1. Who we are
ProofStack is operated by Xpand Digital (DirectRank LLC, Miji Australia Pty Ltd — collectively "Xpand", "we", "us"). This Privacy Policy explains how we collect, use, share, and retain personal data.
For privacy questions or requests: privacy@xpanddigital.io.
2. Personal data we collect
We process two categories of personal data:
2.1 Account holders (you)
- Identity: name, work email, profile picture.
- Authentication: hashed password or magic-link tokens (handled by Supabase Auth).
- Billing: name, email, address, payment-method last-4 and brand (full card data is held by Stripe; we never see it).
- Usage: API requests, page views, IP address, user-agent, audit events (sign-in, plan change, export, etc.).
2.2 Prospect contacts (third parties you research)
- Business contact information collected from public sources (Google Maps, public profiles, business websites) and licensed providers (Apollo, SpyFu, Perplexity).
- Mystery-shop interactions: inquiry text submitted, callback timing, transcripts produced by GoHighLevel call recording.
[Lawyer: this section is the load-bearing one for GDPR/CCPA. Make sure the lawful basis below covers every data category above.]
3. How we use personal data
- To provide and improve the Service.
- To authenticate you and protect your account.
- To process payments and prevent fraud.
- To respond to support requests.
- To send transactional emails (billing, security, product updates you opt into).
- To comply with legal obligations and enforce our Terms.
4. Legal bases (GDPR)
- Contract: account creation, billing, providing requested features.
- Legitimate interest: security, fraud prevention, product improvement, processing prospect data for B2B outreach.
- Consent: marketing emails, optional analytics, non-essential cookies. You can withdraw consent at any time.
- Legal obligation: tax records, responses to lawful requests.
5. Sharing with third parties (sub-processors)
We share personal data only with sub-processors who help us run the Service. Each is bound by contract to use the data only on our instructions and to protect it appropriately.
- Supabase (database + auth + storage; AWS-hosted, US/EU regions).
- Vercel (hosting, edge runtime, logs).
- Stripe (payment processing).
- Sentry (error monitoring).
- Anthropic, Perplexity (AI processing of business descriptions, transcripts, and outreach drafts).
- Apify, SpyFu, BrightData (sourcing of publicly available business data).
- GoHighLevel, Instantly, ElevenLabs, HeyGen (outbound communication infrastructure).
A current list of sub-processors is available on request. We do not sell personal data.
6. International transfers
Our primary infrastructure is in the United States. If you are in the EEA, UK, Switzerland, Australia, or another region with cross-border transfer restrictions, your data will be transferred under appropriate safeguards (Standard Contractual Clauses, UK IDTA, or equivalent). Contact us for a copy of the applicable transfer mechanism.
7. Retention
- Account data: retained while your account is active and up to 90 days after closure (for billing and audit), then deleted.
- Customer Data (your prospect lists, mystery-shop records): retained per your plan. Hot retention 1–2 years, cold archive up to 3 years, then deletion.
- Audit logs: 1 year hot, 2 years cold.
- Backups: rolling 30-day backups of the entire database; included data is overwritten on schedule.
8. Security
We use industry-standard administrative, technical, and organizational measures to protect personal data, including encryption in transit (TLS 1.2+), encryption at rest, Row-Level Security in the database, per-organization encrypted credential storage via Supabase Vault, role-based access controls, signed webhooks, and audit logging. No system is perfectly secure; we do our best.
9. Your rights
Subject to your region, you may have rights to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (right to erasure / right to be forgotten).
- Restrict or object to processing.
- Portability — receive your data in a machine-readable format.
- Withdraw consent at any time (where consent is the legal basis).
- Lodge a complaint with a supervisory authority.
Account holders can export their data at any time via Settings → Account or by emailing privacy@xpanddigital.io. Account holders can request deletion via the same channels; we will act on the request within 30 days.
Prospect contacts whose data we hold may request access, correction, or deletion by emailing privacy@xpanddigital.io with verification of identity.
10. Cookies and similar technologies
We use strictly necessary cookies for authentication (Supabase Auth session) and CSRF protection. We use functional cookies for in-product preferences (workspace switcher, sort order). We do not use third-party advertising cookies or cross-site trackers. You can manage non-essential cookies via the consent banner.
11. Children
The Service is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
12. Changes to this Policy
Material changes will be communicated by email or in-product notice at least 30 days before they take effect. The "Effective" date at the top of this page indicates the current version.
13. Contact
Privacy questions, DSR requests, or complaints: privacy@xpanddigital.io.
For EU/EEA inquiries, we will appoint a representative as required by Article 27 GDPR. [Lawyer: required if we have substantial EU users without an EU establishment.]