← Back to App Terms of Service

Privacy Policy

This Privacy Policy describes how Report Shield ("Company," "We," "Us," or "Our") collects, uses, stores, and protects information in connection with the Report Shield platform and services ("Service") available at reportshield.app. This Policy applies to all users of the Service ("User," "You," or "Officer").

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the data practices described herein.

REPORT CONTENT POLICY: Report Shield does not intentionally store, retain, or log report text or narrative content submitted by officers for analysis. Report content is transmitted for AI processing and is not written to any Report Shield database or persistent storage. Standard infrastructure logs maintained by our hosting provider (Vercel) and AI processing provider (Anthropic) may retain request metadata for limited periods as described in Section 2 below.

1. Information We Collect

We collect only the minimum information necessary to operate and improve the Service. The following categories of information are collected:

Category	What We Collect	Why We Collect It
Account Information	Email address, full name, agency or department name	To create and manage your account and verify your identity
Authentication Data	Encrypted password credentials, MFA enrollment data, session tokens	To authenticate your identity and maintain session security
Subscription Data	Subscription plan, approval status, account creation date	To manage access to the Service and process billing
Payment Information	Payment processing is handled entirely by Stripe. We do not collect or store credit card numbers, bank account details, or other financial data.	To process subscription payments
Usage Data	Session activity, feature usage patterns, error logs	To maintain and improve the Service

2. Report Content — Data Handling Policy

Report Shield is designed to minimize retention of report content. Specifically:

Report text and narrative content submitted by officers for analysis is transmitted to an AI processing endpoint and is not intentionally stored, logged, or retained by Report Shield in any database or persistent storage.
AI analysis results are returned to the officer's browser session only and are not stored on Report Shield's servers.
Session history displayed within the application exists only in the officer's browser memory for the duration of the active session and is permanently deleted when the officer logs out or closes the tab.
We do not create a record of what reports were submitted, what their content was, or what analysis was returned.
We do not sell, share, or transmit report content to any third party for any purpose other than AI processing as described below.

IMPORTANT — AI PROCESSING PROVIDER: Report text submitted for analysis is transmitted to Anthropic's API for processing. Report Shield uses Anthropic's commercial API, which as of September 2025 retains API input and output logs for a maximum of seven (7) days before automatic deletion. This retention is for abuse detection and platform stability only. Anthropic's commercial API terms explicitly prohibit using customer API data to train AI models. Report Shield has not opted into extended retention. Anthropic offers a full Zero Data Retention (ZDR) addendum under which no data is stored at rest after the API response is returned. Report Shield is in the process of executing a ZDR agreement with Anthropic. Until that agreement is finalized, the seven-day log retention window described above applies to report content transmitted through the API. For full details, review Anthropic's API data retention policy at platform.claude.com and their privacy policy at anthropic.com/legal/privacy.

3. How We Use Your Information

We use the information we collect for the following purposes only:

To create, authenticate, and manage your user account
To process and manage your subscription and payments through Stripe
To communicate with you regarding your account, including password resets and access notifications
To enforce these Terms of Service and our acceptable use policies
To maintain the security and integrity of the Service
To comply with applicable legal obligations

We do not use your information for advertising, do not sell your information to third parties, and do not use your information for any purpose beyond those listed above.

4. Third-Party Service Providers

We use the following third-party service providers to operate the Service. Each provider has been selected for I reliability and appropriate data handling practices:

Provider	Purpose	Data Shared
Supabase	Authentication and user account database	Email address, encrypted credentials, account metadata. Supabase encrypts all data at rest using AES-256 encryption by default. Data is also encrypted in transit using TLS. Supabase is SOC 2 Type II certified.
Vercel	Web hosting and content delivery	Vercel logs IP addresses and request metadata for each page load and API call as part of standard infrastructure operation. These logs are retained by Vercel for up to 30 days. Report Shield does not access or process these logs for analytics purposes. Officers should be aware that their IP address — which may be associated with their agency network — is logged by Vercel as part of normal HTTPS request handling. Vercel is SOC 2 Type II certified. See Vercel's privacy policy for full details.
Anthropic	AI report analysis processing (data processor)	Report text submitted for analysis. Anthropic processes this data under our commercial API agreement. API logs are retained for a maximum of 7 days and are never used for model training. Report Shield is pursuing a Zero Data Retention (ZDR) agreement with Anthropic for full elimination of log retention.
Stripe	Payment processing	Payment information (handled directly by Stripe — we do not receive or store card data)
Vercel	Application hosting and delivery	Standard web server logs including IP addresses
Resend	Transactional email delivery	Email address, for sending account-related emails only
hCaptcha	Bot protection on login	Browser interaction data for bot detection

5. Data Security

We implement the following security measures to protect your information:

All data is transmitted over encrypted HTTPS connections with HTTP Strict Transport Security (HSTS) enforced
Multi-factor authentication (MFA) via TOTP (Time-Based One-Time Password) is mandatory for all user accounts without exception
MFA brute-force protection: The MFA verification step enforces a maximum of five (5) consecutive failed code attempts. Upon reaching this limit, the session is immediately and automatically terminated and the user is required to re-authenticate from the beginning. This protection applies specifically to the MFA challenge step, not only to the initial password login. This is implemented at the application level in addition to Supabase Auth's platform-level rate limiting on authentication endpoints.
Password reset events automatically suspend account access and clear all enrolled MFA factors. Accounts must be re-verified by an administrator before access is restored, preventing compromised email from being used to bypass MFA enrollment.
Maximum of one (1) MFA factor permitted per account, enforced at the authentication provider level
Row Level Security (RLS) policies at the database level prevent any user from accessing another user's profile data
Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers enforced at the server level via Vercel
Sessions are stored in browser session storage only — closing the browser clears the session completely and requires full re-authentication including MFA. Sessions do not persist across browser restarts.
Automatic session termination after 60 minutes of inactivity
Bot protection on all authentication endpoints via hCaptcha
Report text input fields are configured to prevent browser caching, autocorrect, and third-party extension access to report content
Officer PTB certification numbers are collected and verified against the Illinois Professional Training Board records as part of account approval
Infrastructure IP logging: Vercel, Report Shield's hosting provider, logs IP addresses and request metadata as part of standard infrastructure operation. These logs are retained for up to 30 days. Officers using agency networks should be aware that their agency IP address may appear in Vercel's infrastructure logs. Report Shield does not use these logs for analytics or user tracking purposes.

Agency security reviewers may request additional technical documentation of these controls by contacting support@reportshield.app. We will respond to documented security review requests within five (5) business days.

While we implement industry-standard security measures, no system is completely immune to security risks. We encourage users to maintain strong passwords and to report any suspected security issues to support@reportshield.app immediately.

6. CJIS Compliance — Applicability Statement

The FBI's Criminal Justice Information Services (CJIS) Security Policy governs systems that access, transmit, store, or process Criminal Justice Information (CJI) — defined as data originating from NCIC, LEADS, criminal history repositories, biometric databases, and similar federal and state law enforcement systems.

Report Shield does not integrate with, connect to, or receive data from any such system. There is no NCIC, LEADS, or criminal history database connection of any kind. The platform processes only officer-authored narrative text submitted directly by the user. Because no CJI enters the platform at any point, the CJIS Security Policy does not apply to Report Shield.

IMPORTANT — Data Use Restriction: Officers must not submit NCIC query results, LEADS returns, criminal history records, or any data retrieved from a law enforcement database into Report Shield. Report Shield is designed exclusively for officer-authored narrative text. Submitting database-originated CJI would be a misuse of this platform and may violate your agency's data handling policies and applicable law.

Agency security reviewers or IT personnel with questions about this determination may contact us at support@reportshield.app.

7. Data Retention

We retain account information for as long as your account remains active. Upon account deletion:

Your user profile and account metadata will be deleted from our systems
Your email address will be removed from our active user database
Payment history may be retained by Stripe in accordance with their data retention policies and applicable financial regulations

As stated in Section 2, Report Shield does not store report content in any Report Shield database, and therefore there is no report content to delete upon account termination.

8. Your Rights

You have the following rights with respect to your personal information:

Access: You may request a copy of the personal information we hold about you
Correction: You may request correction of inaccurate personal information
Deletion: You may request deletion of your account and associated personal information
Portability: You may request your account information in a portable format

To exercise any of these rights, contact us at support@reportshield.app. We will respond to all requests within thirty (30) days.

9. Law Enforcement and Legal Requests

We may disclose user account information (not report content, which is not retained) in response to valid legal process, including court orders, subpoenas, or other legal requirements. We will notify affected users of any such request to the extent permitted by law. We do not voluntarily provide user information to law enforcement agencies absent legal compulsion.

10. Children's Privacy

The Service is intended solely for use by law enforcement professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that a minor Has provided personal information, we will take steps to delete such information promptly.

11. Changes to This Policy

We reserve the right to update this Privacy Policy at any time. Updated policies will be posted at reportshield.app/privacy.html with an updated effective date. We will notify active users of material changes via email. Continued use of the Service following notification of changes constitutes acceptance of the updated Policy.

12. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Report Shield
reportshield.app
support@reportshield.app