Privacy Policy

Last Updated: February 1, 2026 • Version 1.0

Privacy at a Glance

  • We never sell your personal data
  • We never train AI models on your workspace data
  • You can export and delete your data anytime
  • Your data is encrypted (AES-256 at rest, TLS in transit)

Introduction

ProofBase ("we," "us," "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using ProofBase, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Information You Provide Directly

Account Information:

  • Email address (required for login)
  • Name
  • Company name (optional)

We use magic link authentication, so no password is required or stored.

Workspace Content:

  • Evidence references and descriptions
  • Policy documents you create or customize
  • Notes and implementation details
  • Status updates for readiness items
  • Any other data you enter into the Service

Important: We will NEVER use your workspace content to train AI models or share it with other users.

Waitlist Information:

  • Name and email address
  • Company name and stage
  • Expected SOC 2 timeline
  • How you heard about us
  • Additional notes

1.2 Information Collected Automatically

When you use ProofBase, we automatically collect certain information:

  • Usage Data: Pages visited, features used, time spent, actions taken
  • Device Information: IP address, browser type, operating system, device type
  • Cookies: Session cookies (essential), authentication tokens, preference cookies (optional)

1.3 Files You Upload

When you use the evidence file storage feature, we collect and store:

  • File content: Screenshots, documents, policies you upload
  • File metadata: Filename, size, upload date, file type
  • File organization: Which control each file is associated with

🔒 File Security & Privacy

We will NEVER:

  • Use your uploaded files to train AI models
  • Share your files with other ProofBase users
  • Access your files without permission (except for support when requested)
  • Sell or monetize your file data

2. How We Use Your Information

To Provide the Service

  • Authenticate your identity
  • Store your workspace data
  • Generate exports and PDFs
  • Process payments
  • Provide customer support

To Improve the Service

  • Analyze usage patterns
  • Identify and fix bugs
  • Develop new features
  • Conduct research

Marketing Communications

You can always opt out:

  • Essential emails (cannot opt out): Login links, security alerts, billing notifications
  • Marketing emails (can opt out): Product updates, educational content, company news

3. How We Share Your Information

We DO NOT Sell Your Personal Data

We will NEVER sell, rent, or trade your personal information to third parties for marketing purposes. Period.

3.1 Service Providers We Use

We share data with trusted third-party providers who help us operate the Service:

Supabase

Infrastructure

Purpose: Database, authentication, file storage

Location: US-based servers

Data shared: Account info, workspace content

Stripe

Payments

Purpose: Process subscription payments

Location: US and EU data centers

Data shared: Billing info (Stripe handles card data directly)

Note: We never see your full credit card number—Stripe handles all payment data

Vercel

Hosting

Purpose: Web hosting and content delivery

Location: Global CDN

Data shared: Minimal (delivers web pages to your browser)

All service providers are contractually obligated to protect your data and may only use it to provide services to us. We maintain a complete list at proofbase.com/subprocessors

4. Data Security

Encryption

  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • Encrypted database backups

Access Controls

  • Role-based access control
  • Multi-factor authentication
  • Regular security audits

File Storage Security

Uploaded files are protected with:

  • Organization isolation: Row Level Security ensures you can only access your organization's files
  • Encryption at rest: AES-256 encryption on Supabase infrastructure
  • Encryption in transit: TLS 1.2+ for all uploads and downloads
  • Access controls: Only authenticated users in your organization can access files
  • Signed URLs: Download links expire after a set time period
  • Automatic backups: Daily backups with 30-day retention

Security Limitations

Despite our efforts, no system is 100% secure. You are responsible for keeping your email account secure (used for magic links) and not sharing your account access.

Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users via email within 72 hours and take immediate steps to address the breach.

5. Data Retention

Active Accounts

We retain your data as long as your account is active.

Cancelled Accounts

  • 90-day grace period: Your data is retained to allow for reactivation
  • After 90 days: All workspace data is permanently deleted
  • Account info: Retained for 1 year for billing/legal purposes

6. Your Privacy Rights

6.1 Rights Under GDPR (EU Users)

If you are in the European Union, you have the right to:

  • Access: Request a copy of your data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data
  • Portability: Receive data in portable format
  • Restriction: Limit how we process your data
  • Object: Object to certain processing

6.2 Rights Under CCPA (California Users)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how we use it
  • Access your personal information
  • Delete your personal information
  • Opt-out of sale of personal information (not applicable—we don't sell data)
  • Non-discrimination for exercising your rights

How to Exercise Your Rights

To exercise any privacy rights:

  1. Email us at: support@proofbasehq.com
  2. Subject line: "Privacy Rights Request - [Your Right]"
  3. Include your name, email, and specific right you're exercising

Response time: Within 30 days (GDPR) or 45 days (CCPA). We may request additional information to verify your identity before fulfilling requests.

7. Cookies and Tracking

Essential Cookies (Required)

Required for the Service to function. Cannot be disabled.

  • Authentication (keep you logged in)
  • Security (CSRF protection)
  • Session management

Analytics Cookies (Optional)

Help us understand how you use the Service. You can opt out.

  • Usage tracking
  • Performance monitoring

Most browsers allow you to control cookies through settings. Disabling essential cookies may prevent you from logging in or using certain features.

8. Children's Privacy

ProofBase is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18.

If we become aware that we have collected data from a child under 18, we will delete it promptly and terminate the account.

9. Changes to This Privacy Policy

We may modify this Privacy Policy at any time. For material changes, we will notify you by email at least 30 days in advance and update the "Last Updated" date.

Continued use of the Service after changes take effect constitutes your acceptance of the updated Privacy Policy.

10. Contact Us

For any questions about this Privacy Policy, please contact us at:

Response times: General inquiries (2-3 business days) • Privacy rights requests (30-45 days) • Security issues (within 24 hours)
