Privacy Policy
Effective 15 June 2026.
This Privacy Policy explains how the business operating Disclosed ("Disclosed", "we", "us") handles personal data. It covers two groups: (1) account holders and visitors of our own website, for whom we are the controller; and (2) visitors of websites that embed our widget, for whom we generally act as a processor on behalf of our customer (the website operator) — see our Data Processing Agreement.
1. Who we are and how to contact us
Controller: the business operating Disclosed (disclosed.sh). For privacy questions, to exercise your rights, or to reach our data-protection contact, email privacy@disclosed.sh.
We have not appointed a Data Protection Officer, as we are not required to. If we become required to appoint an EU or UK representative under Article 27 GDPR, their contact details will be published here.
2. Personal data we collect
Account data (you provide it). When you create an account or organisation, our identity provider collects your name, email address, organisation name, and authentication data. We use this to create and secure your account.
Billing data (via our payment provider). Purchases are processed by Polar as Merchant of Record. Polar collects and processes your payment and billing details as an independent controller; we receive limited transaction and subscription information (such as plan, status, and invoices) and do not store your full payment-card details.
Usage and widget data. When the widget or SDK runs, we log disclosure events to operate the Service and produce tamper-evident records. By design these are minimised: an event records the type (for example, "shown" or "acknowledged"), locale, timestamp, a hashed representation of the page URL (not the URL itself), the configuration version, and the site key. The widget is designed not to collect website-visitor identifiers or other visitor personal data. We process IP addresses transiently for security and abuse-prevention (rate-limiting); we do not use them to build profiles.
Product analytics. We use privacy-focused analytics to understand how our own website is used. Where this involves non-essential storage on your device, we rely on consent (see Cookies, below).
Data received not from you (Article 14). Disclosure events about a customer's website visitors reach us through that customer's deployment of our widget, not from the visitor directly. For that processing the customer is the controller and we act as processor under the DPA; the categories of data are as described under "Usage and widget data" above, and the source is the customer's website.
3. Why we use it and our legal bases (GDPR Article 6)
- To provide the Service (accounts, the widget/SDK, dashboards, records, packs): performance of our contract with you.
- Security, abuse-prevention, and rate-limiting (including transient IP processing): our legitimate interests in keeping the Service secure and available, and those of our users.
- Product analytics and improvement: our legitimate interests in understanding and improving the Service, or your consent where required for non-essential cookies/analytics.
- Billing and tax: performance of our contract and compliance with legal obligations (handled with our Merchant of Record).
- Legal compliance and protecting our rights: compliance with legal obligations and our legitimate interests in establishing, exercising, or defending legal claims.
Where we rely on legitimate interests, we balance them against your rights; you may object as described below.
4. Who we share data with (recipients and sub-processors)
We share personal data with service providers who process it on our behalf, and with the payment provider as an independent controller:
- Clerk — authentication and account management.
- Convex — application database and backend (hosted in the EU, region eu-west-1).
- Vercel — website and application hosting and content delivery.
- Polar — payments and billing, as Merchant of Record (independent controller).
- DataFast — privacy-focused product analytics.
We may also disclose data where required by law, to enforce our terms, or in connection with a merger, acquisition, or sale of assets (subject to this Policy). We do not sell your personal data.
5. International transfers
Our application data is hosted in the EU (Convex, eu-west-1). Some providers listed above may process data outside the EEA/UK (for example, in the United States). Where they do, we rely on an appropriate safeguard — the European Commission's Standard Contractual Clauses, the EU-US Data Privacy Framework where the recipient is certified, or an applicable adequacy decision. You can request information about the safeguard for a given transfer by emailing privacy@disclosed.sh.
6. How long we keep it
We keep account data for as long as your account is active and as needed to provide the Service, then delete or anonymise it within a reasonable period unless a longer period is required for legal, tax, accounting, or dispute-resolution purposes. Disclosure-event records are retained to provide the tamper-evident trail for as long as your account uses the Service or as configured, subject to the DPA for customer-controlled data. Transient security data (such as IP used for rate-limiting) is kept only as long as needed for that purpose.
7. Your rights
Subject to applicable law, you have the right to: access your personal data; rectify inaccurate data; erase data; restrict or object to processing; data portability; and withdraw consent at any time (without affecting prior processing). To exercise these rights, email privacy@disclosed.sh. You also have the right to lodge a complaint with a data-protection supervisory authority in your country (in the EU/EEA) or with the relevant authority in your jurisdiction. For data we process on a customer's behalf (widget data), please direct requests to that customer (the controller); we will assist them as required.
Providing account data is necessary to use the Service; without it we cannot provide your account. We do not make decisions producing legal or similarly significant effects about you based solely on automated processing.
8. Cookies and similar technologies
Our website uses only strictly-necessary cookies to function. Our product analytics runs in a cookieless mode and sets no cookies or other non-essential storage on your device, so no consent banner is required. The embeddable widget likewise avoids non-essential device storage on your customers' visitors. If we ever introduce non-essential cookies or similar technologies, we will ask for your consent first, and you may withdraw it at any time.
9. US state privacy rights (California and similar)
If you are a California resident (or in a US state with comparable law), you have the right to: know and access the categories and specific pieces of personal information we collect, the sources, and the purposes; delete your personal information; correct inaccurate information; and opt out of any "sale" or "sharing" (as those terms are defined) and to limit use of sensitive personal information. We do not sell or "share" personal information for cross-context behavioral advertising, and we do not use sensitive personal information beyond providing the Service. You will not be discriminated against for exercising these rights. To exercise them, email privacy@disclosed.sh.
10. Security
We use appropriate technical and organisational measures, including encryption in transit, EU data residency for application data, access controls, and the tamper-evident hash-chaining that underpins our evidence records. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security.
11. Children
The Service is for business use and is not directed to children. We do not knowingly collect personal data from children.
12. Changes
We may update this Policy. We will post the updated effective date and, for material changes, provide additional notice where appropriate.
13. Contact
Privacy questions or requests: privacy@disclosed.sh.
Disclosed provides compliance tooling and records; this document is not legal advice. Review it with your own counsel before relying on it.