Legal

Privacy Policy

Effective date: April 23, 2026 · Last updated: April 23, 2026

This Privacy Policy explains how ShieldMyData ("ShieldMyData," "we," "us," or "our") collects, uses, discloses, and safeguards your personal information when you visit shieldmydata.io or use our data broker removal and privacy monitoring services (the "Services"). It also describes the rights and choices you have regarding your personal information.

Our core service requires us to act on your behalf to remove your personal information from third-party data broker databases. This inherently involves handling sensitive personal information — we take that responsibility seriously and limit collection to what is strictly necessary.

1. Information We Collect

1.1 Information you provide directly

We collect information you submit when you create an account, purchase a plan, or complete our intake form, including:

• Identity data: full name, including any middle name and past aliases, date of birth
• Contact data: email address, phone number, mailing address, ZIP code
• Authorization data: CCPA authorized-agent consent, TCPA SMS opt-in status, electronic signatures
• Transaction data: subscription tier, purchase history, refund or cancellation requests (payment card details are handled by Stripe — see §3)
• Communications: messages you send to support, survey responses

1.2 Information we collect automatically

• Device and log data: IP address, browser type and version, operating system, referring URL, pages viewed, timestamps
• Cookies and similar technologies: session cookies for authentication, analytics cookies to measure site performance, and advertising cookies to measure the effectiveness of campaigns
• Fraud signals: when you submit a form, we may evaluate IP reputation, proxy/VPN status, and bot signals via third-party fraud prevention services to block abusive traffic

1.3 Information from third parties

• Breach-database lookups: when you request a free scan, we query public and licensed breach-database APIs (such as Have I Been Pwned and equivalent providers) to identify whether your email or other identifiers appear in known data breaches
• Broker-exposure scans: we query people-search and data-broker indexes to determine where your information is currently exposed, so we can request its removal

2. How We Use Information

We use personal information for the following purposes:

• Service delivery: to create your account, process payment, generate your Privacy Audit, submit opt-out requests to data brokers on your behalf, and monitor for new exposures
• Communication: to send transactional messages (receipts, removal confirmations, breach alerts), service announcements, and — only with your consent — marketing communications
• Safety and fraud prevention: to verify that submissions are legitimate, detect misuse, and enforce our Terms
• Legal compliance: to respond to lawful requests, enforce our rights, and comply with applicable law
• Product improvement: to analyze aggregated, de-identified usage and improve the Services

We do not sell your personal information, and we do not use your personal information to train artificial intelligence or machine learning models.

3. How We Disclose Information

We disclose personal information only as described below. We do not sell your data.

3.1 Service providers (processors)

We share data with vendors who process information on our behalf under written contracts that restrict their use of the data to providing services to us:

• Stripe, Inc. — payment processing. Your payment card details are transmitted directly to Stripe and are never stored on our servers. See Stripe's privacy notice.
• GoHighLevel (HighLevel, Inc.) — customer relationship management and transactional messaging (email / SMS).
• Vercel Inc. — website hosting and serverless function execution.
• Fraud and breach intelligence providers — Have I Been Pwned, IPQualityScore (IPQS), Greip, and similar services used for breach lookups and fraud scoring.
• Analytics providers — aggregated measurement of campaign and site performance.

3.2 Data brokers and people-search sites (at your instruction)

As an authorized agent acting on your written authorization (typically under the California Consumer Privacy Act, Colorado Privacy Act, or comparable state law), we submit opt-out, deletion, and suppression requests to third-party data brokers on your behalf. These requests necessarily include enough information — such as your name, addresses, phone numbers, and date of birth — for the broker to identify and remove your record. This disclosure is the purpose of the Service.

3.3 Legal and safety disclosures

We may disclose information when we believe in good faith that disclosure is necessary to (a) comply with applicable law or a valid legal process, (b) enforce our Terms, (c) protect the rights, property, or safety of ShieldMyData, our users, or the public, or (d) detect, prevent, or address fraud, security, or technical issues.

3.4 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality terms.

4. Method of Disclosure

Disclosures are made over encrypted channels (TLS 1.2 or higher) via:

• Secure API calls to our service providers (Stripe, GoHighLevel, fraud and breach APIs)
• Authenticated web forms on data broker privacy portals, where we act as your agent
• Signed postal and email correspondence to brokers who do not accept electronic opt-outs

5. Data Retention

We retain personal information only for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Specifically:

• Active accounts: retained while your subscription is active
• Cancelled accounts: account data retained for up to 24 months after cancellation to enable reactivation and to evidence past removal activity; core identifiers (name, DOB, address history) necessary to continue honoring broker suppression records may be retained longer
• Payment records: retained for 7 years to comply with tax and accounting requirements
• Logs: security and access logs retained for up to 12 months

You can request earlier deletion at any time (see §7).

6. Security Practices

We maintain administrative, technical, and physical safeguards designed to protect personal information, including:

• Encryption in transit (HTTPS / TLS 1.2+) for all connections to our site and APIs
• Encryption at rest for databases and backups held with our service providers
• Payment card data handled exclusively by Stripe under PCI DSS Level 1 certification — we never see or store full card numbers
• Principle-of-least-privilege access controls, audit logging, and multi-factor authentication for internal systems
• Annual review of our subprocessors and their security posture

No system is impenetrable. You should use a strong, unique password and contact us immediately if you suspect your account has been accessed without authorization.

7. Your Privacy Rights

7.1 California (CCPA / CPRA)

California residents have the right to:

• Know what personal information we collect, use, disclose, and sell/share (we do not sell)
• Request a copy of your personal information
• Request correction of inaccurate personal information
• Request deletion of your personal information
• Limit the use and disclosure of sensitive personal information
• Opt out of the sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising by default)
• Non-discrimination — we will not deny service or change pricing for exercising your rights

7.2 Other U.S. states

Residents of states with comprehensive privacy laws — including Colorado, Connecticut, Utah, Virginia, Oregon, Texas, Delaware, Montana, Iowa, Tennessee, Indiana, New Hampshire, New Jersey, Minnesota, Maryland, and others as they come into effect — have comparable rights. We honor these rights to the extent required by the applicable state law.

7.3 How to exercise your rights

Submit a request to legal@shieldmydata.io from the email address associated with your account, or contact us via the address in §10. We verify requests by matching the email and, where necessary, by requesting additional information. We respond within the timeframes required by applicable law (generally 45 days).

7.4 Authorized agents

You may designate an authorized agent to make a request on your behalf. We will require written authorization and, in most cases, direct confirmation from you.

8. Cookies and Tracking Technologies

We use cookies and similar technologies for authentication, measurement, and — where applicable — advertising attribution. You can control cookies through your browser settings; blocking essential cookies will impair site functionality. We honor the Global Privacy Control (GPC) signal as an opt-out of sale/sharing where required.

9. Children's Privacy

The Services are not directed to children under 18, and we do not knowingly collect personal information from children under 18. If you become aware that a child has provided personal information to us, contact us and we will delete it.

10. Contact Us

11. International Users

The Services are operated from the United States and are intended for U.S. residents. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States, which may have data protection laws that differ from those of your country.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will revise the "Last updated" date above and, where appropriate, notify you by email or via the Services. Your continued use of the Services after changes become effective constitutes your acceptance of the revised policy.