← Back to privacy-first.app
✓ This policy is designed to score A+ on our own rubric
Privacy Policy.
privacy-first.app · Effective: April 28, 2026 · Last updated: May 12, 2026
The short version: We analyze privacy policies for you. To do that, we don't need to know who you are — and we don't try to find out. We collect no personal data, serve no ads, and sell nothing about you to anyone.
1. Who We Are
privacy-first.app is a free privacy policy analysis tool. When you enter a website or app name, our system reads that product's publicly available privacy policy and scores it against ISO/IEC 29100, the international standard for privacy frameworks. That's it.
2. What We Collect
We collect the minimum necessary to operate the service:
- Search queries — the app name or URL you submit, stored to power the weekly leaderboard. Queries are not linked to any identity.
- Hashed IP address — a one-way SHA-256 hash of your IP, used solely for rate limiting (10 requests per hour). The original IP is never stored. The hash cannot be reversed to identify you.
- Suggestions — if you voluntarily submit feedback, we store your message and optionally your email if you provide it.
We collect no names, no account information, no device fingerprints, no location data, no cookies, and no tracking pixels.
3. What We Do Not Collect
- No cookies — first-party or third-party
- No advertising identifiers
- No browser fingerprinting
- No session recordings or heatmaps
- No social login or third-party authentication
- No cross-site tracking of any kind
4. How We Use Data
Search queries are used exclusively to:
- Display the weekly “Most Searched,” “Best Scores,” and “Worst Scores” leaderboards
- Cache analysis results for 24 hours to reduce redundant processing
Hashed IPs are used exclusively to enforce the rate limit. They are not analyzed, aggregated, or shared.
Suggestion messages and optional emails are used exclusively to read and respond to feedback. They are not used for marketing.
5. Data Sharing & Sale
We do not sell, rent, trade, or share your data with any third party for any commercial purpose. Full stop.
The only external services we use are:
- Anthropic API — processes the privacy policy text you submit for analysis. Anthropic's data handling is governed by their privacy policy. We pass only the search query, not any user-identifying information.
- Supabase — our database provider, hosted in the United States. Stores anonymized search logs and cached analyses only.
- Vercel — our hosting provider. Handles web requests. Vercel may log standard server access logs (IP, timestamp, path) per their infrastructure practices.
- Upstash Redis — used for rate limiting only. Stores hashed IPs temporarily.
6. Data Retention
- Analysis cache — 24 hours, then expired and overwritten on next request
- Search log entries — rolling 7-day window for leaderboard; older entries are not actively deleted but are excluded from all queries and displays
- Hashed IPs (rate limit) — 1 hour sliding window, then automatically purged by Upstash
- Suggestions — retained until manually reviewed and deleted; email addresses are deleted upon request
7. Your Rights
Because we do not collect personal data linked to your identity, most data subject rights apply in a limited way. However:
- Access & deletion — if you submitted a suggestion with your email address, you may request to view or delete it by contacting us below.
- CCPA — California residents: we do not sell personal information. There is nothing to opt out of.
- GDPR — EU residents: our lawful basis for processing anonymized search queries is legitimate interest (operating the leaderboard). You may contact us with any concerns.
- COPPA — this service is not directed at children under 13. We do not knowingly collect any information from minors.
8. Security
All data is transmitted over HTTPS/TLS. Database access requires authenticated service-role credentials. IP addresses are hashed before storage using SHA-256 and are never stored in plaintext. We do not store payment information of any kind (the service is free).
9. Changes to This Policy
If we make material changes to this policy, we will update the “Last updated” date above. Because we have no user accounts or email list, we cannot notify you directly — we encourage you to check this page periodically if you use the service regularly.
10. Children
privacy-first.app is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has submitted information through our suggestion form, please contact us and we will delete it promptly.