Legal · Privacy
Privacy Policy
v1.0 · last updated 28 May 2026
This policy explains what data ArticleProof processes, on what basis, who we share it with, and the rights you have. We process two distinct categories of data in two different roles — we set them out separately below.
1. Who we are
ArticleProof (“ArticleProof”, “we”, “us”) is an AI transparency and disclosure-evidence tool. The service is operated by ArticleProof, located at 5307 Victoria Drive, Vancouver, BC V5P 3V6, Canada. You can reach us at hello@articleproof.app for any privacy question or data-subject request.
We act in two roles. We are a controller for the account data of our customers. We are a processorfor the disclosure-event data that our customers’ widgets capture from their own end-users — that data is processed only on the customer’s documented instructions to provide the service, under the Data Processing Agreement.
Applicable law.Because we operate in British Columbia, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the BC Personal Information Protection Act (PIPA) apply to our handling of personal information. Because some of our customers have end-users in the EU/EEA, the EU General Data Protection Regulation (GDPR) and UK GDPR also apply. We aim to meet the higher standard across these frameworks; where they differ, the framework that gives the individual the stronger protection governs.
2. Account data (we are the controller)
When you create an account we process: your email address, an authentication credential (hashed by Supabase Auth — we never store passwords in plaintext), your plan, and your Stripe customer and subscription identifiers.
Purpose: to provide the service, bill you, provide support, and secure the platform. Legal basis (GDPR Art. 6): performance of our contract with you (Art. 6(1)(b)) and our legitimate interest in security and fraud prevention (Art. 6(1)(f)).
3. Disclosure-event data (we are the processor)
When an end-user interacts with a customer’s AI surface, the ArticleProof widget records a disclosure event. Each event may include: event type (render, acknowledge, dismiss, synthetic-output marking, deepfake label), a random session identifier stored in the end-user’s browser localStorage for roughly 30 days, the page URL, the AI model and provider strings, content hashes of the prompt and output (never the content itself), the user-agent string, and a UTC timestamp.
For this data, our customer is the controller and ArticleProof is the processor. We process it solely to provide the disclosure-evidence service and the audit-pack export.
4. IP addresses — we never store them raw
We do not store raw IP addresses. When an event reaches our ingest endpoint we derive a salted SHA-256 hash plus a coarse-truncated form (/24 for IPv4, /48 for IPv6), used only for abuse and rate-limit signals. The salt rotates weekly. The raw IP is discarded after this transformation and is never written to storage.
We retain previous salts so that historical audit packs remain reproducible. Retained salts are never combined with raw IP addresses (which we do not keep), so this does not reconstitute the original IP — it only allows a past, already-hashed value to be re-derived for verification.
5. Cookies and local storage
ArticleProof does not use tracking or advertising cookies. The widget sets a single first-party localStorage session identifier (~30-day lifespan) to correlate one end-user’s disclosure interactions. It is not used for cross-site tracking or advertising.
6. Subprocessors
We use the following subprocessors to deliver the service. Each is bound by a data processing agreement (linked below) and provides appropriate protection for the data it handles. We will give customers at least 30 days’ notice by email before a new subprocessor begins processing customer data, so a customer may object.
7. International transfers
Data may be processed outside the EU/EEA — in Canada (where we operate) and in the United States (where several subprocessors operate). Where required, we rely on the transfer mechanisms and data-protection commitments offered by our subprocessors, including Standard Contractual Clauses where applicable. The transfer mechanism is set out in the Data Processing Agreement.
8. Retention
Account data is kept for the life of the account plus a wind-down period of up to 30 daysafter closure. Disclosure events are retained according to the customer’s plan: 30 days on Free, 90 days on Starter, and unlimited on Growth, Agency, and Founding plans. On account deletion we delete customer data within 30 days, except where we are required to retain certain records by law (for example, Stripe billing records).
How to delete your account. You can request deletion at any time by emailing hello@articleproof.app. We action verified deletion requests within 30 days; self-serve deletion from the dashboard is being added.
9. Your rights
Subject to applicable law, you have the right to access, rectify, erase, restrict, and port your data, and to object to certain processing (GDPR Arts. 15–22). You may withdraw consent at any time where we rely on it, without affecting prior processing. We respond to data-subject requests within the statutory timeline — one month under the GDPR (extendable for complex requests) and the timelines required under PIPEDA/BC PIPA. This is separate from general support, which we answer in 1–2 business days.
For account data, contact us directly at hello@articleproof.app. For disclosure-event datacaptured by a customer’s widget, the customer is the controller — end-users should direct requests to that customer, and we will assist the customer in fulfilling them. You also have the right to lodge a complaint with your local supervisory authority.
10. Security
We isolate tenants with database row-level security, encrypt data in transit with TLS, store credentials only in hashed form, and store prompt/output content only as hashes. No security measure is perfect, but we work to protect your data using industry-standard practices.
11. Children
ArticleProof is a business tool and is not directed at children under 16.
12. Changes to this policy
We may update this policy as the product and applicable law evolve. Material changes are notified by email and reflected in the dated version at the top of this page.
13. Contact
Privacy questions and data-subject requests: hello@articleproof.app. See also our Terms of Service and Data Processing Agreement.
ArticleProof organizes AI transparency records and disclosure events. It is not legal advice.