Privacy Policy

Last updated: April 6, 2026

CRA Compliance Suite is operated by Terry Arthur Consulting, based in the U.S. Virgin Islands. This policy describes how we collect, use, store, and protect your information when you use our platform.

Information We Collect

Account Information

When you register, we collect your name, email address, and organization name. If you subscribe to a paid plan, payment is processed by Square — we do not store credit card numbers on our servers.

Uploaded Files

When you upload WordPress plugins, themes, or blocks for analysis, we store the uploaded ZIP files on our servers for the duration of your plan's retention period. Files are used solely for compliance analysis and are not shared with third parties.

Analysis Results

We store the results of compliance analyses, including scores, vulnerability findings, SBOM data, and recommendations. These results are associated with your organization account.

Usage Data

We collect basic usage data including pages visited, features used, and analysis frequency. This helps us improve the platform. We use Mautic (self-hosted) for email communications — no third-party tracking services are used.

How We Use Your Data

• Providing the service — analyzing your uploads, generating reports, managing your account
• Communication — account notifications, security alerts, product updates (you can unsubscribe from non-essential emails)
• Platform improvement — aggregate, anonymized usage patterns help us improve analysis accuracy and user experience

We do not sell, rent, or share your personal data or uploaded code with third parties.

Data Storage and Security

• All connections are encrypted via TLS (HTTPS)
• Uploaded files are stored on encrypted volumes
• Passwords are hashed using bcrypt with per-user salts
• JWT tokens are used for session management with automatic expiration
• Two-factor authentication (2FA) is available for all accounts

Data Retention

Uploaded files and analysis results are retained according to your subscription plan:

• Free plan: 7 days
• Starter plan: 90 days
• Professional plan: Indefinite (while subscription active)
• Enterprise plan: Indefinite (while subscription active)

When you delete your account, all associated data — including uploaded files, analysis results, and personal information — is permanently removed within 30 days.

Third-Party Services

• Square — payment processing. Square's privacy policy governs payment data.
• Mautic (self-hosted) — email communications. No data leaves our infrastructure for this purpose.

We do not use Google Analytics, Facebook Pixel, or any third-party tracking services.

Cookies

We use minimal cookies:

• Session cookies — required for authentication (expire when you log out or after 7 days)
• Preference cookies — remember your settings (theme, language)

We do not use advertising cookies or cross-site tracking.

Your Rights

You have the right to:

• Access your personal data and analysis results at any time through your account
• Export your data in standard formats (JSON, PDF)
• Delete your account and all associated data
• Correct inaccurate personal information
• Object to non-essential data processing

If you are in the European Union, you have additional rights under the GDPR, including the right to data portability and the right to lodge a complaint with your local data protection authority.

Changes to This Policy

We will notify registered users by email of any material changes to this policy at least 14 days before they take effect.

Contact

For privacy-related questions or requests, contact us at support@cra-compliance.store.