CriteriaBot CriteriaBot
Sign In Sign Up

Privacy Policy

Last updated: May 23, 2026

Your data is your data - not ours. This policy describes what we collect, why we collect it, and your rights regarding that data. We will never sell your personal information.

What We Collect and Why

Identity and access

When you sign up we ask for your email address and a password. We use this to authenticate you and to send you essential account-related communications. We will not use your email for marketing without your consent.

Billing information

If you subscribe to a paid plan, your payment details are submitted directly to our payment processor (Stripe) and never touch our servers. We store the last 4 digits of your card, billing address, and transaction history for invoicing and support purposes.

Content and criteria you submit

We store the content bodies and criteria you submit so we can evaluate them and return verdicts. Content bodies are encrypted at rest at the application level. We retain this data for as long as your account is active. If you delete your account, it is purged within 60 days.

API usage

We log API requests (endpoint, response code, timestamp, IP address) for security, rate-limiting, and debugging. We do not log request or response bodies beyond what you explicitly submit as content.

Website analytics

We collect basic browsing data (browser, OS, referring URL, pages visited) for product analytics. This data is not tied to your identity unless you are signed in.

When We Access or Disclose Your Information

  • To provide the Service. We use third-party infrastructure providers (hosting, database, email) to operate CriteriaBot. These processors only have access to the data necessary to perform their function.
  • To help you with support. We will ask for your explicit consent before accessing your account data for support purposes.
  • To investigate abuse. Accessing account data to investigate potential abuse is a measure of last resort.
  • When required by law. We will only disclose data if compelled by a legally binding order from a US authority. We will notify you before complying unless prohibited by law.
  • In an acquisition. If CriteriaBot is acquired or merges with another company, we will notify you before your data is transferred or becomes subject to a different policy.

Your Rights

  • Right to know. You can ask what personal data we hold about you at any time.
  • Right of access. You can request a copy of your personal data.
  • Right to correction. You can update your account information at any time from your settings.
  • Right to erasure. You can delete your account, which triggers deletion of your personal data within 60 days.
  • Right to portability. You can export your criteria and verdict history from your account settings.
  • Right to object. You can object to how we process your data by contacting us directly.

To exercise any of these rights, email us at privacy@criteriabot.io.

How We Secure Your Data

All data is encrypted in transit via TLS. Database backups are encrypted at rest. Content bodies are encrypted at the application level before being written to the database. API keys are stored as digests and never logged in plaintext.

Data Retention

We retain your data for as long as your account is active. Upon cancellation, your content is deleted within 60 days and your account data (email, billing history) is retained for up to 7 years as required for financial recordkeeping, then deleted.

Location of Data

CriteriaBot is operated in the United States. If you are located outside the US, your data will be transferred to and stored in the US. By using the Service you consent to this transfer.

Changes and Questions

We may update this policy as needed. We will notify you of significant changes via the email address on your account and by updating the date at the top of this page.

Questions? Email privacy@criteriabot.io.

Adapted from the Basecamp open-source policies / CC BY 4.0.