Legal

Privacy Policy

Last updated · April 28, 2026 · Last reviewed · June 10, 2026 · Version 2.4

What we collect, what we do with it, and what we will never do with it. Written in plain English, with the legal precision on top.

§ 01

Plain-English summary

You're busy. Here's the short version, in five bullet points. Everything else on this page expands on these.

i

The short version

  • We collect the domains you scan, the email you sign up with, and standard product analytics.
  • We use that data to run scans, send you receipts, and improve the methodology.
  • We do not sell your data. Ever.
  • We do not train AI models on your data.
  • You can delete your account and your data at any time.
§ 02

What we collect

Account data. Email address, name (optional), passkey credentials, TOTP secret, organization name, billing details (handled by Stripe — we never see your card number).

Scan data. The domains you scan, the queries we generate, the responses we receive from third-party AI models, and the scores we derive. This is the core of the product.

Usage data. Pages viewed, features used, errors encountered, approximate location derived from IP, browser and device characteristics. We use PostHog (cloud-hosted product analytics) for first-party usage analytics and do not enrich this data with third-party advertising profiles.

§ 03

How we use it

We use the data we collect to operate, maintain, and improve misquoted. Specifically:

  • To run scans, generate reports, and deliver them to you.
  • To bill you, send receipts, and handle refunds.
  • To detect abuse, fraud, and security incidents.
  • To improve methodology in aggregate — never on identifiable individual data.
  • To send transactional emails (receipts, scan completion, alerts) and, if you opt in, marketing emails.
§ 04

Who we share it with

We share data only with sub-processors who help us run the service. See the full list of vendors at misquoted.ai/sub-processors. Each one is bound by a data-processing agreement and only sees the minimum data necessary for their function.

We do not sell, rent, or barter your data with any third party. We will disclose data when required by valid legal process, and we will fight overbroad requests.

§ 05

Cookies & tracking

We use a small number of first-party cookies for session management and CSRF protection, and PostHog product analytics to understand how the app is used. We do not use third-party advertising cookies, retargeting pixels, or cross-site trackers. To opt out of product analytics, email privacy@misquoted.ai and we will exclude your account.

§ 06

Retention

We keep your scan reports and account data for as long as your account is active. When you delete a workspace, we cancel its billing in the same step and flag the workspace for deletion; the data is then removed on our retention schedule rather than living on indefinitely.

We honor account-deletion requests within 30 days. Some records are kept longer where the law requires it (for example, billing and tax records), and aggregate, non-identifiable methodology signals may be retained — these can no longer be tied back to you.

§ 07

Your rights

Depending on where you live, you may have the right to access, correct, delete, or port your personal data, and to object to or restrict our processing of it. You can exercise these rights from your account settings or by emailing privacy@misquoted.ai. We respond to verified requests within 30 days.

EU/EEA, UK, and California residents have additional statutory rights under GDPR, UK-GDPR, and CCPA respectively. We honor all of them.

§ 08

Security

We encrypt data in transit with TLS, and the database and its backups are encrypted at rest by our managed database provider. Authentication is passkey-, magic-link-, and TOTP-based — there are no passwords to phish or leak. Sensitive administrative actions on an account are recorded in an audit log before they can proceed. See our security page for full details.

§ 09

International transfers

misquoted operates from the United States, and most of our infrastructure is U.S.-region. If you access the service from outside the U.S., your data will be transferred to and processed in the U.S. We rely on Standard Contractual Clauses for transfers from the EU/EEA and UK. See the DPA for the formal agreement.

§ 10

Children's privacy

misquoted is a B2B service not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have, contact us immediately and we'll delete it.

§ 11

Changes

We may update this policy. Material changes will be announced by email and on the homepage at least 14 days in advance. You can always see the current version date at the top of this page.

§ 12

Contact

For privacy questions, data-rights requests, or anything else covered here: privacy@misquoted.ai. A real person on our team reads that inbox.