Skip to main content

Legal

Privacy policy.

What we collect, how we use it, and how to exercise your rights — structured the way the California Consumer Privacy Act asks us to.

Reference
Last updatedMay 2026
EffectiveMay 24, 2026
Versionv4

Overview

FastDOL collects the minimum personal information needed to run a federal enforcement data search engine: an email and hashed password if you create an account, API usage counts to enforce quotas, server logs to prevent abuse, and aggregate site analytics for visitors who opt in via the cookie banner. We do not sell personal information. We honor Global Privacy Control. The rest of this page lays out the details using the structure required by the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Categories of personal information we collect

The CCPA defines specific categories of personal information at Cal. Civ. Code §1798.140(v). Over the past 12 months we have collected:

  • Identifiers (§1798.140(v)(1)(A)): email address, IP address, user-agent string, optional company name, the account ID we assign at signup, and API key identifiers.
  • Categories described in §1798.80(e): email address (overlap with above), optional company name. We do not collect name, telephone number, signature, physical characteristics, or financial information through the website.
  • Commercial information(§1798.140(v)(1)(D)): account plan (e.g. “free” or “enterprise”) and records of API endpoints accessed plus quota usage.
  • Internet or other electronic network activity (§1798.140(v)(1)(F)): page views, referral sources, approximate geographic region derived from IP, and interactions with site features such as search queries.
  • Inferences (§1798.140(v)(1)(K)): aggregated usage patterns used to improve features (e.g. which dataset slugs see the most traffic). We do not build behavioral profiles of identified individuals.

We do not collect: biometric information, precise geolocation, audio / visual / sensory data, professional or employment information, education information, genetic information, or health information.

Sources

  • Directly from you: email, company name, and password when you sign up; correction or deletion requests you email to us.
  • Automatically from your browser: IP address, user-agent, referer, and page-view events. The first two are sent on every HTTP request as a normal part of the protocol; analytics events are only captured when the cookie banner has been accepted and Global Privacy Control is not active.
  • From service providers: PostHog and Sentry return aggregated dashboards built from events we send them. We do not buy or receive personal information from data brokers or third-party advertising networks.

Business and commercial purposes

Each category we collect is used for one or more of the following CCPA-permitted business purposes (§1798.140(e)):

  • Providing and operating the website and API.
  • Authenticating users and managing accounts.
  • Enforcing per-account API quotas and detecting abuse.
  • Sending transactional email — verification, password reset, security notifications. We do not send marketing email without explicit opt-in.
  • Site analytics: understanding which features and pages are used so we can improve them. Aggregate only.
  • Security, fraud prevention, and debugging.
  • Responding to legal requests and complying with applicable law.

We do not use personal information for purposes materially different from those disclosed here without updating this policy and, where required, obtaining your consent.

Categories of personal information disclosed

We disclose personal information to the following service providers, each bound by contract to use the information only on our behalf and not for their own marketing or other independent purposes:

  • Vercel (hosting): receives IP addresses, request headers, and request bodies in the normal course of serving the website. Identifier and internet-activity categories.
  • PostHog (product analytics): receives page-view events and aggregated usage data only for visitors who accepted the cookie banner and are not signaling GPC. Identifier and internet-activity categories.
  • Sentry (error tracking): receives exception stack traces, browser / runtime context, and URLs with sensitive query parameters scrubbed. Identifier (IP, when present) and internet-activity categories.
  • Transactional email provider: receives recipient email address and message body for verification, password reset, and security notification emails. Identifier category.

We do not serve third-party display advertising and set no advertising cookies. Public pages carry no ad-network tags.

Sale and sharing

We do not sell personal informationas “sell” is defined in Cal. Civ. Code §1798.140(ad). We have not sold personal information in the past 12 months and have no plans to.

Sharing under CPRA §1798.140(ah) means disclosing personal information to a third party for cross-context behavioral advertising, whether or not for monetary consideration. We do not sharepersonal information for cross-context behavioral advertising — the site serves no third-party ads. Should that ever change, we will add the required “Do Not Sell or Share My Personal Information” link before any ad network loads.

We honor the Global Privacy Control (GPC) browser signal. When your browser sends Sec-GPC: 1 or sets navigator.globalPrivacyControl to true, we treat the request as an opt-out of sale and sharing: the cookie banner does not show, third-party analytics scripts do not load, and server-side analytics captures are skipped. This happens whether or not you have an account.

Sensitive personal information

CPRA §1798.140(ae) defines a narrow set of categories as “sensitive” personal information. The only one that applies to us is account log-in in combination with the password (§1798.140(ae)(1)(B)): at signup we collect your email (the log-in identifier) and a hashed version of your password. We use this combination only to authenticate you to your account — not to infer characteristics, not for advertising, not disclosed to third parties for either purpose.

Because the use is limited to authenticating you and operating the service — a purpose specified in §1798.121(d) — the right to limit the use of sensitive personal information does not require a separate opt-out link in our case. You can still delete your account at any time from the Danger Zone on your account page, which removes the credential entirely.

We do not collect: Social Security number, driver license or state ID number, passport number, financial account numbers or credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, the contents of mail / email / text messages where we are not the intended recipient, genetic data, biometric identifiers, health information, or information about sex life or sexual orientation.

Cookies and similar technologies

  • Essential: session cookies for authentication (logged-in users only) and CSRF tokens. These cannot be disabled without breaking sign-in.
  • Analytics: PostHog cookies for aggregate site usage; loaded only after you accept the cookie banner. Vercel Analytics is cookieless but is also gated on the cookie banner.
  • Consent preference: a localStorage key (cookie_consent) that records your Accept or Reject choice so we don’t re-prompt on this device.

You can manage preferences through your browser settings, by clicking Reject in our cookie banner, or by enabling Global Privacy Control in your browser. Rejecting prevents the analytics cookies above from loading.

Data retention

  • Account data (email, hashed password, company name, account ID, plan): retained for the lifetime of the account. Deleted on account deletion.
  • API usage rows: retained for the lifetime of the account. Only the current calendar month is read for quota enforcement. Deleted on account deletion.
  • Server access logs (IP, user-agent, timestamp, path): 30 days.
  • Audit log entries (account creation, API key rotation, etc.): retained beyond account deletion with the customer ID severed (set to NULL), so the operational audit trail survives without remaining personally identifiable.
  • PostHog analytics events: retained per PostHog’s default retention; applies only to visitors who accepted the cookie banner.
  • Sentry error events: retained per Sentry’s default retention.

Your California privacy rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the CCPA as amended by the CPRA. You can exercise them at no cost and without penalty.

  • Right to know (§1798.110, §1798.115): the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties we have disclosed it to.
  • Right to delete (§1798.105): request deletion of personal information we have collected from you, subject to the narrow exceptions in §1798.105(d).
  • Right to correct (§1798.106): request correction of inaccurate personal information.
  • Right to opt out of sale or sharing (§1798.120): we do not sell or share personal information for cross-context behavioral advertising, and we honor Global Privacy Control as a valid opt-out request per §1798.135(b)(1).
  • Right to limit use of sensitive personal information (§1798.121): see the “Sensitive personal information” section above — we use the only sensitive category we collect (login + password) solely to authenticate you, which is a permitted use that does not require a separate limit link.
  • Right to non-discrimination (§1798.125): we will not deny service, charge different prices, or provide a different level of service because you exercised any of these rights.

How to exercise your rights. Email privacy@fastdol.comfrom the address associated with your account, or from any email address along with enough information for us to identify you, and describe what you’re asking for (know, delete, correct, opt-out, or limit). We verify your identity to the extent reasonably necessary and respond within 45 days, or notify you within 45 days if we need an additional 45-day extension as permitted by §1798.130(a)(2). Authorized agents may submit requests on your behalf with written authorization; for deletion requests we will verify directly with you.

Account-level shortcuts. You can delete your account end-to-end from the Danger Zone on your account page. Self-serve data export is on our roadmap; until then, email a know request to privacy@fastdol.com and we will return a JSON file containing your account row, API usage, and key inventory.

Request metrics. CCPA requires businesses processing the personal information of 10 million or more California residents in a calendar year to publish request-volume metrics. We are below that threshold and do not currently publish metrics; this will be reassessed annually.

Rights for visitors outside California

  • EU / UK residents (GDPR / UK-GDPR): rights of access, rectification, erasure, restriction, portability, and objection. Email privacy@fastdol.com. We respond within 30 days.
  • Everyone else: we extend the same access, correction, and deletion rights to all users regardless of jurisdiction. Same email, same 30-day target.
  • Opt out of analytics: click Reject in the cookie banner, or enable Global Privacy Control in your browser. Both result in PostHog and Vercel Analytics not loading.

What we don’t do

  • We do not sell your personal account data (email, search queries, API usage).
  • We do not share your search queries with third parties.
  • We do not use your account data for ad targeting on FastDOL or anywhere else.

FastDOL serves no third-party advertising and runs no ad-network cookies on any page.

Employer data

FastDOL aggregates publicly available federal data from every major US federal agency plus the UVA Corporate Prosecution Registry (an academic source). This data is published by U.S. federal agencies and is public record. FastDOL normalizes and aggregates it but does not create or modify the underlying government records. The employer dataset does not contain personal information about individual executives, owners, or employees — only employer-entity data (EIN, business name, NAICS, violation counts, etc.). To request correction or removal of an incorrectly-attributed record on a profile, email corrections@fastdol.com.

Contact

Privacy questions or data requests: privacy@fastdol.com

General support: support@fastdol.com