
Privacy Policy.

Effective date 2026-05-06. Last updated 2026-05-24. Related: Terms of Service

Deviation Check is a product of Aliso LLC, a California limited liability company doing business as Deviation Check ("Aliso LLC," "Deviation Check," "we," "us"). This Privacy Policy explains what data we collect when you use our website at deviationcheck.com (the "Site") and our AI-assisted submittal review service (the "Service"), how long we keep it, who we share it with, and your rights under California and other applicable privacy law. Use of the Site and Service is also governed by the Terms of Service.

The short version

  • Cookieless aggregate analytics on the marketing site only. We use Plausible to count aggregate pageviews and a small number of named conversion events on deviationcheck.com (for example, /upload clicks, /contact submissions, sample-report views). Plausible does not set cookies, does not retain Internet Protocol (IP) addresses, does not enable cross-site or cross-device tracking, and does not share data with advertising networks. The intake API (api.deviationcheck.com), the account-area UI, the spec and submittal documents you upload, and the generated deviation reports are not instrumented with Plausible. No Google Analytics, no Fathom, no marketing pixels, no visitor profiling, no third-party ad networks, no retargeting. Our hosting and content-delivery providers process Internet Protocol (IP) addresses and request metadata at the network level for security and content delivery, governed by their own privacy policies; we do not access or use those infrastructure logs for analytics.
  • Submittals are not used for model training, per our Anthropic commercial-API agreement. When you upload a spec section and a sub's submittal, the content is processed for the review you requested. As of the effective date of this policy, our Large Language Model (LLM) processor (Anthropic) states that content submitted through its commercial Application Programming Interface (API) is not used to train foundation models. Vendor terms can change; we will update this policy if Anthropic's published position changes materially.
  • Source files deleted in 7 days from active systems. Your spec and submittal documents are removed from active systems within 7 days of report generation, and from backup systems per the backup lifecycle schedule.
  • Reports retained on a hard sunset. 30 days for per-submittal accounts; for the duration of an active subscription plus 30 days post-cancellation for Project and Firm Suite. After the window closes, data is removed from active systems and from backups per the backup lifecycle schedule. There is no opt-in to extend the retention windows.

What we collect

If you submit the Contact form or email us

We collect the fields you fill in: first and last name, work email, optional company, the subject of your inquiry, and your message. This information goes to our customer relationship management (CRM) system and to our inbox. We use it to reply, scope the engagement, and (if you become a customer) deliver the Service.

Email normalization. Before storing or de-duplicating contact records and outbound-email recipients, we may normalize the email address you provide using standard canonicalization techniques. The original address you typed is what receives our reply; an internal canonical form is used to prevent duplicate records.

If you submit a submittal pair through the Service

You upload two files: a spec section and a subcontractor's submittal package. Our pipeline reads both, calls a Large Language Model (LLM) backend (Anthropic) to compare them, and returns a deviation report in HTML, Markdown, and JSON formats. We capture the resulting report and basic metadata (filenames, file sizes, processing timestamp, your account ID).

How we validate and handle your uploaded files

We accept PDF, Markdown (.md), and plain-text (.txt) files up to 100 MB per file and 50 files per packet. Uploads are validated to confirm the file contents match the declared file type. Files that fail this check are rejected before any processing occurs.

  • We do not render your documents in our application. Uploaded files are forwarded only to our AI processor (Anthropic) for analysis. They are never opened in a browser context on our infrastructure.
  • Source files are deleted within 7 days of report generation per the retention schedule in Section 6 below.
  • We retain cryptographic file fingerprints after source-file deletion. A SHA-256 hash of each uploaded file is retained after the source file itself is deleted, for fraud prevention, duplicate-submission detection, abuse prevention, and service integrity purposes. These hashes cannot be used to reconstruct the underlying document.
  • Rate limits apply. Uploads are rate-limited per account and per IP address to protect service availability. Limits are enforced server-side.

If you become a paying customer

We collect billing details through our payment processor (Stripe). We never see or store your full card number; Stripe handles that. We retain invoice records as required by tax and accounting law (generally 7 years).

What we do not collect

The Site loads three categories of third-party request: (a) the cookieless Plausible analytics beacon on the public marketing site (see Third parties below); (b) Cloudflare Turnstile on the Contact form (for bot protection); and (c) requests to our own Application Programming Interface (API) at api.deviationcheck.com. We do not embed YouTube, Vimeo, marketing pixels, chat widgets, or fingerprinting libraries. If a future feature requires loading an additional third-party script (for example, a payment processor's hosted checkout when self-serve billing launches), we will reflect that in this policy.

Our hosting and content-delivery providers may process Internet Protocol (IP) addresses and request metadata at the network level for security and content delivery; that processing is governed by their own privacy policies. We do not request, retrieve, or use those infrastructure logs.

How long we keep your data

Retention windows are fixed and not user-configurable as of 2026-05-06. The schedules below apply by default; there is no opt-in to extend. If you need an artifact long-term, export it within the retention window. After the window closes, data is removed from active systems and from backups per the backup lifecycle schedule.

Source files (your spec and submittal documents)

Removed from active systems within 7 days of report generation, regardless of subscription tier. The 7-day window covers debugging and re-render edge cases. After 7 days, source documents are deleted from active systems; backup copies are removed per the backup lifecycle schedule (typically within 30 days).

Reports (the deviation reports we generate)

  • Per-submittal (pay-as-you-go) accounts: reports retained for 30 days from generation. Export anytime within that window. After 30 days, reports are removed from active systems; backup copies are removed per the backup lifecycle schedule.
  • Project and Firm Suite (subscription) accounts: reports retained for the duration of your active subscription plus 30 days after cancellation. Export anytime during that window. After the post-cancellation grace period, reports are removed from active systems; backup copies are removed per the backup lifecycle schedule.
  • All tiers: there is no opt-in to extend retention beyond the windows above. We cannot recover data that has cycled out of both active systems and backups.

Account, contact, and CRM records

Retained while your relationship with Deviation Check is active. Deleted within 30 business days of a deletion request, subject to the legal-records carve-out below.

Email correspondence

Retained in our email-delivery service's logs and our mail provider's archive while the relationship is active. Deleted within 30 business days of a deletion request, subject to the legal-records carve-out below.

Paid invoices and tax records

Retained for 7 years as required by U.S. tax and accounting law. Deletion of paid-invoice records during this period is not possible. Other invoice types (draft, unpaid, voided) fall under the general Deletion right described in Your rights.

Legal-records carve-out: we may retain certain records longer than the periods above where required by law (tax and accounting; records under legal hold or active dispute resolution). The carve-out is narrow and applies only to the specific records covered.

Why we are allowed to process your data

The Site and Service are intended for a United States business audience. We do not actively market to or target the European Union (EU) or the United Kingdom (UK). California's Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) apply to California residents.

Where the EU or UK General Data Protection Regulation (GDPR) applies, we rely on the following legal bases:

  • Performance of a contract: to provide the Service you have engaged us to perform.
  • Legitimate interests: to respond to inquiries, secure the Site and API, prevent abuse, and operate the Service.
  • Legal obligation: to retain tax, accounting, and dispute-resolution records.
  • Consent: where you provide it explicitly (form-submission acknowledgments, opt-ins).

If you are an EU or UK resident and want to discuss our processing of your personal information, contact us at hello@deviationcheck.com.

Third parties (subprocessors)

To deliver the Service, we use a short list of vendors. Each acts as a data processor under our instructions and is governed by its own privacy policy and our data-processing agreement with it.

Personal-data processors (handle contact details, account, and payment information):

  • Cloudflare: hosts the Site, runs our API at api.deviationcheck.com, and provides Turnstile bot protection on the Contact form.
  • HubSpot: customer relationship management (CRM) system holding your contact and deal records.
  • Resend: email-delivery service for transactional and outbound emails.
  • Stripe: payment processor for invoices and checkout. Deviation Check never sees your card data.

AI processing backend (processes your submittal Content):

  • Anthropic: Large Language Model (LLM) backend that compares spec and submittal text. As of the effective date of this policy, Anthropic states that content submitted through its commercial Application Programming Interface (API) is not used to train foundation models. See Anthropic's commercial terms. Vendor terms can change; we will update this policy if Anthropic's published position changes materially.

Marketing-site analytics (touches only the public marketing site at deviationcheck.com; never submittal Content, the spec section text, the deviation report, or your account record):

  • Plausible: aggregate website analytics on the public marketing site only (cookieless; no Internet Protocol address retention; country-level geographic detail derived from a daily-rotating hash; no submittal Content; no contact details; no payment information). Plausible Insights OÜ is incorporated in Estonia and processes data on infrastructure operated by European companies within the European Union. Privacy and data processing addendum at plausible.io/data-policy and plausible.io/dpa. Plausible is not a subprocessor of submittal Content; the thirty-day pre-notification commitment described below applies to subprocessors that process personal information you provide to us and does not trigger on its addition.

Changes to the subprocessor list. Where Aliso LLC engages a new subprocessor that will process personal information you have provided to us, or replaces an existing subprocessor with one that materially changes how personal information is processed, we will, where reasonably practicable, provide at least thirty (30) days' advance notice by updating this page. If you object to a new subprocessor on data-protection grounds, contact us through our contact form within the notice period; we will work in good faith to resolve the objection or, if it cannot be resolved, your remedy is to terminate the Service. Emergency replacements (for example, where a subprocessor suspends service) may require shorter notice; in those cases we will provide notice as soon as practicable.

We do not sell your personal information. We share information only with the service providers listed in this policy and only as necessary to operate the Service. We do not run advertising networks. We do not embed third-party widgets on the Site.

Cookies and local storage

The Site sets no first-party or third-party tracking cookies. The Contact form uses Cloudflare Turnstile, which is used solely for bot detection and abuse prevention; any short-lived cookies it sets are essential to the form's function.

If you create an account on the Service, an essential session cookie is set to keep you logged in. It is first-party, expires when you log out, and is not used for any other purpose.

Security

We use industry-standard administrative, technical, and organizational safeguards designed to protect personal information and Customer Content against unauthorized access, disclosure, alteration, or loss. These include encrypted transport (HyperText Transfer Protocol Secure, HTTPS) for all Site and API traffic, encryption at rest at the storage backend layer, scoped access controls for Aliso LLC personnel, and a restrictive Content Security Policy on the Site.

We do not currently hold third-party security certifications such as Service Organization Control 2 (SOC 2) or International Organization for Standardization (ISO) 27001. If a particular engagement requires a specific certification or a security questionnaire, contact us at hello@deviationcheck.com to discuss.

No security program eliminates risk. If you become aware of a vulnerability or a suspected security incident affecting the Site or Service, contact us at hello@deviationcheck.com as soon as practicable.

Breach notification. If we determine that a security incident has resulted in the unauthorized access to, disclosure of, or acquisition of unencrypted personal information you have provided to us, we will notify you without unreasonable delay in accordance with California Civil Code section 1798.82 and any other applicable breach-notification law. Notice will be sent to the email address on file for your account or, where no account exists, to the email address on your most recent submission.

Your rights

This section explains the rights available to you regarding personal information Aliso LLC holds about you. These rights apply if you have submitted the Contact form, used the Service, or emailed us. To exercise any of the rights below, submit a request through our contact form with the subject "Privacy rights request."

Rights under the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA)

If you are a California resident, you have the following rights regarding personal information that Aliso LLC, as a "business" under California Civil Code section 1798.140(d), collects about you:

  • Right to know what categories of personal information we collect, the categories of sources, the business or commercial purposes for collection, and the categories of third parties or service providers with whom we share that information. The categories applicable to Aliso LLC are described elsewhere in this Privacy Policy.
  • Right to access the specific pieces of personal information we hold about you, in a portable form where reasonably available.
  • Right to delete personal information we have collected from you, subject to the statutory exceptions in California Civil Code section 1798.105(d) and the legal-records carve-out described above.
  • Right to correct inaccurate personal information we hold about you.
  • Right to opt-out of sale or sharing. Aliso LLC does not sell personal information and does not share personal information for cross-context behavioral advertising; there is therefore no sale or share to opt out of. We do not knowingly sell or share personal information of California consumers under 16 years of age.
  • Right to limit use of sensitive personal information. Aliso LLC does not collect sensitive personal information as defined in California Civil Code section 1798.140(ae) in the ordinary course of providing the Service.
  • Right to non-discrimination. We will not deny, charge differently for, or provide a different level of quality of Service because you exercised any of the rights above.

Rights under the EU and UK General Data Protection Regulation (GDPR)

If the GDPR applies to our processing of your personal information, you have the following rights:

  • Access to your personal information.
  • Rectification of inaccurate or incomplete personal information.
  • Erasure of personal information, subject to legal-records carve-outs.
  • Restriction of processing in certain circumstances.
  • Data portability in a structured, machine-readable format.
  • Objection to processing based on legitimate interests.
  • Withdrawal of consent where processing is based on consent (without affecting the lawfulness of processing before withdrawal).
  • Right to lodge a complaint with your supervisory authority.

Identity verification

To prevent unauthorized access to your personal information, we verify the identity of the requester before completing any request. The level of verification scales with the sensitivity of the request:

  • Non-account requests (Contact form submitters): we match the email address on your request to the email address used in the original submission and may request additional information you previously provided (for example, your company or the subject of your inquiry) to confirm identity.
  • Account holders (per-submittal, Project, Firm Suite): we require verification of additional data points (for example, login to an active account or matching multiple data points associated with the account) before processing deletion or access requests.
  • Authorized-agent requests: see below.

Authorized agents

You may designate an authorized agent to make a request on your behalf under California Civil Code section 1798.135(d). The authorized agent must provide (a) written, signed permission from you authorizing the agent to act, (b) verification of the agent's own identity, and (c) verification of your identity as described above. We may deny a request from an agent that does not submit proof of authorization.

Response timing

We will acknowledge a verified rights request within 5 business days and complete the action within forty-five (45) calendar days from receipt, consistent with California Civil Code section 1798.130(a)(2). We may extend the response window by an additional forty-five (45) calendar days where reasonably necessary, with notice to you. Where the GDPR applies, we will respond within one (1) month of receipt, extendable by two (2) further months for complex requests with notice to you.

California Shine the Light

California Civil Code section 1798.83 (the "Shine the Light" law) entitles California residents to request, once per calendar year, information regarding our disclosure of personal information to third parties for those third parties' direct-marketing purposes. Aliso LLC does not disclose personal information to third parties for their direct-marketing purposes, so there are no disclosures to report.

Children

The Site and Service are intended for an adult business audience. We do not knowingly collect any information from anyone under the age of 18.

Business transfers

If Aliso LLC is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of substantially all of its assets, personal information may be transferred to the successor or acquiring entity as part of that transaction. We will provide reasonable notice (for example, a notice on the Site or to the email address on file for active customers) before any personal information becomes subject to a different privacy policy.

Changes to this policy

If we materially change this policy, we will update the "Last updated" date above and post the change in advance of the effective date.

Data controller and contact

Aliso LLC is the data controller (under the EU and UK General Data Protection Regulation (GDPR)) and the business (under the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA)) for personal information processed under this Privacy Policy. The governing jurisdiction for this Privacy Policy is the State of California, United States; for dispute-resolution provisions see Terms of Service section 15.

Questions about this policy, deletion requests, access requests, or other rights requests: hello@deviationcheck.com.

Aliso LLC dba Deviation Check, deviationcheck.com.

© 2026 Aliso LLC dba Deviation Check. All rights reserved. deviationcheck.com