Draft pending legal review. This policy is a working draft intended to describe how StateWatch actually operates. Have counsel review it before relying on it for compliance. If you have a specific privacy question, email [email protected].
Privacy Policy
Effective date: 2026-05-18 · Last updated: 2026-05-18
What we collect
When you sign up for StateWatch, we collect:
- Your email address, so we can send you alerts and confirmation messages.
- Your state preferences and (on paid tiers) industry tags, so we can match you to relevant bills.
- A randomly generated API key and unsubscribe token, both stored only to authenticate your own future actions.
- Records of which alerts we've sent you, so we don't send the same bill twice.
That's it. We don't collect names, phone numbers, IP addresses, or browser fingerprints. We don't use tracking pixels in emails.
Why we collect it
We collect this information so we can do exactly one thing: send you relevant regulatory alerts. We don't use your data for marketing, analytics, or anything else.
Who we share it with
Three operational subprocessors handle data on our behalf:
- Render hosts our application and database (US East region).
- Resend delivers our emails. Your email address is shared with Resend in order to send alerts to you.
- Stripe processes payments for paid subscribers. We never see or store your card details.
We do not sell, rent, or share your data with any other party for any other purpose. We do not have advertising partners.
How long we keep it
We keep your subscription and alert history for as long as your account is active. If you unsubscribe, we mark your account inactive immediately. If you ask us to delete your data entirely, we will permanently remove your email, subscriptions, and alert records within 30 days. Email [email protected] to make that request.
Your rights
Depending on where you live (CCPA in California, GDPR in the EU/UK, and similar laws in CO/CT/UT/VA/TX), you have the right to:
- Know what data we have about you.
- Get a copy of it.
- Correct anything that's wrong.
- Delete it.
- Opt out of any sale or sharing (we don't sell or share your data, so this is automatic).
To exercise any of these rights, email [email protected] from the address on your account. We'll respond within 30 days.
Security
Connections to StateWatch are encrypted in transit (TLS). The database runs in a private network on Render. Tokens are random 256-bit values stored only on our server.
That said, we're a small operation. We don't have SOC 2 attestation. If you need a specific compliance posture, talk to us before signing up.
Changes to this policy
If we change anything material, we'll email everyone with an active subscription before the change takes effect.
Questions? [email protected]