Privacy Policy

Status â€” DRAFT, not yet in force. Starting language for counsel review, with placeholders marked [[FILL: â€¦]]. Do not publish until A&C, LLC formation completes, the entity ratifies this policy, and counsel finalizes. See 00-README-launch-gate.md. Last revised: 2026-06-24.

Effective date: [[FILL: effective date â€” set at publication]]

Should It Launch is an automated production-readiness audit for websites, operated by A&C, LLC (“Should It Launch,” “we,” “us,” “our”). This policy explains what we collect, the roles we play with respect to different kinds of data, why we process it, how long we keep it, and the choices and rights you have.

We serve customers in the United States. We do not knowingly target users in the EU or UK, and this policy is written for US data-protection law. Two regimes are most relevant: the Maryland Online Data Privacy Act (MODPA), because we operate from Maryland, and the California Consumer Privacy Act, as amended (CCPA/CPRA), to the extent it applies to California residents who use the service. We honor the consumer rights described below regardless of your state, to the extent they apply to you.

The two roles we play with your data

How we treat data depends on what kind it is:

For your account and how you use the service, we are the controller. We decide why and how we process your email, name, audit history, billing reference, and technical logs.
For the content captured from a site you audit, we act as a processor on your behalf. A capture (the rendered HTML and audit snapshot of a target site) can contain content and data belonging to that site â€” which may be a third party who is not our user. We process captures only to produce and deliver the audit you requested. We do not mine, analyze for our own purposes, sell, or otherwise use captured site content, and we delete captures after 30 days (see Retention). If you are an agency auditing a client’s site, you are responsible for having the right to submit that site to us; our Data Processing Addendum governs that relationship.

What we collect

Account details. Your email and name, and a hashed password handled through our third-party authentication provider. We never store your password in readable form.
Sites you submit. The URL you ask us to audit, and â€” for a full audit â€” a capture of what loaded: the rendered HTML and the audit result. If we detect a secret (an API key or token) in a capture, it is redacted and never written to storage in readable form. Captures are deleted after 30 days.
Audit results. The findings, scores, and verdicts for your audits, kept on your account so you can see history and trends.
Payment details. Payments run through Stripe. We store a Stripe customer/subscription reference and your plan. We never see or store your card number.
Free-scan data. The free scan needs no account. To enforce a daily limit and prevent abuse, we count requests per IP address. An IP address can be personal data under US privacy law, so we disclose this use here even though no account is involved: we process it on the basis of our legitimate interest in rate-limiting and securing the service, we do not use it to identify you, and the free scan does not render your site.
Technical data. Standard request information (IP address, user agent, timestamps) used to operate and secure the service.

How we use what we collect

To run your audits and show you results and reports;
To bill you and manage your subscription;
To send monitoring and regression alerts if you enable monitoring;
To keep the service secure, enforce limits, and prevent abuse;
To respond to your support requests.

We do not sell your personal data, we do not “share” it for cross-context behavioral advertising, and we do not use it for advertising or cross-site tracking.

We use a small number of third-party service providers to run the service. They process data only to provide their service to us:

Cloudflare â€” hosting, database, object storage, and the headless rendering that performs an audit.
Stripe â€” payment processing.
Google PageSpeed Insights â€” performance measurement. The URL you submit for audit is sent to this service to retrieve performance data.

Our current sub-processors and their purposes are listed at [[FILL: domain]]/sub-processors. We may also disclose data where the law genuinely requires it (for example, a valid legal request), and in connection with a merger or acquisition, in which case we will continue to protect your data under this policy.

International data

We operate from and serve the United States. Our service providers may process and store data in the United States and, in Cloudflare’s case, on global infrastructure to deliver the service. We do not direct the service to the EU or UK.

How long we keep it

Captures: deleted after 30 days, automatically.
Audit scores and verdicts: kept on your account until you delete the account.
Account data: kept until you delete your account.
Billing ledger: retained in anonymized form for accounting and tax integrity. After you delete your account, the ledger entry retains only an opaque, orphaned identifier with no personal data attached.

We follow a data-minimization principle consistent with MODPA: we collect and retain only what is reasonably necessary and proportionate to provide the audit service you requested.

Your rights and choices

You can view your audits and account while logged in, and you can delete your account and its data from settings or by emailing [[FILL: privacy contact email]]. Deleting your account removes your audits, captures, and report links, and keeps only the anonymized billing-ledger entries described above.

Depending on where you live, you may also have some or all of the following rights with respect to your personal data:

To know / access the personal data we hold about you;
To correct inaccurate personal data;
To delete your personal data;
To data portability (receive your data in a portable form);
To opt out of sale or of “sharing” for targeted advertising â€” note we do neither;
To appeal a decision we make on your request (MODPA).

For California residents (CCPA/CPRA): to the extent the CCPA applies to you, you have the rights to know, delete, correct, and to opt out of sale/sharing (we do not sell or share), and the right not to receive discriminatory treatment for exercising your rights. We do not use or disclose sensitive personal information for purposes that would trigger the right to limit its use.

To exercise any right, contact [[FILL: privacy contact email]]. We will verify your request against your account and respond within the time required by applicable law. You may use an authorized agent where the law allows.

How we protect your data

Encrypted in transit (TLS).
Renders run sandboxed.
Our fetcher is hardened against requests to internal networks (SSRF protection).
Any secret we detect in a capture is redacted and never stored in readable form.
Captures are deleted on the 30-day schedule above.

No method of transmission or storage is perfectly secure, but we maintain administrative, technical, and physical safeguards appropriate to the data we handle.

Cookies

We use a single essential cookie to keep you signed in. We do not use advertising or cross-site tracking cookies. See our Cookie Notice at [[FILL: domain]]/cookies.

Children

The service is intended for professional use and is not directed to children. We do not knowingly collect personal data from anyone under 18, and we do not knowingly collect personal data from children under 13 as defined by the Children’s Online Privacy Protection Act (COPPA). If you believe a child has provided us personal data, contact us and we will delete it.

Changes and contact

We will update this policy as the service changes, and will revise the “effective date” above when we do. Questions or requests:

A&C, LLC [[FILL: registered business address]] [[FILL: privacy contact email]]