Privacy Policy
Last updated: June 2026
This Privacy Policy describes how DiligenceIQ ("we," "us," or "our") collects, uses, and shares information when you use our website and services (the "Service"). It applies to visitors, subscribers, and beta participants.
1. Information we collect
Information you provide
- Email address when you request a PDF report by email, sign up for beta access, or contact us
- Beta / access keys you submit for redemption (we store redemption outcomes, not your key in analytics events)
- Payment-related data processed by Stripe (we receive subscription status and customer identifiers, not full card numbers)
Information collected automatically
- Session identifiers via httpOnly cookies (for example diq_session and entitlement cookies) used to recognize your browser, enforce usage limits, and apply paid or beta access
- Usage data such as organization EINs viewed, searches performed, batch runs, feature gates encountered, and subscription events, tied to your session id where needed for metering and product improvement
- Analytics events via PostHog (see below), including page views and product interactions
- Technical logs such as IP address, user agent, and timestamps in server and security logs (may be hashed or minimized where configured)
2. How we use information
We use collected information to:
- Operate and secure the Service
- Determine and enforce entitlement (free tier limits, paid subscriptions, beta access, and feature gating)
- Deliver PDF reports and process payments
- Meter usage (lookup caps and related alerts)
- Improve reliability, fix errors, and understand product usage
- Comply with law and respond to lawful requests
We do not use your email for unrelated marketing without your consent where consent is required by law.
3. Analytics (PostHog)
We use PostHog for privacy-oriented product analytics. PostHog may receive event names, page paths, session identifiers, and coarse device/browser metadata. We configure session replay to mask input fields so typed content (including emails and search queries) is not recorded in replays. Autocapture of arbitrary clicks is disabled.
You can limit tracking with browser privacy settings or extensions; some features may still require session cookies to function.
4. Cookies and similar technologies
We use cookies and similar storage for essential operation:
- Session cookie (diq_session): httpOnly, signed identifier so we can associate usage and entitlements with your browser without requiring an account password
- Entitlement cookie: httpOnly, signed flag indicating paid or beta access and related limits
- Analytics (PostHog): may use cookies or local storage in memory mode for event correlation; see PostHog's documentation for details
We do not use advertising or cross-site tracking cookies for third-party ad networks. Blocking essential cookies may prevent paid features, metering, or continuity across visits.
5. How we share information
We share information only as needed to run the Service:
- Service providers such as Stripe, Supabase, Resend (email), Anthropic (AI), PostHog (analytics), and infrastructure hosts under contractual obligations to protect data
- Legal and safety when required by law or to protect rights, safety, and integrity of the Service
- Business transfers in connection with a merger, acquisition, or asset sale, with notice where practicable
6. We do not sell your personal information
We do not sell, rent, or trade your personal information to data brokers or advertisers. We do not share personal information for cross-context behavioral advertising.
7. Data retention
We retain usage and entitlement records for as long as needed to operate subscriptions, enforce limits, resolve disputes, and meet legal obligations. Server logs are kept for a limited operational period. You may request deletion of contact information you provided by emailing us; some records may be retained where required by law or for legitimate business purposes (for example billing records).
8. Security
We use industry-standard measures including HTTPS, httpOnly cookies, signed session values, and access controls on backend systems. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
9. Your choices and rights
Depending on where you live, you may have rights to access, correct, delete, or port personal information, or to object to certain processing. Contact us at duediligenceiq@gmail.com to exercise these rights. We will verify requests as permitted by law.
California residents may have additional rights under the CCPA/CPRA; we honor applicable opt-out and disclosure rights and do not sell personal information as defined by those laws.
10. Children
The Service is not directed to children under 13 (or under 16 in the EEA where applicable). We do not knowingly collect personal information from children.
11. International users
We operate from the United States. If you access the Service from other regions, your information may be processed in the U.S. and other countries where our providers operate.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. Material changes will be described with reasonable notice where required.
13. Contact
Privacy questions or requests? Email duediligenceiq@gmail.com. See also our Terms of Service.