Last updated: January 28, 2026
We collect the information necessary to provide the evidence-collection service:
| Data Type | Purpose | Retention |
|---|---|---|
| Account email & password hash | Auditor authentication | Until account deletion |
| Client email addresses | Send upload links and notifications | With request record (30 days) |
| Company names | Identify submissions | With request record (30 days) |
| Uploaded files | Deliver to requestor | 90 days (auto-deleted) |
| Saved templates | Reuse evidence request configurations | Until account deletion |
| Payment info | Process credit purchases (via Stripe) | Handled entirely by Stripe |
What we don't collect: We don't use analytics, tracking pixels, or advertising cookies. We don't collect device fingerprints or build user profiles. We never store plaintext passwords — only salted PBKDF2 hashes.
By design: When you use ProofRepo, evidence is shared between the requestor and client specified in each request. This is the core function of the service.
Service providers:
We never sell your data, share it with advertisers, or use it for purposes beyond providing the service.
| Data | Retention Period |
|---|---|
| Uploaded files | 90 days (automatic deletion via R2 lifecycle rules) |
| Request metadata | 30 days |
| Account data | Until the user deletes their account |
| Credit/billing records | 12 months (stored in account history) |
You can delete individual submissions immediately through the Pack Viewer, or request full account deletion by contacting us.
For more details, see our Security Practices page.
To exercise these rights, email [email protected]
We use minimal, essential cookies only: authentication tokens (keeping you signed in) and security tokens (preventing abuse). We don't use tracking cookies, advertising cookies, or third-party analytics.
We may update this policy occasionally. Material changes will be communicated via email or notice on our website. The "last updated" date at the top indicates when changes were made.