Privacy policy
Last updated: 2026-05-22. Effective date: 2026-05-22.
1. Who we are
Safe to Publish (“Safe to Publish,” “we,” “us”) — a service operated by Zackary Trenholme as an Ontario sole proprietorship — provides software that helps Registered Investment Advisers review marketing material against the SEC Investment Adviser Marketing Rule (17 CFR § 275.206(4)-1). This policy explains what information we collect when you use Safe to Publish and what we do with it.
Contact: support@safetopublish.com
2. Information we collect
Account information. Email address, name, and authentication tokens, provided by our identity provider (Clerk) when you sign up.
Firm information. Firm name, CRD number, jurisdiction, and fiduciary standard you choose to enter in Settings.
Submitted content. Drafts you paste into the reviewer. We persist the draft body, the resulting flags, and the audit-event chain documenting your dispositions.
Usage and billing. Per-firm review counts and Stripe customer/subscription identifiers (for plan enforcement and invoice handling). Payment-card data is held by Stripe; it does not transit our systems and we cannot see it.
Support communications. The contents of any email you send to support@safetopublish.com and any messages submitted via in-app support forms. We retain these for as long as needed to respond and to keep a record of the support history, then prune on a rolling basis.
Operational logs. Standard HTTP request logs (IP, user agent, request path, timestamps) are captured by our hosting provider for short-term operational use — incident response and abuse investigation. Their retention depends on the hosting plan and is generally shorter than the retention windows that apply to other categories of data described in this policy. Error reports are forwarded to Sentry and retained per Sentry's own retention policy.
3. How we use information
- To run the review — before any draft leaves our infrastructure, the application substitutes detected personal identifiers (Social Security numbers, email addresses, US phone numbers, and dates of birth) with same-length placeholders, then sends the redacted draft to our reviewer model (Anthropic Claude) for matching against our rule corpus. The placeholders are reversed only when results are rendered back to you.
- To produce and retain the audit log of every review and disposition for the retention window of your plan.
- To enforce your plan's monthly review cap and bill you through Stripe.
- To send transactional email about your account (for example, trial expiry notices and billing confirmations).
We do not use your drafts to train any model. Drafts sent to the Anthropic reviewer model are retained by Anthropic for up to 30 days for trust & safety monitoring, then deleted. See Section 5 for sub-processor details.
4. Legal basis
Each purpose described above corresponds to a specific legal basis (relevant to GDPR and the analogous "purpose" framework in U.S. state privacy laws):
- Running the review and producing the audit log — contractual necessity to deliver the service you signed up for.
- Audit-log retention and advisory-marketing recordkeeping — legal obligation (to support your Books and Records Rule 204-2 obligations, and to keep our own records of the service we provided).
- Plan enforcement and billing — contractual necessity, plus legal obligation for tax and invoicing.
- Transactional email about your account — contractual necessity (so you can operate the service you paid for).
- Optional analytics and marketing cookies — your consent (see Section 7).
5. Sub-processors
We use a small number of third-party sub-processors to operate the service — for authentication, hosting, billing, transactional email, model inference, embedding generation, error monitoring, and analytics. The current list, including the categories of data each receives and the regions in which they operate, is maintained at /legal/sub-processors. We will provide thirty (30) days' notice by email before adding a new sub-processor.
6. Data retention
Reviews and audit log. Reviews and the associated audit-event chain are retained for the period set by your plan (currently one year for Solo, seven years for Practice and Firm — matching the Books and Records Rule 204-2 window). After that period the records are permanently purged on the first day of the following month.
Account closure. A firm administrator (a user whose role grants the “Delete firm” capability) may close the firm's account from Settings → Data handling. On closure we cancel any active Stripe subscription, sign existing users out at next sign-in, and mark the firm as deleted; firm-identifying personal data on user records is purged within thirty (30) days, with an additional thirty (30) days for backup expiry. Reviews and the audit-event chain are retained for the remainder of the plan's retention window after closure, to satisfy the Books and Records Rule. Export your audit log and content as PDF/CSV from the Audit page before closing the account if you need an offline copy.
7. Cookies and similar technologies
We use a small number of cookies and similar local-storage entries:
- Strictly necessary. Sign-in session (Clerk), CSRF tokens, and payment-flow state (Stripe). These cannot be disabled because the service cannot function without them.
- Analytics (optional, off by default). Google Analytics 4 and PostHog, used to count page views and understand which pages help. Loaded under Google Consent Mode v2 with all granular consent flags denied until you accept; no analytics cookies are set unless you opt in.
- Marketing (optional, off by default). Google Ads conversion measurement (including Enhanced Conversions for Web) is active for our paid search campaigns. When you submit a form on this site (e.g., the waitlist signup) and you have granted marketing consent, the email address you provided is hashed (SHA-256) in your browser before transmission and sent to Google LLC alongside a conversion event. The plaintext email is never shared with Google. We configure Google Ads to use this hashed identifier solely to attribute the conversion to a Google account holder for conversion measurement, not for ad personalization, audience building, or other downstream uses. You can withdraw consent at any time via the “Cookie preferences” link in the site footer; no further hashed data will be shared after that point.
Your preferences persist in your browser's local storage; clearing site data will reset them.
8. Your rights
Depending on your jurisdiction (including, where applicable, the California Consumer Privacy Act as amended by the California Privacy Rights Act, GDPR, and similar regimes), you may have the right to access, correct, delete, or export the personal information we hold about you, and to opt out of certain uses. To exercise any of these rights, email support@safetopublish.com from the address on file. We will respond within forty-five (45) days, except where a shorter statutory deadline applies. You may also submit a request through an authorized agent, in which case we may require written proof of your authorization and may also ask you to confirm the request directly.
Identity verification. To protect you from unauthorized access, we may require additional information to verify your identity before responding, in proportion to the sensitivity of the request. We will not use verification information for any other purpose.
Filing a complaint. If you have an unresolved concern about how we handle your personal information, you may contact the U.S. Federal Trade Commission, your state Attorney General's office, or — for residents of jurisdictions with a dedicated data-protection regulator — the relevant supervisory authority.
9. Children's data
Safe to Publish is a business-to-business service for Registered Investment Advisers and is not directed to children under sixteen (16). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact support@safetopublish.com and we will delete it promptly.
10. Notice for California residents
This section supplements the rest of this policy with the disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”). It applies to California residents whose personal information we process.
Categories of personal information collected in the past twelve (12) months. Mapped to the CCPA's enumerated categories:
- Identifiers — name, email address, account identifier, IP address, Clerk authentication identifier.
- Internet or other electronic network activity — request logs, page views, feature-usage events (when you grant analytics consent).
- Commercial information — Stripe customer and subscription identifiers, plan, and usage counts. Payment-card data is held by Stripe and never transits our systems.
- Professional or employment-related information — firm name, CRD number, jurisdiction, fiduciary standard you enter in Settings.
- User-generated content — drafts submitted to the reviewer, flag dispositions, and audit-event metadata. Drafts may incidentally contain identifiers of third parties named in marketing copy.
- Inferences — we do not derive consumer profiles or behavioral inferences from your information.
Sensitive personal information. We do not collect sensitive personal information as defined by the CCPA. Where a draft you submit incidentally contains a Social Security number, the value is auto-redacted before any model call (see Section 3) and we do not use it to infer any characteristic about you. Accordingly, we do not provide a separate “Limit the Use of My Sensitive Personal Information” link.
Sources. Personal information is collected directly from you (when you sign up, submit a draft, or update settings) and is automatically generated by your interaction with the service (request logs, audit events). We do not purchase personal information from data brokers.
Business or commercial purposes. We use the categories above for the purposes described in Section 3 of this policy. We disclose personal information only to the sub-processors listed at /legal/sub-processors, solely to operate the service.
Sale or sharing. We do not sell personal information. We do not share personal information for cross-context behavioral advertising, with the limited exception of the Google Ads “Enhanced Conversions” measurement described in Section 7, which operates only after you grant marketing consent and transmits a hashed identifier to Google for conversion measurement only — not for ad personalization or audience building.
Your California rights.
- Right to know — request the categories and specific pieces of personal information we have collected about you.
- Right to delete — request deletion of personal information we hold about you, subject to the recordkeeping exemptions described in Section 6 (Books and Records Rule 204-2).
- Right to correct — request that we correct inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share for cross-context behavioral advertising. You may withdraw your consent to Google Ads conversion measurement at any time via the “Cookie preferences” link in the site footer.
- Right to non-discrimination — we will not deny service, charge a different price, or provide a different level or quality of service because you exercise any of these rights.
To exercise any of these rights, follow the process described in Section 8. We will respond within forty-five (45) days as required by the CCPA, with one extension of up to forty-five (45) additional days where reasonably necessary and on notice to you.
Retention. We retain personal information for the periods described in Section 6. Reviews and the audit-event chain are retained for the plan-defined Books and Records Rule window; account-identifying personal information is purged within 30 days of firm closure (with an additional 30 days for backup expiry).
“Shine the Light” (California Civil Code § 1798.83). We do not disclose personal information to third parties for those third parties' direct marketing purposes.
11. Notice for Canadian residents
Safe to Publish is operated by Zackary Trenholme, an Ontario sole proprietor, so our handling of personal information is also subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) where it applies. To request access, correction, or deletion of personal information we hold about you, or to challenge our compliance with PIPEDA, email support@safetopublish.com. If your concern remains unresolved, you may also contact the Office of the Privacy Commissioner of Canada.
12. Security
Data is encrypted at rest using AES-256 and in transit using TLS 1.3. Database access is restricted to the application service principal. Drafts sent to the Anthropic reviewer model are retained by Anthropic for up to 30 days for trust & safety monitoring, then deleted; they are not used to train any model.
13. International transfers
Our application is hosted in the United States (Vercel). Our primary database is hosted in Canada (Supabase, ca-central-1). Some sub-processors process data in the United States — see /legal/sub-processors for the per-vendor breakdown. If you access Safe to Publish from outside North America, your information will be transferred to the United States or Canada for processing. Where required, we rely on Standard Contractual Clauses (or successor mechanisms) for transfers from the EEA, UK, and Switzerland.
14. Changes to this policy
We will post any material changes to this policy on this page and update the “Last updated” date. For changes that materially expand the categories of data we collect or the purposes for which we use it, we will additionally email account owners at least thirty (30) days before the change takes effect.
15. Contact
Questions about this policy: support@safetopublish.com. For Data Protection Addendum requests, see the DPA page.