Effective Date and Scope
This Privacy Policy ("Policy") is effective as of April 6, 2026, and was last revised on May 18, 2026. This Policy supersedes all prior versions and shall govern the collection, use, disclosure, and retention of Personal Information as defined herein.
This Policy applies to all Users of BusinessGuard (the "Service"), a private, subscription-based, business-to-business platform operated exclusively for verified business entities. The Service is not accessible to the general public and requires Employer Identification Number ("EIN") verification as a condition of Account registration.
The Service is owned and operated by Silvey & Co. (the "Company," "we," "us," or "our"), a Texas limited liability company. All references to "Company" herein shall mean Silvey & Co. and its authorized agents, successors, and assigns.
By creating, accessing, or maintaining a verified business Account on the Service, You (the "User") acknowledge that You have read, understood, and agree to be bound by the terms of this Policy. To the extent that You access or use the Service on behalf of a business entity, You represent and warrant that You have the authority to bind such entity to this Policy.
Business Account Information: The Company collects information necessary to establish and maintain verified-business access, including, without limitation, business legal name, Employer Identification Number (EIN), primary contact email address, and authorized representative identification details.
Structured Incident Records: The Service collects structured report data submitted by Users through the platform, including, without limitation, evidence links, category classifications, moderation status indicators, and associated metadata.
Minimized Customer Identifiers: The Service processes customer identifiers solely for the purposes of scoped lookup and internal record matching. All customer identifiers are irreversibly hashed using SHA-256 with a per-environment cryptographic pepper prior to storage. The Company does not persist raw customer personally identifiable information ("PII") in any database or data store.
Billing and Subscription Data: Payment and subscription information is processed through our third-party payment processor, Stripe, Inc. The Company does not store, retain, or have access to full payment card numbers on its servers or infrastructure.
Operational and Audit Data: The Company maintains operational logs, audit trail records, dispute and correction request documentation, and moderation action histories in connection with the administration of the Service.
Device and Technical Metadata: The Service automatically collects certain device and browser metadata upon User access, including, without limitation, Internet Protocol (IP) address, browser type and version, operating system, and access timestamps.
Cookie and Tracking Technology Data: The Service collects data through cookies and similar tracking technologies as further described in the "Cookies and Tracking Technologies" section of this Policy.
Purposes of Data Processing
To operate and administer the Service, including the provisioning of the private business workspace, enforcement of verified-business access controls, and delivery of core platform functionality as described in the applicable Terms of Service.
To facilitate the review of report accuracy, resolution of disputes, processing of correction requests, and maintenance of a complete and auditable record of all such actions.
To protect the Service and its Users from abuse, fraud, unauthorized access, and violations of applicable policies, including through the implementation of rate limiting, security monitoring, and automated threat detection mechanisms.
To process billing transactions, administer subscription management, and transmit Account-related notices and communications to Users.
To respond to and process customer support inquiries, legally sensitive notices (including, without limitation, takedown requests), and correction or dispute handling procedures.
To improve the reliability, performance, and availability of the Service, including the diagnosis of technical issues and monitoring of system health and service metrics.
Notwithstanding the foregoing, the Company does not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on any individual, as those terms are defined under applicable data protection laws.
Legal Basis for Processing
Contract Performance: Processing that is necessary for the performance of the agreement between the Company and the User for the provision of the Service, including, without limitation, Account management, report submission, dispute resolution, and related administrative functions.
Legitimate Interest: Processing that is necessary for the purposes of the Company's legitimate interests, including platform security, fraud prevention, service improvement, and the maintenance of audit integrity, in each case balanced against and not overriding the fundamental rights and freedoms of the data subject.
Legal Obligation: Processing that is required to comply with applicable laws, regulations, or legal process, to respond to lawful requests from governmental authorities, and to establish, exercise, or defend legal claims or maintain records as required by law.
Consent: Where required by applicable law, certain processing activities (such as the deployment of optional analytics cookies or the transmission of marketing communications) shall be conducted solely on the basis of the User's freely given, specific, informed, and unambiguous consent. You may withdraw Your consent at any time without affecting the lawfulness of processing conducted prior to such withdrawal.
Restrictions on Use of the Service
The Service shall not operate as, nor shall it be construed as, a public customer directory, consumer reporting agency, or public-facing search engine. No customer-identifying information is published or made accessible to the general public.
The Company does not store raw customer PII in any form. All customer identifiers processed by the Service are subjected to irreversible cryptographic hashing prior to storage, ensuring that raw PII cannot be reconstructed or recovered.
The Service does not permit the submission or storage of unnecessary sensitive personal data, including, without limitation, information relating to health conditions, biometric identifiers, racial or ethnic origin, or religious beliefs, except to the extent expressly authorized under applicable platform policies.
The Service is not designed, intended, or authorized for use as a factor in employment screening, housing decisions, consumer credit determinations, insurance underwriting, government-benefit eligibility assessments, or any other purpose governed by the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) or comparable state laws.
The Company does not sell Personal Information, as that term is defined under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act).
The Company does not share Personal Information with third parties for the purpose of cross-context behavioral advertising, as defined under applicable state and federal privacy laws.
Data Broker Status
The Company has assessed its obligations under the California Delete Act (Cal. Civ. Code § 1798.99.80 et seq.) and comparable state data broker registration laws. The Company does not believe it qualifies as a "data broker" because (a) all customer identifiers processed by the Service are subjected to irreversible cryptographic hashing with a per-environment pepper prior to storage, such that raw personal information is not retained and cannot be recovered; (b) the Service is available only to verified business subscribers, not to the general public; and (c) access to the Service is provided under a direct contractual relationship with each subscribing business. The Company will re-evaluate this determination if its data practices or applicable law materially change.
Third-Party Service Providers (Sub-Processors)
Supabase, Inc. (Authentication and Database Hosting): Supabase processes Account credentials, session data, and platform records on behalf of the Company pursuant to a data processing agreement. Supabase acts as a sub-processor and is contractually obligated to process User Data solely in accordance with the Company's instructions.
Stripe, Inc. (Payment Processing): Stripe processes billing information, payment transactions, and subscription management data. Stripe's collection, use, and protection of payment data is governed by Stripe's own privacy policy, and Users are encouraged to review such policy independently.
Upstash, Inc. (Rate Limiting and Caching): Upstash processes request metadata for the purposes of abuse prevention, rate limiting enforcement, and performance optimization. Upstash acts as a sub-processor subject to contractual data protection obligations.
Resend, Inc. (Email Communications): Resend processes User email addresses and business names solely for the purpose of delivering waitlist communications and product announcements. Resend acts as a sub-processor and is contractually obligated to process data solely as instructed by the Company.
Cloudflare, Inc. (Bot Protection and CAPTCHA Services): Cloudflare processes device and browser metadata, interaction data, and IP address information through its Turnstile service for the purpose of distinguishing legitimate Users from automated bot traffic. Cloudflare acts as a sub-processor and processes data solely for fraud prevention and abuse detection in accordance with its data processing addendum.
Vercel, Inc. (Application Hosting and Edge Delivery): Vercel processes request logs and serves the platform infrastructure. Vercel acts as a sub-processor and processes data in accordance with its data processing addendum.
The Company requires all third-party service providers to process Personal Information solely as instructed by the Company, to implement and maintain appropriate technical and organizational security measures, and to return or securely delete all Personal Information upon termination or expiration of the applicable processing relationship.
Under no circumstances shall the Company sell, rent, lease, or otherwise transfer Personal Information to any third party for such third party's own independent commercial use.
Cookies and Tracking Technologies
The Service employs cookies and similar tracking technologies, which are categorized as follows: (i) Necessary Cookies, which support authentication, session management, and security functions; (ii) Functional Cookies, which store User preferences and configuration settings; (iii) Analytics Cookies, which collect aggregated usage data and behavioral patterns; and (iv) Marketing Cookies, which may be deployed where applicable and with appropriate consent.
Necessary Cookies are strictly required for the operation of the Service and cannot be disabled by the User. These cookies include, without limitation, session authentication cookies configured with HttpOnly and SameSite=Strict attributes to mitigate cross-site request forgery and session hijacking risks.
Users may manage their cookie preferences through the cookie settings interface provided on the Service. Analytics Cookies and Marketing Cookies shall only be deployed with the User's prior consent to the extent required by applicable law, including, without limitation, the ePrivacy Directive (Directive 2002/58/EC, as amended) and comparable domestic legislation.
Data Retention
Active Account Data: Personal Information associated with an active business Account shall be retained for the duration of the Account's active status and good standing, subject to the retention periods specified herein.
Audit and Moderation Records: Audit logs and moderation action records shall be retained for a period of seven (7) years from the date of creation to support legal compliance obligations, dispute resolution proceedings, and platform integrity requirements.
Withdrawn or Restricted Reports: Reports that have been withdrawn or placed in a restricted state shall be retained in a non-public, access-controlled state for a period of ninety (90) days, after which such records shall be permanently and irreversibly deleted, unless subject to an active legal hold or preservation obligation.
Billing and Transaction Records: Financial transaction records, invoices, and related billing documentation shall be retained for a period of seven (7) years pursuant to applicable tax, financial reporting, and regulatory retention requirements.
Account Closure: Upon closure of a User's Account, the Company shall delete or irreversibly anonymize the User's Personal Information within thirty (30) calendar days, except to the extent that retention is required by applicable law, regulation, or court order, or the data is subject to an active dispute, legal hold, or ongoing investigation.
Waitlist Communications Data: If You join the waitlist, the Company retains Your email address and business name to send waitlist updates. When You unsubscribe, the Company records the date of Your unsubscribe request and stops sending You communications. Within thirty (30) calendar days of Your unsubscribe request, the Company permanently deletes Your email address and business name from its waitlist records. The Company permanently retains a one-way, irreversible cryptographic value derived from Your email address (a SHA-256 keyed hash that cannot be reversed or used to recover Your email address) together with the date of Your unsubscribe request. This one-way value is retained indefinitely for the sole purpose of honoring Your unsubscribe request — it allows the Company to recognize and suppress Your email address so that You are not re-added to the waitlist or contacted again, and it is not used for any marketing, profiling, or other purpose. This practice is maintained to comply with the suppression-record requirements of the federal CAN-SPAM Act (15 U.S.C. § 7704(a)(4)) and constitutes a permitted retention of suppression data recognized under applicable data protection law.
Your Rights
Right of Access: Subject to applicable law, You may request that the Company provide a copy of the Personal Information it maintains in connection with Your business Account. The Company shall respond to verified access requests in accordance with the timeframes specified herein.
Right to Rectification: You may request that the Company correct or complete any Personal Information that is inaccurate, incomplete, or misleading, to the extent such information pertains to Your Account or associated records.
Right to Erasure: You may request the deletion of Your Personal Information, subject to the Company's legal retention obligations, active dispute holds, preservation orders, and any other exceptions recognized under applicable law.
Right to Data Portability: You may request a copy of the Personal Information You provided to the Company in a structured, commonly used, and machine-readable format, to the extent such portability is technically feasible and required under applicable data protection law.
Right to Opt Out: You may opt out of the sale or sharing of Personal Information, as those terms are defined under applicable law. Notwithstanding the foregoing, the Company does not currently sell or share Personal Information as defined by the California Consumer Privacy Act or comparable state privacy statutes.
Right to Non-Discrimination: The Company shall not deny the Service, impose different pricing, or provide a materially different level of service quality to any User on the basis that such User exercised any privacy right conferred by applicable law.
To exercise any right described in this section, You shall submit a verifiable request to the Company at privacy@thebusinessguard.com. The Company shall verify the identity of the requesting party and shall respond to all verified requests within forty-five (45) calendar days of receipt.
In the event that the Company denies a request in whole or in part, You may appeal such denial by submitting a written appeal to privacy@thebusinessguard.com with the subject line "Privacy Rights Appeal." The Company shall respond to all appeals within sixty (60) calendar days of receipt.
California Privacy Rights (CCPA/CPRA)
This section applies solely to natural persons who are residents of the State of California, as defined under the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"). California residents are entitled to the rights set forth in the "Your Rights" section above, in addition to the supplemental disclosures provided herein.
Categories of Personal Information Collected in the Preceding Twelve (12) Months: (i) Identifiers, including business legal name, contact email address, and Employer Identification Number; (ii) Commercial Information, including subscription records and billing transaction history; (iii) Internet or Other Electronic Network Activity Information, including access logs and device metadata; and (iv) Professional or Employment-Related Information, including authorized business representative details.
The Company collects and processes Personal Information for the business purposes enumerated in the "Purposes of Data Processing" section of this Policy. The Company does not sell or share Personal Information, as those terms are defined under the CCPA.
The Company does not use or disclose Sensitive Personal Information for purposes beyond those necessary to perform the Service or as otherwise permitted under Section 1798.121 of the California Civil Code.
You may designate an authorized agent to submit a privacy rights request on Your behalf pursuant to Cal. Civ. Code § 1798.185(a)(7). Any such agent must present a valid written authorization executed by You, and the Company reserves the right to require identity verification from both You and the designated agent prior to processing the request.
Other State Privacy Rights
Texas residents have rights under the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code § 541.001 et seq.). Residents of Virginia (Va. Code § 59.1-575 et seq.), Colorado (C.R.S. § 6-1-1301 et seq.), Connecticut (Conn. Gen. Stat. § 42-515 et seq.), Utah, Oregon, Montana, Florida, Iowa, Delaware, Tennessee, New Hampshire, New Jersey, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island, along with residents of any other state that has enacted comprehensive consumer privacy legislation, possess rights substantially similar to those described in the "Your Rights" section of this Policy, including the rights of access, correction, deletion, and data portability, subject to the exceptions and limitations set forth under the respective state statutes.
Notwithstanding the foregoing, the Company may qualify as a "small business" under the federal Small Business Administration size standards incorporated by reference in Tex. Bus. & Com. Code § 541.002, in which case certain TDPSA obligations may not apply. The Company will honor all verifiable rights requests regardless of applicable size thresholds.
To the extent required by applicable state law, the Company shall honor universal opt-out preference signals, including, without limitation, the Global Privacy Control (GPC), as a valid mechanism for opting out of the sale of Personal Information and targeted advertising, as those terms are defined under the applicable state privacy law.
If You are a resident of a state with comprehensive privacy legislation and the Company denies Your request in whole or in part, You may appeal such denial in accordance with the appeal procedures set forth in the "Your Rights" section of this Policy. The Company shall process all appeals in compliance with the applicable state statutory requirements.
Data Breach Notification
In the event of a security breach involving Personal Information that triggers notification obligations under applicable federal or state law, the Company shall notify affected individuals in the most expedient time possible and without unreasonable delay, and in no event later than as required by the applicable state statute.
The Company shall also notify applicable regulatory authorities as required by law.
Notification shall include, at a minimum, the nature of the breach, the categories of Personal Information affected, and the steps the Company is taking in response.
The Company maintains an incident response plan and shall conduct a post-incident review following any confirmed breach to identify root causes and implement appropriate remedial measures.
International Data Transfers
The Service is operated from and data is stored in the United States. If You access the Service from a jurisdiction outside the United States, You acknowledge that Your Personal Information will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those of Your jurisdiction.
The Company processes data in the United States through sub-processors that maintain appropriate technical and organizational security measures as described in this Policy.
If You are located in the European Economic Area, the United Kingdom, or Switzerland, the Company will implement appropriate safeguards for international data transfers as required by applicable law. Where commercially necessary, the Company may rely on (a) its certification to the EU-US Data Privacy Framework and, where applicable, the UK Extension and the Swiss-US Data Privacy Framework, (b) Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914), or (c) other legally recognized transfer mechanisms. The Company is not currently certified to the Data Privacy Framework; if the Company seeks such certification in the future, this Policy shall be updated accordingly.
Children's Privacy
The Service complies with the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. § 6501 et seq., with respect to children under the age of thirteen (13), and extends equivalent protections to all individuals under the age of sixteen (16) consistent with the California Consumer Privacy Act, Cal. Civ. Code § 1798.120(c).
The Service is a business-to-business platform that requires EIN verification as a prerequisite to Account registration. The Service is not directed at, designed for, nor intended to collect Personal Information from, children under the age of sixteen (16). No portion of the Service is structured or marketed to appeal to minors.
The Company does not knowingly collect, solicit, or retain Personal Information from any individual under the age of sixteen (16). In the event that the Company becomes aware that it has inadvertently collected Personal Information from a child under the age of sixteen (16), the Company shall promptly delete such information from its systems and records.
If You have reason to believe that a child under the age of sixteen (16) has provided Personal Information to the Service, You should contact the Company immediately at privacy@thebusinessguard.com so that the Company may take appropriate remedial action.
Data Security
The Company implements and maintains commercially reasonable administrative, technical, and organizational security measures designed to protect Personal Information against unauthorized access, disclosure, alteration, or destruction. Such measures include, without limitation, encrypted communications via Transport Layer Security (TLS), secure session management utilizing HMAC-signed HttpOnly cookies with SameSite=Strict attributes, and role-based access controls.
All customer identifiers are subjected to irreversible one-way hashing (SHA-256 with cryptographic pepper) such that, even in the event of a security incident or data breach, raw customer PII cannot be reconstructed, decrypted, or otherwise recovered from the Company's systems.
API credentials issued through the Service are cryptographically hashed prior to storage. The Company does not log, display, or retain API keys in plaintext form subsequent to their initial issuance.
The Company conducts periodic security assessments and maintains rate limiting, anomaly detection, and abuse prevention mechanisms designed to protect the Service against unauthorized access, denial-of-service attacks, and other security threats.
Notwithstanding the foregoing, no method of electronic transmission or storage is completely secure, and the Company cannot guarantee absolute security of Personal Information. The Company's obligation hereunder is limited to implementing and maintaining commercially reasonable security measures consistent with industry standards for comparable services.
Correction, Disputes, and Moderation
Upon receipt of a dispute or correction request, the Company may place the subject report in a restricted review status pending investigation by the Company's moderation team. During such review period, the report shall not be accessible to other Users of the Service.
Records that have been withdrawn or placed in a restricted state shall remain subject to the Company's internal retention, audit trail, and legal hold obligations as described in the "Data Retention" section of this Policy.
Users shall ensure that all content submitted to the Service is limited to relevant, verifiable facts, is accurate to the best of the submitting party's knowledge, and is subject to review and correction in accordance with the Company's moderation policies.
All moderation actions taken by the Company are logged and maintained as part of the Service's audit trail. For additional details regarding the dispute, correction, and appeal processes, Users should consult the Moderation and Corrections page accessible through the Service.
Changes to This Policy
The Company reserves the right to amend, modify, or supplement this Policy at any time in its sole discretion, to reflect changes in the Company's data processing practices, applicable legal or regulatory requirements, or the features and functionality of the Service.
In the event of any material change to this Policy, the Company shall provide notice to Users by electronic mail or by posting a prominent notice on the Service not fewer than thirty (30) calendar days prior to the effective date of such change. For purposes of this section, a "material change" shall mean any modification that materially affects the collection, use, disclosure, or retention of Personal Information.
Your continued access to or use of the Service following the effective date of any amendment to this Policy shall constitute Your acceptance of and agreement to be bound by the amended Policy. If You do not agree to the terms of the amended Policy, Your sole remedy shall be to discontinue use of the Service and close Your Account.
The "Last Updated" date set forth at the beginning of this Policy indicates the date on which this Policy was most recently revised.
For all inquiries, requests, or complaints relating to privacy, data protection, data subject rights, or this Policy, You may contact the Company at: privacy@thebusinessguard.com.
For general customer support, Account administration, or non-privacy-related inquiries, You may contact the Company at: support@thebusinessguard.com.
Silvey & Co. serves as the data controller (or, where applicable under state law, the "business" or "controller") responsible for the processing of Personal Information collected through the Service. The Company is solely responsible for determining the purposes and means of processing Personal Information in connection with the Service.
Data Protection Safeguards
All customer identifiers are subjected to irreversible one-way cryptographic hashing prior to storage. Raw customer PII is not persisted in the Company's databases or data stores at any time.
Reports are structured and bounded by design. The Service does not provide free-form text fields that could result in the inadvertent disclosure of Sensitive Personal Information.
Users shall limit submitted content to the minimum relevant facts necessary for internal business review purposes.
Dispute, correction, and takedown requests shall be submitted through the Moderation and Corrections interface provided within the Service.
To exercise Your data subject rights pursuant to this Policy, direct all inquiries to privacy@thebusinessguard.com.