Privacy · effective 2026-07-08

Privacy Policy

This policy describes what personal data Exposure Bureau LLC (“we”, “us”) actually collects through this website and its report service, why, who processes it, how long we keep it, and how you can have it deleted. It reflects our current practices, not aspirational ones — it is not legal advice.

01·Who we are

Exposure Bureau is a US LLC that produces a recurring, quantified intelligence report from public and licensed sources. This site is currently a marketing and lead-capture site plus a free credential-exposure teaser — there are no user accounts and no billing on it today.

02·What we collect

First-party form submissions. When you submit one of our forms we store what you give us, as given, in our database:

  • Waitlist / sample request (table leads): name, business email, company domain, and any message or interest you select.
  • Free CES teaser request (table teaser_requests): business email and company domain, so we can email you a single-index snapshot.
  • Resource / material requests (tables leads + report_subscriptions): business email and the materials you asked for.

Technical data. Our edge host records a request IP and timestamp for security and abuse rate-limiting. We do not run advertising trackers.

Report-service signals (clients). For a paying client’s report, we ingest observations tied to that client’s own domains and brands from public and licensed sources. Personal identifiers in that data are hashed at ingest (SHA-256 + salt) and we store only the hash plus observation metadata — brand and market data is aggregate, never individual-person profiling.

03·Why we process it (legal basis)
  • Consent — for every first-party form: you submit your details so we can contact you or send what you asked for. You can withdraw consent at any time by deleting your data (Section 06).
  • Legitimate interests — security and abuse-prevention (rate-limiting), and producing the exposure indices for a client from minimized, hashed source data.
  • Legal obligation — where the law requires us to retain or disclose data.
04·Who processes it

We use a small set of processors, each under their standard data-processing terms:

  • Supabase — Postgres database hosting for form submissions (row-level security, service-role writes only).
  • Resend — transactional email delivery (confirmation links, the teaser, and any material you request).
  • Cloudflare — website hosting, edge delivery, and rate-limiting.

We do not sell personal data, and we do not “share” it for cross-context behavioral advertising (CCPA/CPRA). We do not run targeted advertising.

05·How long we keep it
  • Form leads (waitlist, teaser, resources): retained until you ask us to delete them.
  • Client report signals: 13 months by default, configurable per category; stored as hashed identifiers plus metadata.
06·Your rights & how to delete your data

Subject to applicable law, you can request access to, correction of, or deletion of your personal data, and object to or withdraw consent for processing. For business email you submitted to us, the fastest route is our self-service deletion flow:

exposurebureau.com/privacy/delete — enter your email, confirm via the single-use link we send, and every record tied to that address (and any linked subscriptions) is erased.

For any other request, or written attestation, email [email protected]. We may need to verify your identity, and we will respond within the time your law allows (30 days under GDPR, extendable only where permitted).

07·Cookies

The site uses only strictly-necessary cookies for security and basic function. We do not use advertising or cross-site tracking cookies. You can control cookies in your browser; blocking strictly-necessary ones may break parts of the site.

08·Automated decisions

We do not make decisions producing legal or similarly significant effects about you by solely automated means. Our index scores are one input to a human decision by our client — never a final automated determination about an individual.

09·Children

The service is not directed at anyone under 18 and we do not knowingly collect their personal data. If we learn we have, we delete it promptly.

10·Changes & contact

We may update this policy; the effective date above changes when we do, and material changes will be noted here. Questions or requests: [email protected].