Privacy Policy

Effective Date: February 26, 2026

1. Introduction

Snap Launch LLC ("Company," "we," "us," or "our"), a Florida limited liability company, operates the Simple Advisor Tools platform and the Rollover Analysis Tool at rolloveranalysistool.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting the privacy and security of your data. Our platform implements industry-standard security controls aligned with the SOC 2 Trust Services Criteria, including encryption at rest and in transit, multi-factor authentication, comprehensive audit logging, and automated data retention policies.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, password (hashed using bcrypt), first name, last name, firm name
  • Profile Information: Company name, phone number, website URL, professional certifications, business address
  • Client Data: Client names, account values, employer names, employment status (data you enter for rollover analyses). Sensitive client data fields are encrypted at the application level using AES-256.
  • Payment Information: Processed by Stripe; we store transaction IDs and subscription metadata but never credit card numbers, CVVs, or full card details
  • Communication Data: Messages you send us, support requests, feedback

2.2 Automatically Collected Information

  • Usage Data: Pages visited, features used, time spent, analysis history
  • Device Information: IP address, browser type, operating system, device identifiers
  • Cookies: Authentication tokens, session data, preferences (see Section 8)
  • Analytics: We may use Google Analytics and Microsoft Clarity to understand usage patterns
  • Audit Logs: All API access, authentication events, and data operations are logged for security monitoring and compliance (see Section 5)

3. How We Use Your Information

We use collected information for:

  • Providing and maintaining the Service
  • Processing subscription payments and billing
  • Generating rollover analysis reports and PDF documents
  • Authenticating users and managing accounts
  • Sending technical notices, updates, and support messages
  • Responding to user requests and support inquiries
  • Improving and optimizing the Service
  • Detecting and preventing fraud, abuse, and security issues
  • Maintaining audit trails for security and compliance purposes
  • Complying with legal obligations

4. Third-Party Service Providers

We use the following third-party services that may collect, store, or process your information:

Supabase (SOC 2 Type II Certified):

Database hosting and authentication. Data stored in US data centers with row-level security policies.

Stripe (PCI DSS Level 1 Certified):

Payment processing. Subject to Stripe's privacy policy. We never store full card details.

Vercel (SOC 2 Certified):

Application hosting and content delivery with DDoS protection and edge caching.

Sentry:

Error monitoring and performance tracking. Sensitive data is redacted before transmission per our data sanitization policies.

Google Analytics & Microsoft Clarity (Optional):

Usage analytics. Subject to Google's and Microsoft's respective privacy policies.

5. Data Security

We implement comprehensive security controls to protect your information, aligned with the SOC 2 Trust Services Criteria:

5.1 Encryption

  • In Transit: All data is transmitted via HTTPS/TLS 1.2+ encryption. Strict-Transport-Security headers enforce HTTPS with HSTS preloading.
  • At Rest: Sensitive client data fields (names, analysis data) are encrypted at the application level using AES-256 before database storage. Database-level encryption is provided by Supabase infrastructure.
  • Passwords: User passwords are hashed using bcrypt with automatic salting via Supabase Auth. We never store plaintext passwords.

5.2 Access Controls

  • Authentication: Bearer token-based authentication with automatic token refresh and expiration.
  • Multi-Factor Authentication (MFA): TOTP-based two-factor authentication is available for all accounts. Users can enable MFA via their Security settings.
  • Row-Level Security (RLS): Database access is restricted by Supabase RLS policies ensuring users can only access their own data.
  • Deny-by-Default API Protection: All API routes require authentication unless explicitly designated as public.
  • Session Management: Automatic session expiry after configurable inactivity periods with user warnings before logout.

5.3 Monitoring & Audit

  • Comprehensive Audit Logging: All authentication events, API access, data modifications, and security events are logged with timestamps, user IDs, IP addresses, and request details.
  • Security Event Detection: Failed authentication attempts and suspicious activity patterns are flagged and monitored.
  • Error Tracking: Sentry integration with automatic sensitive data redaction provides real-time error monitoring without exposing user data.
  • Rate Limiting: API endpoints are rate-limited to prevent abuse, brute-force attacks, and denial-of-service attempts.

5.4 Infrastructure Security

  • Content Security Policy (CSP): Strict CSP headers restrict the sources from which scripts and other resources may load, limiting the impact of cross-site scripting (XSS) and other content-injection attacks.
  • Security Headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers are applied to all responses.
  • Input Sanitization: All user inputs are sanitized before processing or storage to reduce the risk of injection attacks.
  • Dependency Scanning: Automated vulnerability scanning of all dependencies via CI/CD pipeline.

While we implement security best practices and controls aligned with industry standards, no system is 100% secure. We cannot guarantee absolute security and are not liable for unauthorized access, hacking, data loss, or other security breaches beyond our reasonable control. See Terms of Service for limitation of liability.

6. Data Retention

We maintain a formal data retention policy in compliance with Department of Labor requirements:

  • Rollover Analysis Data: Retained for 7 years in accordance with DOL recordkeeping requirements for retirement plan transactions.
  • Audit Logs: Retained for 7 years to support compliance investigations and security reviews.
  • Account Data: Retained while your subscription is active. Upon cancellation, account data is retained for the 7-year compliance period unless earlier deletion is requested.
  • Payment Records: Transaction records are retained for the duration required by applicable tax and financial regulations.
  • Automated Enforcement: Data past the retention period is automatically purged by scheduled processes running daily.

Users may request data deletion by contacting us at help@rolloveranalysistool.com. We will delete personal data upon request, subject to the minimum retention periods required by law and our obligations under DOL regulations.

7. Your Rights and Choices

You have the following rights:

  • Access: Request a copy of personal data we hold about you
  • Correction: Update inaccurate or incomplete information via account settings
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Export: Download your rollover analysis data in standard formats
  • Security: Enable multi-factor authentication and manage session settings
  • Opt-Out: Unsubscribe from marketing emails (transactional emails required for service)

To exercise these rights, contact us at help@rolloveranalysistool.com.

8. Cookies and Tracking

We use cookies and similar technologies for:

  • Essential Cookies: Authentication, session management, CSRF protection (required for service operation)
  • Analytics Cookies: Google Analytics and Microsoft Clarity (if enabled) to understand usage patterns
  • Preference Cookies: Remember your settings and preferences

You can disable cookies via browser settings, but this may affect functionality.

9. Children's Privacy

Our Service is not intended for individuals under 18 years old. We do not knowingly collect information from children. If you believe a child has provided us information, contact us immediately.

10. International Users

This Service is intended for use in the United States only. Data is stored on servers located in the United States. By using the Service, you consent to the transfer and processing of data in the US. We do not guarantee compliance with non-US data protection laws (e.g., GDPR).

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Changes will be posted on this page with an updated "Effective Date." Continued use of the Service after changes constitutes acceptance. Material changes may be communicated via email.

12. California Privacy Rights

California residents have specific rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected
  • Right to know whether personal information is sold or disclosed
  • Right to opt out of the sale of personal information (we do not sell personal data)
  • Right to deletion of personal information
  • Right to non-discrimination for exercising CCPA rights

13. Contact Us

For questions about this Privacy Policy or to exercise your privacy rights:

Snap Launch LLC

d/b/a Simple Advisor Tools

Email: help@rolloveranalysistool.com

Website: rolloveranalysistool.com

Florida, United States

By using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.