Privacy Notice
Last updated: June 13, 2026
1. Who we are
COI Watch is operated by Substack Compliance ("we", "us"). Substack Compliance is the data controller for personal data processed in connection with the COI Watch service.
2. Personal data we collect
- Account data — name, email, company name, login credentials.
- Subcontractor data you upload — contact names, emails, business details, certificates of insurance, W-9s, licenses, and related documents.
- Support data — messages and attachments you send us.
- Usage and telemetry — pages viewed, actions taken, device identifiers, browser type, IP address, approximate location, and timestamps.
- Billing identifiers — the customer identifier returned by Paddle. Card details and full billing information are collected and stored by Paddle, not by us.
3. How and why we use it
- Create and operate your account and provide the service (contract performance).
- Process subcontractor documents, run AI parsing, and send expiry alerts (contract performance).
- Prevent fraud, abuse, and security incidents (legitimate interests).
- Improve the service and develop new features (legitimate interests).
- Respond to support requests (contract performance / legitimate interests).
- Send service announcements; send marketing communications only with your consent or where otherwise permitted by law.
- Comply with legal obligations (legal obligation).
4. Who we share data with
- Service providers / subprocessors — hosting, database, email delivery, error monitoring, analytics, and AI document processing providers acting on our instructions.
- Paddle.com — our Merchant of Record. Paddle processes payments, manages subscriptions, calculates and remits taxes, and issues invoices on our behalf. See Paddle's privacy notice at https://www.paddle.com/legal/privacy.
- Professional advisers — accountants, lawyers, and auditors where reasonably needed.
- Authorities — where required by law, court order, or to protect rights and safety.
We do not sell personal data.
5. Retention
We retain personal data only as long as needed to provide the service and to meet legal, accounting, or reporting obligations. Account and document data is kept while your account is active and for a reasonable wind-down period after termination, after which it is deleted or anonymised.
6. Your rights
Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or port your personal data, to object to certain processing, and to withdraw consent. To exercise these rights, contact us through your account. If you are in the UK or EEA, you may also lodge a complaint with your local supervisory authority.
7. International transfers
Personal data may be processed in countries other than your own. Where we transfer personal data out of the UK or EEA we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.
8. Security
We use appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, and least-privilege backend access. No system is completely secure; if a breach affecting your data occurs, we will notify you as required by law.
9. Cookies
We use strictly necessary cookies to keep you signed in and to operate the service, and limited analytics cookies to understand product usage. You can manage cookies through your browser settings.
10. Changes
We may update this Privacy Notice from time to time. Material changes will be communicated by email or in-app notice.
11. Contact
For privacy questions, contact Substack Compliance via the support channel in your account.