Privacy Policy

How FineProof collects, uses, and protects your data.

Last updated: April 18, 2026

FineProof ("we", "us", or "our") operates fineproof.io and the FineProof compliance intelligence application. This Privacy Policy explains how we collect, use, store, and protect information when you use our service, including data accessed through HRIS integrations such as Gusto, Rippling, and others.

Summary: We collect only what we need to deliver the service. We do not sell your data. We do not store payroll or financial data. You can request deletion of your data at any time.

1. Data We Collect

FineProof requests the minimum data necessary to generate your compliance profile. When you connect your HRIS account, we access only:

Data Type | Source | Purpose
Employee work state / location | HRIS (e.g. Gusto) | Determine applicable state employment laws
Company name and headcount | HRIS (e.g. Gusto) | Generate compliance profile and threshold alerts
Account email address | Registration | Account access, alerts, and notifications
Billing information | Stripe (payment processor) | Subscription management — not stored by FineProof

We do not collect or store payroll data, salary information, Social Security Numbers, bank account details, or any employee personal identifiers beyond work location and headcount.

2. How We Use Your Data

We do not use your data for advertising, profiling, or any purpose unrelated to delivering the FineProof service.

3. Legal Basis for Processing

FineProof processes your data on the following legal bases:

4. Data Storage and Security

All data is stored in Supabase (hosted on AWS US-East), encrypted at rest using AES-256 encryption. All data in transit is protected by TLS 1.2 or higher. Access to your data is restricted via Supabase Row Level Security — only your account can access your data.

FineProof enforces multi-factor authentication on all internal systems. No data is stored on local developer devices.

5. Data Retention and Destruction

Data Type | Retention Period
Active customer data | Duration of active subscription
Cancelled account data | Deleted within 30 days of cancellation
HRIS-sourced data (employee locations) | Refreshed on each sync, purged after 90 days of inactivity
System access and API logs | 12 months, then permanently deleted
Automated backups | 7 days, then automatically deleted by Supabase

Data deletion is executed via hard delete — not soft delete. Deleted data is not recoverable.

6. Your Rights

You have the following rights with respect to your data:

To exercise any of these rights, contact us at hello@fineproof.io. We will respond within 10 business days.

7. Data Sharing and Sub-Processors

FineProof does not sell, rent, or share your data with third parties for marketing purposes. We share data only with the following sub-processors, strictly for the purpose of delivering the service:

Sub-Processor | Purpose | Certification
Supabase (AWS) | Database, backend, authentication | SOC 2 Type 2
Netlify | Frontend hosting and delivery | SOC 2 Type 2
Stripe | Payment processing (no financial data stored by FineProof) | PCI DSS Level 1
Google Workspace | Business email | SOC 2 Type 2

8. HRIS Integration Data (Gusto and others)

When you connect FineProof to your HRIS account, you explicitly authorize the connection via OAuth2. FineProof accesses only the scopes you approve. You may disconnect the integration at any time from your HRIS settings, which immediately stops all future data access. Previously synced data will be deleted upon your request or within 30 days of account cancellation.

9. Data Breach Notification

In the event of a security incident affecting your data, FineProof will notify affected customers within 72 hours of a confirmed breach. Notification will include the nature of the incident, categories of data affected, likely consequences, and measures taken to address the breach. We will also notify the relevant HRIS platform (e.g. Gusto) within 24 hours if their customer data is involved.

10. Children's Privacy

FineProof is a B2B service intended for business use only. We do not knowingly collect data from individuals under the age of 18.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify customers of material changes via email at least 14 days before the change takes effect. Continued use of FineProof after the effective date constitutes acceptance of the updated policy.

12. Contact

For any privacy-related questions, requests, or concerns:

FineProof
Email: hello@fineproof.io
Website: fineproof.io