Privacy Policy
Effective: 2026-05-09 Last updated: 2026-05-09
What this is
This Privacy Policy explains what information we collect when you use consumerdisputes.org (the "Service"), why we collect it, who we share it with, how long we keep it, and what choices you have. It applies to consumers, businesses, and visitors.
If you don't agree with how we handle information, don't use the Service.
Who we are
The Service is operated by Consumer Disputes LLC ("we," "us," "our"). Our mailing address is [your registered business address]. You can reach us at privacy@consumerdisputes.org.
What we collect
From everyone who visits
- IP address, approximate location derived from it, and timestamps of your visits
- Browser type, operating system, language, and device information
- Pages you view and links you click on the Service
- Referring URL (the page you were on before you came to us)
- Cookie identifiers (see our Cookie Policy)
When you create an account
- Email address (required, must be verified)
- Display name you choose (may be a pseudonym)
- Password (we store only a salted hash, never the raw password)
- For Business Accounts: business name, registered address, contact phone, role of person registering, verification information for the Claim process
When you post a Review
- The content of the Review (text, photos, ratings, structured fields)
- The business it is about
- The time you posted it and your IP at the time of posting
- Edits you make to the Review
When you participate in an Appeal
- Evidence you submit (documents, photos, written narrative)
- Your responses during the 14-day defense window (if you are the Reviewer)
- Communications with our Agents about the Appeal
When a Business pays a fee
- Billing name, billing address, last four digits of payment card, payment processor token
- Service Fee paid, date, and what the fee was for
We do not store full payment-card numbers. Stripe (our payment processor) handles those.
Information we receive from third parties
- Verification information from public business registries (state Secretary of State databases, FMCSA registrations for HVAC bootstrap, contractor licensing boards) used to bootstrap and verify business profiles
- Bot-detection signals from Cloudflare Turnstile
- Identity-fraud signals from our payment processor
Information we generate
- Detection-pipeline scores for your Reviews (bot likelihood, similarity to existing content, content classification)
- Audit-log entries for actions you take on the Service
- Analytics about your usage patterns
Why we collect it
We use the information we collect to:
- Provide the Service — display business profiles, accept Reviews, run Appeals, manage Business Accounts
- Verify identity — confirm Reviewers have valid email addresses, confirm Businesses have authority to claim profiles, prevent account takeover
- Detect and prevent abuse — block bots, identify coordinated review campaigns, enforce content standards, prevent fraud
- Communicate with you — account notifications, Appeal notices, support, transactional emails, legal notices
- Process payments — collect Service Fees through our payment processor
- Maintain audit records — keep an immutable record of state changes for legal defensibility (see Section 230 commentary in our Terms)
- Improve the Service — understand what works, find bugs, develop new features
- Comply with law — respond to lawful subpoenas, court orders, and regulatory requests
- Defend our rights — investigate violations of our Terms, enforce our policies, defend against legal claims
What we do not do with your information
These are commitments, not legal default behavior — we are saying we won't, and you can hold us to it:
- We do not sell personal information. Not under CCPA's "sale" definition, not under any state-law definition, not in any colloquial sense.
- We do not give a business your email address, name, or contact information because of a Review you posted, except as you specifically authorize. The Appeal process is mediated by us — the business never sees your contact info.
- We do not use your Reviews to train third-party AI models. We use them on our own platform; we don't sell them as training data.
- We do not retaliate against Reviewers by sharing their information with businesses, third-party data brokers, or anyone else.
- We do not use sensitive personal information for advertising. We don't do behavioral advertising at all.
Who we share it with
We share information only in these specific situations:
Service providers
We use third-party services to operate the Service. These vendors process information on our behalf under written data-processing agreements and may not use it for their own purposes:
- Cloud hosting and database — currently Vercel (hosting), Neon (database)
- Payment processing — Stripe
- Email delivery — Resend (currently)
- File storage — Cloudflare R2
- Bot / spam detection — Cloudflare Turnstile (content is screened against an internal banned-term list; no third-party AI moderation vendor)
- Background jobs — Inngest
- Observability — Sentry, Axiom (error and log data only)
A current list of service providers and what they handle is maintained at https://consumerdisputes.org/legal/vendors.
When you direct us to share
If you specifically authorize sharing — for example, by adding a CRM webhook for an Accredited Business — we share according to your authorization.
Public posting
Reviews, public Business responses, and similar content you submit publicly are visible on the Service. Your display name (which may be a pseudonym) is shown with public content; your email and other private profile information are not.
Legal compliance
We may disclose information if we have a good-faith belief that disclosure is required by law, including in response to subpoenas, court orders, or other legal process. We will:
- Verify the validity of the request before complying
- Limit disclosure to what is required by the request
- Notify the affected user before disclosure if not legally prohibited from doing so (this notice commitment is especially important for Reviewer privacy in the face of business-side subpoenas)
Business transfers
If we merge with, are acquired by, or sell substantially all assets to another company, your information may be transferred as part of that transaction. We will notify you and give you a chance to delete your account before any transfer takes effect.
Security and safety
We may share information if we have a good-faith belief that doing so is necessary to:
- Protect our property or rights, or the property or rights of others
- Protect a person from imminent physical harm
- Investigate or prevent a violation of our Terms
How long we keep it
Different categories of information have different retention periods.
| Information | How long |
|---|---|
| Account information (email, password hash) | While your account is open, plus 30 days after account deletion to allow account recovery |
| Reviews | Until you specifically request removal, even after account deletion (the Review's value to consumers persists; we honor deletion requests of your specific Review but the underlying audit-log entry is retained per below) |
| Audit-log entries | 7 years from the event, then automatically purged (this retention is required by our legal-defense posture and cannot be shortened on individual request) |
| Evidence files for Appeals | 7 years from the Decision, in immutable storage with Object Lock |
| Payment records | 7 years (tax and audit requirements) |
| Server logs (IP, timestamps, etc.) | 90 days for routine logs; up to 1 year for security-relevant logs |
| Cookies | See Cookie Policy for individual lifetimes |
| Email communications with us | 3 years from the last message |
| Backup copies | Backups follow the same schedule but may take up to 35 days additional to fully purge after deletion |
Your privacy rights
You have rights regarding your personal information, depending on where you live. We honor the following rights for all users, regardless of state:
- Access — request a copy of the personal information we have about you
- Correction — request that we correct inaccurate personal information
- Deletion — request that we delete personal information we hold about you
- Portability — request a copy of your information in a machine-readable format
- Objection — object to specific uses of your information
How to exercise these rights:
- Use the privacy controls in your account settings, or
- Email us at privacy@consumerdisputes.org with the subject line "Privacy Request"
We will respond within 45 days. If we need more time, we will tell you and explain why.
Verification
We need to confirm you are who you say you are before we act on a privacy request. We may ask for additional information to verify your identity.
Authorized agents
You may use an authorized agent to make a request on your behalf, with written authorization. We may verify the agent's identity and authority directly.
What we cannot delete
Some information cannot be deleted on request because we are required to keep it for legal, audit, or fraud-prevention reasons:
- Audit-log entries (7 years)
- Payment records (7 years)
- Records subject to legal hold
- Records necessary to defend against actual or anticipated litigation
We will tell you what we cannot delete and why, and we will delete what we can.
State-specific rights
California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what categories of information we collect, the right to opt out of "sale" or "sharing" (we don't sell or share for cross-context behavioral advertising — but you can affirmatively confirm this), the right to limit the use of sensitive personal information (we don't use it for unrelated purposes anyway), and the right to non-discrimination for exercising rights. California residents may use the same email above to exercise these rights, with the subject line "California Privacy Request."
Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other state residents have similar rights under their respective state privacy laws. We honor these rights through the same process.
Children
The Service is not intended for and is not directed to children under 18. We do not knowingly collect information from children under 18. If you believe we have collected information from a child under 18, contact us at privacy@consumerdisputes.org and we will delete it.
Security
We use industry-standard security practices:
- HTTPS for all traffic
- Encryption at rest for databases and file storage
- Salted password hashing
- Access controls based on role and least privilege
- Audit-logging of access to sensitive data
- Regular security testing
- Incident response process
No system is perfectly secure. If we have a security incident affecting your information, we will notify you as required by law and as appropriate to the nature of the incident.
International users
The Service is intended for use in the United States. We don't actively serve users outside the U.S. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S., and U.S. law will apply.
Cookies and tracking
See our Cookie Policy for details on cookies, similar technologies, and your choices. We do not use cross-site tracking for advertising purposes.
Changes to this Policy
We may update this Privacy Policy. If we make material changes, we will:
- Email account holders at the address on file
- Post a notice on the Service for at least 30 days before the change takes effect
- Update the "Last updated" date above
Your continued use of the Service after the effective date is your acceptance of the change.
Questions or complaints
For questions about this Policy or our privacy practices, contact us at privacy@consumerdisputes.org or write to us at [your registered business address].
If you believe we have not handled your privacy concern adequately, you can file a complaint with:
- The Federal Trade Commission (https://reportfraud.ftc.gov/)
- Your state Attorney General
- Your state's privacy regulator (for example, the California Privacy Protection Agency for California residents)