Privacy Policy

Last updated: April 26, 2026

1. Who We Are

Obsidian Clad Labs LLC (“OCL,” “we,” “us”) is a limited liability company formed in New Mexico (Entity ID 4424925, EIN 41-4678600) and operating from Tennessee. We build and operate ClauseShield, LienShield, TeachShield, ScamShield, and ShutterShield (collectively, “Services”). This policy applies to all five products and the obsidiancladlabs.com website.

Data Controller of record: Obsidian Clad Labs LLC, 1209 Mountain Road PL NE, STE R, Albuquerque, NM 87110, United States. Email: contact@obsidiancladlabs.com.

2. Information We Collect

Account Data: Name, email address, and password hash when you register.

Payment Data: Processed by Stripe. We never store credit card numbers.

Usage Data: Pages visited, features used, grading submissions, scan inputs, filing details — stored to provide our services.

Device Data: IP address, browser type, and device identifiers collected via standard web server logs.

3. How We Use Your Data

  • Provide and improve our Services
  • Process payments and manage subscriptions
  • Send transactional emails (receipts, password resets)
  • Detect fraud and abuse
  • Generate anonymous usage analytics to improve our products

4. What We Never Do

  • Sell your personal data to third parties
  • Use your uploaded content (contracts, essays, filings, scans, photos) to train AI models
  • Share your data with other users without your consent

5. Data Storage & Security

Your data is stored on encrypted servers hosted by Railway (PostgreSQL) and Vercel. Object storage uses Cloudflare R2. All traffic is encrypted in transit via TLS 1.2 or above. We follow industry-standard security practices including hashed passwords (argon2id or bcrypt), environment-variable secrets, least-privilege access controls, organization-scoped queries, and signature-verified webhooks. Full security posture: llms-full.txt § Security posture.

6. Third-Party Services

We use the following sub-processors:

  • Stripe — payment processing (US)
  • Vercel — frontend hosting and analytics (US, global edge)
  • Railway — backend hosting and database (US)
  • Mailgun — transactional email delivery (US)
  • Cloudflare R2 — object storage (US)
  • DeepSeek — AI inference, no-retention deployment
  • Modal — GPU compute for ShutterShield (US)
  • Google Ads (AW-18128047823) — conversion tracking on public marketing pages of obsidiancladlabs.com and the 5 product sites. Loaded by default for visitors outside the EEA/UK/CH cohort; gated behind explicit Accept inside that cohort via Consent Mode v2 (US)

7. Cookies, Analytics & Conversion Tracking

We use essential cookies for authentication and session management. We do not sell personal data and we do not use cross-site tracking inside our authenticated product applications. Where applicable, cookies are set with SameSite=Lax, Secure, and HttpOnly.

Vercel Analytics & Speed Insights: we use Vercel's aggregate, cookie-less analytics to count visits and measure page-load performance. Before any event is sent, a beforeSend hook strips URL search parameters and hash fragments so we never receive PII (e.g. emails or tokens that may appear in a query string).

Google Ads conversion tracking (AW-18128047823): on our public marketing pages — both this site and the 5 product .app sites — we use a single Google Ads property to attribute paid-ad clicks to sign-ups. The tag is not loaded inside any authenticated product application, so user content (contracts, essays, filings, scans, photos) is never seen by Google. Conversion-tracking cookies expire per Google's defaults (90 days for _gcl_au; 13 months for _gcl_aw).

Consent Mode v2 (EEA / UK / CH): visitors detected from the EEA, UK, or Switzerland see an explicit Accept / Decline banner on first arrival. Until you Accept, Google Ads consent signals (ad_storage, ad_user_data, ad_personalization, analytics_storage) are set to denied and gtag.js is not loaded. Decline keeps gtag.js blocked for the full 365-day choice window. Outside the EEA cohort the tag loads by default.

How to revoke: clear your browser's localStorage for obsidiancladlabs.com to reset the consent state and re-trigger the banner. You can also opt out of personalized advertising at any time through Google's Ad Settings, or email contact@obsidiancladlabs.com and we will exclude your visits going forward.

8. Your Rights (GDPR & CCPA)

If you are in the EEA, UK, or California, applicable law gives you specific rights over your personal data. We honor these rights for every user, regardless of jurisdiction. Submit any request to contact@obsidiancladlabs.com — we respond within 30 days.

GDPR (Art. 15–22):

  • Access — request a copy of the data we hold about you (Art. 15).
  • Rectification — correct inaccurate or incomplete data (Art. 16).
  • Erasure — delete your account and personal data (Art. 17).
  • Restriction — limit how we process your data (Art. 18).
  • Portability — receive your data in a machine-readable format (Art. 20).
  • Objection — object to processing based on legitimate interests (Art. 21).
  • Automated decision-making — we do not use automated decision-making with legal effects (Art. 22).

CCPA / CPRA (California residents):

  • Right to Know — what categories of personal information we collected, the sources, the purposes, and the third parties we share it with.
  • Right to Delete — request deletion of personal information we collected from you.
  • Right to Correct — correct inaccurate personal information.
  • Right to Opt Out of Sale / Sharing — we do not sell personal information. Google Ads conversion measurement on our public marketing pages may constitute “sharing” under CPRA's broadened definition. California residents can opt out by emailing contact@obsidiancladlabs.com (we will block your visits going forward), via Google's Ad Settings, or with a browser-level Global Privacy Control signal, which we honor.
  • Right to Limit Use of Sensitive Personal Information — we do not use sensitive PI for inferring characteristics.
  • Right to Non-Discrimination — exercising any of these rights will not affect your service or pricing.

9. Legal Basis for Processing (GDPR Art. 6)

  • Contract — providing the Services you signed up for (Art. 6(1)(b)). Covers account data, billing, and core product features.
  • Legitimate interests — fraud detection, security monitoring, and aggregate analytics (Art. 6(1)(f)). You may object under Section 8.
  • Legal obligation — tax records, anti-money-laundering checks, lawful court orders (Art. 6(1)(c)).
  • Consent — non-essential analytics, marketing emails (Art. 6(1)(a)). Withdraw any time.

10. International Data Transfers

Our infrastructure (Vercel, Railway, Cloudflare, Stripe, Mailgun, Modal) is primarily located in the United States. If you access our Services from the EEA, UK, or other jurisdictions outside the US, your personal data is transferred to and processed in the United States.

For transfers from the EEA / UK to the US we rely on the EU Standard Contractual Clauses (Module Two: controller-to-processor) signed with each sub-processor, and where applicable the UK International Data Transfer Addendum. We assess each sub-processor for adequacy and require equivalent technical safeguards. A list of current sub-processors is maintained in Section 6 above.

11. FERPA Compliance (TeachShield)

TeachShield processes student work for grading purposes. We act as a “school official” under FERPA. Student data is used solely to provide the grading service and is never shared, sold, or used for advertising or AI training. Teachers are responsible for collecting any consent required by their school or district.

12. Children's Privacy

Our Services are not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact contact@obsidiancladlabs.com immediately and we will delete it.

13. Data Retention

We keep personal data only as long as necessary to provide the Services or to meet legal obligations. Specific retention windows by data type:

  • Account data — retained while the account is active. Deleted within 30 days of account deletion request; backups purged within 90 days.
  • Uploaded content (contracts, essays, filings, scans, photos) — retained for the duration of the active subscription. Deleted on account deletion within 30 days; backups within 90 days.
  • Payment records — retained for 7 years to comply with US tax law, then purged.
  • Web server / security logs — retained for 90 days for security and abuse investigation, then purged.
  • Aggregate analytics — retained indefinitely in fully anonymized form (no per-user identifiers).
  • Email transactional records — retained for 12 months in Mailgun, then purged.

14. Right to Lodge a Complaint (Supervisory Authority)

If you are in the EEA or UK, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is published by the EDPB at edpb.europa.eu; the UK's authority is the ICO (ico.org.uk). California residents may contact the California Privacy Protection Agency or the California Attorney General's office.

15. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. Continued use of our Services after changes constitutes acceptance.

16. Contact for Privacy Requests

To exercise any right under this policy, ask a privacy question, or report a concern, write to:

Obsidian Clad Labs LLC
1209 Mountain Road PL NE, STE R
Albuquerque, NM 87110, USA
contact@obsidiancladlabs.com

We respond to all privacy requests within 30 days. If we cannot fulfill a request we will explain why and what your options are.

© 2026 Obsidian Clad Labs LLC. All rights reserved.