Privacy Policy
Last updated: May 22, 2026
1. Introduction
2. Information We Collect
Account Information:
- Name, email address, phone number
- Organization name and business details
- Login credentials (passwords are hashed using bcrypt)
- Billing information (processed by Stripe — we do not store card numbers)
Client Data (uploaded by you):
- Client names, contact information, addresses
- Social Security numbers (last 4 stored in plain text; full SSN encrypted with AES-256-GCM)
- Credit reports and credit scores
- Dispute history and correspondence
- Documents (IDs, proof of address, agreements)
Payment Processing Data (Authorize.net):
- Your Authorize.net API credentials are encrypted with AES-256-GCM before storage
- Client credit card numbers are never stored — they are tokenized via Authorize.net Customer Profiles
- We store only the last 4 digits, card brand, and expiration for display purposes
3. How We Use Information
- To provide, maintain, and improve the Service
- To process your subscription payments
- To generate AI-powered dispute letters and credit analysis
- To send transactional emails (invoices, password resets, dispute updates)
- To provide customer support
- To comply with legal obligations
4. Data Security
We implement industry-standard security measures to protect your data:
- Encryption at rest: Sensitive data (SSNs, API credentials) is encrypted using AES-256-GCM
- Encryption in transit: All data is transmitted over HTTPS/TLS
- Password security: Passwords are hashed using bcrypt with salt
- Access control: Role-based access (Owner, Admin, Agent) limits who can view/modify data
- Multi-tenant isolation: Each organization's data is logically isolated at the database level
- PCI compliance: Credit card numbers are tokenized through Authorize.net and never stored on our servers
5. Data Sharing
We do not sell your data. We share data only with:
- Stripe: Our payment processor for SaaS subscription billing
- Authorize.net: Payment processing for your client transactions (only when you connect your own merchant account)
- Anthropic: AI processing of credit reports and dispute letter generation (data is not used for model training)
- Resend: Transactional email delivery
- Vercel: Application hosting and file storage
- Law enforcement: When required by valid legal process
6. Google User Data
DisputePro AI offers an optional feature that lets you connect your Google account so that emails you send to your own clients are delivered from your own address instead of ours. This section describes exactly what we access and how we use it.
What we request
- Your email address and basic profile (name, profile picture) — to identify the connected mailbox and display it in your settings
- Permission to send email on your behalf (
gmail.send) — to deliver messages you choose to send to your clients
What we do not do
- We never read, list, search, modify, or delete any message in your mailbox. The send-only permission we request does not technically permit it.
- We never send email except as the direct result of an action you take in the app, or an automation you configured yourself.
- We never send unsolicited or bulk marketing email from your account.
- We do not use Google user data for advertising, and we do not sell or transfer it.
- We do not use Google user data to develop, improve, or train generalized AI or machine learning models.
- No humans read your Google user data, except where required for security, to comply with law, or where you have given explicit consent for support.
Access tokens are encrypted at rest using AES-256-GCM and are used solely to deliver the messages you send. You can disconnect at any time from Settings → Integrations, which revokes our access and deletes our copy of your tokens. You may also revoke access directly at myaccount.google.com/permissions.
DisputePro AI's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
7. Data Retention
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data ("right to be forgotten")
- Export your data in a portable format
- Opt out of marketing communications
- Restrict or object to data processing
To exercise these rights, contact us at privacy@disputepro.net.
9. Cookies & Analytics
10. Children's Privacy
11. California Privacy Rights (CCPA)
12. Changes to This Policy
13. Contact Us
For privacy questions or data requests:
Email: privacy@disputepro.net