Privacy Policy

Last updated: March 2026

1. Who We Are

RightStart is operated by Josh Green, based in California, United States. For the purposes of applicable data protection law, RightStart is the data controller responsible for your personal data. You can reach us at help@rightstart.co.

2. Google Sign-In Data

RightStart offers sign-in with Google as an authentication option, provided through our authentication service, Clerk. When you sign in with Google, we access the following Google user data:

  • Data accessed. Your Google account name, email address, and profile picture. These are the only types of Google user data our application accesses. We request only basic profile scopes ("email" and "profile") — no access to Gmail, Google Drive, Calendar, or any other Google services.
  • How we use it. Your Google name and email are used solely to create and identify your RightStart account, authenticate your sessions, send transactional emails (purchase receipts, security alerts), and — only with your separate opt-in consent — send product update emails. We do not use your Google data for advertising, profiling, or any purpose unrelated to operating the service.
  • Data sharing. We do not sell, rent, or share your Google user data with any third parties for marketing or advertising. Your Google data is shared only with our authentication provider (Clerk) as necessary to process sign-in, our database provider (Neon) for account storage, and our email delivery provider (Resend) to send transactional and, where you have opted in, product update emails. These providers act as data processors under contractual agreements and do not use your data for their own purposes.
  • Storage and protection. Your Google user data is stored in our database hosted on Neon (SOC 2 compliant) in the United States. All data is encrypted in transit via HTTPS/TLS and encrypted at rest by our infrastructure providers. Access to production systems is restricted to authorized personnel only.
  • Retention and deletion. Your Google user data is retained while your account is active. When you close your account, all Google user data is deleted within 90 days. You can request deletion at any time by emailing help@rightstart.co. You can also revoke RightStart's access to your Google account at any time through your Google Account permissions.

RightStart's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

3. What We Collect

We collect minimal data, and only what's needed to operate and improve the service:

  • Account information. When you create an account, we collect your name and email address through our authentication provider, Clerk. Clerk also processes authentication tokens, session data, and login timestamps on our behalf.
  • Purchase information. When you make a purchase, payment is processed by Stripe. RightStart does not store your full credit card number. We receive a transaction confirmation, the last four digits of your card, and your billing address from Stripe for our records.
  • Feedback submissions. When you use the in-app feedback button, we store your message, the feedback type (bug, idea, or contact), the page URL, your browser user-agent string, and your email address if you choose to provide one.
  • Usage analytics. We use Vercel Analytics to collect anonymous, aggregated page view and performance data (Core Web Vitals). This does not track individual users or use advertising cookies.
  • Search and filter activity. We may log how the tool is used — including search criteria, filter selections, and report generation — to improve the product and understand usage patterns. This data is associated with your session but is used internally only.

4. How We Use Your Information

We use the information we collect to:

  • Provide and operate the service (account management, authentication, report generation)
  • Process purchases and send transaction confirmations
  • Send transactional and service-related emails (account verification, password resets, security alerts, purchase receipts, service announcements)
  • Respond to your feedback and support requests
  • Improve the service based on usage patterns and analytics
  • Send product update and marketing emails, only with your separate opt-in consent

5. Legal Basis for Processing

For users in the European Economic Area (EEA) and United Kingdom, we process personal data under the following legal bases:

  • Contractual necessity. Account data and payment processing, which are required to provide the service you signed up for.
  • Legitimate interest. Usage analytics, service improvement, and transactional communications. Our legitimate interest is operating and improving the service, and we believe this does not override your rights because the data is minimal, mostly aggregated, and directly related to the service you chose to use.
  • Consent. Marketing communications and optional feedback submissions. You can withdraw consent at any time.

6. What We Don't Do

  • We do not sell, rent, or share your personal information with third parties for marketing, advertising, or any other purpose. We do not “sell” or “share” personal information as those terms are defined under the California Consumer Privacy Act (CCPA).
  • We do not use third-party advertising trackers, retargeting pixels, or behavioral profiling tools.
  • We do not use your data to make automated decisions that produce legal or similarly significant effects on you.

7. Cookies and Similar Technologies

We use only essential cookies required for the service to function. We do not use advertising or tracking cookies.

  • Authentication cookies. Clerk sets session cookies to keep you logged in and secure your account. These are strictly necessary and cannot be disabled while using the service.
  • Analytics. Vercel Analytics does not use cookies. It collects anonymous, aggregated performance data only.

8. IRS Form 990 Data

All compensation data displayed by this tool comes from publicly filed IRS Form 990 returns. This data is public record, freely available from the IRS. RightStart does not create or modify this data — we index, normalize, and present it for analysis.

Information about individuals named in Form 990 filings (names, titles, compensation) originates from U.S. public records filings and is widely available from government sources. We process this data under our legitimate interest in nonprofit transparency and governance research. We do not combine 990 data with other sources to build profiles of named individuals.

If you are named in a Form 990 filing displayed on this site and have concerns, please contact us at help@rightstart.co.

9. Service Providers

We use the following third-party service providers to operate the service. These providers process data on our behalf under data processing agreements and do not use your data for their own purposes.

All connections to these providers use HTTPS/TLS encryption in transit.

10. Data Storage and International Transfers

Your data is processed and stored in the United States. If you are located outside the United States, your data will be transferred to the U.S. for processing. U.S. data protection laws may differ from those in your jurisdiction.

For transfers of personal data from the EEA or UK, we rely on the EU-U.S. Data Privacy Framework where applicable, and Standard Contractual Clauses incorporated into our agreements with sub-processors.

11. Email Communications

Transactional emails. We send account-related emails that are necessary to operate the service (verification, password resets, purchase receipts, security alerts, service announcements). These cannot be opted out of while your account is active.

Marketing emails. We will only send you product updates, feature announcements, or promotional emails if you have separately opted in. You can unsubscribe at any time using the link in each email. We honor unsubscribe requests within 10 business days.

Every non-transactional email we send includes our identity, a physical mailing address, and a clear unsubscribe link.

12. Data Retention

  • Account data. Retained while your account is active. Deleted within 90 days of account closure.
  • Purchase records. Retained for 7 years for tax and accounting purposes.
  • Feedback submissions. Retained indefinitely unless you request deletion.
  • Usage and search logs. Retained for up to 24 months, then deleted or anonymized.

To request deletion of your data, email us at help@rightstart.co with the email address associated with your account.

13. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Request correction of inaccurate data.
  • Deletion. Request deletion of your personal data.
  • Portability. Request your data in a structured, machine-readable format.
  • Objection. Object to processing based on legitimate interest.
  • Restrict processing. Request that we limit how we use your data.
  • Withdraw consent. Where we rely on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at help@rightstart.co. We will respond within 30 days.

California residents: Under the California Consumer Privacy Act (CCPA), California residents have the right to know what personal information we collect and how we use it, request deletion of personal information, and opt out of the sale or sharing of personal information. We do not sell or share personal information as defined by the CCPA. To exercise your rights, contact us at the email above.

EEA and UK residents: You have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights under GDPR have been violated.

14. Children's Privacy

RightStart is not directed at anyone under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at help@rightstart.co.

15. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users by email and any applicable regulatory authorities as required by law. Where required by GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

16. Changes to This Policy

We may update this policy from time to time. For material changes, we will notify registered users by email at least 14 days before the changes take effect. The “Last updated” date above will always reflect the most recent revision.

Continued use of the service after changes take effect constitutes acceptance for processing based on contractual necessity or legitimate interest. Where we rely on consent, we will seek your renewed consent for material changes.

17. Contact

Privacy questions or data requests? Contact us at help@rightstart.co.