Privacy Policy
Effective: May 8, 2026
What we collect
- Account data: email address (for sign-in via Supabase), and any display name you set.
- Subscription / billing: Stripe customer ID, subscription status, plan tier, billing period. We do not store credit-card numbers — payment data is held by Stripe.
- Usage: which plans you unlock, when, and from which IP. Search queries, tags, and notes you create on plans.
- Analytics & advertising: we use Google Analytics 4, Google Ads conversion tags, Meta (Facebook) Pixel, LinkedIn Insight Tag, and PostHog product analytics to measure how visitors arrive, navigate, and convert. These tools set their own cookies and may receive your IP address, page URLs, and the following conversion events: signup completed, checkout started, subscription completed, credit pack purchased. We do not pass them your name, email, password, or financial data.
- Cookies: first-party session cookies for authentication, plus third-party cookies set by the analytics and advertising vendors above.
What we do not collect
- We do not sell your personal data to third parties.
- We do not access or store your contact lists, calendar, or other system data outside the Service.
- We do not pass your email, name, or financial data to ad networks or analytics vendors.
Data we surface about third parties
The Service displays information about retirement plans, plan sponsors, and individuals associated with those plans (e.g., named plan administrators, decision-makers, service providers). This data comes from two sources:
- U.S. Department of Labor Form 5500 filings — public-record data filed by employers under ERISA. This data is publicly disclosable per federal law.
- Apollo.io and similar B2B data providers — third-party-sourced professional contact information (titles, emails, phone numbers, LinkedIn URLs). We display this data only when you explicitly unlock it for a plan, in exchange for a credit.
Individuals named in third-party data may exercise rights to access, correct, or delete their information by contacting the original data provider (Apollo.io, etc.). We will also honor verified takedown requests directed to us — see "Your rights" below.
How we use data
- To provide the Service: authenticate users, process payments, deliver enrichments, render search results, and maintain your pipeline.
- To support customers and respond to inquiries.
- To improve the Service: aggregate usage analytics (no individual targeting), bug investigations, performance monitoring.
- To comply with legal obligations: tax reporting, fraud prevention, response to lawful subpoenas.
Service providers we share data with
- Stripe — payment processing.
- Supabase — authentication and database hosting.
- Vercel — application hosting and edge delivery.
- Resend — transactional email (welcome, receipts, low-balance alerts, password reset).
- Apollo.io — decision-maker contact lookup (we send the sponsor name and location to identify the right organization; we do not send your account data).
- Brave Search API — anonymous search queries to identify company domains.
- Google (Analytics 4 + Ads), Meta (Facebook) Pixel, LinkedIn Insight Tag, PostHog — measurement and ad attribution. These vendors receive page URLs, conversion events, IP addresses, and their own cookie identifiers as described above.
You can limit advertising-cookie tracking by using a tracking-blocker extension (uBlock Origin, Privacy Badger) or by visiting the vendor opt-out pages directly: Google Analytics, Meta, LinkedIn. Your browser's "Do Not Track" setting only sends a signal that these vendors are not obliged to honor, so it is not a reliable opt-out on its own.
Each of these providers acts as a sub-processor under its own privacy commitments. We do not authorize them to use your data for their own purposes.
Retention
- Account data: retained while your account is active, plus 24 months after deletion for tax/audit purposes.
- Billing records: retained per legal requirement (typically 7 years).
- Plan unlocks and notes: retained until you delete them or your account is deleted.
- Server logs: 90 days.
Your rights
Depending on your jurisdiction (CCPA, GDPR, etc.) you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (subject to legal-retention obligations)
- Export your data in a portable format
- Opt out of any sale of your data (we do not sell data, so this is automatic)
To exercise any of these rights, email support@401khunter.com. Third parties whose data we display (i.e., named plan decision-makers) may request removal of their entry by emailing the same address.
Security
We use industry-standard security practices: TLS in transit, encrypted database at rest, role-scoped access control. No system is perfectly secure — if you suspect unauthorized access to your account, contact us immediately.
Children
The Service is not directed at, and we do not knowingly collect data from, anyone under 18.
International users
The Service is operated from the United States. If you access from outside the U.S., your data will be transferred to and processed in the U.S. By using the Service you consent to this transfer.
Changes
Material changes to this policy will be communicated via email or in-app notification at least 14 days before they take effect.
Contact
Privacy questions or requests: support@401khunter.com.