Privacy Policy
SettlePoint Pro — Settlement Negotiation Tracking
Last Updated: February 15, 2026
1. Introduction
This Privacy Policy describes how SettlePoint Pro (“we,” “us,” “our”) collects, uses, shares, and protects information when you use our settlement negotiation tracking service at settlepoint.io (the “Service”). This policy applies to all users of the Service. By using the Service, you consent to the practices described in this policy.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: Email address and password (password is hashed using bcrypt before storage; we cannot see or recover your password)
- Payment information: Processed by Stripe. SettlePoint does not store credit card numbers, bank account details, or full payment credentials. We receive and store only your Stripe customer ID and subscription status.
- Matter data: Matter names, party names (Party A/Party B designations), negotiation rounds (offers, brackets, midpoints, spreads), round notes, matter notes, settlement amounts, and settlement dates
- Sharing configuration: Share link permissions, optional passwords (stored as bcrypt hashes only), and expiration preferences
- Email recipients: Email addresses you provide when sending negotiation reports via the email feature
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, and timestamps
- Device information: Browser type, operating system, and screen resolution (via standard HTTP headers)
- IP addresses: Collected by our infrastructure providers (Vercel, Supabase) in server logs
- Cookies: Session cookies for authentication (Supabase auth tokens stored in HTTP-only cookies). We do not use third-party tracking cookies.
2.3 Information from Third Parties
We receive payment status and subscription information from Stripe. We do not use social login or any third-party authentication providers.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service (storing matters, calculating midpoints, generating reports)
- Process payments and manage subscriptions via Stripe
- Send transactional emails when you initiate them (email reports, password resets, account confirmations) via Resend from noreply@send.settlepoint.io
- Provide AI-powered negotiation analysis when you request it (see Section 4)
- Respond to support requests and communicate with you about your account
- Detect and prevent fraud, abuse, or violations of our Terms of Use
- Improve the Service based on usage patterns
We do NOT sell, rent, or trade your personal information to third parties. We do NOT use your negotiation data for advertising purposes.
4. AI-Powered Analysis and Data Processing
When you use AI analysis features, your matter data (party names, offers, brackets, midpoints, and related negotiation data) is sent to Anthropic's Claude API for processing. Anthropic processes this data according to its own API terms of service; data sent via the API is not used to train Anthropic's models. AI analysis results are stored in our database associated with your matter.
AI analysis features are entirely optional. You can use all other features of the Service without triggering any data transfer to Anthropic.
5. Data Sharing and Disclosure
5.1 User-Initiated Sharing
- Share links: When you create a share link, the specified matter data becomes accessible to anyone with the URL (and password, if set)
- Email reports: When you send an email report, the specified matter and round data is transmitted to the recipient email address via Resend
5.2 Third-Party Service Providers
We share data with the following service providers, who access data only as necessary to perform their services:
- Supabase: Hosts our database and authentication system (SOC 2 Type II certified)
- Stripe: Processes payments (PCI DSS compliant)
- Resend: Delivers transactional emails
- Vercel: Hosts and serves the web application
- Anthropic: Processes AI analysis requests (when initiated by you)
5.3 Legal Requirements
We may disclose your information if required by law, subpoena, court order, or government request. We may also disclose information when we believe disclosure is necessary to protect our rights, safety, or property, or the rights, safety, or property of others.
5.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction. We will notify you of any such transfer and any changes to this Privacy Policy.
6. Data Security
We implement commercially reasonable security measures to protect your data:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS
- Encryption at rest: Data stored in our database is encrypted at the database level by Supabase
- Row Level Security (RLS): PostgreSQL policies ensure users can only access their own data through the application
- Password hashing: User passwords and share link passwords are hashed using bcrypt
In the interest of transparency, you should be aware of the following limitations:
- The Service is not end-to-end encrypted. Authorized administrators can technically access the database for support and maintenance.
- SettlePoint itself is not SOC 2 certified (our database provider, Supabase, is SOC 2 Type II certified).
- The Service is not HIPAA compliant. Do not enter protected health information.
- Multi-factor authentication is not currently available.
No method of electronic transmission or storage is 100% secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee absolute security. For more information, please see the Limitation of Liability section in our Terms of Use.
7. Data Retention
- Active accounts: Your data is retained indefinitely while your subscription is active.
- Canceled subscriptions: Your data remains in our database until you choose to delete your account.
- Deleted accounts: All data (matters, rounds, share links, AI analyses, and account information) is permanently deleted when you delete your account via the Account page. Deletion is immediate due to database cascade rules.
- Server logs: Retained per Vercel's and Supabase's standard retention policies.
- Payment records: Retained by Stripe per its policies and applicable legal requirements.
8. Your Rights and Choices
- Access: You can view all your data through the dashboard at any time.
- Export: You can export your data in PDF or Excel format per matter, or export all matters from the Account page.
- Correction: You can edit matter names, party names, and round data at any time.
- Deletion: You can delete individual matters, individual rounds, or your entire account (Account page > Delete Account).
- Emails: Transactional emails are sent only when you initiate them (email reports, password resets). We do not currently send marketing emails.
- Cookies: Session cookies are essential for the Service to function. Disabling them will prevent login and normal use of the Service.
9. GDPR Rights (EU Residents)
If you are a resident of the European Union, you have certain rights under the General Data Protection Regulation (GDPR):
- Right to access: Request a copy of your personal data
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Delete your account and all associated data
- Right to data portability: Export your data via PDF or Excel
- Right to restriction of processing: Contact us to restrict certain processing activities
- Right to object: Contact us regarding specific processing concerns
Most of these rights can be exercised through self-service features on the Account page. For additional requests, contact us at contact@settlepoint.io.
10. Children's Privacy
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at contact@settlepoint.io.
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know: What personal information is collected and how it is used (described in this policy)
- Right to delete: Request deletion of your personal information (available via Account page > Delete Account)
- Right to opt out of sale: We do NOT sell your personal information to third parties
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
12. International Data Transfers
The Service is hosted in the United States via Vercel and Supabase infrastructure. If you are accessing the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States. We rely on standard contractual protections where applicable.
13. Do Not Track Signals
The Service does not currently respond to “Do Not Track” (DNT) browser signals. We do not engage in cross-site tracking of our users.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service. Your continued use of the Service after such changes constitutes your acceptance of the revised policy. The “Last Updated” date at the top of this page reflects the most recent revision.
15. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: contact@settlepoint.io
Disclaimer: SettlePoint Pro is not a law firm and does not provide legal advice. This privacy policy does not constitute legal advice. Consult with a qualified attorney for legal questions regarding data privacy.