Privacy Policy

Last updated: 9 March 2026

1. Who we are

RepShield (“we”, “us”, “our”) is operated by Daan Brummans, based in the Netherlands. We can be reached at support@repshield.app.

RepShield is a privacy-protection service that scans data broker databases and breach databases on your behalf, then sends legally binding deletion requests to those brokers.

2. What data we collect

We collect only the minimum data needed to provide the service:

  • Account data: your email address (via Google OAuth or magic link sign-in).
  • Profile data: full name, phone number, city, and country — provided voluntarily to improve scan accuracy.
  • Scan results: breach records and data broker matches associated with your profile. These are fetched from third-party APIs (LeakCheck) and our broker database and stored in your account.
  • Usage data: standard server logs (IP address, browser type, pages visited) retained for 30 days for security and debugging purposes.
  • Payment data: if you subscribe, payments are processed by Stripe. We never see or store your card number; Stripe stores it subject to their own privacy policy.

3. How we use your data

We use your data exclusively to:

  • Run data broker and breach scans against your profile.
  • Send GDPR Article 17 / CCPA deletion requests to data brokers on your behalf.
  • Track the status of removal requests and re-send if data reappears.
  • Communicate with you about your account (scan results, removal updates, support).
  • Process subscription payments.

We do not use your data for advertising, profiling, or any purpose other than the privacy-protection service you signed up for.

4. Legal basis (GDPR)

We process your personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b)): processing your profile and running scans is necessary to provide the service you requested.
  • Legitimate interests (Art. 6(1)(f)): server logs for security and fraud prevention.
  • Legal obligation (Art. 6(1)(c)): retaining transaction records as required by Dutch tax law.

5. Data sharing

We share your data only with:

  • Supabase (database and authentication) — EU data residency, GDPR compliant.
  • LeakCheck (breach API) — your email is sent to query their database; no data is retained by them per their terms.
  • Stripe (payments) — name and email for billing; card data never touches our servers.
  • Postmark (transactional email) — used to send removal request emails on your behalf.
  • Render (API hosting) — our backend runs on Render infrastructure in the EU.

We never sell, rent, or share your data with advertisers, data brokers, or any other third parties.

6. Data retention

  • Account and profile data: retained while your account is active and deleted within 30 days of account deletion.
  • Scan results: retained for the duration of your subscription and deleted upon account deletion.
  • Billing records: retained for 7 years as required by Dutch tax law (invoices only — no card data).
  • Server logs: 30 days.

7. Your rights (GDPR)

If you are based in the EU/EEA, you have the following rights:

  • Access: request a copy of all personal data we hold about you.
  • Rectification: ask us to correct inaccurate data.
  • Erasure: request deletion of your account and all associated data.
  • Portability: receive your data in a machine-readable format.
  • Restriction: ask us to stop processing your data while a dispute is resolved.
  • Objection: object to processing based on legitimate interests.

To exercise any of these rights, email privacy@repshield.app. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

8. Cookies

We use only essential, functional cookies — specifically the Supabase authentication session cookie required to keep you logged in. We do not use tracking cookies, analytics cookies, or advertising cookies.

9. Security

All data is transmitted over HTTPS/TLS. Your profile and scan data are stored in Supabase with row-level security, meaning only your account can access your data. We follow industry-standard practices for access control, secret management, and dependency updates.

10. Children

RepShield is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, contact us and we will delete it immediately.

11. Changes to this policy

We may update this policy to reflect changes in the service or legal requirements. We will notify you by email and update the “Last updated” date at the top. Continued use of the service after a change constitutes acceptance.

12. Contact

Questions? Email privacy@repshield.app.