Privacy Policy
Last updated: April 4, 2026
This policy is subject to change. We will notify registered users of material changes via email.
1. Information We Collect
Company Information
When you create an account, we collect your company name, CAGE code, Unique Entity ID (UID), point-of-contact details (name, email, phone), and business address. This information is used to identify your organization and may appear in the contractor directory if you enable public visibility.
Compliance Documents
You may upload compliance-related documents such as SPRS assessments, CMMC certifications, System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), and other evidence. These documents are stored securely and subject to the access controls described below.
Usage Data
We collect standard usage data including page views, feature interactions, IP addresses, browser type, and timestamps. This data is used to improve the Platform and troubleshoot issues.
Payment Information
Payment details (credit card numbers, billing addresses) are collected and processed by Stripe. We do not store payment card data on our servers. We receive transaction confirmations and subscription status from Stripe.
2. How We Store Your Data
All data is stored on encrypted infrastructure hosted by DigitalOcean. Our database uses encrypted connections (TLS). Uploaded documents are stored in DigitalOcean Spaces (S3-compatible object storage) with server-side encryption. All data transfers between your browser and our servers are encrypted via HTTPS/TLS.
3. Document Visibility and Access Control
Your compliance documents and data are visible to:
- Your company: All team members on your account can view your compliance data and documents.
- Connected Prime contractors: Prime contractors who have an accepted connection with your company AND have you on an active project can view your compliance records and documents. This is the core functionality that enables supply chain compliance monitoring.
Your data is not visible to unconnected companies, the general public, or other subcontractors on the same project. Directory listings show only basic company information (name, CAGE code) and do not expose compliance documents.
4. Third-Party Services
We use the following third-party services to operate the Platform:
- Clerk — Authentication and user management. Handles sign-in/sign-up flows and session management.
- Stripe — Payment processing and subscription billing. Stores and processes payment card information.
- Resend — Transactional email delivery for notifications (expiration alerts, invitation emails).
- SAM.gov API — Federal contractor data lookup for directory enrichment. Publicly available government data.
- Claude API (Anthropic) — AI-powered document processing for automated compliance verification. Document content may be sent to Anthropic's API for analysis. Anthropic does not use API inputs for model training.
- DigitalOcean — Cloud infrastructure (compute, database, object storage, Kubernetes).
5. Data Retention
We retain your data for as long as your account is active. If you cancel your subscription, your data remains stored for thirty (30) days to allow for reactivation. After 30 days, we may delete your data. Upon account termination, you may request a data export by contacting us.
Audit logs (activity history) are retained for twelve (12) months for security and compliance purposes.
6. Your Rights
You have the right to:
- Access your data at any time through the Platform
- Correct inaccurate company or compliance information
- Export your compliance data via CSV export features or by contacting support
- Delete your account and associated data by contacting us
- Control visibility by toggling your directory listing on or off
7. Cookies
We use essential cookies for authentication and session management (provided by Clerk). We do not use advertising or tracking cookies. No third-party analytics cookies are placed without your consent.
8. Children's Privacy
The Platform is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children.
9. Contact
For questions about this privacy policy or to exercise your data rights, contact us at admin@flowdowndefender.com.