Skip to main content

Legal · Plain-English policy

Privacy

Last updated: 2026-05-04

The short version

We don't track you across the web. We don't sell or share personal data. We collect the minimum needed to complete your purchase and deliver the product.

What we collect directly

  • Email address — when you subscribe, contact us, or purchase.
  • Page analytics — via PostHog (self-hosted, EU region). We collect page views, checkout clicks, and product interactions. PostHog data is retained 90 days and used only to improve our products. No cross-site tracking, no advertising profiles.
  • AI Website Revenue Audit inputs — your website URL and business context you submit. Used only to generate your report. Not shared, not retained beyond delivery.

SaaS application data (customer-owned database model)

For our SaaS applications (ComplianceOS, ShopOS AI, TireHub, BuildBuddy, RCA Tool): your customer data does not reside on our infrastructure. You connect your own Supabase database during onboarding. Your data stays on your Supabase instance. We access it only to operate the application software. We are not a data custodian for your customer records.

What our processors collect

Stripe processes payments. When you subscribe or purchase, Stripe receives your name, email, billing address, and payment details under their privacy policy. We receive only your name and email from Stripe after a transaction.

Cloudflare hosts our storefront and handles DDoS protection. Request metadata (IP, user-agent) is processed per Cloudflare's policy.

Railway hosts our application servers. Resend delivers transactional emails.

What we do not do

  • No third-party ad trackers or retargeting pixels.
  • No selling, renting, or sharing personal data with marketers or data brokers.
  • No automated profiling for decisions that affect you.
  • No retention of SaaS customer data — it stays in your database.

Your rights

Under GDPR (if you're in the EU/UK) and CCPA (if you're in California) you have the right to:

  • Request a copy of any personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data, subject to legal retention obligations (e.g. tax records our payment processor must keep).
  • Opt out of any data "sale" — not applicable here, we don't sell data.

To exercise these rights, email us (see homepage for contact). We respond within 30 days.

Data retention

  • Purchase records: 7 years (required for tax/audit compliance).
  • Support email threads: 2 years from last message.
  • Server request logs: 30 days, then purged.
  • Analytics page-view data: 90 days aggregated only.

Children

Our products are not directed at children under 13. We do not knowingly collect data from children. If you believe a child has submitted data, email us and we'll delete it.

Security and breach notification

We use encryption in transit (TLS), access controls, and continuous security monitoring to protect data we do hold. In the event of a security incident affecting your personal data or account, we will notify you by email within 72 hours of becoming aware, in accordance with applicable data protection law.

For SaaS applications using the customer-owned database model, your Supabase instance is governed by Supabase's own security practices and your contractual relationship with them.

Changes to this policy

We'll update the "Last updated" date and, for material changes, email customers who have purchased before the change. Past versions are available on request.

Contact

Morton Technology Consulting LLC. See the homepage footer for contact email.