Privacy policy

Last updated: 2026-04-24. Effective date: 2026-04-24.

1. Who we are

Safe to Publish (“Safe to Publish,” “we,” “us”) — a service operated by Zackary Trenholme as a sole proprietorship — provides software that helps Registered Investment Advisers review marketing material against the SEC Investment Adviser Marketing Rule (17 CFR § 275.206(4)-1). This policy explains what information we collect when you use Safe to Publish and what we do with it.

Contact: support@safetopublish.com

2. Information we collect

Account information. Email address, name, and authentication tokens, provided by our identity provider (Clerk) when you sign up.

Firm information. Firm name, CRD number, jurisdiction, and fiduciary standard you choose to enter in Settings.

Submitted content. Drafts you paste into the reviewer. We persist the draft body, the resulting flags, and the audit-event chain documenting your dispositions.

Usage and billing. Per-firm review counts and Stripe customer/subscription identifiers (for plan enforcement and invoice handling).

Server logs. Standard request logs (IP, user agent, request path, timestamps), retained for 90 days for security and abuse investigation.

3. How we use information

  • To run the review — your draft is sent to our reviewer model (Anthropic Claude) and matched against our rule corpus.
  • To produce and retain the audit log of every review and disposition for the retention window of your plan.
  • To enforce your plan's monthly review cap and bill you through Stripe.
  • To send transactional email about your account (for example, “you've used 80% of your reviews this month”).

We do not use your drafts to train any model. The reviewer call passes through Anthropic's Zero Data Retention configuration where available; see Section 5 for sub-processor details.

4. Legal basis

We process the information above to provide the service you have signed up for (contractual necessity), to comply with our own legal obligations (recordkeeping, invoicing), and where you have given consent (for example, optional marketing email).

5. Sub-processors

  • Anthropic — reviewer model inference (US region; ZDR enabled).
  • Voyage AI — embedding generation for the rule corpus (we don't send your drafts).
  • Clerk — authentication.
  • Stripe — billing and customer portal.
  • Resend — transactional email.
  • [Hosting provider — e.g. Vercel] — application hosting.
  • [Database provider — e.g. Supabase] — Postgres database.

A current list of sub-processors is maintained at /legal/sub-processors. We will provide thirty (30) days' notice via email before adding a new sub-processor.

6. Data retention

Reviews and the associated audit-event chain are retained for the period set by your plan (currently one year for Solo, seven years for Practice and Firm — matching the Books and Records Rule 204-2 window). After that period the records are permanently purged on the first day of the following month.

Account information is retained until you delete your account, plus thirty (30) days for backup expiry.

7. Your rights

Depending on your jurisdiction (GDPR, CCPA/CPRA, and similar), you may have the right to access, correct, delete, or export the personal information we hold about you. To exercise any of these rights, email [insert privacy contact email] from the address on file. We will respond within thirty (30) days.

8. Security

Data is encrypted at rest using AES-256 and in transit using TLS 1.3. Database access is restricted to the application service principal. Reviewer model calls run with Anthropic Zero Data Retention enabled — drafts are not retained by the model provider.

9. International transfers

Our application and database are hosted in the United States. If you access Safe to Publish from outside the US, your information will be transferred to the United States for processing. Where required, we rely on Standard Contractual Clauses (or successor mechanisms) for transfers from the EEA, UK, and Switzerland.

10. Changes to this policy

We will post any material changes to this policy on this page and update the “Last updated” date. For changes that materially expand the categories of data we collect or the purposes for which we use it, we will additionally email account owners at least thirty (30) days before the change takes effect.

11. Contact

Questions about this policy: [insert privacy contact email]. For Data Protection Addendum requests, see the DPA page.