Privacy Policy
Last updated April 18, 2026
Summary
We collect only what we need to run the Service. We do not sell your data. Third-party services we use (authentication, payments, email, analytics) have their own privacy policies, linked below.
If you want something deleted or exported, email tom@startvest.ai.
Who is collecting the data
Startvest LLC, a Service-Disabled Veteran-Owned Small Business in Hampstead, NC, operates www.adacompliancedocs.com and the paid compliance documentation platform.
What we collect
From marketing-site visitors (no account)
- Email address if you download a template or join the waitlist.
- Your company name and situation description if you provide them in a form.
- Basic analytics: pages viewed, approximate location, device type, referrer. Collected via Google Analytics 4. We do not track individuals across other websites.
- Standard web server logs: IP address, user agent, request timestamp. Retained for up to 90 days for security and debugging.
From account holders (paid platform)
- Email, name, and Microsoft Entra user identifier for sign-in.
- Organization details you provide: legal name, website URLs, team member emails.
- Everything you enter into the compliance logs: audit findings, remediation entries, training attendees, vendor details, feedback reports, incident notes, policy/statement text.
- Payment information is collected and stored by Stripe, not by us. We receive only a non-sensitive customer ID and subscription status from Stripe.
From feedback widget submissions (end users of your sites)
When a user submits accessibility feedback through the widget you embed on your website, we receive: their self-reported name and email (optional on their side), the page URL, barrier description, assistive technology in use, IP address, and user agent. This data is stored in your organization’s account and is not shared with other customers.
Why we collect it
- To provide the Service you are paying for.
- To send you account-related email (receipts, billing notices, critical product updates).
- To produce the compliance documentation you request.
- To diagnose problems and improve the platform.
- To prevent abuse and secure our systems.
What we do not do
- We do not sell your data.
- We do not share your customer data with other customers.
- We do not use your audit findings or compliance records to train AI models or build aggregate datasets without your permission.
- We do not track you across other websites.
Third parties we use
We use the following services to operate the platform. Their privacy policies apply to their portions of your data.
- Microsoft Azure — hosting, database, Key Vault, Entra External ID authentication, Communication Services email delivery. (Microsoft privacy statement)
- Stripe — subscription billing and payment processing. We do not store card data. (Stripe privacy policy)
- Google Analytics 4 — anonymous traffic analytics on the marketing site only. (Google privacy policy)
- Anthropic — if you use the “Polish with AI” feature on incident response drafts, the draft text is sent to Anthropic’s Claude API to generate polished output. We do not send any of your other compliance data. (Anthropic privacy policy)
- GitHub — if you connect the GitHub webhook, merged PR metadata is delivered to our platform and turned into change-management log entries. No repo code is transmitted. (GitHub privacy)
Where your data lives
Primary production data is stored in Microsoft Azure SQL in the East US region. Email attachments and connection strings are stored in Azure Key Vault. Backups are retained per Azure SQL defaults and are not separately exported off-platform.
Retention
- Marketing lead emails: retained until you unsubscribe or request deletion.
- Account data: retained while your subscription is active and for 30 days after termination, during which you can export. After 30 days we may delete it.
- Server logs: 90 days.
- Stripe billing records: retained per Stripe’s retention rules, typically 7 years for tax and fraud-prevention reasons.
Your rights
Regardless of your jurisdiction you can:
- Export your account data via the Service’s built-in export tools (HTML, PDF, CSV, email).
- Request correction of inaccurate information.
- Request deletion of your account and its associated data.
- Opt out of marketing email at any time (link in footer of every such email).
California residents have specific rights under the CCPA. EU / UK residents have specific rights under GDPR. We honor all such rights by default as described above. To exercise them, email tom@startvest.ai.
Children
The Service is not intended for anyone under 18. We do not knowingly collect data from children. If you believe a child has used the Service, email us and we will delete their data.
Security
We use industry-standard practices: HTTPS everywhere, Azure Key Vault for credential storage, Microsoft Entra External ID for authentication, minimal data collection, least-privilege access. We do not claim to be SOC 2 certified. We will be transparent if our controls change.
If you discover a security issue, please email tom@startvest.ai directly. We will respond within 72 hours.
Changes to this policy
We will post updates at this URL and change the “Last updated” date above. Material changes will be announced by email to account holders at least 30 days in advance.
Contact
Startvest LLC, Hampstead, NC. Email: tom@startvest.ai.