Privacy Policy
Last updated July 12, 2026
Effective date: July 12, 2026 [PLACEHOLDER — set the actual effective date before publishing]
This Privacy Policy explains how DebtDefense [LEGAL ENTITY NAME AND TYPE TO BE CONFIRMED — e.g., DebtDefense, LLC, a Virginia limited liability company] ("DebtDefense," "we," "us," or "our") collects, uses, and protects information when you use the website at debtdefense.app, our document preparation software, our educational articles, and any related services (together, the "Service").
The short version: we collect what we need to run the Service for you, we use your case information only to prepare your documents and reminders, we do not sell your personal information, and we do not share your case information with debt collectors, creditors, or anyone on the other side of your lawsuit — the only exceptions are the narrow, legally compelled disclosures described in Section 3. The details are below.
1. What We Collect
Account information. When you create an account, we collect your email address and name. Sign-in is passwordless: we email you a secure sign-in link, or you can sign in with your Google account — in which case Google sends us your name and email address. We never see or store a password.
Case information. To prepare documents for you, the Service asks you to enter details about your lawsuit. This can include the names of the parties, the court, case numbers, the amount claimed, relevant dates and deadlines, information about the debt, and your answers to questions the software asks. You may also upload copies of court documents, such as the papers you were served with.
We know this is sensitive information. A lawsuit is a stressful, private matter, and the details of your case — including the fact that you have been sued at all — deserve careful handling. We treat case information as confidential: we use it only to provide the Service to you, as described in Section 2, and we protect it as described in Section 6. We do not use your case information for advertising, and we do not share it with the parties described in Section 3.
Payment information. Payments are processed by Stripe, a third-party payment processor. When you make a purchase, your card number goes directly to Stripe — it never touches our servers, and we never store it. We receive from Stripe only limited information about the transaction, such as a confirmation that payment succeeded, the amount, the last four digits of the card, and the card brand.
Usage information. Like most websites, we collect basic information about how the Service is used: pages visited, features used, approximate location (at the city or region level, derived from IP address), browser and device type, and error reports. We use privacy-conscious analytics to understand how people use the Service and where it can be improved. [ATTORNEY/ENGINEERING TO CONFIRM: specific analytics provider, whether IP addresses are stored or truncated, and whether any cookies beyond strictly necessary ones are set — the cookie disclosure below should match the actual implementation.]
Emails you send us. If you contact support, we keep the correspondence so we can help you and keep a record of the conversation.
2. How We Use Your Information
We use the information described above to:
- Provide the Service — create and maintain your account, let you log in, and save your work in progress;
- Generate your documents — assemble the court forms and related documents you ask the software to prepare, using the case information you enter;
- Send deadline reminder emails — if you enter case dates and turn on reminders, we email you as those dates approach. These reminders are part of the Service, not marketing. You can turn them off at any time;
- Process payments and send receipts — through Stripe, as described above;
- Respond to you — answer support requests and account questions;
- Improve the product — understand, through usage information, which parts of the Service work well and which are confusing, and fix bugs;
- Protect the Service — detect and prevent fraud, abuse, and security incidents;
- Meet legal obligations — comply with applicable law and respond to valid legal process, as described in Section 3.
We do not use your case information to train artificial intelligence models, build marketing profiles, or make automated decisions about you that have legal effects.
3. What We Do NOT Do
These commitments are the heart of this policy:
- We do not sell your personal information. Not your email, not your name, not your case information, not your usage data. We have not sold personal information in the past and we do not sell it now, as "sell" is defined under the California Consumer Privacy Act and the Virginia Consumer Data Protection Act. We also do not share personal information for cross-context behavioral advertising.
- We do not share your case information with debt collectors, creditors, debt buyers, their attorneys, or any opposing party. The information you enter about your lawsuit is used to prepare your documents and reminders — nothing else. The other side learns what is in your documents only if and when you choose to file or send them.
- We do not disclose that you use the Service to the parties listed above.
There are narrow exceptions where the law can require disclosure: we may disclose information if we are legally compelled to — for example, by a valid subpoena or court order — or where disclosure is necessary to protect the safety of a person, to enforce our Terms of Service, or in connection with a corporate transaction such as a merger or acquisition (in which case this policy would continue to apply to your information until you are notified otherwise). Where the law allows, we will attempt to notify you before disclosing your information in response to legal process. [ATTORNEY TO REVIEW: scope of the legal-process notification commitment.]
4. Service Providers (Subprocessors)
Like nearly every online service, we rely on a small number of companies to run our infrastructure. Each one processes information only to provide its service to us, under contracts that restrict how it can use the data:
- Hosting — Vercel hosts the application and serves the website;
- Database — Neon hosts our database, where account and case information is stored;
- Payments — Stripe processes payments, as described in Section 1;
- Email — Resend delivers transactional emails such as sign-in links, deadline reminders, and receipts;
- File storage — [STORAGE PROVIDER TO BE CONFIRMED — e.g., Vercel Blob] stores documents you upload and documents we generate for you;
- Authentication — if you choose "Sign in with Google," Google processes that sign-in under its own privacy policy;
- Analytics — [ANALYTICS PROVIDER TO BE CONFIRMED] processes usage information as described in Section 1.
These providers may store data in the United States. If we add or replace a provider that handles personal information, we will update this policy. [ATTORNEY TO CONFIRM: whether a separately maintained subprocessor list page is preferable to naming providers inline.]
5. Data Retention and Deletion
While your account is active, we keep your account and case information so you can return to your documents — many people work on their case over weeks or months, and deadlines can stretch across a court process.
You can delete your account and case data at any time. Account settings include a delete option, and you can also request deletion by emailing [PRIVACY EMAIL — e.g., privacy@debtdefense.app]. When you delete your account:
- Your account information and case information, including uploaded documents, are deleted from our active systems within [NUMBER TO BE CONFIRMED — e.g., 30] days;
- Copies in encrypted backups are overwritten in the ordinary backup cycle within [NUMBER TO BE CONFIRMED — e.g., 90] days;
- We may retain limited records where the law requires or permits it — for example, payment and tax records, and records needed to resolve disputes or enforce our Terms.
If your account is inactive for a long period, we may delete it after emailing you advance notice at the address on file. [RETENTION SCHEDULE TO BE CONFIRMED BY ATTORNEY.]
6. Security
No online service can promise perfect security, and we do not. But we take the sensitivity of case information seriously, and we use safeguards that include:
- Encryption in transit — connections to the Service are encrypted using TLS (the standard technology behind the padlock in your browser);
- Encryption at rest — data stored in our database and file storage is encrypted;
- Access controls — access to production data is limited to the small number of people who need it to operate the Service, and that access is logged;
- Passwordless sign-in — there is no password to steal; sign-in uses expiring emailed links or your Google account;
- Payment isolation — card numbers are handled entirely by Stripe and never stored on our systems.
If a breach affecting your personal information occurs, we will notify you and the appropriate regulators as required by applicable law.
7. Your Privacy Rights
Everyone can contact us with privacy questions or requests at [PRIVACY EMAIL — e.g., privacy@debtdefense.app], regardless of where they live. State laws also give specific rights to residents of certain states.
Virginia residents (VCDPA)
The Virginia Consumer Data Protection Act gives Virginia residents the right to:
- Confirm and access — know whether we process your personal data, and get access to it;
- Correct — fix inaccuracies in your personal data;
- Delete — have personal data you provided, or that we obtained about you, deleted;
- Data portability — get a copy of personal data you provided to us in a portable and usable format;
- Opt out — opt out of the processing of personal data for targeted advertising, for sale, or for profiling that produces legal or similarly significant effects. As stated in Section 3, we do not sell personal data or use it for targeted advertising or such profiling, so there is nothing to opt out of — but the right exists, and if our practices ever change, we will provide an opt-out mechanism first.
To exercise these rights, email [PRIVACY EMAIL] with the subject line "Privacy Request." We will respond within 45 days (extendable once by another 45 days where reasonably necessary, in which case we will tell you). If we decline a request, you may appeal by replying to our decision, and we will respond to the appeal within 60 days. If the appeal is denied, you may contact the Virginia Attorney General to submit a complaint.
California residents (CCPA/CPRA)
The California Consumer Privacy Act, as amended, gives California residents the right to:
- Know — request the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties to whom it is disclosed;
- Delete — request deletion of personal information we collected from you, subject to legal exceptions;
- Correct — request correction of inaccurate personal information;
- Opt out of sale or sharing — we do not sell personal information or share it for cross-context behavioral advertising, so there is nothing to opt out of;
- Limit use of sensitive personal information — we use sensitive information (such as case information) only to provide the Service you requested, which is within the uses California law permits without a separate limitation right;
- Non-discrimination — we will not deny you the Service, charge you a different price, or provide a different level of service because you exercised any of these rights.
To exercise these rights, email [PRIVACY EMAIL] with the subject line "Privacy Request." We will verify your identity — usually by confirming control of the email address on your account — and respond within the time California law requires. You may also designate an authorized agent to make a request on your behalf.
Other states
Other states have enacted similar privacy laws. Residents of those states may have comparable rights of access, correction, deletion, and portability, and can make requests through the same email address. [ATTORNEY TO CONFIRM: whether the company meets the applicability thresholds of the VCDPA, CCPA, and other state privacy laws, and to conform this section to the states where thresholds are actually met.]
8. Children
The Service is not directed to anyone under 18, and our Terms of Service require users to be at least 18 years old. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from someone under 18, we will delete it. A parent or guardian who believes a minor has provided us information can contact us at [PRIVACY EMAIL].
9. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes — especially any change to the commitments in Section 3 — we will post the updated policy on this page with a new effective date and notify you by email or by a notice in the Service before the change takes effect. Minor changes, such as clarifications or updated provider names, may be posted with an updated effective date alone.
10. Contact
Questions, concerns, or privacy requests can be sent to:
- Email: [PRIVACY EMAIL — e.g., privacy@debtdefense.app]
- Mail: DebtDefense, [MAILING ADDRESS TO BE CONFIRMED], Virginia
A closing note on why this policy reads the way it does: DebtDefense exists to help people who have been sued respond to a lawsuit. The information users trust us with — the fact of the lawsuit, the parties, the amounts, the documents — is exactly the kind of information the other side of that lawsuit might want. Keeping it confidential is not a legal formality for us; it is the product working as intended.