Privacy Policy
DeData Privacy Labs · Effective Date: May 6, 2026 · Last Updated: May 6, 2026
The short version. DeData collects exactly the data we need to remove your information from data brokers — name, address, email, phone, and (optionally) date of birth. We encrypt it at rest with AES-256, never sell it, and let you delete the entire account in one click. Everything below is the long version of that promise.
1. Who We Are
DeData Privacy Labs (“DeData,” “we,” “us,” or “our”) is a Delaware C-Corporation operating the dedatalabs.org platform. This Privacy Policy explains how we collect, use, share, retain, and protect personal information you provide when you use the Service. It is incorporated by reference into our Terms of Service.
Data Controller (EEA/UK). For users in the EEA, UK, or Switzerland, DeData Privacy Labs is the data controller of the personal information you provide. Contact: privacy@dedatalabs.org.
2. Information We Collect
Account information. When you create an account: email address, hashed password, account creation timestamp.
Personal information for removals (PII). To submit opt-outs to data brokers we collect: full legal name, current and prior mailing addresses, phone numbers, email addresses, and, only where a broker requires it, date of birth. This is encrypted at rest with AES-256 using customer-isolated keys.
Sensitive Personal Information (SPI) — concrete inventory. CCPA §1798.140(ae) defines SPI categories. Below is exactly which of them DeData processes:
- Government-issued IDs (SSN, driver's license, passport): NO.
- Financial account / payment info: YES — handled by Stripe; we receive last-4 + brand only.
- Precise geolocation (within 1,850 ft / 564 m): NO.
- Racial or ethnic origin: NO.
- Religious or philosophical beliefs: NO.
- Union membership: NO.
- Genetic data: NO.
- Biometric identifiers (used for unique identification): NO.
- Health, mental, or physical condition data: NO.
- Sexual orientation or sex-life information: NO.
- Contents of mail, email, or messages where DeData is not the intended recipient: NO. Inbound support emails you send us are processed only to provide the support response.
Right to limit SPI use (CCPA §1798.121). You may limit our use and disclosure of SPI to what is reasonably necessary to provide the service you requested. To exercise this right, log in and visit /settings → Privacy and toggle Limit SPI use. The toggle takes effect immediately and is recorded in your account audit log.
Payment information. We never see your card number. Stripe processes payment and returns to us only billing email, customer ID, last-4, and card brand for receipts.
Technical / log data. IP address (truncated for analytics), user-agent, login timestamps, and audit-log entries for security and abuse triage. Support for Global Privacy Control (GPC) and Universal Opt-Out Mechanism (UOOM) signals is on our roadmap.
Information we do NOT collect. We do not collect government-issued ID numbers, bank account numbers, biometric identifiers (other than DV-program pseudonyms you explicitly provide), location data, advertising IDs, or contacts/calendar from your device.
3. How We Use Your Information
- To submit opt-out / deletion / do-not-sell requests to data brokers on your behalf.
- To rescan brokers and detect re-listings.
- To send you transactional email (verification, receipts, removal updates, account events).
- To detect and prevent fraud, abuse, and unauthorized account access.
- To comply with legal obligations (subpoenas, audits, statutory retention).
- To improve broker coverage in aggregate — never tied back to individual identities.
We do not sell your personal information. “Sell” and “share” are used here as defined by CCPA/CPRA.
4. Who We Share It With (Subprocessors)
We share personal information only with the third parties strictly necessary to deliver the Service. The full, current list is published at /legal/subprocessors. As of the date above, this includes:
- Stripe — payment processing.
- Hosting / database provider — Postgres hosting and encrypted backups.
- Transactional email provider — verification, receipts, dunning notices.
- Proxy / network providers — outbound routing for broker scans (transient PII pass-through during scan; not persistently stored).
- Error / audit telemetry (Sentry) — with PII scrubber applied; we never ship raw user data to error tracking.
We require every subprocessor to sign a DPA (Data Processing Agreement) and to commit to SCCs for any cross-border transfer.
Data brokers. The whole point of the Service is to disclose the minimum identifying information necessary to a data broker so they can remove you from their database. By using the Service you authorize this disclosure, on your behalf, under CCPA §1798.135 and equivalent state statutes.
5. Security
Encryption. PII is stored using AES-256 at rest with customer-isolated keys held in a KMS-style escrow. Transport is TLS 1.2+ end-to-end. Card data never touches our servers (Stripe-tokenized).
Access control. Production database access is restricted to a small number of named operators, all of whom have MFA enforced (NIST 800-63B AAL2). All write operations against your data are audit-logged.
Breach response. In the event of a personal-data breach requiring notification under GDPR Art. 33, CCPA §1798.150, or any state breach-notification law, we will notify affected users within the statutory window and post a public incident report.
No system is unbreakable. You acknowledge that no security control is absolute and that DeData’s security obligations are limited to those described above and in the Terms of Service.
6. Retention and Deletion
Account-active. While your account is active, we retain your PII as long as we need it to keep submitting removals on your behalf.
Account deleted. When you delete your account from Settings, we schedule full erasure within 30 days. After that window, only a tombstone record (account ID, deletion timestamp) is retained for anti-abuse and audit purposes.
Removal records. For audit and re-listing detection we retain hashed broker-correspondence metadata (request type, status, timestamp) for up to 24 months after account closure. These records do not contain raw PII.
Legal hold. If we are subject to a legal hold, subpoena, or statutory retention rule, we will retain the minimum data required to comply, no longer.
7. Your Rights
DeData honours all rights granted by your state of residence (or, for EU/UK/Swiss residents, by GDPR). The matrix below names each statute, the rights it grants, and where to learn more from your state Attorney General. Rights you can always exercise: access, correction, deletion, portability, opt-out of sale/sharing, opt-out of targeted advertising, opt-out of profiling for solely-automated significant decisions, and appeal of any denied request.
Do Not Sell or Share My Personal Information
We do not sell your personal information. “Sell” and “share” are used here as defined by CCPA §1798.140 and equivalent statutes. We also do not use your personal information for cross-context behavioural advertising. Support for Global Privacy Control (GPC) and Universal Opt-Out Mechanism (UOOM) browser signals is on our roadmap; until then, please log in and record your opt-out at Settings → Privacy and toggle Do Not Sell or Share, or email privacy@dedatalabs.org with the subject Do Not Sell — Opt Out.
7.1 California — CCPA / CPRA
Statute: California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq., as amended by the CPRA.
Rights: know, access, correct, delete, data portability, limit use of Sensitive Personal Information (§1798.121), opt-out of sale and sharing (§1798.120), opt-out of automated decision-making, appeal denials, non-discrimination for exercising rights.
More information: California Attorney General — CCPA.
7.2 Virginia — VCDPA
Statute: Virginia Consumer Data Protection Act, Va. Code §59.1-575 et seq.
Rights: access, correct, delete, data portability, opt-out of sale, opt-out of targeted advertising, opt-out of profiling in furtherance of decisions producing legal or similarly significant effects, appeal denials within 60 days (§59.1-577(C)).
More information: Virginia Attorney General — Data Protection.
7.3 Colorado — CPA
Statute: Colorado Privacy Act, Colo. Rev. Stat. §6-1-1301 et seq.
Rights: access, correct, delete, data portability, opt-out of sale, opt-out of targeted advertising, opt-out of profiling, appeal denials (§6-1-1306(3)). Colorado recognises the Universal Opt-Out Mechanism (UOOM).
More information: Colorado Attorney General — Colorado Privacy Act.
7.4 Connecticut — CTDPA
Statute: Connecticut Data Privacy Act, Conn. Gen. Stat. §42-515 et seq.
Rights: access, correct, delete, data portability, opt-out of sale, opt-out of targeted advertising, opt-out of profiling, appeal denials (CTDPA §6).
More information: Connecticut Attorney General — CTDPA.
7.5 Utah — UCPA
Statute: Utah Consumer Privacy Act, Utah Code §13-61-101 et seq.
Rights: access, delete, data portability, opt-out of sale, opt-out of targeted advertising. (UCPA does not include correction or appeal rights.)
More information: Utah Attorney General — Consumer Privacy.
7.6 Texas — TDPSA
Statute: Texas Data Privacy and Security Act, Tex. Bus. & Com. Code §541.001 et seq.
Rights: access, correct, delete, data portability, opt-out of sale, opt-out of targeted advertising, opt-out of profiling, appeal denials.
More information: Texas Attorney General — Data Privacy.
7.7 Florida — FDBR
Statute: Florida Digital Bill of Rights, Fla. Stat. §501.701 et seq.
Rights: access, correct, delete, data portability, opt-out of sale, opt-out of targeted advertising, opt-out of profiling, opt-out of voice/facial recognition processing. (FDBR applies only to controllers above a high revenue threshold; we honour its rights for all Florida residents regardless.)
More information: Florida Attorney General — Privacy.
7.8 Oregon — OCPA
Statute: Oregon Consumer Privacy Act, Or. Rev. Stat. §646A.570 et seq.
Rights: access (including the specific list of third parties to whom data was disclosed — broader than other state laws), correct, delete, data portability, opt-out of sale, opt-out of targeted advertising, opt-out of profiling, appeal denials.
More information: Oregon Department of Justice — Privacy.
7.9 Other US states
Residents of Iowa (ICDPA), Montana (MCDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Delaware (DPDPA), Indiana (INCDPA), Tennessee (TIPA), Maryland (MODPA), Minnesota (MCDPA), Rhode Island (RIDTPPA), Nebraska (NDPA), and Kentucky (KCDPA) have analogous comprehensive privacy statutes. We honour the rights granted by your state of residence; contact privacy@dedatalabs.org and reference your state to exercise them.
7.10 EEA / UK / Switzerland — GDPR & UK GDPR
You have the rights of access, rectification, erasure, restriction, portability, and objection under GDPR Articles 15–22 and equivalent UK provisions. The legal basis for processing is your consent (Art. 6(1)(a)) or, where necessary to perform the Service, the contract you have with us (Art. 6(1)(b)). You may lodge a complaint with your local supervisory authority — find yours at EDPB members.
7.11 Appeal Process
If we deny your privacy-rights request, you may appeal within sixty (60) days by emailing privacy@dedatalabs.org with the subject Appeal: <request id>. We will respond within sixty (60) days with our appeal decision and the reasoning behind it. If your appeal is denied, you may file a complaint with your state Attorney General using the link in the row for your state above. This process satisfies VCDPA §59.1-577(C), CPA §6-1-1306(3), CTDPA §6, and equivalent state-law appeal requirements.
7.12 How to exercise these rights
Email privacy@dedatalabs.org with the subject Privacy Rights Request, or use Settings → Account → Delete or Settings → Account → Export. We respond within 45 days (CCPA and most state laws) or 30 days (GDPR). Where a state statute permits a 45-day extension on notice, we will notify you before extending. Exercising any of these rights is free of charge and we will not discriminate against you for doing so.
8. Children's Privacy (Tiered)
DeData enforces a tiered age policy:
- Under 13: account creation refused entirely (COPPA, 15 U.S.C. §6501 et seq.).
- 13–15: verifiable parental consent required before any PII is collected or any removal is dispatched.
- 16+: open enrolment.
If we learn we have collected information from a child under these thresholds without proper consent, we will delete it promptly.
10. International Transfers
Our infrastructure is hosted in the United States. For users in the EEA, UK, or Switzerland, transfers are made under Standard Contractual Clauses (SCCs) or, where applicable, a Data Privacy Framework certification.
11. Changes to This Policy
We may update this Privacy Policy. Material changes will be announced by email at least 14 days before they take effect. The “Last Updated” date at the top of this page reflects the most recent change.
12. Contact
privacy@dedatalabs.org for privacy questions, rights requests, and supervisory-authority complaints.
Postal address. Written legal notices and certified mail should be sent to:
DeData, Inc., 1209 Orange Street, Wilmington, DE 19801, USA