Privacy Policy for DataFog, Inc.

Effective May 12, 2025

1. Who We Are

DataFog, Inc. (DataFog, we, our, or us) is a Delaware C-corporation that sells cloud-based software for detecting, anonymizing, and managing sensitive data inside documents. Our business address is 1209 Orange St., Wilmington, DE 19801, USA.

2. Scope

This policy explains how we collect, use, share, and protect information when you:

visit datafog.ai or any sub-domain;
sign up for an account;
upload files or otherwise use our software-as-a-service (SaaS) platform; or
interact with us through email, social media, or events.

3. The Information We Collect

Category	Examples	Source
Account info	Name, email, password hash, billing address	You
Content	Documents, images, or other files you upload for scanning	You
Usage data	Pages visited, features used, click-streams, error logs	Automatic
Device data	Browser type, IP address, device/OS identifiers	Automatic
Payment data	Last four digits of card, expiry, postal code	Stripe, Paddle, or similar processor
Marketing data	Newsletter opt-ins, ad campaign tags	You / Cookies

We do not knowingly collect data from children under 13.

4. Why We Use Your Data

Purpose	Legal basis*
Provide and secure the service	Contract
Perform scans and return results	Contract
Improve features, models, and accuracy	Legitimate interest
Detect abuse, fraud, or security incidents	Legitimate interest
Send transactional emails (e.g., password resets)	Contract
Send product updates or marketing (you can opt out)	Consent / Legitimate interest
Comply with law, subpoenas, or audits	Legal obligation

*If you reside in the European Economic Area (EEA), our legal bases under the GDPR are shown in the right-hand column.

5. Sharing & Disclosure

We share data only when needed:

Cloud hosting & edge delivery – Cloudflare (global)
Analytics – Plausible (EU) and internal log aggregation
Payment processors – Stripe or Paddle (PCI-DSS compliant)
Sub-processors for AI inference – GPU providers inside the U.S./EU
Corporate events – If we sell, merge, or reorganize, data may transfer
Legal – When required by law or to protect rights, safety, or property

We never sell personal information.

6. Cookies & Similar Tech

We use first-party cookies for session management and security. Analytics cookies are cookieless or pseudonymous. You can control cookies through your browser settings.

7. Data Retention

Uploaded files – deleted automatically 30 days after processing, unless you choose a shorter window in your dashboard.
Account, billing, and log data – kept as long as you hold an account, then archived for up to seven years to meet tax and audit rules.
Anonymized aggregates may be kept indefinitely.

8. Security

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access to production systems requires MFA and least-privilege roles. We run regular penetration tests and maintain a written incident-response plan.

9. International Transfers

We rely on the EU–US Data Privacy Framework and standard contractual clauses for transfers outside your jurisdiction. Our primary data center is in the United States.

10. Your Rights

Jurisdiction	Rights you can exercise
EEA / UK (GDPR)	Access, rectify, erase, restrict, object, data portability, lodge complaint with supervisory authority
California (CPRA)	Know, delete, correct, opt-out of "sharing," limit sensitive data, no retaliation
Virginia, Colorado, Connecticut, Utah	Access, correct, delete, opt-out of targeted ads or sale
Texas (TDPSA, July 1 2024) & Delaware (DPDPA, Jan 1 2025)	Access, correct, delete, data portability, opt-out of sale/ads, appeal denials
Maryland (Online Data Privacy Act, Oct 1 2025)	Similar rights; stricter opt-out signal requirements

You can make a rights request from inside your account or by emailing privacy@datafog.ai. We'll verify your identity and respond within the time limits set by law.

11. Do-Not-Track & Global Privacy Control

Our site honors the Global Privacy Control (GPC) signal where legally required. We do not track users for behavioral advertising.

12. Third-Party Links

Our site may link to other websites. Their privacy practices are their own.

13. Changes to This Policy

We'll post any changes here and update the "Effective" date. Significant changes will be announced by email or in-app.

14. Contact Us

Data Protection Officer

DataFog, Inc.

1209 Orange St., Wilmington, DE 19801, USA

privacy@datafog.ai