Privacy Policy

Last updated: April 27, 2026
Effective date: April 27, 2026

At a glance

We built FrictionScan for developers who are careful about what they ship. We try to be equally careful about how we handle your data. A few things worth knowing up front:

• We do not train foundation or general-purpose models on your Customer Content by default. If we ever want to, we will ask you to opt in separately.
• Foundation-model providers we send data to operate under published commercial API terms that, by their own terms, prohibit training on data submitted through the API and require short retention windows. The current list is on our subprocessor page.
• You can delete your data. Self-service for most of it; written request for the rest. Backups rotate out within 90 days.
• We publish our subprocessors and notify you before adding new ones. You can subscribe to updates.
• We don't sell personal information and we don't do targeted advertising.

The formal policy below is what governs. This summary is just to set expectations.

1. Introduction

This Privacy Policy describes how Force Prime Corp., a Delaware corporation with its principal office at 16192 Coastal Highway, Lewes, Delaware 19958, County of Sussex, USA (together with its affiliates, "FrictionScan", "we", "us", "our"), collects, uses, shares, and protects information in connection with the FrictionScan website at frictionscan.com, the FrictionScan MCP server, API, SDK, command-line tools, dashboard, and related services (collectively, the "Service").

FrictionScan is a business-to-business tool used primarily by software developers and their organizations. This Policy is incorporated into our Terms of Use. Capitalized terms not defined here have the meaning given in the Terms of Use.

2. Scope, Roles, and DPA

For account information, billing, the website, and our general business operations, we act as a data controller under the EU GDPR and UK GDPR, and a business under the California Consumer Privacy Act ("CCPA") as amended.

For Customer Content that our customers submit to the Service or that the Service captures from the customer's applications — for example, screenshots, DOM snapshots, code references, URLs, review decisions, and test-account credentials — we act as a data processor / service provider on behalf of our customer. The customer is the controller / business.

If you are an end user of one of our customers' applications and your personal data has ended up in the Service (for example, because a customer's application rendered your information on a page that was captured as a screenshot), please contact that customer first. We will support them in responding to you.

If we process your Customer Content under a written Data Processing Addendum ("DPA") signed by you, the DPA governs that processing. The DPA is available on request at hello@frictionscan.com.

This Policy does not cover:

• third-party services you connect to the Service (coding agents, cloud providers, GitHub, CI/CD, etc.), which are governed by their own policies;
• the applications you test with the Service;
• any data your coding agent processes outside of FrictionScan.

3. Information We Collect

3.1 Information you provide

• Account data: name, email, company, role, password (hashed and salted), and similar information needed to create and manage your account.
• Billing data: billing address, plan, and transaction history. Full payment card details are handled by our payment provider (e.g., Stripe) under their terms and are not stored by us.
• Communications: messages you send to us — support requests, survey responses, design-partner feedback, correspondence.
• Configuration: project settings, routes, auth hints, viewport preferences, theme configurations, feature flags, and similar information needed to run the Service on your application.
• Credentials for test environments: if you provide credentials so the Service can reach authenticated areas of your application, we store them encrypted at rest, make them available only to the processing components that need them, and use them solely to perform the evaluations you request. You can remove stored credentials at any time.

3.2 Customer Content processed by the Service

When you use the Service, it captures artifacts from your application in order to evaluate UI changes. These artifacts (part of "Customer Content" as defined in the Terms of Use) may include:

• screenshots of pages and states of your application;
• DOM snapshots and layout information;
• network and console diagnostics;
• references to your source code and commit metadata provided by your coding agent;
• review decisions, classifications, rationales, and comments made by you or your Authorized Users.

Customer Content may incidentally include personal data that appears in your application during evaluation (for example, names, emails, or avatars visible on test pages). Because you control what is rendered, you are responsible for ensuring Customer Content complies with applicable law and with the privacy commitments you have made to your own users. We strongly recommend running the Service against test accounts and synthetic data wherever possible.

3.3 Automatically collected information

• Usage data: features and pages used, actions taken, API endpoints called, timestamps, and device/browser metadata.
• Log and diagnostic data: IP address, user-agent, error traces, and performance metrics. Parts of this data (such as IP address) can identify you, and we treat them as personal data.
• Cookies and similar technologies: see Section 10.

3.4 Information from third parties

• Authentication providers: if you sign in through a third-party identity provider (e.g., Google, GitHub), we receive the identifiers and profile fields they share.
• Coding agents and platforms: when you invoke the Service via a coding agent or connect a platform such as GitHub or Vercel, we receive metadata from that integration.
• Business contacts: we may obtain business contact information for prospects from public sources, partners, or referrals, consistent with applicable law.

3.5 Information we ask you not to submit

We ask you not to submit to the Service:

• personal data of categories described as "sensitive" or "special" under applicable law (e.g., health data, government IDs, precise geolocation, biometric data, children's data), unless a written agreement covers it;
• payment card data or other payment credentials (use your billing account instead);
• secrets, API keys, or production credentials that are not required for the evaluation;
• content you are contractually prohibited from disclosing to processors like us.

If you send us such data without a covering agreement, we will take reasonable steps to delete it, and may ask you to resubmit the request without that data.

4. How We Use Information

We use information to:

1. Provide the Service: discover application surfaces, build baselines, run deterministic and AI-assisted evaluations, generate reports, surface fixes to your coding agent, and maintain your account and subscription.
2. Support and communications: respond to requests; send administrative notices, operational alerts, service updates, and security notifications.
3. Security and abuse prevention: detect and respond to fraud and abuse; enforce our Terms; conduct audits.
4. Analytics and product improvement: understand how the Service is used, measure performance, diagnose issues, and improve features. Where this involves Customer Content, we use de-identified or aggregated data unless you have separately opted in.
5. Training and tuning our Service: see Section 5 for the specific rules that apply.
6. Legal and compliance: comply with law, respond to lawful requests, and exercise or defend legal claims.
7. Marketing and business development: with appropriate consent or legitimate interest, we may send you product news or offers. You can opt out of marketing emails at any time using the unsubscribe link or by contacting us.

Legal bases (EEA, UK, Switzerland)

Where GDPR or UK GDPR applies, we rely on:

• Contract performance to provide the Service you have asked for and to manage your account;
• Legitimate interests to secure, operate, and improve the Service, to run our business, and to market related products to existing business contacts, provided these interests are not overridden by your rights;
• Consent, where required (e.g., for certain cookies, for opt-in marketing to non-customers, and for any use of identifiable Customer Content to train models outside your account);
• Legal obligations, where we are required to process data to comply with law.

5. AI and Machine-Learning Training

5.1 Default position

We do not use your Customer Content to train foundation or general-purpose machine-learning models by default.

When the Service runs, it processes Customer Content to generate your reports and to maintain your account-specific baseline and models of your frontend. This is part of the Service you are paying for, not training of cross-customer models.

5.2 Aggregate and de-identified improvements

We may use de-identified or aggregated signals (such as counts of evaluations, detection performance on synthetic benchmarks, rule-hit frequencies, and latency metrics) to improve the Service for all customers. These signals cannot reasonably be used to identify you or your end users.

5.3 Training outside your account — opt-in only

If we want to use identifiable Customer Content — for example, specific screenshots, specific DOM snapshots tied to your application, or the text of your review decisions — to train or tune models that will be applied outside of your account, we will ask for your separate, explicit opt-in. For this purpose, "identifiable" means data that, alone or in combination with other data reasonably available to us, can be linked to your account, your application, your end users, or individual Authorized Users. You can withdraw that opt-in at any time going forward. After withdrawal, we will stop using the relevant Customer Content for new training runs. We note, however, that data already incorporated into trained model weights generally cannot be extracted from those weights; our commitment on withdrawal is therefore forward-looking rather than retroactive.

5.4 Third-party foundation-model providers

The advisory pipeline sends certain Customer Content (such as screenshots, DOM extracts, and short text prompts) to foundation-model providers to perform classifications and descriptions. We access these providers through their commercial APIs, which are governed by each provider's published commercial API terms of service. Those terms — as of the date of this Policy — state that the provider does not train its models on data submitted via the API, and that inputs and outputs are retained only for limited periods (typically up to thirty (30) days) for abuse-monitoring purposes. The current list of providers, along with summaries of their published retention and training terms and the countries in which processing takes place, is on our subprocessor page at [frictionscan.com/subprocessors]. If a Subprocessor's published training or retention posture changes in a way that would materially affect you, we will update the subprocessor page and, where reasonably possible, notify you in advance.

5.5 Your review decisions

When you or your Authorized Users make review decisions in the Service (such as "accept change", "reject", or "send back to agent"), we store these decisions to run the Service for you and to compute aggregate quality metrics. Decisions made in your account are not used to train models applied to other customers' accounts without your separate opt-in.

5.6 Feedback, support, and bug reports

If you include Customer Content in a feedback, support, or bug-report message (for example, attaching a screenshot to a support email), that content is still Customer Content and is subject to this Policy. Separately, the text of the feedback or bug report itself may be used to improve the Service and internal tooling.

5.7 Automated decision-making

The Service uses automated processing, including deterministic rules and AI classification, to generate advisory reports. These reports are advisory only: the final decision to accept, reject, or ship any change rests with you and your Authorized Users. The Service does not make legal decisions about individuals and is not designed to produce legal or similarly significant effects on data subjects under GDPR Article 22.

6. How We Share Information

We do not sell personal information, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined by California law or comparable U.S. state laws. We do not engage in targeted advertising.

6.1 Your Authorized Users

Information in your account (including Customer Content and review decisions) is visible to the Authorized Users you invite. You are responsible for controlling who you invite and for removing users who should no longer have access.

6.2 Your coding agent

When the Service communicates with your coding agent, the agent receives reports, suggested fixes, and related artifacts. The agent provider then processes that output under their own terms and privacy policies — including, depending on the provider and your settings, potentially for their own model training. We do not control what your agent provider does with output we hand back; you should consult the agent provider's terms and privacy settings to decide what data to share with your agent.

6.3 Subprocessors

We use vendors to help operate the Service, typically across these categories:

• Network, edge, and security (DNS, web application firewall, DDoS mitigation, edge TLS);
• Cloud hosting, storage, and content delivery;
• Foundation-model providers for the advisory pipeline, accessed through commercial APIs whose published terms prohibit training on data submitted via the API;
• Payment processing and tax calculation;
• Email, support, and customer communications (including transactional email such as one-time passwords and system notifications);
• Error tracking and monitoring;
• Business operations (e.g., productivity suites, internal tooling, contract management).

A current, named list of our Subprocessors, together with the categories of data each processes and the country in which processing takes place, is published at [frictionscan.com/subprocessors]. You can subscribe to notifications there. We will give at least thirty (30) days' notice before engaging a new Subprocessor that processes Customer Content, except where we must move faster to address a security incident, replace a failing or discontinued vendor, comply with a legal obligation, or similar emergency — in which case we will notify you as soon as reasonably practicable and, where feasible, before the new Subprocessor begins processing Customer Content. Where you have a signed DPA with us, the DPA may set out additional rights to object.

We flow down appropriate privacy and security obligations to Subprocessors and remain responsible for their performance in providing the Service.

6.4 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction. We will require the recipient to honor this Policy with respect to your data or give affected users notice and a reasonable opportunity to exercise their rights.

6.5 Legal, safety, and compliance

We may disclose information when we reasonably believe it is necessary to (a) comply with law, legal process, or a lawful government request, (b) enforce our Terms, (c) protect the rights, property, or safety of FrictionScan, our users, our Subprocessors, or the public, or (d) detect, prevent, or address fraud, abuse, or security issues. We will push back on requests that appear overbroad, unlawful, or inconsistent with applicable law, and will produce only what is legally required. Where we can do so lawfully, we will notify the affected customer of a compelled disclosure or of a regulatory investigation that specifically implicates that customer's data, and we will give the customer a reasonable opportunity to seek a protective order or other appropriate relief.

7. International Transfers

We are headquartered in the United States. We and our Subprocessors may process data in the United States and other countries that may not provide the same level of data protection as your country.

For transfers from the EEA, UK, or Switzerland to countries not recognized as providing adequate protection, we rely on the European Commission's Standard Contractual Clauses (SCCs) (the modules appropriate to each transfer), the UK International Data Transfer Addendum, and, for Swiss data, the Swiss Federal Data Protection and Information Commissioner's recognition of those SCCs.

We conduct transfer impact assessments where appropriate, and apply supplementary measures (such as encryption in transit and at rest, access controls, strict vendor selection, and the right to challenge lawful requests) consistent with guidance from the European Data Protection Board.

Where U.S. Subprocessors may be subject to legal requests under the U.S. CLOUD Act, comparable extraterritorial laws in other jurisdictions, or similar government-access regimes, we will (i) minimize the personal data we send, (ii) resist overbroad or unlawful requests where we have grounds to do so, and (iii) notify affected customers where legally permitted.

You can request a summary of the safeguards we apply to your data by contacting hello@frictionscan.com.

8. Retention

We retain information only as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.

Our retention schedule (which we may adjust with reasonable notice):

• Account data: for the life of your account, plus up to twelve (12) months after closure for legal, audit, and dispute purposes.
• Customer Content (screenshots, DOM, review decisions, baselines): for the duration of your subscription, and up to ninety (90) days after you delete a project or close your account, unless you request earlier deletion.
• Backups: isolated from live processing and rotated out within an additional ninety (90) days after the primary retention period ends. Deleted Customer Content will not be used for any purpose other than disaster recovery during that rotation window.
• Test-environment credentials: until you remove them or your account is closed, whichever is first.
• Billing and tax records: for the period required by tax and accounting law (typically up to seven (7) years).
• Security logs and audit trails: up to twelve (12) months, longer only when required to investigate an incident or by law.
• De-identified / aggregated analytics: may be retained indefinitely, as this data cannot reasonably identify you.

You can ask us to delete Customer Content earlier using the self-service controls in the Service, or by writing to hello@frictionscan.com. We honor such requests, subject to legal holds and a short operational window required to propagate deletion across systems and backups.

9. Security

We implement administrative, technical, and physical safeguards designed to protect information, including:

• encryption in transit (TLS) and encryption at rest for sensitive fields, including stored credentials;
• role-based access control and least-privilege access for personnel;
• secret scanning, credential rotation, and hardware-backed keys for critical systems;
• centralized logging and monitoring with alerting for suspicious activity;
• periodic vulnerability scanning and code review;
• security review of vendors before we onboard them.

We align our practices with the SOC 2 trust-services criteria, and we pursue formal attestations as our scale and customer commitments require. Enterprise customers and prospects under a mutual non-disclosure agreement may request our current security overview, completed SIG Lite questionnaire, summary of our most recent penetration test, and a status update on our SOC 2 program by contacting hello@frictionscan.com.

Breach notification

If we become aware of a personal-data breach that affects your data, we will notify you without undue delay and in accordance with applicable law. Where we are acting as a processor subject to GDPR, we will notify you without undue delay after becoming aware of the breach, consistent with our DPA. Notifications will describe, to the extent known, the nature of the breach, the categories of data affected, likely consequences, and measures taken or proposed.

No system is perfectly secure. You are responsible for protecting your credentials and restricting access to your account. Please report suspected vulnerabilities or incidents promptly to hello@frictionscan.com.

10. Cookies and Similar Technologies

We use cookies and similar technologies to:

• keep you signed in (strictly necessary);
• remember preferences (functional);
• measure how the Service is used (analytics).

We do not use advertising cookies and do not engage in cross-site tracking. Where required (e.g., in the EEA, UK, and California), we show a cookie banner that lets you control non-essential cookies. Your browser also lets you block or delete cookies; the Service may not function properly without strictly necessary cookies.

11. Your Privacy Rights

11.1 Users in the EEA, UK, and Switzerland

Subject to conditions in applicable law, you may have the right to:

• access your personal data and request a copy;
• request correction or erasure;
• restrict or object to processing;
• withdraw consent (without affecting the lawfulness of processing based on consent before withdrawal);
• portability of data you provided to us;
• lodge a complaint with your supervisory authority (for example, your national Data Protection Authority).

If your personal data is in Customer Content uploaded by one of our customers, please contact that customer first; we will assist them in responding within the timeframes required by law.

To exercise these rights with us, contact hello@frictionscan.com. We will respond within the timeframes required by law — generally one month under GDPR, with possible extension for complex requests.

11.2 Residents of U.S. states with comprehensive privacy laws

If you are a resident of a U.S. state that has a comprehensive consumer-privacy law currently in effect (including California, Colorado, Connecticut, Delaware, Iowa, Minnesota, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia, as well as other states whose laws come into force from time to time), you generally have the right to:

• know what personal information we collect, use, disclose, and retain about you;
• request deletion of personal information;
• request correction of inaccurate personal information;
• opt out of the sale or sharing of personal information (we do not sell or share personal information as those terms are defined);
• opt out of certain targeted advertising (we do not conduct targeted advertising);
• limit the use of sensitive personal information (we do not collect sensitive personal information for secondary purposes);
• be free from retaliation or discrimination for exercising your rights.

California residents may designate an authorized agent to make requests. To exercise these rights, contact hello@frictionscan.com. We will verify your request by confirming information we already hold about you. If we deny a request, you may appeal by replying to our response with "Appeal" in the subject line.

This Policy is also available in alternative accessible formats on request.

11.3 Other jurisdictions

If your jurisdiction provides specific privacy rights not listed above, you can exercise them by contacting hello@frictionscan.com.

11.4 Do Not Track and Global Privacy Control

Our Service does not respond to browser "Do Not Track" signals because there is no common industry standard for interpreting them. We honor Global Privacy Control (GPC) signals for users covered by U.S. state privacy laws that treat GPC as a valid opt-out.

12. Children

The Service is intended for business use by adults. We do not knowingly collect personal data from anyone under 18. Where applicable law sets a lower minimum age for consent to online services (for example, 13 in the U.S. under COPPA, or 13–16 under GDPR depending on the country), we nevertheless restrict the Service to users aged 18 and older. If you believe a person under 18 has provided personal data to the Service, contact hello@frictionscan.com and we will delete it.

13. Changes to this Policy

We may update this Policy. When we make material changes, we will post a notice in the Service or send an email at least thirty (30) days before the changes take effect, where reasonably possible. The "Last updated" date at the top shows when this Policy was last revised. A summary of recent changes is maintained at [frictionscan.com/privacy/changelog]. Continued use of the Service after the effective date means you accept the updated Policy.

14. Contact

Controller of general Service data:
Force Prime Corp.
16192 Coastal Highway, Lewes, Delaware 19958, County of Sussex, USA

For all privacy inquiries and rights requests, security incidents, DMCA and copyright notices, DPA requests, Subprocessor notification subscriptions, and any other questions about this Policy, contact us at hello@frictionscan.com. When writing, please indicate the subject of your inquiry (for example, "Privacy request", "Security incident", "DMCA notice") in the subject line so we can route your message appropriately.

If we appoint an EU or UK representative under GDPR Article 27, their contact details will be listed here.