Run a free scan
Legal

Privacy Policy

Last updated · April 28, 2026 · Version 2.4

What we collect, what we do with it, and what we will never do with it. Written in plain English, with the legal precision on top.

§ 01

Plain-English summary

You're busy. Here's the short version, in five bullet points. Everything else on this page expands on these.

i

The short version

  • We collect the domains you scan, the email you sign up with, and standard product analytics.
  • We use that data to run scans, send you receipts, and improve the methodology.
  • We do not sell your data. Ever.
  • We do not train AI models on your data.
  • You can delete your account and your data at any time.
§ 02

What we collect

Account data. Email address, name (optional), passkey credentials, TOTP secret, organization name, billing details (handled by Stripe — we never see your card number).

Scan data. The domains you scan, the queries we generate, the responses we receive from third-party AI models, and the scores we derive. This is the core of the product.

Usage data. Pages viewed, features used, errors encountered, approximate location derived from IP, browser and device characteristics. We use PostHog with anonymization enabled.

§ 03

How we use it

We use the data we collect to operate, maintain, and improve misquoted. Specifically:

  • To run scans, generate reports, and deliver them to you.
  • To bill you, send receipts, and handle refunds.
  • To detect abuse, fraud, and security incidents.
  • To improve methodology in aggregate — never on identifiable individual data.
  • To send transactional emails (receipts, scan completion, alerts) and, if you opt in, marketing emails.
§ 04

Who we share it with

We share data only with sub-processors who help us run the service. See the full list of vendors at misquoted.ai/sub-processors. Each one is bound by a data-processing agreement and only sees the minimum data necessary for their function.

We do not sell, rent, or barter your data with any third party. We will disclose data when required by valid legal process, and we will fight overbroad requests.

§ 05

Cookies & tracking

We use a small number of first-party cookies for session management and CSRF protection, and we use PostHog (self-hosted) for product analytics. We do not use third-party advertising cookies, retargeting pixels, or cross-site trackers. You can opt out of analytics at any time from your account settings.

§ 06

Retention

Scan reports are retained for the life of your account, plus 90 days after cancellation (read-only). After 90 days, identifiable scan data is archived to cold storage and anonymized for methodology purposes. Account data is deleted within 30 days of a deletion request, subject to any legal retention obligations (e.g. tax records).

§ 07

Your rights

Depending on where you live, you may have the right to access, correct, delete, or port your personal data, and to object to or restrict our processing of it. You can exercise these rights from your account settings or by emailing privacy@misquoted.ai. We respond to verified requests within 30 days.

EU/EEA, UK, and California residents have additional statutory rights under GDPR, UK-GDPR, and CCPA respectively. We honor all of them.

§ 08

Security

We encrypt data in transit (TLS 1.3) and at rest (AES-256). Authentication is passkey- and TOTP-based — there are no passwords to phish or leak. We log access to sensitive data, restrict it on a least-privilege basis, and review the audit log monthly. See our security page for full details.

§ 09

International transfers

misquoted operates from the United States, and most of our infrastructure is U.S.-region. If you access the service from outside the U.S., your data will be transferred to and processed in the U.S. We rely on Standard Contractual Clauses for transfers from the EU/EEA and UK. See the DPA for the formal agreement.

§ 10

Children's privacy

misquoted is a B2B service not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have, contact us immediately and we'll delete it.

§ 11

Changes

We may update this policy. Material changes will be announced by email and on the homepage at least 14 days in advance. You can always see the current version date at the top of this page.

§ 12

Contact

For privacy questions, data-rights requests, or anything else covered here: privacy@misquoted.ai. Our data protection officer is reachable at the same address.