myprivacyback

Privacy Policy

Last updated: May 25, 2026

MyPrivacyBack ("we", "us", "our") operates myprivacyback.com and the related service that submits data-deletion requests to data brokers on behalf of our subscribers (the "Service"). This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and your rights over it.

We take privacy seriously because our entire product is privacy. If anything in this policy is unclear, email privacy@myprivacyback.com.

1. Who is the controller of your data?

MyPrivacyBack acts as the data controller for your account information (email, password hash, billing data, support correspondence) and as a data processor when handling the personal information of household members you add to your account for the purpose of submitting deletion requests on their behalf.

Privacy questions and requests: privacy@myprivacyback.com

2. What information we collect

From you, the account holder

  • Email address and password (hashed) for authentication
  • Billing details processed by our payment provider (we do not store card numbers)
  • Support correspondence and dashboard activity

From household members you add

  • Full name(s), including past names and known aliases
  • Current and prior physical addresses
  • Email addresses and phone numbers
  • Date of birth (used by some brokers to verify identity for opt-out)
  • Country and state of residence (drives which legal templates apply)

We collect this information because data brokers require it to identify a record and confirm the request comes from the data subject. We collect no more than necessary.

3. How we use your information

  • To submit data-deletion requests to applicable data brokers under CCPA, GDPR Art. 17, UK GDPR, and similar laws
  • To re-submit requests every 60 days while your subscription is active
  • To respond to broker requests for identity verification (forwarded through us, not directly to the broker)
  • To operate, maintain, and improve the Service (logs, error monitoring, uptime)
  • To bill you and provide customer support
  • To comply with our legal obligations

We do not sell, rent, or share your personal information for marketing or analytics. We do not allow third parties to use your data for their own purposes, other than as strictly necessary to deliver the Service (see Subprocessors below).

4. Legal basis (GDPR / UK GDPR)

  • Contract: processing necessary to deliver the Service you signed up for
  • Legal obligation: tax, accounting, anti-fraud requirements
  • Legitimate interest: security monitoring, abuse prevention, basic product analytics — balanced against your rights
  • Consent: where required for optional features (we will tell you and ask)

5. Sharing with third parties

Subprocessors we use

  • Vercel — web app hosting (United States)
  • Neon — database hosting in AWS us-east-1 (United States)
  • Amazon Web Services (AWS) — worker compute, object storage, transactional email (us-east-1)
  • Stripe — payment processing (United States, GDPR-compliant)
  • Prighter — EU Article 27 representative for EU data subjects (Vienna, Austria)

International transfers from the EU/UK to the US rely on EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable.

Recipients of deletion requests

By using the Service, you instruct us to forward the personal information of any household member you add to the data brokers we submit removal requests to. We share the minimum information necessary for the broker to identify and delete the matching record. See our Data Processing Addendum for the controller / processor relationship in detail.

6. Data retention

  • Account profile (household members' personal data): kept while your subscription is active; deleted within 30 days of cancellation.
  • Billing records: retained 7 years for tax and accounting compliance.
  • Support emails: retained 2 years from last reply.
  • Server logs: retained 30 days unless flagged for security investigation.
  • Removal request audit log (broker, date, outcome): retained 3 years, pseudonymized after subscription ends.

7. Your rights

If you are an EU/UK resident under GDPR, or a California resident under CCPA, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion ("right to be forgotten")
  • Restrict or object to certain processing
  • Receive your data in a portable format
  • Withdraw consent at any time, where consent is the legal basis
  • Opt out of the "sale" or "sharing" of your personal information (CCPA) — note: we do not sell or share your data, so this is effectively automatic
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, email privacy@myprivacyback.com. We respond within 30 days (GDPR) or 45 days (CCPA).

8. Security

We use TLS 1.2+ in transit, encryption at rest in our database and object storage, scoped IAM credentials for AWS access, and least-privilege application database roles. Authentication uses industry-standard password hashing (bcrypt). We monitor access logs for anomalies. No system is unbreakable; if we discover a personal data breach that poses a risk to you, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Art. 33.

9. Cookies

We use only essential, first-party cookies needed to keep you signed in and to remember cookie preferences. We do not use third-party advertising or cross-site tracking cookies.

10. EU representative

For EU data subjects under GDPR Art. 27, our EU representative is Prighter. You may contact them in any official EU language using the address listed at prighter.com.

11. Children

The Service is not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us information, email privacy@myprivacyback.com and we will delete it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced by email to active subscribers at least 14 days before they take effect. The "Last updated" date at the top always reflects the current version.

13. Contact

MyPrivacyBack
Privacy: privacy@myprivacyback.com
Support: support@myprivacyback.com