Privacy Policy
Last updated: March 31, 2026
1. Information We Collect
Information you provide
- Account data: Email address and password (hashed with bcrypt — we never store your plain-text password)
- Text you analyze: The conversation text you submit for analysis
- Contact messages: Name, email, and message content when you contact us
- Payment info: Billing details are processed by Stripe. We store only your Stripe customer ID and subscription status — never your card details
Information collected automatically
- Usage data: Number of scans performed today (to enforce plan limits)
- IP address: Used for rate limiting and abuse prevention
- Analytics: Page views and feature usage via Google Analytics 4 (anonymized)
2. How We Use Your Information
- Provide and improve the RedFlag service
- Send account-related emails (email verification, password resets)
- Process payments and manage subscriptions
- Enforce usage limits per your plan
- Prevent abuse and maintain service security
- Respond to support requests
- Analyze aggregate usage patterns to improve the product
3. Text You Analyze
When you submit text for analysis, it is sent to Anthropic's API to generate results. Anthropic's privacy policy governs its handling of API inputs.
If you are a Premium user, your scan results are saved to your account (so you can review them on your Dashboard). If you are a Free or Pro user, your text is not persistently stored by us after the analysis is returned.
Do not submit text containing sensitive personal information (SSNs, financial account numbers, medical records) — there is no need to do so to get a useful analysis.
4. Data Retention
- Account data: Retained while your account is active. Deleted upon request.
- Saved scans (Premium): Retained until you delete them from your Dashboard.
- Support messages: Retained for up to 2 years for quality assurance.
- Anonymous usage data: Reset daily; IP-based rate limit logs are not retained beyond 24 hours.
5. Third-Party Services
- Anthropic: Powers AI text analysis. See Anthropic's privacy policy.
- Stripe: Processes payments. See Stripe's privacy policy.
- Google Analytics: Aggregate usage analytics (anonymized). See Google's privacy policy. You can opt out via browser extensions.
- Gmail (SMTP): Used to send transactional emails (verification, password reset).
6. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Ask us to correct inaccurate data
- Deletion: Request deletion of your account and associated data
- Portability: Receive your data in a machine-readable format
- Objection: Object to certain uses of your data
- Withdrawal of consent: Withdraw consent where processing is based on consent
To exercise these rights, contact us. We will respond within 30 days.
7. Cookies and Tracking
We use localStorage (not cookies) to store your JWT authentication token client-side. We do not use tracking cookies for advertising. Google Analytics may set cookies for analytics purposes — you can block these with standard browser tools or extensions.
8. Security
We implement security measures including:
- Passwords hashed using bcrypt (never stored in plain text)
- JWT tokens for session management
- Rate limiting on all sensitive endpoints
- HTTPS (when deployed in production)
- Sensitive files (users.json, .env) never served via HTTP
No method of transmission or storage is 100% secure. If you discover a security vulnerability, please contact us responsibly.
9. Children's Privacy
RedFlag is not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately.
10. GDPR (European Users)
If you are located in the European Economic Area, our legal basis for processing your data is: contract performance (providing the service), legitimate interest (security, abuse prevention), and consent (analytics). You have the right to lodge a complaint with your local supervisory authority.
11. CCPA (California Residents)
We do not sell personal information. California residents have the right to know what personal information we collect and to request deletion. To exercise these rights, contact us.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users via email of material changes. The "Last updated" date at the top reflects when this policy was last revised.
13. Contact
For privacy-related questions or to exercise your rights, please contact us.