Privacy Policy
How AfterCheck collects, uses, discloses, retains, and protects personal information.
Last updated:
This is AfterCheck's first product-specific privacy draft. It is written for product review and should be reviewed by counsel before a public launch or paid subscription rollout.
Who This Policy Covers
This Privacy Policy explains how AfterCheck collects, uses, discloses, retains, and protects personal information when businesses and their teams use AfterCheck and when individuals submit feedback through an AfterCheck link.
AfterCheck is a business-to-business service. The business that uses AfterCheck is responsible for its customer relationship, including whether it has permission to contact a customer and what notice it gives that customer. AfterCheck processes feedback data to provide the service to that business.
In this policy, "AfterCheck," "we," "us," and "our" mean the person or entity that owns and operates the AfterCheck service from Saskatchewan, Canada. Legal ownership details may be updated before launch.
Personal Information We Collect
We collect only the information needed to run the service.
- Business user and workspace information: name, email address, authentication metadata, organization name, locations, public profile settings, branding settings, notification preferences, API key metadata, webhook endpoint metadata, and account activity.
- Feedback information: sentiment selection, response status, category, comment text, customer name, customer email, permission-to-contact selection, campaign or request context, external references, source and UTM attribution, timestamps, and neutral next-action clicks.
- Technical and security information: browser or device metadata, user agent, hashed IP or privacy-safe fingerprint values where used, request identifiers, security logs, rate-limit data, consent preferences, and error diagnostics.
- Support and legal communications: information you provide when you contact us for support, privacy requests, security reports, or account help.
AfterCheck is not intended for sensitive personal information such as health records, financial account numbers, government identification, children's data, or other highly sensitive information unless we expressly agree in writing that the service supports that use.
How We Use Information
- Provide, secure, monitor, and improve AfterCheck.
- Authenticate users, manage organizations, and show workspace settings.
- Capture customer feedback, display it to the appropriate business workspace, and support follow-up workflows.
- Generate manual exports, API responses, webhook endpoint metadata, and integration records requested by a workspace.
- Send service, security, account, or notification emails only when the relevant delivery settings and provider configuration allow it.
- Detect misuse, protect service availability, troubleshoot errors, and maintain audit and security records.
- Comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.
Customer Communications And CASL
Businesses using AfterCheck are responsible for making sure their customer communications are lawful. This includes having the required consent or other legal basis to send feedback requests, identifying the sender, and providing any required unsubscribe or preference mechanism for commercial electronic messages.
AfterCheck may provide links, snippets, email notification infrastructure, and future integration features, but those tools do not replace the business's own obligations under Canada's Anti-Spam Legislation (CASL) or other applicable messaging rules.
Cookies, Preferences, And Analytics
AfterCheck uses necessary cookies and local storage for authentication, security, user preferences, consent choices, and product operation. Optional analytics or marketing scripts are disabled by default in the current configuration and should only load when configured and permitted by the applicable consent settings.
We do not use session replay in the current v0.1 product scope. Tracking pixels, marketing automation, and broader advertising integrations are not active by default.
Disclosures And Subprocessors
We may share personal information with service providers that help us operate AfterCheck. Depending on the environment and enabled configuration, these may include:
- hosting, deployment, and application infrastructure providers;
- Supabase for database, authentication, and related services;
- Resend for transactional email delivery when email sending is enabled;
- Sentry for error monitoring and diagnostics;
- Upstash for rate limiting or related operational data;
- Svix for future outbound webhook delivery and signing when enabled;
- professional advisors, support vendors, or authorities where required for security, compliance, legal requests, or enforcement.
Modern SaaS infrastructure may process or store information outside Saskatchewan or Canada. When information is processed outside Canada, it may be subject to the laws of that jurisdiction.
Retention
We retain account, organization, feedback, request, response, export, integration, and security records for as long as needed to provide the service, maintain auditability, support customers, resolve disputes, prevent abuse, and meet legal obligations.
In v0.1, data export and deletion may require a support request rather than self-service deletion for every data type. When a deletion request is approved, we aim to remove or de-identify active service records within a reasonable period, subject to backups, logs, legal holds, fraud prevention, and security obligations.
Access, Correction, And Deletion Requests
Business customers can request access, correction, export, or deletion support for their workspace data. Individuals who submitted feedback through an AfterCheck link may contact the business that sent or published the link, or contact us and we will help route the request where appropriate.
Send privacy requests to support@aftercheck.io. We may need to verify identity and workspace authority before acting on a request.
Safeguards And Breach Response
AfterCheck uses technical and organizational safeguards appropriate for a pre-launch business SaaS product, including authenticated access, organization-scoped authorization, Supabase Row Level Security, hashed API keys, server-only provider secrets, transport security, sanitized logs, and environment-scoped configuration.
No system is perfectly secure. If we identify a privacy or security incident that creates a real risk of significant harm or otherwise triggers legal notice obligations, we will investigate and provide notices as required by applicable law.
Children
AfterCheck is not directed to children and should not be used to knowingly collect children's personal information. Businesses must not use AfterCheck for children's data unless they have the required authority and written approval from AfterCheck.
Changes To This Policy
We may update this policy as AfterCheck, its subprocessors, or its legal obligations change. The "Last updated" date shows when the policy was last revised. Material changes may be announced in the app, by email, or through another reasonable notice path.
Contact
Privacy and legal notices can be sent to support@aftercheck.io. AfterCheck's current operating jurisdiction for this draft is Saskatchewan, Canada.