1. Introduction & Data Controller

Welcome to FranchiseStack ("we," "us," "our," or the "Company"). FranchiseStack is operated by Steeled Inc., a Delaware Corporation. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy describes how we collect, use, process, and share information about you when you access or use our website located at franchisestack.ai (the "Site"), our AI-powered franchise intelligence platform, and any related services, tools, or features we offer (collectively, the "Services").

For the purposes of applicable data protection laws, the data controller responsible for your personal information is:

Data Controller: Steeled Inc., a Delaware Corporation
Email: franchisestack@polsia.app

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the practices described in this Privacy Policy, please do not use our Services. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

This Privacy Policy applies to all visitors, users, and others who access or use the Services, regardless of where you are located. Certain sections of this Privacy Policy apply specifically to residents of the European Economic Area (EEA), United Kingdom (UK), or the State of California, and are identified accordingly.

2. Information We Collect

We collect information in several ways depending on how you interact with our Services. The types of information we collect fall into the following categories:

2.1 Personal Information You Provide

When you create an account, subscribe to our platform, request information, or otherwise interact with our Services, you may voluntarily provide us with the following types of personal information:

  • Account Information: Your name, email address, telephone number, and password when you register for an account.
  • Profile Information: Professional background, industry experience, geographic location, and other details you choose to include in your investor profile.
  • Franchise Preferences: Your preferred franchise categories, industry sectors, geographic regions of interest, ownership models (e.g., single-unit, multi-unit, semi-absentee, absentee), and operational preferences that you provide to enable our AI matching system to deliver relevant franchise recommendations.
  • Financial Information for Profiling: Investment capital range, net worth range, liquid capital availability, desired ROI targets, risk tolerance, and financing preferences. This information is used exclusively for franchise matching and profiling purposes and is not used to process payments. We do not store complete bank account numbers or credit card numbers on our systems.
  • Payment Information: When you make a purchase or subscribe to a paid plan, your payment information (such as credit card number, billing address, and related details) is collected and processed directly by our third-party payment processor, Stripe. We do not store your full payment card details on our servers.
  • Communications: Any messages, inquiries, feedback, or other communications you send to us via email, contact forms, or other channels.
  • Due Diligence Data: Information you enter into our due diligence tracking tools, including notes from validation calls, discovery day observations, and franchise evaluation criteria.

2.2 Information Collected Automatically

When you access or use our Services, we automatically collect certain information about your device and usage patterns, including:

  • Device Information: Device type, operating system, browser type and version, screen resolution, language settings, and unique device identifiers.
  • Usage Data: Pages visited, features used, time spent on pages, click patterns, search queries within our platform, franchise profiles viewed, reports generated, and other interactions with the Services.
  • Log Data: Internet Protocol (IP) address, access times and dates, referring/exit URLs, and server log information.
  • Location Data: Approximate geographic location derived from your IP address. We do not collect precise geolocation data unless you explicitly grant permission.

2.3 Information from Third Parties

We may receive information about you from third-party sources, including:

  • Authentication Providers: If you choose to sign in using a third-party service (such as Google), we may receive your name, email address, and profile picture associated with that account.
  • Analytics Partners: We may receive aggregated or de-identified data from analytics providers to help us understand how users interact with our Services.
  • Franchise Data Sources: Publicly available franchise information from regulatory filings, franchise disclosure documents (FDDs), and industry databases that we use to power our intelligence platform.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery and Operations

  • To create and manage your account, authenticate your identity, and provide access to the Services.
  • To deliver the franchise intelligence features you have requested, including franchise profiles, FDD analysis reports, ROI calculations, and territory intelligence.
  • To process transactions, manage subscriptions, and fulfill orders for paid features or reports.
  • To provide customer support and respond to your inquiries, requests, and feedback.
  • To maintain, operate, and improve the functionality, performance, and reliability of our Services.

3.2 AI Matching and Personalization

  • To build and maintain your investor profile based on the financial information, franchise preferences, and other data you provide.
  • To power our AI franchise matching engine, which analyzes your investor profile against thousands of franchise opportunities and generates personalized match scores and recommendations.
  • To personalize your experience on the platform, including displaying relevant franchise categories, tailored insights, and customized reports.
  • To refine and improve the accuracy of our AI matching algorithms over time based on aggregated usage patterns and feedback.

3.3 Analytics and Platform Improvement

  • To analyze usage trends, monitor aggregate platform performance, and understand how users interact with different features.
  • To conduct research and development for new features, tools, and enhancements to the platform.
  • To generate aggregated, de-identified statistics about franchise industry trends, user preferences, and market demand (which cannot be used to identify individual users).
  • To detect, prevent, and address technical issues, bugs, and errors in the Services.

3.4 Communications

  • To send you transactional emails related to your account, including registration confirmations, subscription receipts, and security alerts.
  • To send you informational communications about new features, franchise insights, platform updates, and educational content related to franchise investing, where you have opted in to receive such communications.
  • To send you marketing communications about our Services, promotions, or events, subject to your consent where required by law. You may opt out of marketing emails at any time by clicking the "unsubscribe" link in any marketing email or by contacting us at franchisestack@polsia.app.

3.5 Legal and Compliance

  • To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
  • To enforce our Terms of Service and other agreements.
  • To protect the rights, property, safety, and security of FranchiseStack, our users, and the public.
  • To detect, prevent, or otherwise address fraud, security incidents, or technical issues.

4. AI Processing & Automated Decision-Making

FranchiseStack uses artificial intelligence and automated processing as a core part of our franchise intelligence platform. We believe in transparency about how AI processes your data and the decisions it influences.

4.1 How AI Processes Your Data

Our AI systems process the personal information you provide (including your investor profile, financial parameters, and franchise preferences) to:

  • Generate Match Scores: Our AI engine analyzes your investor profile against franchise opportunity data to produce numerical match scores that indicate how well a particular franchise aligns with your stated criteria.
  • Produce FDD Summaries: AI models process franchise disclosure document data to generate plain-language summaries of key terms, fee structures, earnings claims (Item 19), litigation history, and other material provisions.
  • Calculate ROI Projections: AI models use your financial inputs combined with franchise performance data to generate estimated return-on-investment projections and payback period calculations.
  • Provide Territory Analysis: AI processes demographic, economic, and competitive data to assess territory viability for specific franchise concepts.

4.2 GDPR Article 22 Compliance

Under the EU General Data Protection Regulation (GDPR), you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

We want to be clear about how this applies to FranchiseStack:

  • Advisory, Not Determinative: Our AI-generated match scores, ROI projections, and franchise recommendations are provided as informational tools to assist your decision-making process. They do not constitute financial advice, investment recommendations, or binding determinations. No franchise agreement, investment decision, or financial commitment is made automatically by our AI systems.
  • Human Oversight: All significant outputs of our AI systems are designed to be reviewed and acted upon by you, the user. You retain full control over which franchises to explore, which to pursue, and whether to proceed with any investment.
  • Right to Contest: If you believe an AI-generated output about you is inaccurate or unfair, you have the right to contest the output, request human review of the underlying logic, and obtain an explanation of how the result was derived. To exercise this right, contact us at franchisestack@polsia.app.
  • Right to Opt Out: You may request that your data not be processed by our AI matching system. Note that opting out of AI processing will limit the personalized features available to you, including match scores and tailored recommendations.

4.3 AI Data Handling

When processing your data through AI systems, we implement the following safeguards:

  • Your personal data is transmitted to our AI processing partners (including Anthropic, our AI model provider) using encrypted connections and is processed in accordance with our data processing agreements with those partners.
  • We do not use your personal data to train third-party AI models. Your inputs are processed for the sole purpose of generating outputs for your use within the platform.
  • AI-generated outputs may contain inaccuracies, and we clearly label all AI-generated content as such. You should independently verify all information before making investment decisions.
  • We regularly audit our AI systems for accuracy, bias, and fairness to ensure they operate as intended.

5. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to collect and store information when you visit our Site and use our Services. A cookie is a small data file that is placed on your device when you visit a website. Cookies help us operate and improve our Services, personalize your experience, and understand how users interact with our platform.

5.1 Types of Cookies We Use

| Cookie Type | Purpose | Duration |
| --- | --- | --- |
| Essential Cookies | These cookies are strictly necessary for the operation of our Services. They enable core functionality such as user authentication, session management, security protections, and load balancing. Without these cookies, the Services cannot function properly. These cookies do not require your consent under applicable law. | Session to 1 year |
| Analytics Cookies | These cookies help us understand how visitors interact with our Site by collecting information about pages visited, time spent on the platform, navigation patterns, error occurrences, and feature usage. This information is aggregated and used to improve the Services. We use a first-party analytics beacon to track visitor metrics. | Up to 2 years |
| Functional Cookies | These cookies enable enhanced functionality and personalization, such as remembering your preferences (e.g., language, region, display settings), retaining your franchise search filters, and pre-filling forms with information you have previously provided. If you do not allow these cookies, some or all of these features may not function properly. | Up to 1 year |

5.2 Local Storage

In addition to cookies, we use browser local storage to maintain session information and unique visitor identifiers for analytics purposes. Local storage operates similarly to cookies but is stored differently in your browser and does not have automatic expiration dates.

5.3 Managing Your Cookie Preferences

Most web browsers are set to accept cookies by default. You can adjust your browser settings to refuse cookies, delete existing cookies, or alert you when cookies are being set. Please note that if you disable or refuse cookies, some parts of our Services may become inaccessible or may not function properly.

To manage cookies in common browsers:

  • Chrome: Settings > Privacy and Security > Cookies and other site data
  • Firefox: Settings > Privacy & Security > Cookies and Site Data
  • Safari: Preferences > Privacy > Manage Website Data
  • Edge: Settings > Cookies and site permissions > Cookies and site data

5.4 Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature that sends a signal to websites you visit indicating that you do not wish to be tracked. Because there is no uniform standard for interpreting DNT signals, our Services do not currently respond to DNT signals. However, you can manage your privacy preferences using the cookie controls described above and the opt-out mechanisms described in this Privacy Policy.

6. Data Sharing & Third Parties

We do not sell your personal information to third parties. We may share your information in the following limited circumstances:

6.1 Service Providers

We engage trusted third-party service providers who perform services on our behalf, subject to contractual obligations to protect your data and use it only as directed by us. These include:

  • Stripe (Payment Processing): We use Stripe, Inc. to process subscription payments and other transactions. When you make a payment, your payment card details are collected and processed directly by Stripe in accordance with their privacy policy and PCI-DSS compliance standards. We receive only a tokenized reference to your payment method, along with transaction confirmations and billing details necessary to manage your subscription. You can review Stripe's privacy policy at stripe.com/privacy.
  • Anthropic (AI Processing): We use Anthropic's Claude AI models to power our franchise matching engine, FDD analysis, ROI projections, and other AI-driven features. When you use these features, relevant data from your investor profile and queries is transmitted to Anthropic's API for processing. Anthropic processes this data in accordance with their data processing terms and does not use your data to train their models. You can review Anthropic's privacy practices at anthropic.com/privacy.
  • Hosting and Infrastructure Providers: We use cloud hosting providers to store data and run our Services. All data is encrypted in transit and at rest.
  • Analytics Providers: We use analytics services to collect aggregated information about how users interact with our Services, helping us understand usage patterns and improve the platform. Analytics data is collected using first-party mechanisms and is not shared with third-party advertising networks.
  • Email Service Providers: We use third-party email services to deliver transactional and, where applicable, marketing communications.

6.2 Legal Requirements

We may disclose your information if required to do so by law or in the good faith belief that such disclosure is necessary to:

  • Comply with a legal obligation, subpoena, court order, or governmental request.
  • Protect and defend the rights or property of Steeled Inc.
  • Prevent or investigate possible wrongdoing in connection with the Services.
  • Protect the personal safety of users of the Services or the public.
  • Protect against legal liability.

6.3 Business Transfers

If Steeled Inc. is involved in a merger, acquisition, reorganization, asset sale, or bankruptcy proceeding, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Site of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.

6.4 With Your Consent

We may share your personal information for purposes not described in this Privacy Policy when we have obtained your explicit consent to do so.

6.5 Aggregated and De-Identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you with third parties for research, analytics, industry reporting, or other purposes. For example, we may publish reports about franchise industry trends based on aggregated platform data.

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, provide the Services, and comply with our legal obligations. The specific retention periods depend on the type of data and the context in which it was collected:

  • Account Data: We retain your account information for as long as your account is active. If you request account deletion, we will delete or anonymize your personal information within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements).
  • Investor Profile and Franchise Preferences: Retained for the duration of your active account. Upon account deletion, this data is permanently deleted within 30 days.
  • Transaction and Billing Records: Retained for a minimum of 7 years after the date of the transaction, as required by applicable tax and financial regulations.
  • Usage and Analytics Data: Retained in identifiable form for up to 24 months. After this period, usage data is either deleted or irreversibly aggregated and anonymized.
  • Communication Records: Customer support inquiries and related correspondence are retained for up to 3 years after the last interaction to ensure continuity of service and for quality assurance purposes.
  • AI Processing Logs: Logs of AI processing activities (such as franchise match queries) are retained for up to 12 months for debugging, performance monitoring, and audit purposes, after which they are deleted or anonymized.
  • Legal Hold Data: If your data is subject to a legal hold (e.g., in connection with litigation or a regulatory investigation), it will be retained until the hold is lifted, regardless of the standard retention period.

When personal information is no longer needed for the purposes for which it was collected or as required by law, we securely delete or anonymize it using industry-standard methods.

8. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information. To exercise any of these rights, please contact us at franchisestack@polsia.app.

8.1 Rights Under the GDPR (EEA/UK Residents)

If you are a resident of the European Economic Area (EEA) or the United Kingdom (UK), you have the following rights under the General Data Protection Regulation (GDPR) and the UK GDPR:

  • Right of Access (Article 15): You have the right to request a copy of the personal information we hold about you, along with information about how we process it, the purposes of processing, and the categories of third parties with whom we share it.
  • Right to Rectification (Article 16): You have the right to request correction of any inaccurate personal information we hold about you, and to have incomplete personal information completed.
  • Right to Erasure (Article 17): You have the right to request deletion of your personal information, subject to certain exceptions (e.g., where we are required to retain data for legal compliance). This is also known as the "right to be forgotten."
  • Right to Data Portability (Article 20): You have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
  • Right to Object (Article 21): You have the right to object to the processing of your personal information for direct marketing purposes, or where processing is based on our legitimate interests, on grounds relating to your particular situation.
  • Right to Restrict Processing (Article 18): You have the right to request that we restrict the processing of your personal information in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful but you do not want deletion.
  • Right to Withdraw Consent: Where we rely on your consent as the legal basis for processing, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing of your personal information violates applicable data protection law.

8.2 Rights Under the CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions provided under the CCPA.
  • Right to Opt-Out of Sale or Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information. We do not sell your personal information as defined under the CCPA. We do not share your personal information for cross-context behavioral advertising purposes.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. You will not receive different pricing, different quality of services, or otherwise be penalized for exercising your rights under the CCPA.
  • Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your sensitive personal information to purposes that are necessary for providing the Services.

8.3 How to Exercise Your Rights

To exercise any of the rights described above, please submit a request by emailing us at franchisestack@polsia.app. When submitting a request, please include the following to help us verify your identity and process your request efficiently:

  • Your full name and email address associated with your FranchiseStack account.
  • A description of the specific right you wish to exercise.
  • Any additional information that may help us verify your identity (we may request further verification depending on the nature of the request).

We will acknowledge receipt of your request within 10 business days and will respond substantively within 30 days (or within 45 days for CCPA requests, with an extension of up to 90 days if reasonably necessary, with notice to you). If we cannot verify your identity, we may request additional information or deny the request.

9. International Data Transfers

FranchiseStack is operated from the United States. If you are accessing our Services from outside the United States, please be aware that your personal information may be transferred to, stored in, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that are different from the laws of your country of residence.

9.1 Transfers from the EEA/UK

When we transfer personal information from the European Economic Area (EEA) or United Kingdom (UK) to countries that have not been deemed to provide an adequate level of data protection by the European Commission or UK Secretary of State, we implement appropriate safeguards to ensure your data is protected, including:

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (and the UK Addendum, where applicable) as the primary transfer mechanism for personal data transfers to the United States and other third countries.
  • Data Processing Agreements: We enter into data processing agreements with all third-party service providers who process personal data on our behalf, requiring them to implement appropriate technical and organizational measures to protect personal data.
  • Supplementary Measures: Where necessary, we implement supplementary measures (such as encryption, pseudonymization, and access controls) to ensure an adequate level of protection for transferred data.

9.2 EU-U.S. Data Privacy Framework

Where applicable, we rely on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as additional mechanisms for lawful data transfers. We monitor developments in international data transfer regulations and update our practices accordingly.

By using our Services, you acknowledge that your information may be transferred to and processed in the United States and other jurisdictions as described in this section. If you have questions about international data transfers, please contact us at franchisestack@polsia.app.

10. Children's Privacy

Our Services are not intended for, nor directed at, individuals under the age of 13. We do not knowingly collect, solicit, or maintain personal information from anyone under 13 years of age. If we learn that we have collected personal information from a child under 13, we will take immediate steps to delete that information from our systems.

If you are a parent or guardian and believe that your child under 13 has provided personal information to us, please contact us immediately at franchisestack@polsia.app so that we can take appropriate action.

For users between the ages of 13 and 18 (or the age of majority in your jurisdiction), we recommend that a parent or guardian review this Privacy Policy and supervise the use of the Services. Franchise investing involves significant financial decisions, and we strongly recommend that minors do not use the platform without appropriate adult supervision and guidance.

11. Security Measures

We take the security of your personal information seriously and implement a combination of technical, administrative, and organizational measures designed to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

  • Encryption: All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS/SSL). Sensitive data stored on our systems, including authentication tokens and financial profiling data, is encrypted at rest using AES-256-GCM encryption.
  • Access Controls: Access to personal information is restricted to authorized personnel who require it to perform their job functions. We employ role-based access controls and the principle of least privilege.
  • Secure Infrastructure: Our Services are hosted on enterprise-grade cloud infrastructure with built-in redundancy, automated backups, and continuous monitoring for security threats.
  • Authentication Security: User accounts are protected by secure authentication mechanisms. We use JSON Web Tokens (JWT) with expiration controls and support passwordless authentication via secure magic links.
  • Parameterized Queries: All database operations use parameterized queries to prevent SQL injection attacks.
  • Regular Security Reviews: We conduct periodic reviews of our security practices and update our measures in response to new threats, vulnerabilities, and industry best practices.
  • Vendor Security: We require all third-party service providers who handle personal data to maintain appropriate security measures and demonstrate compliance with applicable security standards.
  • Incident Response: We maintain an incident response plan to address potential data breaches. In the event of a breach that poses a risk to your rights and freedoms, we will notify you and applicable regulatory authorities as required by law.

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to taking all reasonable steps to safeguard your data.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will:

  • Update the "Effective Date" at the top of this Privacy Policy.
  • Post the revised Privacy Policy on our Site at franchisestack.ai/privacy.html.
  • For material changes that significantly affect how we collect, use, or share your personal information, we will provide prominent notice (such as a banner on our Site or an email notification to registered users) at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Services after any changes to this Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with any changes, you should discontinue your use of the Services and contact us to request deletion of your account and personal information.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your personal information, please contact us at:

FranchiseStack (operated by Steeled Inc., a Delaware Corporation)
Email: franchisestack@polsia.app

We aim to respond to all inquiries within 10 business days. If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority (for EEA/UK residents) or the California Attorney General's office (for California residents).

For data access requests, deletion requests, or other rights-related inquiries, please include your full name, the email address associated with your FranchiseStack account, and a clear description of your request to help us process it efficiently.

14. California Privacy Rights (CCPA/CPRA)

This section provides additional information for residents of the State of California, as required by the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA).

14.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information (as defined under the CCPA):

| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, email address, IP address, unique device identifiers, account ID | Yes |
| B. Personal Information (Cal. Civ. Code 1798.80(e)) | Name, telephone number, financial information (investment range, net worth range for profiling purposes) | Yes |
| C. Protected Classification Characteristics | N/A | No |
| D. Commercial Information | Subscription history, transaction records, franchise preferences, reports purchased | Yes |
| E. Biometric Information | N/A | No |
| F. Internet/Network Activity | Browsing history on our Site, search queries, page interactions, feature usage | Yes |
| G. Geolocation Data | Approximate location derived from IP address | Yes |
| H. Sensory Data | N/A | No |
| I. Professional/Employment Information | Industry experience, professional background (provided in investor profile) | Yes |
| J. Education Information | N/A | No |
| K. Inferences | Franchise match scores, investor profile categories, predicted franchise fit | Yes |
| L. Sensitive Personal Information | Account login credentials | Yes |

14.2 Sources of Personal Information

We collect personal information from the following categories of sources:

  • Directly from you: Information you provide when creating an account, building your investor profile, using platform features, or communicating with us.
  • Automatically: Information collected through cookies, local storage, and server logs when you access or use the Services.
  • Third-party sources: Information from authentication providers (e.g., Google sign-in), publicly available franchise regulatory filings, and analytics services.

14.3 Business Purposes for Collection

We collect and use personal information for the business and commercial purposes described in Section 3 of this Privacy Policy, including providing the Services, AI-powered franchise matching, analytics, communications, and legal compliance.

14.4 Sale and Sharing of Personal Information

We do not "sell" personal information as defined under the CCPA. We do not "share" personal information for cross-context behavioral advertising as defined under the CPRA. We have not sold or shared personal information in the preceding 12 months.

14.5 Retention

We retain each category of personal information for the periods described in Section 7 (Data Retention) of this Privacy Policy.

14.6 Exercising Your California Privacy Rights

California residents may exercise their rights by contacting us at franchisestack@polsia.app. We will verify your identity before processing any request. You may also designate an authorized agent to make a request on your behalf, provided the agent presents written authorization from you and we can verify your identity.

We will not discriminate against you for exercising any of your CCPA/CPRA rights.

14.7 California "Shine the Light" Law

Under California Civil Code Section 1798.83, California residents who have an established business relationship with us may request information about the categories of personal information we have shared with third parties for their direct marketing purposes during the preceding calendar year. We do not share personal information with third parties for their direct marketing purposes.

15. European Privacy Rights (GDPR)

This section provides additional information for residents of the European Economic Area (EEA) and the United Kingdom (UK), as required by the General Data Protection Regulation (GDPR) and the UK GDPR.

15.1 Legal Bases for Processing

We process your personal information only when we have a lawful basis to do so. The legal bases we rely on include:

| Legal Basis | Processing Activities |
|---|---|
| Performance of Contract (Article 6(1)(b)) | Creating and managing your account; providing franchise intelligence features, match scores, FDD analysis, and ROI calculations; processing subscription payments; delivering customer support. |
| Legitimate Interests (Article 6(1)(f)) | Improving and optimizing the Services; analyzing usage trends and platform performance; detecting and preventing fraud and security threats; conducting aggregated research and industry analysis. Our legitimate interests do not override your fundamental rights and freedoms. |
| Consent (Article 6(1)(a)) | Sending marketing communications; using non-essential cookies and tracking technologies; processing sensitive financial profile data for AI matching beyond what is strictly necessary for the contract. |
| Legal Obligation (Article 6(1)(c)) | Retaining transaction records for tax and financial reporting; complying with regulatory requests; preserving data subject to legal holds. |

15.2 Your Rights Under the GDPR

As described in Section 8.1, EEA and UK residents have the rights of access, rectification, erasure, data portability, objection, restriction of processing, withdrawal of consent, and the right to lodge a complaint with a supervisory authority. For detailed descriptions of these rights, please refer to Section 8.1 above.

15.3 Data Protection Officer

If you have questions or concerns about our data protection practices, or if you wish to exercise your rights under the GDPR, you may contact us at franchisestack@polsia.app. We will handle your inquiry in accordance with GDPR requirements and respond within 30 days.

15.4 Supervisory Authority

If you are located in the EEA or UK and believe that our processing of your personal information infringes applicable data protection law, you have the right to lodge a complaint with your local supervisory authority. A list of EEA data protection authorities is available at edpb.europa.eu. For UK residents, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.

15.5 Data Processing Agreements

We have entered into Data Processing Agreements (DPAs) with all third-party service providers who process personal data on our behalf, as required under Article 28 of the GDPR. These agreements ensure that our processors implement appropriate technical and organizational measures to protect personal data and process it only in accordance with our documented instructions.

15.6 Data Minimization

In accordance with the GDPR's data minimization principle, we collect only the personal information that is necessary for the purposes described in this Privacy Policy. We regularly review the data we collect and process to ensure that we are not collecting or retaining more data than is needed for the specified purposes.