Privacy Policy
Last updated: March 30, 2026
1. Introduction
Purview ("we," "us," or "our") is a multi-state privacy compliance platform for small and medium businesses. This Privacy Policy describes how we collect, use, share, and protect your information when you use our website and services at getpurview.com.
As a privacy compliance company, we hold ourselves to the highest standards of data protection. We are transparent about every piece of data we collect and every third-party service that processes your information. This policy covers all users of the Purview platform, including visitors who take our compliance quiz, registered account holders, and team members added to organization accounts.
This policy is effective as of March 30, 2026. By using Purview, you acknowledge that you have read and understand this Privacy Policy. If you do not agree with our practices, please do not use the platform.
2. Information We Collect
2.1 Account Information
When you create a Purview account, we collect your email address and a password. If you sign up using Google OAuth, we receive your email address and basic profile information from Google. Passwords are never stored in plaintext — authentication is managed by Supabase Auth, which stores only cryptographic hashes.
2.2 Organization Information
To provide accurate compliance assessments, we collect information about your business, including:
- Business name
- Industry classification
- State of incorporation
- Annual revenue range
- Employee count range
- Consumer data volume estimates
- Data practices (whether you sell or share data, process sensitive data, use tracking pixels, use automated decision-making, collect visitor data)
- Sensitive data types processed (if applicable)
2.3 Quiz Responses
When you take our compliance assessment quiz — whether or not you create an account — we collect your answers to determine which state privacy laws may apply to your business. Quiz submissions are stored with a session identifier. If you later create an account, your quiz submission is linked to your organization.
2.4 Compliance Data
As you use the dashboard, we store your compliance assessment results, requirement statuses (not started, in progress, compliant, non-compliant), compliance scores, and any privacy policy documents generated through the platform.
2.5 Usage Data
We collect standard usage data including pages visited, features used, and interaction patterns. This data is collected through Vercel Analytics and is used to improve the platform experience. We do not use third-party advertising trackers.
2.6 Payment Information
Payment processing is handled entirely by Stripe, Inc. When you subscribe to a paid plan, your payment card details are collected and processed directly by Stripe. We do not receive, store, or have access to your full card number. We receive only a confirmation of payment status, the last four digits of your card, and your Stripe customer ID for account management purposes.
2.7 Audit Logs
We maintain audit logs of significant account actions, including account creation, subscription changes, compliance status updates, policy generation events, and profile modifications. These logs are used for security, debugging, and to maintain the integrity of your compliance records.
3. How We Use Your Information
We use your information for the following purposes:
- Compliance assessments: Your organization information and quiz responses are used to determine which state privacy laws apply to your business and to calculate risk scores and compliance status.
- Privacy policy generation: When you generate a privacy policy, your organization name, industry, state of incorporation, and data practice information are sent to Anthropic's Claude API to produce a customized policy document. See Section 4 for details on this data sharing.
- Payment processing: Your email address and subscription selection are shared with Stripe to process payments and manage your billing.
- Transactional emails: Your email address is used to send account-related communications including welcome emails, payment confirmations, subscription changes, and quiz results via our email provider Resend.
- Service improvement: Aggregated, de-identified usage data is used to improve the platform, fix bugs, and prioritize new features.
- Security and integrity: Audit logs and account activity are monitored to detect unauthorized access and maintain the integrity of compliance data.
4. How We Share Your Information
We share your information only with the third-party service providers necessary to operate the platform. We do not sell your personal information. We do not share your data with advertisers or data brokers.
4.1 Anthropic (Claude API)
When you use the privacy policy generation feature, we send your organization name, industry, state of incorporation, applicable state laws, and data practice flags (such as whether you sell data, process sensitive data, or use automated decision-making) to Anthropic's Claude API. This data is used solely to generate your privacy policy document. Anthropic's data retention policies apply to this processing — for details, see Anthropic's privacy policy at anthropic.com.
4.2 Stripe
Your email address, subscription plan selection, and payment method details are processed by Stripe for billing purposes. Stripe acts as an independent data controller for payment data. For details on Stripe's data practices, see Stripe's privacy policy at stripe.com/privacy.
4.3 Resend
Your email address and name are shared with Resend to deliver transactional emails, including welcome messages, payment confirmations, subscription updates, and quiz results. Resend processes this data solely to deliver emails on our behalf.
4.4 Vercel
The Purview platform is hosted on Vercel. Vercel processes request data (IP addresses, user agent strings, and page requests) as part of hosting and content delivery. Vercel Analytics provides aggregated usage metrics. For details, see Vercel's privacy policy at vercel.com/legal/privacy-policy.
4.5 Supabase
All application data — including account information, organization details, compliance assessments, and generated policies — is stored in a PostgreSQL database hosted by Supabase. Supabase provides database hosting, authentication services, and Row Level Security enforcement. Supabase processes this data as a data processor on our behalf. For details, see Supabase's privacy policy at supabase.com/privacy.
4.6 Legal Requirements
We may disclose your information if required to do so by law, court order, or government regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud.
5. Data Retention
We retain your data according to the following schedule:
- Account and organization data: Retained while your subscription is active and for 30 days after account deletion to allow for recovery.
- Quiz submissions (non-users): Quiz responses from visitors who do not create an account are retained for 90 days, then automatically deleted.
- Compliance assessments and requirement statuses: Retained while your account is active. Deleted upon account deletion.
- Generated privacy policies: Retained while your account is active. You may export your policies at any time.
- Audit logs: Retained indefinitely for security and compliance record-keeping purposes.
- Payment records: Stripe retains payment records in accordance with its own data retention policies and applicable financial regulations.
6. Security
We implement commercially reasonable technical and organizational measures to protect your data, including:
- Row Level Security (RLS): All database tables containing organization-specific data are protected by PostgreSQL Row Level Security policies, ensuring that each organization can only access its own data.
- Encrypted connections: All data in transit is encrypted using TLS/SSL. Database connections use encrypted channels.
- Authentication security: Passwords are hashed using industry-standard algorithms via Supabase Auth. Session tokens are managed with secure, HttpOnly cookies with appropriate SameSite and Max-Age attributes.
- No PII in logs: Application logs do not contain personally identifiable information. Audit logs record action types and entity IDs, not raw personal data.
- Input sanitization: All user inputs are validated and sanitized. Generated policy content is processed through DOMPurify to prevent cross-site scripting attacks.
No system is perfectly secure. While we take extensive precautions to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at privacy@getpurview.com.
7. Your Privacy Rights
Depending on your state of residence, you may have specific privacy rights under applicable state laws. Below is a summary of the rights available under major state privacy statutes. To exercise any of these rights, contact us at privacy@getpurview.com.
7.1 California (CCPA/CPRA)
California residents have the right to: know what personal information we collect and how it is used; request deletion of their personal information; request correction of inaccurate personal information; opt out of the sale or sharing of personal information (note: we do not sell or share personal information for cross-context behavioral advertising); and limit the use of sensitive personal information. We will not discriminate against you for exercising your CCPA/CPRA rights.
7.2 Colorado (CPA)
Colorado residents have the right to: access their personal data; correct inaccuracies in their personal data; delete their personal data; obtain a portable copy of their personal data; and opt out of the processing of personal data for targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects. You may appeal our decision regarding a rights request by contacting us at privacy@getpurview.com.
7.3 Connecticut (CTDPA)
Connecticut residents have the right to: access their personal data; correct inaccuracies; delete personal data; obtain a copy of their personal data in a portable format; and opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling. You may appeal a denial of your rights request within a reasonable period after receiving our decision.
7.4 Virginia (VCDPA)
Virginia residents have the right to: confirm whether we are processing their personal data and access that data; correct inaccuracies in their personal data; delete personal data provided by or obtained about them; obtain a copy of their personal data in a portable and readily usable format; and opt out of the processing of personal data for purposes of targeted advertising, sale of personal data, or profiling. You may appeal our decision by contacting us at privacy@getpurview.com.
7.5 Other States
Residents of Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, Rhode Island, Kentucky, and other states with comprehensive privacy laws may have similar rights to access, correct, delete, and port their personal data, as well as rights to opt out of certain processing activities. We honor all valid consumer rights requests in accordance with applicable law.
7.6 Exercising Your Rights
To submit a privacy rights request, email us at privacy@getpurview.com with the subject line "Privacy Rights Request." Include your name, the email address associated with your account, the specific right you wish to exercise, and your state of residence. We will verify your identity before processing the request and respond within the timeframe required by applicable law (typically 45 days, with a possible extension of an additional 45 days for complex requests).
If we deny your request, we will provide an explanation and information about how to appeal the decision where applicable.
8. Children's Privacy
Purview is a business-to-business service designed for use by business professionals. We do not knowingly collect personal information from children under the age of 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information as quickly as possible.
If you are a parent or guardian and believe that your child has provided personal information to Purview, please contact us at privacy@getpurview.com so that we can take appropriate action.
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes — such as new categories of data collection, new third-party data sharing, or changes to your privacy rights — we will provide at least 30 days' advance notice via email to the address associated with your account.
Non-material changes, such as clarifications or formatting updates, may be made without advance notice. The "Last updated" date at the top of this page will always reflect the date of the most recent revision. We encourage you to review this policy periodically.
10. Contact Us
If you have questions about this Privacy Policy or your personal data, or wish to exercise your privacy rights, please contact us at:
Purview
Email: privacy@getpurview.com
For general inquiries about our Terms of Service, please see our Terms of Service.
This Privacy Policy is provided for informational purposes. Purview provides legal information, not legal advice. Consult a qualified attorney for guidance specific to your situation.