Deviation Check is a product of Aliso LLC, a California limited liability company doing business as Deviation Check ("Aliso LLC," "Deviation Check," "we," "us"). This Privacy Policy explains what data we collect when you use our website at deviationcheck.com (the "Site") and our AI-assisted submittal review service (the "Service"), how long we keep it, who we share it with, and your rights under California and other applicable privacy law. Use of the Site and Service is also governed by the Terms of Service.
The short version
- No behavioral or advertising analytics. No Google Analytics, no Plausible, no Fathom, no marketing pixels, no visitor profiling, no third-party ad networks, no retargeting. Our hosting and content-delivery providers process Internet Protocol (IP) addresses and request metadata at the network level for security and content delivery, governed by their own privacy policies; we do not access or use those infrastructure logs for analytics.
- Submittals are never used for model training. When you upload a spec section and a sub's submittal, the content is processed for the review you requested. As of the effective date of this policy, our Large Language Model (LLM) processor (Anthropic) states that content submitted through its commercial Application Programming Interface (API) is not used to train foundation models.
- Source files deleted from active systems within 7 days. Your spec and submittal documents are removed from active systems within 7 days of report generation, and from backup systems per the backup lifecycle schedule.
- Reports retained on a hard sunset. 30 days for per-submittal accounts; for the duration of an active subscription plus 30 days post-cancellation for Project and Firm Suite. After the window closes, data is removed from active systems and from backups per the backup lifecycle schedule. There is no opt-in to extend the retention windows.
What we collect
If you submit the Contact form or email us
We collect the fields you fill in: first and last name, work email, optional company, the subject of your inquiry, and your message. This information goes to our customer relationship management (CRM) system and to our inbox. We use it to reply, scope the engagement, and (if you become a customer) deliver the Service.
Email normalization. Before storing or de-duplicating contact records, free-sample eligibility records, and outbound-email recipients, we may normalize the email address you provide using standard canonicalization techniques. The original address you typed is what receives our reply; an internal canonical form is used to prevent duplicate records and to enforce the one-per-organization free-sample eligibility rule described in Terms of Service section 3.1.
If you submit a submittal pair through the Service
You upload two files: a spec section and a subcontractor's submittal package. Our pipeline reads both, calls a Large Language Model (LLM) backend (Anthropic) to compare them, and returns a deviation report in HTML, Markdown, and JSON formats. We capture the resulting report and basic metadata (filenames, file sizes, processing timestamp, your account ID).
If you become a paying customer
We collect billing details through our payment processor (Stripe). We never see or store your full card number; Stripe handles that. We retain invoice records as required by tax and accounting law (generally 7 years).
What we do not collect
We do not run first-party analytics events on Site pages. The Site currently loads only Cloudflare Turnstile on the Contact form (for bot protection) and our own Application Programming Interface (API) at api.deviationcheck.com. We do not embed YouTube, Vimeo, marketing pixels, chat widgets, or fingerprinting libraries. If a future feature requires loading an additional third-party script (for example, a payment processor's hosted checkout when self-serve billing launches), we will reflect that in this policy.
Our hosting and content-delivery providers may process Internet Protocol (IP) addresses and request metadata at the network level for security and content delivery; that processing is governed by their own privacy policies. We do not request, retrieve, or use those infrastructure logs.
How long we keep your data
Source files (your spec and submittal documents)
Removed from active systems within 7 days of report generation, regardless of subscription tier. The 7-day window covers debugging and re-render edge cases. After 7 days, source documents are deleted from active systems; backup copies are removed per the backup lifecycle schedule (typically within 30 days).
Reports (the deviation reports we generate)
- Per-submittal (pay-as-you-go) accounts: reports retained for 30 days from generation. Export anytime within that window. After 30 days, reports are removed from active systems; backup copies are removed per the backup lifecycle schedule.
- Project and Firm Suite (subscription) accounts: reports retained for the duration of your active subscription plus 30 days after cancellation. Export anytime during that window. After the post-cancellation grace period, reports are removed from active systems; backup copies are removed per the backup lifecycle schedule.
- All tiers: there is no opt-in to extend retention beyond the windows above. We cannot recover data that has cycled out of both active systems and backups.
Account, contact, and CRM records
Retained while your relationship with Deviation Check is active. Deleted within 30 business days of a deletion request, subject to the legal-records carve-out below.
Email correspondence
Retained in our email-delivery service's logs and our mail provider's archive while the relationship is active. Deleted within 30 business days of a deletion request, subject to the legal-records carve-out below.
Paid invoices and tax records
Retained for 7 years as required by U.S. tax and accounting law. Deletion of paid-invoice records during this period is not possible. Other invoice types (draft, unpaid, voided) fall under the general Deletion right described in Your rights.
Legal-records carve-out: we may retain certain records longer than the periods above where required by law (tax and accounting; records under legal hold or active dispute resolution). The carve-out is narrow and applies only to the specific records covered.
Why we are allowed to process your data
The Site and Service are intended for a United States business audience. We do not actively market to or target the European Union (EU) or the United Kingdom (UK). California's Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) apply to California residents.
Where the EU or UK General Data Protection Regulation (GDPR) applies, we rely on the following legal bases:
- Performance of a contract: to provide the Service you have engaged us to perform.
- Legitimate interests: to respond to inquiries, secure the Site and API, prevent abuse, and operate the Service.
- Legal obligation: to retain tax, accounting, and dispute-resolution records.
- Consent: where you provide it explicitly (form-submission acknowledgments, opt-ins).
If you are an EU or UK resident and want to discuss our processing of your personal information, contact hello@deviationcheck.com.
Third parties (subprocessors)
To deliver the Service, we use a short list of vendors. Each acts as a data processor under our instructions and is governed by its own privacy policy and our data-processing agreement with it.
Personal-data processors (handle contact details, account, and payment information):
- Cloudflare: hosts the Site, runs our API at api.deviationcheck.com, and provides Turnstile bot protection on the Contact form.
- HubSpot: customer relationship management (CRM) system holding your contact and deal records.
- Resend: email-delivery service for transactional and outbound emails.
- Stripe: payment processor for invoices and checkout. Deviation Check never sees your card data.
AI processing backend (processes your submittal Content):
- Anthropic: Large Language Model (LLM) backend that compares spec and submittal text. As of the effective date of this policy, Anthropic states that content submitted through its commercial Application Programming Interface (API) is not used to train foundation models. See Anthropic's commercial terms. Vendor terms can change; we will update this policy if Anthropic's published position changes materially.
We do not sell your personal information. We share information only with the service providers listed in this policy and only as necessary to operate the Service. We do not run advertising networks. We do not embed third-party widgets on the Site.
Cookies and local storage
The Site sets no first-party or third-party tracking cookies. The Contact form uses Cloudflare Turnstile, which is used solely for bot detection and abuse prevention; any short-lived cookies it sets are essential to the form's function.
If you create an account on the Service, an essential session cookie is set to keep you logged in. It is first-party, expires when you log out, and is not used for any other purpose.
Security
We use industry-standard administrative, technical, and organizational safeguards designed to protect personal information and Customer Content against unauthorized access, disclosure, alteration, or loss. These include encrypted transport (HyperText Transfer Protocol Secure, HTTPS) for all Site and API traffic, encryption at rest at the storage backend layer, scoped access controls for Aliso LLC personnel, and a restrictive Content Security Policy on the Site.
We do not currently hold third-party security certifications such as Service Organization Control 2 (SOC 2) or International Organization for Standardization (ISO) 27001. If a particular engagement requires a specific certification or a security questionnaire, contact hello@deviationcheck.com to discuss.
No security program eliminates risk. If you become aware of a vulnerability or a suspected security incident affecting the Site or Service, contact hello@deviationcheck.com as soon as practicable.
Your rights
If you have submitted the Contact form, used the Service, or emailed us, you can exercise the following rights by writing to hello@deviationcheck.com:
- Access: request a copy of the data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete information.
- Deletion: ask us to delete your data, subject to the legal-records carve-out.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
We will acknowledge your request within 5 business days and complete the action within 30 business days. The rights above are intended to satisfy obligations under California law (CCPA / CPRA) and EU and UK law (GDPR), where each applies. Residents of those jurisdictions have any additional rights granted by local law; we will honor any such rights through the same email-request mechanism.
Children
The Site and Service are intended for an adult business audience. We do not knowingly collect any information from anyone under the age of 18.
Business transfers
If Aliso LLC is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of substantially all of its assets, personal information may be transferred to the successor or acquiring entity as part of that transaction. We will provide reasonable notice (for example, a notice on the Site or to the email address on file for active customers) before any personal information becomes subject to a different privacy policy.
Changes to this policy
If we materially change this policy, we will update the "Last updated" date above and post the change in advance of the effective date.
Data controller and contact
Aliso LLC is the data controller for personal information processed under this Privacy Policy. The governing jurisdiction for this Privacy Policy is the State of California, United States; for dispute-resolution provisions see Terms of Service section 15.
Questions about this policy, deletion requests, access requests, or other rights requests: hello@deviationcheck.com.
Aliso LLC, dba Deviation Check, deviationcheck.com.