Privacy Policy
This page explains what information Porch Approved collects, how we use it, and what control you have over it. Plain English where possible — please contact us if anything is unclear.
1. Who we are
Porch Approved is operated by 6th Wave Consulting, LLC, a Texas limited liability company. The service runs at porchapproved.net (and www.porchapproved.net). We host with a US-based cloud infrastructure provider and store all data in the United States.
2. What we collect
From everyone who visits
- IP address (used for rate limiting and abuse prevention; not joined to your identity)
- Standard request metadata logged by our hosting provider (browser, country, request time)
From members
- Authentication: a session cookie tied to the community password you entered. We do not require an email to view a community.
- If you post a rating, comment, or chat message: the display name you typed plus the content of the message.
- If you mark interest in a group rate: the fact that your session was interested (no name attached unless you also wrote a chat message).
From community admins
- Name, email, phone, mailing address (entered at community signup)
- A salted hash of your admin password (we never store the password itself)
- Any additional admins you add via the team page (their name, email, password hash)
From service providers
- Name, business name, email, phone, password hash (entered at /p/register)
- Stripe customer ID + subscription ID once you upgrade (so we can manage your subscription; we never see your card number)
- Public replies you write under ratings (visible in the community directory)
From people contacting us
- Anything you submit via the support form: name, email, phone (optional), message
3. How we use it
- To run the service. Hosting your community directory, showing ratings to members, routing chat messages, processing logins.
- To prevent abuse. Rate limits use IP address; failed login attempts are logged.
- To respond to support requests. If you contact us, we read your message and reply.
- To send transactional notifications. Password reset links, SMS verification codes (when you opt in), and infrequent service-update notices.
We do not use your data to train AI models, sell to advertisers, or build third-party profiles. We do not run third-party analytics or tracking scripts.
4. Who we share data with
- Cloudflare — hosting, DNS, CDN. Their privacy policy: cloudflare.com/privacypolicy.
- That's it. No payment processor (we don't take payments today). No advertising networks. No data brokers. No analytics services. No CRM exports. We do not sell your data, full stop.
We will disclose data if compelled by valid legal process and we'll notify you if legally permitted.
5. Cookies
We use a small number of strictly-necessary first-party cookies:
- Session cookies — keep you signed in to your community as a member, admin, service provider, or site operator (each role uses a separate cookie). Lifetime: 30 days.
- Technical cookies — short-lived helpers used internally so freshly-written data shows up immediately after you submit it. Lifetime: 7 days.
All our cookies are HttpOnly, Secure, and SameSite=Lax. We do not set any third-party cookies. We do not run analytics, advertising, or tracking cookies — the cookies we do set are the minimum required to make the service work.
6. Your rights
Regardless of where you live, you can:
- Access the data we have about you. Contact us via the support form, using the email you registered with.
- Correct any inaccurate data. Same channel.
- Delete your account and your data. Same channel — we'll delete within 30 days, retaining only what we're legally required to keep (e.g., billing records for tax purposes).
- Export a copy of your data in machine-readable form. Same channel.
- Withdraw consent for any optional processing.
If you're in California, the EU, or the UK and want to exercise rights under CCPA / GDPR / UK GDPR, the same channel works. We respond within 30 days.
7. How long we keep data
- Active accounts: as long as the account is in use.
- Sessions: auto-expire (30 days for app sessions, 90 days for the invite cookie). Expired sessions are deleted within 24 hours.
- Closed accounts: 90 days after closure, then deleted.
- Operational logs auto-purge on short windows: rate-limit log (7 days), error log (14 days), spam-block log (30 days), operator audit log (90 days), member-phone requests (60 days), one-time tokens (deleted ~7 days after expiry). Backed up first, then deleted from the live database.
- IP addresses stored for monitoring are truncated to the /24 network at write time — we keep enough signal to detect abuse patterns without storing precise locations.
- Backups: retained for 1 year, then rotated out.
- Billing records: kept 7 years for US tax compliance, even after account closure.
- Support requests: kept indefinitely so we can recognize repeat issues, unless you ask for deletion.
8. Security
- HTTPS-only — your traffic to porchapproved.net is always encrypted in transit.
- Passwords are stored using industry-standard salted hashing with a per-account unique salt and a high iteration count (well above the OWASP recommendation). We do not store your password and cannot recover it; we can only reset it.
- Session cookies are HttpOnly, Secure, and SameSite=Lax — they're not readable from page scripts and aren't sent on cross-site requests.
- All database access is parameterized — user input is never concatenated into queries.
- Encrypted daily backups stored in access-controlled storage. Restore keys are held only by the site operator.
- Per-IP rate limiting on login, signup, support form, AI Q&A, password reset, and other sensitive endpoints.
- Bot protection on public forms.
We deliberately do not publish detailed technical specifics of our security controls. No system is perfectly secure — if you believe you've found a vulnerability, please contact us with the details and we'll investigate quickly.
9. Children's data
Porch Approved is for adults (18+). We do not knowingly collect data from anyone under 18. If you believe a child has registered, contact us and we'll delete the account.
10. Changes to this policy
If we make material changes we'll update the "Last updated" date at the top of this page and, where we have your email, send a notification. Continued use of the service after a change means you accept the updated policy.
11. Contact
Privacy questions, deletion requests, or anything else: contact form.