Legal
Privacy Policy
PassProof is a remote-first digital agency serving Ontario that helps organizations meet their accessibility obligations under the Accessibility for Ontarians with Disabilities Act, 2005 (AODA) and the Web Content Accessibility Guidelines (WCAG). Accessibility and privacy are both about treating people with respect, so we hold ourselves to a high standard for the personal information you share with us — whether through our public website or as a client using our portal. This policy explains what we collect, why, who processes it on our behalf, where it is stored, how long we keep it, and the rights you have under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Québec's Law 25, and other applicable privacy laws.
Last updated: June 4, 2026
1. Who we are and how to reach us
PassProof ("we", "us", or "our") operates this website and the associated client portal, and is the organization accountable for the personal information collected through them — including when we entrust it to the service providers described below.
PassProof is a business name operated by Nikita Roskladka, a sole proprietor (jednoosobowa działalność gospodarcza) registered in Poland — NIP 5243068331, REGON 544258450 — with a registered business address at ul. Książkowa 9C/105, 03-134 Warszawa, Poland. We have designated a privacy contact responsible for our compliance with this policy; if you have a question, request, or concern about your personal information, email privacy@getpassproof.com and we will respond as promptly as we reasonably can.
2. The information we collect
Public forms. Through our free "Risk Snapshot" form we collect your name, work email, company name, approximate employee-count band, the website address (URL) you ask us to review, and any optional message. Through our "Start a project" brief form we collect your name, email, company, project type, current website, budget band, timeline, and the project details you describe.
Account and project records. If you become a client, we create an account and store the records needed to run your engagement: your name, email and (optionally) phone and company; your projects and their stage; tasks; invoices and their payment status; and any subscription (Care Plan) status. We authenticate you by a one-time sign-in link sent to your email (no password).
Messages and uploads. Our client portal includes an in-app chat. We store the messages exchanged and any photos or videos you upload (for example, screenshots related to your project). These files are kept in private storage and shared only with you and our team.
Payment information. When we invoice you, payment is processed by Stripe. Your card details are entered into and stored by Stripe — not by PassProof; we retain only billing metadata such as amounts, invoice and subscription status, and a Stripe customer reference.
Technical information. Our hosting provider records minimal server logs (such as IP address and browser user-agent) to keep the site secure and reliable. We do not build advertising or behavioural profiles, and we do not ask for sensitive data such as health or government-identifier information.
3. Why we collect it (purposes)
We identify our purposes at or before collection. We use public-form information to run a free preliminary assessment, prepare an indicative quote, and contact you with results. We use account, project, message and payment information to provide and manage the services you engage us for: delivering your project, communicating with you, tracking progress, issuing and collecting invoices, and operating any subscription you choose.
We use minimal server-log information only for security, fraud prevention, troubleshooting and reliability. We will not use your information for a new, unrelated purpose without your consent, unless a law permits or requires it.
4. Consent and your communications
When you submit a form or use the portal, you knowingly provide your information and consent to the uses described here, including the automated analysis and the cross-border processing explained below.
Transactional vs marketing messages. Account, sign-in (magic-link) and invoice emails are transactional messages necessary to provide the service you requested. If we ever send marketing or other commercial electronic messages, we will comply with Canada's Anti-Spam Legislation (CASL): we will rely on your express or implied consent, every message will identify us, and each will include an easy way to unsubscribe. You may withdraw consent at any time, subject to legal or contractual limits and reasonable notice.
5. Service providers (sub-processors)
We do not sell, rent, or trade your personal information. To deliver the website, the portal and our services, we rely on a small number of reputable providers who process limited information on our behalf and under our instructions:
• Supabase (database, authentication and file storage) — stores your account, project, message and uploaded-file data; its servers for our project are located in the European Union.
• Stripe (United States) — processes card payments and stores card data, customers, invoices and subscriptions.
• Anthropic PBC (United States) — operates the Claude AI used for the Risk Snapshot; the URL and form context you submit are sent to its API, and Anthropic does not use API submissions to train its models.
• Google PageSpeed Insights (United States) — runs the automated accessibility/performance scan of the URL you submit.
• Vercel (United States) — website and application hosting.
• Web3Forms (when enabled) — delivers form inquiries to our inbox.
Each provider receives only what it needs for its function, and we choose providers that maintain recognized security and privacy practices.
6. Where your information is processed (outside Canada)
Because our providers operate in the United States and the European Union, your personal information is processed and stored outside Canada — most notably, our database and uploaded files are hosted with Supabase in the European Union, and payments are processed by Stripe in the United States. We disclose this so you can make an informed choice before you submit information or open an account.
While your information is handled in another country, it may be accessible to that country's courts, law enforcement and national-security authorities under their laws. We remain accountable for it under PIPEDA and Law 25, and we use contractual and technical measures (including the safeguards in Section 9) intended to give it a comparable level of protection wherever it is processed.
8. How long we keep your information
We keep personal information only as long as we reasonably need it. Public-form inquiries are kept while we respond and to maintain ordinary business records. Account, project and message data is kept for the duration of your engagement and a reasonable period afterward. Invoice and payment records are retained as required for tax and accounting purposes (commonly several years). Uploaded files are kept for the engagement and a defined window thereafter.
When information is no longer required and we are not legally obliged to keep it, we delete it or render it anonymous. Note that some records — for example, payment records held by Stripe — are also retained by that provider under its own legal obligations.
9. How we protect it, and breach notification
We use safeguards appropriate to the sensitivity of the information: encryption in transit (HTTPS); database row-level security that isolates each client's data so one client cannot access another's; private file storage served only through time-limited signed links; restricted internal access; and reputable providers with their own security programs. Card data is handled by Stripe, a PCI-DSS-compliant processor.
No method is perfectly secure, but we take reasonable technical and organizational steps to protect personal information against loss, theft, and unauthorized access, use or disclosure. We maintain a confidentiality-incident process: if a breach creates a real risk of significant harm, we will notify affected individuals and the appropriate authorities — the Office of the Privacy Commissioner of Canada and, for Québec residents, the Commission d'accès à l'information — consistent with PIPEDA and Law 25.
10. Your privacy rights
You may ask whether we hold personal information about you, access it, ask us to correct it if it is inaccurate, and (subject to legal or contractual limits) ask us to delete it or withdraw your consent to its continued use. Where required by Law 25, we can also help with portability of certain information.
To exercise these rights, email privacy@getpassproof.com. We may confirm your identity first, and we coordinate the request across our systems and providers (Supabase and Stripe). Some information — such as invoice records — may be retained where law requires. There is normally no charge to access your own information; we will tell you in advance of any minimal cost.
11. How to raise a concern
If you are not satisfied with how we have handled your personal information, please contact us first at privacy@getpassproof.com so we can make it right.
You may also complain to the Office of the Privacy Commissioner of Canada (OPC). If you are a Québec resident, or your matter is governed by Québec law, you may contact the Commission d'accès à l'information du Québec (CAI). Other provinces have their own regulators who may assist depending on your circumstances.
12. Children, and changes to this policy
Our services are intended for businesses and organizations. This website and portal are not directed to children, and we do not knowingly collect children's personal information. If you believe a child has provided us information, contact us and we will delete it.
We may update this policy to reflect changes in our practices or the law. We will revise the "Last updated" date above, and significant changes take effect when posted. Please review this page periodically.
This page is provided for transparency and to explain how we work. It is written in plain language and does not itself constitute legal advice. If you need advice about your own legal obligations, please consult qualified counsel in your jurisdiction.