Privacy Policy

Effective July 6, 2026

What we collect

  • Account data: email, name (optional), hashed password.
  • Search profiles: names and states you enter for yourself or family members, plus claim statuses, amounts, and notes you record. This is sensitive by nature - it stays in your account, scoped to you by row-level security, and is never shared or sold.
  • Billing data: handled by Stripe. We store only Stripe customer and subscription identifiers, never card numbers.
  • Usage data: standard server logs (IP address, user agent) kept for security and debugging.

What we don't do

We do not search government databases on your behalf, so your search subjects are never transmitted to any agency by us - you run those searches yourself on the agency's site. We do not sell or rent personal data, run ads, or share your family's information with data brokers. Ever.

Every processor that touches your data

  • Supabase — database and authentication hosting.
  • Stripe — payment processing.
  • Resend — reminder and account emails.
  • Vercel — application hosting (when deployed).
  • Cloudflare — network/CDN when a tunnel or proxy is in front of the app.

Each processor receives only what it needs for its job, under its own privacy terms. If this list changes, this policy is updated first.

Cookies

Session cookies keep you signed in. No cross-site tracking cookies, no ad pixels, no analytics beacons.

Your rights (GDPR, UK GDPR, CCPA, and similar)

Wherever you live, you can access, correct, export, or delete your personal data, object to or restrict processing, and (where applicable) lodge a complaint with your supervisory authority. California residents additionally have the right to know, delete, correct, and opt out of "sales" or "sharing" (we do neither), without discrimination for exercising those rights. To exercise any right, email support@worthback.app from your account address — we respond within 30 days. Deleting a search profile deletes its claims immediately; account deletion is available from Settings.

Retention and security

Account data lives as long as the account, then is erased within 30 days of a deletion request. Server logs rotate within 90 days. Passwords are hashed by Supabase Auth, transport is TLS everywhere, and row-level security scopes every database row to its owner.

Children

The service is not directed at children under 13 and we do not knowingly collect their data. If you believe a child has created an account, email us and we will delete it.

Changes

Material changes are emailed to account holders 14 days ahead. Contact: support@worthback.app, Capped Out Labs LLC.