Privacy Notice
Last updated: May 3, 2026
Jurisdictional Applicability
| Jurisdiction | Primary statute(s) for the website surface | Lawful basis we rely on |
|---|---|---|
| United States (federal + California baseline) | FTC Act §5; CAN-SPAM Act (15 U.S.C. §7701 et seq.); CCPA / CPRA (Cal. Civ. Code §§1798.100–1798.199.100) | Notice + opt-out; opt-in for marketing email (CAN-SPAM compliant) |
| Other US comprehensive-privacy states (CO, CT, VA, UT, TX, OR, MT, etc.) | State comprehensive privacy acts | Notice + opt-out; honor Global Privacy Control |
| Canada (federal, excluding Quebec) | PIPEDA (S.C. 2000, c. 5); Canada Anti-Spam Legislation ("CASL", S.C. 2010, c. 23) | Meaningful express consent for the waitlist email under PIPEDA + CASL |
Out of scope of this notice. GDPR (EU/EEA), UK GDPR / Data Protection Act 2018, and Quebec Law 25 do not apply to this notice because the website is geo-restricted away from those audiences. If you are a regulator from one of those jurisdictions reading this notice, please contact privacy@faultfinder.ai so we can confirm scope and route you appropriately.
1. Plain-Language Summary
- Who we are. FaultFinder, Inc. (Delaware) — formation pending. We are building an OBD-II diagnostic product for vehicle owners and independent shops. This website (faultfinder.ai) is our pre-launch marketing site and waitlist.
- What we collect on this website. Your email address (only if you join the waitlist) and the bare minimum technical information needed to operate the website. That's it.
- What we do NOT collect. No advertising trackers. No third-party analytics in v1. No social-media pixels. No cross-site tracking. No GPS or location data. No vehicle data — the product is not live yet.
- Why we collect your email. To send you waitlist updates and notify you when the product launches.
- Who we share it with. Only the two operational vendors named in §5 (Cloudflare for hosting; an email-delivery provider for the waitlist). No data brokers, no advertisers.
- Your rights. You can ask us what we hold about you, correct it, delete it, or unsubscribe at any time. Email privacy@faultfinder.ai.
- Geographic scope. US and Canada (excluding Quebec) only. We are not currently open to EU, UK, or Quebec users.
2. Defined Terms
- "FaultFinder", "we", "us", "our" — FaultFinder, Inc. (Delaware) — formation pending.
- "Website" — the marketing website at faultfinder.ai and any subdomain we operate as part of the marketing surface (e.g. blog).
- "Waitlist" — the email-collection mechanism on the Website that lets you register interest in being notified at product launch.
- "Personal information" — given the meaning under PIPEDA s. 2(1) and the CCPA §1798.140(v); roughly, information about an identifiable individual.
This notice is about the Website only. The FaultFinder mobile application and connected-vehicle product are not yet generally available; the product privacy notice will be published separately before launch.
3. Personal Information We Collect
Through the waitlist form
- Your email address — collected only when you submit the waitlist form and click "submit". We do not pre-fetch or capture email addresses you type but do not submit.
Automatically when you visit the Website
- Connection metadata that any web server receives by default: your IP address, the URL you requested, your browser's user-agent string, the referring URL, and the time of the request. We retain these in short-lived edge logs operated by our hosting provider (Cloudflare; see §5).
- Strictly-necessary cookies / local storage required for the page to load and for the waitlist form's anti-abuse protection. We do not set advertising cookies, analytics cookies, or social-media cookies.
No third-party analytics in v1. This Website does not currently use Google Analytics, Plausible, PostHog, Fathom, Mixpanel, Amplitude, or any other third-party product-analytics SDK. If we add analytics before product launch, we will update this notice and the cookie statement in §6 before the change goes live and will lean toward a self-hosted or non-tracking option.
No marketing or advertising trackers. The Website does not load Meta Pixel, TikTok Pixel, LinkedIn Insight, Google Ads conversion tags, X / Twitter pixels, or similar.
4. Why We Collect It (Purposes and Lawful Basis)
| Purpose | Personal information used | Lawful basis (US / CA-ex-QC) |
|---|---|---|
| Add you to the waitlist and send you launch updates | Email address | Consent at the moment of waitlist submission (CASL express consent in Canada outside Quebec; CAN-SPAM compliant in the US); we treat the act of submitting the form as opt-in for waitlist correspondence |
| Operate the Website (serve the page, prevent abuse) | Connection metadata, strictly-necessary cookies | Legitimate operational purpose under PIPEDA Principle 4.3 / CCPA business-purpose §1798.140(e)(1)–(8) |
| Comply with legal obligations (e.g. respond to a lawful request, defend a claim) | Whatever is responsive | Legal obligation / defence of legal claims |
We do not use your email for any purpose other than waitlist correspondence and product-launch notification. We will obtain fresh consent before using it for anything else (e.g. surveys, paid-feature offers).
Sensitive personal information (CCPA SPI). The Website does not collect SPI as defined in CCPA §1798.140(ae). No precise geolocation, no government identifiers, no health data, no financial-account data, no biometrics, no race/ethnicity/religion data.
5. Who We Share It With (Recipients)
We share personal information only with the two operational service providers below and only for the purposes listed.
| Provider | What they process | Purpose | Location |
|---|---|---|---|
| Cloudflare, Inc. | All Website traffic, including IP address, user-agent, requested URL; waitlist form submissions transit Cloudflare on the way to our backend | Website hosting (Cloudflare Pages), serverless functions (Pages Functions), DNS, CDN, DDoS / bot-abuse protection, and storage of the waitlist email database (Cloudflare D1) | United States (with Cloudflare's global edge) |
| Email-delivery provider — final selection to be confirmed before this notice is published | Email address; the content of waitlist messages we send you | Transactional and waitlist-update email delivery | United States |
No other third-party processors. We do not transfer your personal information to advertisers, ad networks, data brokers, telematics insurers, vehicle manufacturers, dealerships, or any other third party.
No sale or share for cross-context behavioral advertising. FaultFinder does not sell personal information and does not share personal information for cross-context behavioral advertising under the CCPA or any equivalent state law. There is no advertising business model on this Website.
Disclosure required by law. We may disclose personal information in response to a valid subpoena, court order, search warrant, or other legal process, and where reasonably necessary to protect our rights, the safety of our users, or the security of the Website. We will narrow such disclosures to what is strictly required and, where the law permits, notify you.
Business transfers. If FaultFinder is acquired or merges with another company, your personal information may be transferred to the successor entity. We will give you advance notice and an opportunity to delete your waitlist record before the transfer takes effect.
6. Cookies and Similar Technologies
This Website uses only strictly-necessary, first-party cookies and local-storage entries:
- a session token used by the waitlist form to prevent duplicate submissions and bot abuse;
- a small key/value pair used by Cloudflare's bot-abuse protection (Cloudflare's
__cf_bmand similar; these are first-party from your perspective).
We do not use cookies for advertising, cross-site tracking, audience segmentation, or behavioral analytics. We do not need a consent banner under any of the laws applicable to our geo-restricted audience because we do not deploy non-essential cookies; if that changes (e.g. if we add analytics before launch), we will update this notice and add an appropriate consent mechanism before the change goes live.
7. International Data Transfers
Our hosting provider (Cloudflare) and our planned email-delivery provider are US-based. As a result:
- US users. Your data is processed within the United States.
- Canadian users (excluding Quebec). Your personal information may be transferred to and processed in the United States. Under PIPEDA, FaultFinder remains accountable to you for the personal information transferred to a processor outside Canada and has contractually required comparable protection. You can complain to the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or to your provincial privacy commissioner.
8. How Long We Keep Data
| Data category | Retention | Rationale |
|---|---|---|
| Waitlist email | Until product launch + 12 months, unless you unsubscribe earlier | We need the email until launch to notify you, plus 12 months after launch to give you a fair chance to convert; afterwards we delete unconverted waitlist records on a rolling basis |
| Cloudflare edge logs (IP, user-agent, URL) | Per Cloudflare's defaults (typically a few days for raw logs) | Operational debugging and abuse mitigation only |
| Email-delivery logs (open / unsubscribe events) | Per the email-delivery provider's defaults; we do not retain past 24 months | Allows us to honor unsubscribes and demonstrate CASL / CAN-SPAM compliance |
| Records we are legally required to keep (e.g. proof of consent for CASL) | The applicable statutory minimum | Legal obligation |
When you unsubscribe, we delete your email from the active waitlist and retain only the minimum suppression record needed to ensure we do not re-add you (a hashed reference, not your raw email).
9. Your Rights
9.1 Rights at a glance
| Right | US (CCPA + comprehensive-state baseline) | Canada (PIPEDA, ex-Quebec) |
|---|---|---|
| Know what we hold about you | Yes (CCPA §1798.110) | Yes (PIPEDA s. 8) |
| Correct inaccurate data | Yes (CCPA §1798.106; CO/CT/VA/etc.) | Yes (PIPEDA s. 9) |
| Delete your data | Yes (CCPA §1798.105; comprehensive-state laws) | Yes (PIPEDA, under OPC guidance for limited categories) |
| Opt out of sale / share / SPI use | Yes — although we do not sell or share | Withdraw consent |
| Honor Global Privacy Control ("GPC") | Yes — we treat a GPC signal as a valid opt-out of sale/share for California users and as an objection to direct marketing for all US users | n/a (no equivalent yet) |
| Withdraw consent for marketing email | Yes (CAN-SPAM unsubscribe) | Yes (CASL withdrawal of consent) |
| Lodge a complaint with a regulator | California Privacy Protection Agency / state AGs | Office of the Privacy Commissioner of Canada; provincial commissioners |
9.2 How to exercise your rights
Email privacy@faultfinder.ai with the request you would like to make. We will respond within:
- 45 days under CCPA / state comprehensive privacy laws (extensible by 45 days with notice);
- 30 days under PIPEDA.
For most requests we will rely on access to the registered email address as identity proof. We will not charge a fee for the first request in any 12-month period and will only charge thereafter where the law allows.
You can lodge a complaint with your regulator at any time without going through us first. We would, however, appreciate the chance to address your concern.
10. Children
This Website is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information through the Website, contact privacy@faultfinder.ai and we will delete it promptly.
11. Security
We use commercially reasonable safeguards including:
- TLS (HTTPS) for all traffic to and from the Website;
- managed encryption at rest for the waitlist email database (Cloudflare D1);
- least-privilege access controls — only the CEO and CTO have production access to the waitlist database;
- no production data in support tooling, marketing tooling, or analytics tooling.
No system is perfectly secure. If we discover a personal-information breach affecting Website users, we will notify the Office of the Privacy Commissioner of Canada (where the PIPEDA "real risk of significant harm" threshold is met under the Breach of Security Safeguards Regulations) and applicable US state AGs / individuals on the timelines required by law.
12. Privacy Contact / Privacy Officer
FaultFinder's Chief Executive Officer is the designated person responsible for personal information under PIPEDA Principle 4.1 (Accountability) for the Website surface.
- Privacy contact (DSARs, deletion, unsubscribe escalations): privacy@faultfinder.ai
- CEO / Privacy Officer: ceo@faultfinder.ai
When headcount permits, FaultFinder will reassign the Privacy Officer role to a dedicated function and update this notice at that time.
13. Changes to This Notice
This notice is versioned under semantic versioning (MAJOR.MINOR). MAJOR bumps reflect changes that materially reduce a user's privacy or expand the categories of data, purposes, or recipients; MINOR bumps reflect clarifications and additions that do not reduce a user's privacy.
We will give at least 30 days' advance notice of any MAJOR change by posting an updated version with a clear "What changed" entry in the change log below and, where we have a current email for you, by emailing the change to your waitlist address.
| Version | Date | Notes |
|---|---|---|
| 1.0 | May 3, 2026 | Initial narrow website-only Privacy Notice for faultfinder.ai. Geo-scoped to US + Canada excluding Quebec. |