DoNotContact.net - Stop Political Spam Texts & Emails

1. Overview
2. Data Minimization Philosophy
3. Consent Management and Audit Trails
4. Information We Collect
5. How We Use Your Information
6. Data Sharing and Disclosure
7. Compliance Alliance Network
7. Service Communications
8. Your Privacy Rights
9. Data Retention and Deletion
10. Security Measures
10. International Data Transfers
11. Cookies and Analytics
12. Children's Privacy
13. Changes to This Policy
14. Data Breach Notification
15. Contact Information
16. Regulatory Compliance

1. Overview

Beag, Inc. ("we," "us," or "our") operates DoNotContact.net and is committed to protecting your privacy while providing a subscription-based suppression list service. This Privacy Policy explains how we collect, use, disclose, and protect your information in compliance with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and other applicable privacy laws.

2. Data Minimization Philosophy

We operate on a privacy-first, data-minimization approach:

Payment processing data is handled separately by Stripe according to industry standards
We cannot reverse-engineer these hashes to reveal your actual contact information
We collect only the minimum data necessary to provide our suppression list service
We use cryptographic hashing to store only anonymized versions of your email addresses and phone numbers in our suppression systems

3. Consent Management and Audit Trails

Immutable Consent Records

We maintain permanent, tamper-proof records of your consent for regulatory compliance and audit purposes:

Consent method: How consent was provided (website signup, payment completion)
Consent timestamp: Exact date and time of agreement
IP address: Location and technical details of consent
Policy version: Specific version of terms and privacy policy agreed to
User agent: Browser and device information

Regulatory Compliance

These records are maintained for 7 years minimum to satisfy audit requirements under CCPA, GDPR, MDOPA, and other applicable privacy regulations. Records cannot be altered after creation, ensuring audit integrity.

4. Information We Collect

Personal Information Categories (CCPA)

Category	Examples	Collected	Business Purpose
Biometric Information	None	No	N/A
Commercial Information	Subscription type, payment status, billing history	Yes	Service delivery, billing, account management
Financial Information	Payment method details, billing address (collected and processed by Stripe)	Yes	Payment processing, fraud prevention
Geolocation	None	No	N/A
Hashed Identifiers	Cryptographically hashed versions of email addresses and phone numbers (stored in our systems)	Yes	Suppression service, identity verification for opt-out requests
Identifiers	Email addresses, phone numbers, billing address (collected and stored by Stripe)	Yes	Payment processing, account management, billing, fraud prevention, service communications, targeted advertising
Internet Activity	IP address, browser information, usage patterns, website analytics data, system performance metrics	Yes	Security, fraud prevention, system optimization, service analytics, product improvement

Specific Data Elements

Account Information

• User ID (randomly generated)
• Subscription type (monthly/yearly)
• Account status and creation date
• Consent timestamp and language

Subscription Data

• Stripe payment intent IDs
• Billing dates and subscription status
• Grace period information

Compliance Data

• Exact opt-in consent language
• Consent source and timestamp
• Communication preferences

5. How We Use Your Information

Primary Business Purpose

Your hashed identifiers are shared with approved political campaigns and organizations for suppression purposes only - to help them avoid sending you unwanted political communications.

Specific Uses

1
Compliance: Meeting legal obligations and audit requirements
2
Identity Verification: Confirming your identity for data access requests
3
Product Development: Performance monitoring, error tracking, and feature optimization to enhance user experience
4
Security: Preventing fraud and unauthorized access
5
Service Analytics: Understanding usage patterns to improve our service (using anonymized and aggregated data when possible)
6
Service Communications: Sending confirmations, reports, and account updates
7
Service Marketing: We may occasionally show you ads for our additional services using your hashed data
8
Suppression List Service: Sharing hashed identifiers with campaigns to perform the service you hired us for

6. Data Sharing and Disclosure

Third-Party Recipients

Political Campaigns

What we share: Only hashed identifiers (email/phone hashes)
Purpose: To perform the suppression service you hired us for
Business necessity: Data sharing is essential to provide the service you subscribed to

Service Providers

Stripe: Payment processing (collects billing information, email, phone, and address as required for payment processing and account management)
AWS: Cloud infrastructure and data storage

Note: We have eliminated all email and SMS service providers to maintain our zero-messaging principle.

Privacy Architecture: While Stripe collects and stores your payment and contact information (as required for payment processing), our suppression service is designed to use only cryptographic hashes, ensuring political campaigns never see your actual contact details.

Legal Disclosures

We may disclose information when required by law, court order, or regulatory request.

7. Compliance Alliance Network

What is the Compliance Alliance?

The Compliance Alliance is our revolutionary network that enables bidirectional data sharing between political campaigns, list rental vendors, and marketing organizations. This creates a comprehensive ecosystem for suppression, deliverability intelligence, and list quality management.

Network Members: Political campaigns, marketing vendors, list rental companies
Data Types: Suppression lists, bounce data, deliverability scores, list quality metrics
Privacy Protection: All data exchange uses SHA-256 hashed identifiers only
Bidirectional Benefits: Enhanced suppression plus proactive deliverability intelligence

How Data Sharing Works

1. Core Service Distribution

When you request suppression service, your hashed identifiers are shared with political campaigns as requested by you to perform the service you paid for.

2. Alliance Network Distribution (Outbound)

Your hashed identifiers are also shared with approved Alliance members (campaigns, vendors, list companies) for enhanced suppression coverage across the marketing ecosystem.

3. Alliance Intelligence Collection (Inbound)

Alliance members share back anonymized data including bounce rates, deliverability metrics, and list quality indicators to help us improve service quality and provide deliverability scoring.

4. Enhanced Protection Services

We may provide deliverability scores and list quality insights to help campaigns identify potentially problematic contacts, reducing spam complaints and improving overall email ecosystem health.

5. Privacy Protection

All data sharing - in both directions - uses only anonymous SHA-256 hashes. Your actual email addresses and phone numbers remain completely private and are never shared with any third party.

Alliance Member Requirements

All Compliance Alliance members must agree to strict data usage and privacy requirements:

Suppression Only: Data may ONLY be used for suppression list purposes
No Reverse Engineering: Members cannot attempt to decrypt or reverse-engineer hashes
Security Standards: Must maintain appropriate data security measures
Compliance Reporting: Regular reporting on suppression implementation
Data Deletion: Must delete data upon request or campaign/contract completion

7. Service Communications

Communication Rights

We may contact you using information collected during account setup for business purposes, including:

Account security: Password resets, security alerts, breach notifications
Legal compliance: Privacy requests, data access, policy updates
Service delivery: Billing issues, service updates, technical support
Marketing communications: Service updates, new features, promotional offers (opt-in basis)
Advertising: Social media advertising, targeted marketing using hashed identifiers

All communications comply with CAN-SPAM, TCPA, and applicable regulations. Marketing communications require explicit opt-in and include easy unsubscribe options.

8. Your Privacy Rights

California Consumer Privacy Rights (CCPA/CPRA)

Right to Know

Request information about what personal information we collect, use, and share

Right to Access

Obtain a copy of your personal information

Right to Delete

Request deletion of your personal information (subject to legal retention requirements)

Right to Correct

Request correction of inaccurate personal information

Right to Opt-Out

Opt out of the sale/sharing of personal information

Right to Non-Discrimination

Not receive discriminatory treatment for exercising privacy rights

How to Exercise Your Rights

Privacy Request Portal: Use our comprehensive privacy request API:

• POST /privacy/request with request_type="right_to_know" for information about data collection
• POST /privacy/request with request_type="right_to_access" to access your data
• POST /privacy/request with request_type="right_to_delete" to request deletion
• POST /privacy/request with request_type="right_to_correct" to request corrections
• POST /privacy/request with request_type="right_to_opt_out" to stop data sharing

Legacy Data Access:

• POST /user/data to view your data (same as right_to_access)
• POST /user/export to download your complete data file

Identity Verification: We use payment-based verification with your Stripe payment intent ID to confirm your identity securely without sending emails or SMS.

Response Timeframes

Acknowledgment: Within 10 business days
Response: Within 45 days (may extend to 90 days for complex requests)

9. Data Retention and Deletion

Retention Periods

Active Subscribers

Data retained while subscription is active

Cancelled Subscriptions

30-day grace period, then archived

Legal Compliance

Up to 7 years for audit and compliance purposes

Privacy Request Records

Audit logs retained for 7 years (personal identifiers removed)

Automated Deletion

We implement automated data retention policies to ensure data is not kept longer than necessary.

10. Security Measures

Technical Safeguards

Access Controls: Least-privilege access with multi-factor authentication
Encryption: All data encrypted at rest using AWS KMS
Hashing: Personal identifiers stored only as irreversible SHA-256 hashes
Network Security: TLS encryption for all data in transit

Organizational Safeguards

Annual security assessments
Incident response procedures
Regular security training for staff
Vendor security requirements

10. International Data Transfers

Our services are primarily for US-based users. Data is stored in AWS US data centers with appropriate security measures.

11. Cookies and Analytics

Essential Cookies

We use minimal cookies for:

Session management and authentication
Security and fraud prevention
User preferences and settings

Analytics and Performance

We may collect anonymized analytics data to improve our service:

Website usage patterns and performance metrics
Feature usage and user experience analytics
System performance and error monitoring
Service optimization and product improvement

Privacy-First Analytics

When possible, we use privacy-preserving analytics techniques including data anonymization, aggregation, and minimal data collection. We do not use advertising technologies or cross-site tracking.

12. Children's Privacy

Our service is not intended for children under 16. We do not knowingly collect personal information from children.

13. Changes to This Policy

We will notify users of material changes via:

Website notice and banner notifications
In-app notifications when you log in
Customer Portal notifications (via Stripe)
Direct communication for legally required notifications (when necessary)

Our Approach: We prioritize non-intrusive notification methods and maintain minimal communication consistent with our privacy-first philosophy. Direct communication is reserved for essential legal compliance purposes only.

14. Data Breach Notification

In the event of a security incident:

Users

Notified within 72 hours if high risk (via website notice and Customer Portal)

Regulators

Notified as required by law

Transparency

Annual transparency reports

Note: User notifications will be posted on our website and in the Stripe Customer Portal, maintaining our commitment to not sending unsolicited messages.

15. Contact Information

Privacy Officer

privacy@donotcontact.net

General Support

support@donotcontact.net

Data Protection Officer

dpo@donotcontact.net

Mailing Address

PO Box 5
Millersville, MD 21108

16. Regulatory Compliance

This policy is designed to comply with:

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
Federal Trade Commission (FTC) privacy and data security guidelines
General Data Protection Regulation (GDPR) principles and standards
Maryland Online Data Protection Act (MDOPA): As a Maryland-based company, we comply with all state privacy requirements
Telephone Consumer Protection Act (TCPA) and CAN-SPAM Act requirements

Compliance Commitment

DoNotContact.net is operated by Beag, Inc. (Maryland), which has experience managing millions of records and hundreds of millions of communications annually. We apply enterprise-grade compliance standards to ensure your data protection.

Our immutable consent tracking and audit trail systems are designed to satisfy the most stringent regulatory requirements and provide complete transparency for any compliance audits.

This privacy policy demonstrates our commitment to transparency and data protection while enabling our core service of political communication suppression.

Privacy Policy

Table of Contents