contributions, commercial donor prospecting, or any commercial purpose is prohibited by the Site Terms of Service § 4.4 and the Commercial API Acceptable Use Policy § 3. Violation of those provisions may result in suspension of access and is independently prohibited by federal and state law (52 U.S.C. § 30111(a)(4); analogous statutes in Hawaii, Kansas, Maine, Michigan, Minnesota, Pennsylvania, Wisconsin, and other states with state-level prohibitions).


5. How We Use Personal Information

5.1 Operational uses (Site and API)

  • Operate, maintain, monitor, and improve the Site and API
  • Provide watchlist alerts, newsletter emails, and other notifications you have requested
  • Provide and bill paid API tiers
  • Issue, rotate, suspend, or revoke API keys
  • Enforce rate limits and detect abuse
  • Send transactional emails about your subscription or account
  • Respond to inquiries, support requests, and feedback
  • Aggregate usage data for capacity planning and product improvement (non-identifiable form)

5.2 Security and fraud prevention

  • Detect, investigate, and prevent abuse, fraud, security incidents, and violations of our Terms of Service, API Terms of Service, or Acceptable Use Policy
  • Investigate and respond to denial-of-service traffic, automated scraping, credential stuffing, and similar threats
  • Audit administrative actions for security purposes
  • Comply with subpoenas, court orders, regulatory requests, and other valid legal process
  • Comply with the Children's Online Privacy Protection Act (COPPA), CAN-SPAM, the Telephone Consumer Protection Act (TCPA), federal export-control laws, and applicable state laws
  • Enforce our Terms of Service, API Terms of Service, Acceptable Use Policy, and other agreements
  • Protect rights, property, or safety of PTP, our users, or any third party

5.4 What we do NOT do

We do not:

  • Sell your personal information to any third party
  • "Share" your personal information for cross-context behavioral advertising as defined under CCPA/CPRA, VCDPA, CPA, or similar laws
  • Engage in profiling that produces legal or similarly significant effects about you
  • Use your personal information to train artificial intelligence models, whether generative or otherwise
  • Disclose your personal information to data brokers, marketing intermediaries, or advertising networks
  • Use your personal information to identify your physical location beyond IP-level approximation for security
  • Combine your Site or API personal information with publicly available political data to identify you as a political donor, voter, or activist, unless you have explicitly identified yourself in that capacity

5.5 Anonymization and aggregation

We may anonymize or aggregate personal information so that it can no longer be reasonably associated with you, and use such anonymized or aggregated information for any lawful purpose. Anonymized and aggregated data is not subject to this Privacy Policy.


6. How We Share Information

6.1 Service providers (subprocessors)

We share personal information with vendors that process information on our behalf, subject to contractual restrictions limiting their use of your information to providing services to us:

| Subprocessor | Service | Personal information processed | Location | Privacy posture |
|---|---|---|---|---|
| Vercel, Inc. | Hosting, edge functions, CDN, Vercel Analytics | IP addresses, request logs, aggregate analytics | United States | [vercel.com/legal/privacy-policy] |
| Supabase, Inc. | Managed Postgres database | All personal information stored at rest | United States (AWS us-east-1) | [supabase.com/privacy] |
| Resend (or equivalent) | Transactional email and digests | Email address, message contents (transactional), unsubscribe state | United States | [resend.com/legal/privacy-policy] |
| Stripe, Inc. (or equivalent) | Payment processing for paid API tiers | Name, email, billing address, card information (Stripe-hosted) | United States | [stripe.com/privacy] |
| Cloudflare, Inc. (or equivalent) | DDoS protection, edge security, rate-limit enforcement | IP addresses, request metadata | United States | [cloudflare.com/privacypolicy] |
| Google Workspace (or equivalent) | Business email for [contact@] / [privacy@] | Email contents of inquiries | United States | [policies.google.com/privacy] |

We may disclose personal information when we believe in good faith that disclosure is necessary to:

  • Comply with a subpoena, court order, or other valid legal process
  • Comply with a request from a federal, state, or local law enforcement or regulatory agency
  • Enforce our Terms of Service, API Terms of Service, or Acceptable Use Policy
  • Protect rights, property, or safety of PTP, our users, or any third party

Notice to affected users. Unless we are legally prohibited from doing so, or unless we determine in good faith that notice would create a risk of harm or obstruct a lawful investigation, we will notify affected users before responding to legal process. We commit to:

  • Reviewing each request for legal sufficiency under applicable law
  • Refusing to comply with requests we believe in good faith are facially defective, overbroad, or unconstitutional
  • Pursuing legal challenge where appropriate
  • Publishing an annual transparency report (when audience and request volume justify it) summarizing requests received and our responses

6.3 Business transfers

If PTP is acquired, merges with another entity, or transfers substantially all of its assets, your personal information may transfer to the acquirer. The acquirer will be bound by this Privacy Policy or a successor policy that provides equivalent protection, and you will be notified of any material change.

We may share personal information for other purposes with your explicit prior consent. Examples might include co-publishing a research finding with academic collaborators with attribution to you, with your prior approval.

6.5 We do not sell or share personal information

We do not sell personal information for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising. The Global Privacy Control opt-out (see § 11) is honored as a matter of policy notwithstanding that we do not engage in either practice.


7. Your Rights and Choices

7.1 Rights honored universally

Regardless of which state you reside in or whether you are covered by a comprehensive privacy law, you have the following rights with respect to personal information PTP holds about you:

| Right | What it means | How to exercise |
|---|---|---|
| Access | Request a copy of the personal information we hold about you | Email PolTraPro@proton.me with subject "Access Request" |
| Correction | Request that we correct inaccurate or incomplete information | Email PolTraPro@proton.me with subject "Correction Request" |
| Deletion | Request that we delete your personal information | Email PolTraPro@proton.me with subject "Deletion Request" |
| Portability | Request a machine-readable copy of personal information you provided to us | Email PolTraPro@proton.me with subject "Portability Request" |
| Opt-out of marketing email | Stop receiving newsletter and digest emails | Use the unsubscribe link in any marketing email |
| Opt-out of sale or sharing | We do not sell or share; opt-out is preserved as a matter of law | Email PolTraPro@proton.me or use Global Privacy Control (§ 11) |
| Limit use of sensitive personal information | We do not collect sensitive PI; preserved as a matter of law | Same as above |
| Non-discrimination | We will not deny services or change pricing because you exercised a privacy right | (Automatic) |
| Appeal | If we decline a request, you may appeal | Email PolTraPro@proton.me with subject "Appeal" |

7.2 Verification

To protect your information from unauthorized access, we may need to verify your identity before fulfilling a request. Verification typically consists of:

  • For account holders: confirmation via the email address associated with your account
  • For non-account-holders (e.g., newsletter subscribers): a confirmation email to the address that submitted the request, with a confirmation link
  • For requests received through an authorized agent: agent's authorization documentation

We will not require you to create an account to exercise a right.

7.3 Authorized agents

You may designate an authorized agent to make requests on your behalf. The agent must provide written documentation of authority, and we may verify directly with you that you authorized the request. California Civil Code § 1798.130 and analogous state-law standards apply.

7.4 Response times

| Jurisdiction | Maximum response time |
|---|---|
| California (CCPA/CPRA) | 45 days, extendable once by 45 days with notice |
| Most state comprehensive privacy laws | 45 days, extendable once by 45 days with notice |
| Texas (TDPSA) | 45 days |
| Florida (FDBR) | 45 days |
| GDPR (EEA/UK/Switzerland) | 30 days, extendable by 2 months with notice |
| Nevada (NRS 603A) | 60 days |
| All others | 45 days as a matter of practice |

If we cannot honor a request (e.g., a deletion request that conflicts with a billing-record retention requirement, an access request that would compromise the privacy of others, a deletion request from a journalist regarding our editorial sources, etc.), we will tell you why within the response window.

7.5 Non-retaliation

We will not retaliate against you for exercising any privacy right. If we cannot honor a request, we will explain why; we will not deny services, charge different prices, or provide a different quality of service based on your exercise of these rights.


8. Data Retention

We retain personal information only as long as necessary for the purposes for which it was collected, except as required by law.

| Data type | Retention period | Reason |
|---|---|---|
| Email subscription record (active) | While subscription is active | Provide the service |
| Email subscription record (after unsubscribe) | 30 days post-unsubscribe | Suppression list / honor unsubscribe; then deleted |
| Watchlist record | While watchlist is active; deleted within 30 days of deletion request | Provide the service |
| Developer waitlist record | Until API account is created or until you request deletion | Onboarding pipeline |
| API account record (free) | While account is active; deleted within 30 days of account deletion | Provide the service |
| API account record (paid) | Active duration + 7 years for billing/tax records | IRS and state revenue requirements |
| Payment information | Not retained by PTP; held by payment processor per their retention policy | Stripe (or equivalent) is the system of record |
| Server logs | 30 days | Security, debugging |
| Analytics aggregates | Per analytics provider's retention; aggregated only | Capacity planning |
| Communications with us (email) | 3 years | Customer support history |
| Backups | Up to 35 days rolling | Disaster recovery |
| Legal hold | As long as hold is in effect | Legal/regulatory necessity |

We will not retain personal information longer than necessary for the purposes above, and we will delete or anonymize it when the retention period ends.


9. State-Specific Notices

PTP honors the rights described in § 7 for all users regardless of state of residence. The following sections describe how state-specific laws apply and any state-specific contact information.

9.1 California — CCPA/CPRA

Coverage threshold: Cal. Civ. Code § 1798.140 — applies to businesses meeting any of: (a) $26.625M annual gross revenue (2026 CPI-adjusted), (b) processing personal information of 100,000+ CA consumers/households, (c) 50%+ revenue from sale/sharing of PI. PTP does not currently meet (a) or (c) and may or may not meet (b); we apply CCPA-equivalent rights to all California residents regardless of threshold as a matter of practice.

Categories of personal information we collect, sources, and purposes (per Cal. Civ. Code § 1798.130):

| CCPA category | Specific items | Source | Purpose |
|---|---|---|---|
| Identifiers | Name, email, IP address | Directly from you, server logs | Account, service, security |
| Internet/network activity | Server logs, page views, click stream | Server logs, analytics | Security, debugging, aggregate analytics |
| Commercial information | API subscription history | Subscription system | Billing, capacity |
| Geolocation (general) | IP-derived approximate location only | Server logs | Security only |
| Inferences | None — we do not derive inferences | N/A | N/A |
| Sensitive personal information | None collected from Site users | N/A | N/A |

Sale / sharing. We do not sell personal information for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising.

Notice of right to opt-out. California residents have a right to opt out of "sale" or "sharing." Because we do not engage in either, the opt-out is preserved as a matter of law. To submit a request: email PolTraPro@proton.me or use the Global Privacy Control (§ 11).

Notice of right to limit use of sensitive personal information. California residents have a right to limit use of "sensitive personal information" (Cal. Civ. Code § 1798.140(ae)). PTP does not collect sensitive personal information from Site users. The right is preserved as a matter of law.

California "Shine the Light" (Cal. Civ. Code § 1798.83). California residents may once per year request a list of the personal information categories disclosed to third parties for direct marketing purposes. PTP does not disclose personal information to third parties for direct marketing purposes.

Authorized agent. California Civ. Code § 1798.130 permits an authorized agent to make requests on your behalf. Agents must provide documentation of authority.

9.3 Texas — TDPSA (Texas Bus. & Com. Code Ch. 541)

Coverage: TDPSA has no consumer or revenue threshold. It applies to any person who (1) conducts business in Texas or produces a product or service consumed by Texas residents, AND (2) processes or engages in the sale of personal data, EXCEPT for SBA-defined small businesses (which are treated separately).

PTP's posture: PTP is currently structured as a single-member sole proprietorship / pending LLC with no employees and revenue below SBA small-business thresholds, and as such may qualify for the SBA small-business exemption. However, that exemption does not shield sale of "sensitive personal information" defined under Tex. Bus. & Com. Code § 541.001(28), and PTP does not engage in sale of sensitive personal information in any case.

Sensitive data note. Texas defines "sensitive data" to include "personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status." Political affiliation is not within Texas's sensitive-data definition. PTP does not collect any sensitive data from Site users in any case.

Texas resident rights: Same as § 7.1 universal rights. To exercise: PolTraPro@proton.me.

Texas Data Broker Act (Tex. Bus. & Com. Code Ch. 509). PTP is not registered as a Texas data broker. PTP relies on the "principal source of revenue" qualifier in the Texas definition.

9.4 Nebraska — NDPA

Coverage: NDPA applies to persons that process or sell personal data of Nebraska residents, EXCEPT SBA-defined small businesses. Same posture as Texas: PTP currently qualifies for the SBA small-business exemption; that exemption does not shield sale of sensitive data.

Nebraska resident rights: Same as § 7.1. To exercise: PolTraPro@proton.me.

9.5 Virginia — VCDPA (Va. Code § 59.1-575 et seq.)

Coverage threshold: processing personal data of 100,000+ VA consumers, OR 25,000+ VA consumers with 50%+ revenue from sale of PI. PTP does not currently meet either threshold; rights are honored as a matter of practice.

Virginia resident rights: access, correction, deletion, portability, opt-out of targeted advertising / sale / certain profiling. To exercise: PolTraPro@proton.me.

9.6 Colorado — CPA (C.R.S. § 6-1-1301 et seq.)

Coverage threshold: 100,000+ CO consumers, OR 25,000+ with any revenue from sale of PI. Rights honored as a matter of practice.

Colorado-specific: the Universal Opt-Out Mechanism (UOOM) is required to be honored. PTP honors the Global Privacy Control as a UOOM signal (§ 11).

9.7 Connecticut — CTDPA (Conn. Gen. Stat. § 42-515 et seq.)

Coverage threshold: 100,000+ CT consumers, OR 25,000+ with 25%+ revenue from sale. Note: thresholds drop substantially July 1, 2026; verify post-amendment text.

Connecticut-specific: UOOM (including GPC) is honored.

9.8 Utah — UCPA (Utah Code § 13-61)

Coverage threshold: $25M+ revenue AND (100,000+ UT consumers OR 25,000+ with 50%+ revenue from sale). PTP does not currently meet this threshold.

9.9 Iowa — ICDPA (Iowa Code Ch. 715D)

Coverage threshold: 100,000+ IA consumers, OR 25,000+ with 50%+ revenue from sale. Rights honored as practice.

9.10 Montana — MCDPA (Mont. Code § 30-14-2801 et seq.)

Coverage threshold: 25,000+ MT consumers, OR 15,000+ with 25%+ revenue from sale (lowered by SB 297 effective 10/1/2025). Lower threshold means PTP may be covered if PTP publishes data on more than 25,000 Montana donors or politicians. Verification needed.

9.11 Oregon — OCPA (ORS 646A.570 et seq.)

Coverage threshold: 100,000+ OR consumers, OR 25,000+ with 25%+ revenue from sale. Rights honored as practice.

Oregon Data Broker Act (ORS 646A.594). PTP is not registered as an Oregon data broker.

9.12 Tennessee — TIPA (Tenn. Code § 47-18-3201 et seq.)

Coverage threshold: $25M+ revenue AND (175,000+ TN consumers OR 25,000+ with 50%+ revenue from sale). PTP does not currently meet this threshold.

9.13 Delaware — DPDPA (Del. Code tit. 6 § 12D)

Coverage threshold: 35,000+ DE consumers OR 10,000+ with 20%+ revenue from sale. Low threshold; verification needed.

9.14 New Jersey — NJDPA (N.J.S.A. 56:8-166.4)

Coverage threshold: 100,000+ NJ consumers OR 25,000+ with any revenue from sale. Rights honored as practice.

9.15 New Hampshire — NHPA (RSA Ch. 507-H)

Coverage threshold: 35,000+ NH consumers OR 10,000+ with 25%+ revenue from sale. Low threshold.

9.16 Minnesota — MCDPA (Minn. Stat. Ch. 325O)

Coverage threshold: 100,000+ MN consumers OR 25,000+ with 25%+ revenue from sale. Rights honored as practice.

Minnesota-specific: unique right to question profiling decisions.

9.17 Maryland — MODPA (Md. Comm. Law § 14-4601)

Coverage threshold: 35,000+ MD consumers OR 10,000+ with 20%+ revenue from sale. Low threshold. Strictest data-minimization standard in the U.S. ("reasonably necessary" standard).

9.18 Indiana — INCDPA

Coverage threshold: 100,000+ IN consumers OR 25,000+ with 50%+ revenue from sale. Effective January 1, 2026.

9.19 Kentucky — KCDPA

Coverage threshold: 100,000+ KY consumers OR 25,000+ with 50%+ revenue from sale. Effective January 1, 2026.

9.20 Rhode Island — RIDTPPA

Coverage threshold: 35,000+ RI consumers OR 10,000+ with 20%+ revenue from sale. Effective January 1, 2026. Unique requirement to identify third parties to whom data is sold.

9.21 Florida — FDBR (Fla. Stat. § 501.701)

Coverage: $1 billion+ global revenue + specific industry triggers. PTP is not covered.

9.22 Nevada — NRS 603A

Coverage: sale of personal information to data brokers. PTP does not sell personal information; Nevada opt-out is preserved as a matter of law.

9.23 Vermont — Data Broker Act (9 V.S.A. § 2446-2447)

Coverage: persons that knowingly collect and sell "brokered personal information" of consumers with no direct relationship. PTP is not registered as a Vermont data broker. Vermont's statute explicitly excludes information "lawfully made available to the general public from federal, State, or local government records"; PTP relies on this exclusion to the extent it applies.

9.24 Other states without comprehensive privacy laws

Residents of states without comprehensive privacy laws may still email PolTraPro@proton.me with any privacy concern. We will respond and honor reasonable requests as a matter of practice.


10. International Notice (EEA, UK, Switzerland)

10.1 GDPR-equivalent rights

If you are a resident of the European Economic Area, the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and equivalent national laws to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete personal data
  • Erase ("right to be forgotten") your personal data, subject to journalistic and freedom-of-expression exceptions
  • Restrict processing of your personal data
  • Object to processing, including direct marketing
  • Port your personal data in a machine-readable format
  • Withdraw consent at any time
  • Lodge a complaint with your national data protection authority

To exercise these rights: email PolTraPro@proton.me.

10.2 Lawful bases for processing

We process personal data of EEA/UK/Switzerland residents under the following lawful bases:

Processing | Lawful basis
Newsletter and watchlist | Consent (Art. 6(1)(a)) — withdrawable any time
API account and service delivery | Contract performance (Art. 6(1)(b))
Server logs, security, abuse detection | Legitimate interests (Art. 6(1)(f)) — balanced against your rights
Legal compliance | Legal obligation (Art. 6(1)(c))
Editorial publication of public political data | Journalistic exception (Art. 85) — see § 10.3

10.3 Journalism exception

The publication of personal data about politicians, candidates, contributors, and committees on the Site is conducted "solely for journalistic purposes" within the meaning of GDPR Article 85 and equivalent national derogations. PTP relies on the journalistic exception as the lawful basis for processing this information.

10.4 International data transfers

PTP is operated from the United States. Personal data of EEA/UK/Switzerland residents is transferred to and processed in the United States by PTP and its subprocessors. Transfers rely on:

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission, in place with each subprocessor;
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs;
  • Swiss SCCs as adapted for Swiss data protection law;
  • Supplementary technical and organizational measures (encryption in transit and at rest, access controls).

10.5 EU/UK Data Protection Officer

PTP has not appointed a Data Protection Officer (DPO) because PTP does not currently meet the Article 37 thresholds for mandatory DPO appointment. Privacy inquiries from EEA/UK/Switzerland residents should be directed to PolTraPro@proton.me.

10.6 EU/UK representative

PTP has not appointed an EU or UK representative under GDPR Article 27 or the UK GDPR equivalent because PTP does not currently exceed the offering-of-goods-or-services threshold to EEA/UK residents in a regular and systematic manner.

11. Do Not Track, Global Privacy Control, Universal Opt-Out Mechanisms

11.1 Global Privacy Control (GPC)

PTP honors the Global Privacy Control browser-based opt-out signal as a request to opt out of "sale" or "sharing" of personal information under California, Colorado, Connecticut, Oregon, New Jersey, Minnesota, and any other state that recognizes a UOOM. Because PTP does not engage in either "sale" or "sharing," the GPC opt-out is honored as a matter of policy alignment with privacy posture rather than because we engage in those practices.

11.2 Do Not Track (DNT)

PTP does not currently respond to legacy "Do Not Track" browser signals. There is no industry consensus on the meaning of DNT, and the W3C working group on DNT has been disbanded. PTP's privacy posture (no third-party tracking, no advertising cookies, no cross-context behavioral advertising) is materially equivalent to honoring DNT.

11.3 Other UOOMs

PTP will honor other Universal Opt-Out Mechanisms recognized by applicable state law as they emerge, including any UOOM specifications adopted by the Colorado Department of Law, the California Privacy Protection Agency, or analogous state regulators.


12. Data Security

12.1 Safeguards

PTP uses industry-standard administrative, technical, and physical safeguards to protect personal information, including:

  • Encryption in transit — TLS 1.3 for all Site and API traffic
  • Encryption at rest — where supported by our subprocessors (Vercel, Supabase, and Stripe all support it)
  • Access controls — principle of least privilege, role-based access for administrative functions, multi-factor authentication on administrative accounts
  • Secret rotation — periodic rotation of API keys, database credentials, and service-role tokens (per PRDNewest § 10)
  • Audit logging — administrative actions are logged with user identification, timestamp, and action
  • Security scanning — dependency vulnerability scanning, secret-detection on code commits, periodic security reviews
  • Backups — automated daily backups with 35-day rolling retention
  • Incident response plan — documented procedures for detection, containment, recovery, and notification
  • Vendor due diligence — subprocessors undergo review for security posture and data protection contracts (DPAs) before onboarding

12.2 No security is perfect

No method of internet transmission or electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security. If you have reason to believe your interaction with us is no longer secure, please contact us immediately at PolTraPro@proton.me.

12.3 Breach notification commitment

If we discover a security incident that affects your personal information, we will:

  • Notify affected users without undue delay, and consistent with applicable breach-notification law (e.g., 30 days under most state laws; 72 hours to supervisory authority under GDPR)
  • Notify applicable regulators within the time required by law
  • Cooperate with law enforcement investigations
  • Provide affected users with information about the nature of the breach, the categories of personal information affected, steps we have taken in response, and steps you can take to protect yourself
  • Where appropriate, provide credit monitoring or identity-theft protection services consistent with state breach-notification statutes

13. Children's Privacy (COPPA)

The Site is not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13. If you are under 13, please do not provide any information to us.

If you believe a child under 13 has provided personal information to us, please email PolTraPro@proton.me and we will delete it.

We comply with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq., and the Federal Trade Commission's implementing rule at 16 C.F.R. Part 312.


14. Accessibility of This Notice

This Privacy Policy is published online in HTML at poltrapro.com/privacy. We will provide this Policy in an alternative accessible format (e.g., plain text, audio recording) upon request from any user with a disability that prevents access to the standard format. Contact PolTraPro@proton.me.


15. Changes to This Policy

We may update this Privacy Policy from time to time. We will:

  • Post the updated Policy with a revised "Last revised" date
  • For material changes, notify subscribers and account holders by email at least 30 days before the change takes effect, except where applicable law requires shorter notice
  • Provide a summary of material changes at the top of the updated Policy for one year after the change

Continued use of the Site or API after the effective date of a change constitutes acceptance.

If you do not agree to a material change, you may close your account and request deletion of your personal information consistent with § 7.


16. Contact Information

Type of request | Contact
General inquiries | PolTraPro@proton.me
Privacy rights, access, correction, deletion | PolTraPro@proton.me
Security incidents | PolTraPro@proton.me
Accessibility | PolTraPro@proton.me
EU/UK/Swiss rights | PolTraPro@proton.me
Children's data (COPPA) | PolTraPro@proton.me
Mailing address | Service-of-process address available on written request via PolTraPro@proton.me