Information We Collect
Information you provide directly
- Account credentials — Your email address and the password you create. Passwords are hashed using bcrypt by Supabase Auth before storage. We never see your password in plaintext and cannot recover it.
- Business profile — Your organization name, the trade type your business operates in (e.g., electrician, plumber, HVAC, roofer), and the US state where you operate. This information is used exclusively to provide your credential and license compliance tracking.
- Payment information — If you subscribe to a paid plan, payment is processed by Paddle.com Market Limited, our Merchant of Record. We never receive, transmit, or store your full payment card number, CVV, or bank account details. Paddle handles all payment data under PCI DSS standards.
Information collected automatically
- Authentication cookies and session tokens — Supabase Auth uses browser cookies and local storage to maintain your logged-in session. These are strictly necessary for the Service to function and cannot be disabled without logging out.
- Basic usage data — Pages visited and features used within the app. This data is used solely to maintain and improve the Service. We do not share this data with advertising networks.
Information we do not collect
We do not collect your Social Security Number, Employer Identification Number (EIN), tax returns or filings, financial statements, or any government-issued identification numbers. Employee information (names and contact details) is collected only when you voluntarily add it to track credentials on their behalf.
How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service — Generate your personalized compliance calendar, display upcoming deadlines, and present relevant penalty information based on your business profile.
- Send deadline reminders — When you opt in to email alerts, we use your email address to deliver timely compliance reminders before important filing deadlines.
- Process payments and manage subscriptions — Confirm purchases, issue receipts, and handle subscription renewals and cancellations through our payment processor.
- Communicate with you — Respond to support requests, send service-related notices (such as changes to these policies), and provide security alerts.
- Improve and develop the Service — Analyze aggregate, anonymized usage patterns to understand which features are most valuable and to fix issues.
- Legal compliance — Fulfill our obligations under applicable law, respond to valid legal requests, and enforce our Terms of Service.
We do not use your information to build advertising profiles, sell targeted advertisements, or share data with data brokers.
Data Sharing and Third-Party Processors
We do not sell, rent, or trade your personal information. We share data only with the service providers necessary to operate FineShield, each bound by their own privacy policies and data protection agreements:
- Supabase, Inc. — Our database and authentication infrastructure provider. Supabase stores your account credentials, organization profile, employee records, and credential data on our behalf. Supabase operates under SOC 2 Type II compliance and supports GDPR data residency options.
- Paddle.com Market Limited — Our Merchant of Record and payment processor for paid subscriptions. Paddle acts as a co-controller for billing data and handles all payment card information directly. Their Privacy Policy governs how they process your payment data.
- Resend, Inc. — Our transactional email delivery provider, used to send deadline reminders and service notifications. Resend processes your email address solely to deliver messages you have requested.
- Law enforcement or government authorities — We may disclose information when required by applicable law, valid court order, or government regulation. Where legally permitted, we will notify you of such a request before disclosing.
- Business transfers — In connection with a merger, acquisition, financing, or sale of all or part of our business, your information may be transferred to the acquiring entity. You will be notified by email and/or a prominent notice on our website in advance.
Data Retention
- Account and profile data — Retained for the lifetime of your account. When you delete your account, we permanently delete your email address, organization profile, employee records, and credential data within 30 days.
- Credential and document data — Employee credentials, license records, CE credit logs, and uploaded documents are retained until you delete them or delete your account.
- Payment and billing records — Retained for 7 years from the date of the transaction, as required by applicable financial regulations. This data is held by Paddle as Merchant of Record.
Security
We implement technical and organizational measures designed to protect your personal information:
- Encryption in transit — All data exchanged between your browser and our servers uses HTTPS/TLS 1.2 or higher.
- Encryption at rest — Your data is stored in Supabase's encrypted PostgreSQL database infrastructure.
- Row-Level Security (RLS) — Every database table has RLS enabled, with policies that limit each user's rows to that user's authenticated session. Because the database itself enforces these policies, a bug or malformed query in application code issued through the client cannot return another user's records.
- Password hashing — Passwords are processed exclusively by Supabase Auth using bcrypt. We never store, log, or transmit passwords in plaintext.
- Principle of least privilege — Privileged database writes are performed by our server-side scrapers using a service role key, which bypasses RLS and is therefore stored only on our servers and never shipped to the browser. The app client uses the public anon key, whose access is restricted by RLS to the authenticated user's own rows.
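As an added illustration (not FineShield's own schema or code), the following Supabase-style Postgres statements show how the per-user isolation described above is enforced. The table and column names are assumed for the example; `auth.uid()` and the `authenticated` role are standard Supabase constructs.

```sql
-- Added example: per-user Row-Level Security in a Supabase (Postgres) database.
-- Table and column names are hypothetical; they are not FineShield's schema.
create table employee_credentials (
  id             bigint generated always as identity primary key,
  owner_id       uuid not null references auth.users (id),
  employee_name  text not null,
  license_number text,
  expires_on     date
);

-- Once RLS is enabled, rows are invisible to the anon/authenticated roles
-- until a policy explicitly grants access.
alter table employee_credentials enable row level security;

-- Each policy ties the row to the JWT subject of the calling session.
create policy "owner can read own rows"
  on employee_credentials for select
  to authenticated
  using (auth.uid() = owner_id);

create policy "owner can insert own rows"
  on employee_credentials for insert
  to authenticated
  with check (auth.uid() = owner_id);

create policy "owner can update own rows"
  on employee_credentials for update
  to authenticated
  using (auth.uid() = owner_id)
  with check (auth.uid() = owner_id);

create policy "owner can delete own rows"
  on employee_credentials for delete
  to authenticated
  using (auth.uid() = owner_id);

-- A client request made with the public anon key plus a user's JWT sets
-- auth.uid(). This query has no WHERE clause, yet it returns only that
-- user's rows: the filter is applied by the database, not the app.
select id, employee_name, expires_on
from employee_credentials;

-- Caveat: the service_role key bypasses RLS entirely, which is why it must
-- stay server-side. This check lists any public table that was left
-- without RLS and would be fully readable through the anon key.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;
```

The last query is the check a reviewer would run after any schema change: a new table created without `enable row level security` is exposed to every holder of the anon key, regardless of the policies on the other tables.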
No security system is perfect. If you discover a security vulnerability, please report it to security@fineshield.co and we will investigate promptly.
Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access — Request a copy of the personal data we hold about you.
- Correction — Request that we correct inaccurate or incomplete information.
- Deletion — Request that we delete your account and associated personal data. We will fulfill deletion requests within 30 days, except where retention is required by law.
- Portability — Request your data in a structured, machine-readable format (JSON or CSV).
- Objection — Object to certain types of processing, such as processing based on legitimate interests.
- Withdrawal of consent — Where processing is based on consent (such as marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.
California Residents (CCPA / CPRA)
California residents have the right to know what personal information we collect, the right to delete, the right to correct inaccurate information, the right to opt out of the sale or sharing of personal information (we do not sell or share your data), and the right to non-discrimination for exercising these rights.
EEA, UK, and Swiss Residents (GDPR)
Our legal bases for processing include: (a) performance of a contract — to provide the Service you signed up for; (b) legitimate interests — to maintain security, prevent fraud, and improve the Service; and (c) legal obligation — to comply with applicable law. You may also have the right to lodge a complaint with your local data protection supervisory authority.
To exercise any of these rights, email privacy@fineshield.co with the subject line "Privacy Rights Request". We will respond within 30 days. We may ask you to verify your identity before processing the request.
Children's Privacy
FineShield is a business compliance tool intended for adults operating businesses. The Service is not directed to, and we do not knowingly collect personal information from, individuals under the age of 18.
If we learn that we have inadvertently collected personal information from a minor, we will delete that information promptly. If you believe a minor has created an account, please contact us at privacy@fineshield.co.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Update the "Effective date" at the top of this page.
- Send an email notification to the address associated with your account at least 14 days before the changes take effect.
- Display a prominent notice within the app for the first 30 days after a material change.
Your continued use of FineShield after the effective date of a revised policy constitutes your acceptance of that policy. If you do not agree to the revised policy, you may delete your account before the changes take effect.
Contact Us
If you have any questions, concerns, or requests related to this Privacy Policy or how we handle your personal information, please contact us:
We aim to respond to all privacy-related inquiries within 5 business days, and to fulfill verified data subject requests within 30 calendar days.