Privacy Policy
Effective January 1, 2025 · Last updated December 31, 2024
1. Overview
Cambridge Holdings, LLC d/b/a SafeRedact ("SafeRedact," "we," "us," or "our") provides this Privacy Policy to explain how we collect, use, and protect your personal information when you use our document redaction service at saferedact.app (the "Service").
Privacy by Design: Only extracted text is sent to our AI for analysis. Original file binaries remain in your browser. Text sent for analysis is not stored or retained.
2. Data Controller
Cambridge Holdings, LLC is the data controller responsible for your personal data.
Cambridge Holdings, LLC
United States
Email: privacy@...
For users in the EEA, UK, or Switzerland, SafeRedact acts as the data controller for personal data collected through the Service.
3. Information We Collect
Information You Provide
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, communications | Contract |
| Password (hashed) | Account authentication | Contract |
| Payment information | Subscription billing via Stripe | Contract |
Information Collected Automatically
| Data | Purpose | Legal Basis |
|---|---|---|
| Document count | Usage limits, billing | Contract |
| Feature usage | Product improvement | Legitimate interest |
| Error logs | Debugging, reliability | Legitimate interest |
| IP address | Security, fraud prevention | Legitimate interest |
| Browser/device info | Compatibility | Legitimate interest |
Information We Do NOT Collect
- Document contents or files — Original files remain in your browser; only extracted text is sent for AI analysis and immediately discarded
- Detected sensitive information — SSNs, addresses, etc. are not stored
- Images or previews — We never see your documents
- Redaction patterns — Your selections are not tracked
4. Legal Basis for Processing (GDPR)
For users in the EEA, UK, and Switzerland, we process personal data under these legal bases:
- Contract Performance — Processing necessary to provide the Service (account management, billing, support)
- Legitimate Interests — Processing for business interests that do not override your rights (security, fraud prevention, analytics)
- Consent — Where you have given consent for specific processing (marketing, optional cookies)
- Legal Obligation — Processing necessary to comply with legal requirements
5. How We Use Information
We use collected information to:
- Provide, maintain, and improve the Service
- Process payments and manage subscriptions
- Send transactional emails (receipts, account updates)
- Respond to support requests
- Prevent fraud and abuse
- Comply with legal obligations
- Analyze usage to improve our product (in aggregate)
6. Information Sharing
We do not sell your personal information. We may share information with:
- Service Providers — Companies that help us operate the Service (see Section 7)
- Legal Requirements — If required by law, subpoena, or court order
- Business Transfers — In connection with a merger, acquisition, or sale
- With Your Consent — When you explicitly authorize sharing
7. Sub-Processors
We use the following third-party service providers:
| Provider | Purpose | Location |
|---|---|---|
| Anthropic | AI text analysis | United States |
| Stripe | Payment processing | United States |
| Supabase | Authentication, database | United States |
| Vercel | Website hosting | United States |
| Google Analytics | Website analytics | United States |
| Resend | Transactional email | United States |
Each sub-processor is contractually required to protect your data.
8. International Data Transfers
SafeRedact is based in the United States. If you are located outside the US, your data will be transferred to and processed in the United States.
For EEA, UK, and Swiss Users
We transfer data using these legal mechanisms:
- Standard Contractual Clauses (SCCs) — EU-approved contract terms with our sub-processors
- Supplementary Measures — Additional technical and organizational protections
9. Data Retention
- Document files — Original file binaries remain in your browser; only extracted text sent for AI analysis (not stored)
- Extracted text — Not retained; processed and immediately discarded
- Account data — Deleted within 30 days of account deletion
- Usage logs — Retained up to 90 days
- Payment records — Retained 7 years for tax/legal compliance
10. Your Rights
Depending on your location, you may have these rights:
- Access — Request a copy of your personal data
- Correction — Update inaccurate information
- Deletion — Request deletion of your data
- Portability — Receive your data in a portable format
- Objection — Object to certain processing
- Restriction — Request restriction of processing
- Withdraw Consent — Where processing is based on consent
Contact privacy@... to exercise these rights. We respond within 30 days.
11. Additional Rights for EEA, UK, and Swiss Users
Under GDPR, you have additional rights:
- Right to Lodge a Complaint — Contact your local data protection authority
- Right to Object — Object to processing based on legitimate interests
- Right to Withdraw Consent — Withdraw consent at any time
Supervisory Authorities
- EU: European Data Protection Board
- UK: Information Commissioner's Office (ICO)
- Switzerland: Federal Data Protection Commissioner (FDPIC)
12. Cookies & Local Storage
- Essential cookies — Required for authentication. Cannot be disabled.
- Analytics cookies — Google Analytics. Opt out here.
- Local storage — Stores preferences and guest usage limits.
We do not use advertising cookies.
13. California Privacy Rights (CCPA/CPRA)
California residents have additional rights:
- Right to know what personal information we collect
- Right to delete personal information
- Right to opt out of "sale" or "sharing"
- Right to non-discrimination
We do not sell or share personal information as defined under California law.
14. Children's Privacy
SafeRedact is not intended for children under 16. We do not knowingly collect information from children. Contact privacy@... if you believe we have.
15. Changes to This Policy
We may update this policy. Material changes will be posted with a new effective date and, for significant changes, communicated via email.
16. Contact Us
Cambridge Holdings, LLC
Privacy: privacy@...
General: hello@...