Effective Date: January 10, 2025
Last Updated: January 10, 2025
This Data Protection Policy outlines how ProofFabric, operated by Latent Ventures LLC, protects personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1. Data Controller Information
Latent Ventures LLC is the data controller responsible for your personal data collected through ProofFabric.
Contact: support@prooffabric.com
2. Legal Basis for Processing (GDPR)
We process personal data under the following legal bases:
- Contract Performance: To provide our Service, create accounts, and fulfill subscriptions
- Legitimate Interests: To improve our Service, prevent fraud, and ensure security
- Consent: For optional data processing such as marketing communications
- Legal Obligation: To comply with applicable laws and regulations
3. Data Subject Rights
3.1 GDPR Rights (EEA/UK Residents)
If you are in the European Economic Area or United Kingdom, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Limit how we process your data
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time for consent-based processing
- Lodge a Complaint: File a complaint with your local data protection authority
3.2 CCPA Rights (California Residents)
If you are a California resident, you have the right to:
- Know: What personal information we collect and how it is used
- Delete: Request deletion of your personal information
- Opt-Out: Opt out of the sale of personal information (we do not sell personal information)
- Non-Discrimination: Not be discriminated against for exercising your rights
To exercise these rights, contact us at support@prooffabric.com. We will respond within 30 days (GDPR) or 45 days (CCPA).
4. Categories of Personal Data
We collect and process the following categories of personal data:
- Identifiers: Name, email, username, IP address
- Account Information: Profile data, avatar, social links
- Professional Information: Role, building experience, technical skills
- Financial Information: Stripe account connection (revenue ranges only)
- Internet Activity: Usage data, browser information, cookies
- Third-Party Account Data: GitHub repositories, Google auth tokens
5. Data Sharing and Disclosure
We do not sell your personal data. We share data only with:
- Service providers necessary to operate our Service
- Third-party integrations you explicitly authorize (GitHub, Stripe)
- Legal authorities when required by law
See our Privacy Policy for a complete list of service providers.
6. International Data Transfers
Personal data may be transferred to and processed in countries outside your jurisdiction, including the United States. For transfers from the EEA/UK, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Binding Corporate Rules where available
You can request a copy of the safeguards in place by contacting us.
7. Data Retention
We retain personal data as follows:
| Data Type | Retention Period |
|---|---|
| Account Data | Duration of account + 30 days after deletion |
| Assessment Data | Up to 2 years (anonymized after 90 days) |
| Transaction Records | 7 years for legal and tax compliance |
| Logs and Analytics | 90 days for operational data |
Upon request, we will delete your data unless retention is required by law.
8. Security Measures
We implement comprehensive security measures to protect personal data:
8.1 Technical Measures
- Encryption of data at rest and in transit (TLS 1.2+)
- OAuth token encryption using Supabase Vault
- Rate limiting on API endpoints
- Input validation and sanitization
- Row-Level Security (RLS) database policies
- Regular security dependency updates
8.2 Organizational Measures
- Principle of least privilege for data access
- Employee confidentiality agreements
- Regular security awareness training
- Documented incident response procedures
9. Data Breach Response
In the event of a personal data breach:
- We will assess the breach within 24 hours of discovery
- We will notify the relevant supervisory authority within 72 hours where required (GDPR)
- We will notify affected individuals without undue delay if the breach is likely to result in high risk to their rights
- We will document all breaches, including facts, effects, and remedial actions
To report a security concern, contact us immediately at support@prooffabric.com.
10. Third-Party Processors
We use the following categories of third-party data processors:
| Category | Processors |
|---|---|
| Cloud Infrastructure | Supabase (database, auth, storage), Vercel (hosting) |
| Payment Processing | Stripe |
| AI Services | Anthropic (Claude API for report generation) |
| Analytics | PostHog |
| Screenshot Services | Browserless |
Each processor is contractually bound to protect personal data and process it only as instructed.
11. Automated Decision-Making
Our Service uses automated processing in the following ways:
- Assessment Scoring: Automated scoring based on your responses to determine your "path" (Builder, Scaffolder, Foundation)
- AI Report Generation: Claude API generates personalized reports based on assessment results
You have the right to request human review of automated decisions that significantly affect you.
12. Updates to This Policy
We may update this Data Protection Policy periodically. Material changes will be communicated through our website or email notification. The "Last Updated" date reflects the most recent version.
13. Contact and Complaints
For questions, requests, or complaints regarding data protection:
Data Controller: Latent Ventures LLC
Email: support@prooffabric.com
Website: prooffabric.com
If you are in the EEA/UK and are unsatisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority (DPA).
If you are in California and wish to designate an authorized agent, please provide written authorization and contact us for verification procedures.