Legal
Privacy Policy
Last updated: May 2026
The short version
We collect only what we need to deliver your report. We never sell your data, share your contract with third parties, or contact the facility you're evaluating. Your contract file is permanently deleted within 30 days of report delivery. We don't send marketing email. If you opt in to research consent, your contract is de-identified before being retained for that purpose.
1. Who we are
FacilityTruth is owned and operated by David Thomas. When this policy says "we," "us," or "FacilityTruth," it means David Thomas operating FacilityTruth. Our contact email is support@facilitytruth.com.
2. What we collect and why
| What we collect | Why we collect it | How long we keep it |
|---|---|---|
| Your name and email address | To deliver your report and respond to support requests | 12 months, then deleted |
| Your contract file (PDF, JPG, or PNG) | To generate your report. Processed by automated system. | 30 days after report delivery, then permanently deleted |
| Facility name and state | To retrieve Medicare and state inspection data for your report | 30 days after report delivery, then deleted |
| Payment confirmation | To confirm purchase (we never see or store your card number) | 12 months for accounting purposes |
| De-identified contract (only if you opt in) | Research and pattern recognition to improve future reports | Until you request deletion or until removed from research library |
| Basic website analytics | To understand site usage and improve the service | Aggregated, non-identifiable data only |
We do not collect: your full payment card number (handled entirely by Stripe), Social Security numbers, your parent's medical records, or any information beyond what's listed above.
3. Personal information in your contract
Senior care contracts typically contain personal information about prospective residents and their families — names, addresses, dates of birth, signatures, references to medical evaluations, financial details, and similar identifying information. We treat this information as confidential.
Specifically:
- Your contract is processed by an automated analysis system. No human at FacilityTruth reads your contract as part of the standard report process.
- If you contact us about a concern with your report, a team member may review the relevant section to assist you — but only with your knowledge and only to resolve your specific concern.
- We do not extract, index, or use names, addresses, dates of birth, or other identifying details from your contract for any purpose other than generating your report.
- Your contract is transmitted and stored using industry-standard encryption.
- Your contract file is retained for 30 days after report delivery (to allow for support requests), then permanently and irreversibly deleted from our active systems.
- We do not use your contract to train AI models for outside parties, sell to data companies, or share with any third party for any reason.
4. Optional research consent
At intake, we offer an opt-in feature inviting you to allow a de-identified version of your contract to be retained in our research library. The library helps us recognize patterns across many contracts and improve future reports.
How de-identification works. If you opt in, our system generates a separate copy of your contract and removes personal identifiers from that copy before retaining it in the research library. Removed identifiers include: prospective resident name, family member names, addresses, dates of birth, contact information, signatures, and any other directly identifying information. The de-identified copy is what enters the research library; your original file is still subject to the 30-day deletion timeline described above.
Important characteristics of research consent:
- Participation is opt-in only. The default is no participation.
- You receive the same report regardless of your choice. Declining has no effect on price, content, or delivery.
- You can revoke consent at any time by emailing support@facilitytruth.com with the subject "Revoke research consent." Your de-identified contract will be removed from the research library.
- De-identified contracts in the research library are accessed only by the automated analysis system for pattern recognition. No human reviews them as part of the research process.
- De-identified contracts are not sold, shared, or made available to any third party.
Limits of de-identification. No de-identification process is perfect. While our system removes identifiers we recognize, we cannot guarantee that a determined party with access to the de-identified data and substantial outside information could not re-identify a contract. The risk is low — the de-identified contracts are not made publicly available and access is restricted to the automated analysis system — but it is not zero. By opting in, you acknowledge this limitation.
5. How we use your information
We use the information we collect for three purposes:
- To deliver your report. Your contract is processed by our automated analysis system to generate the PDF report delivered to your email address.
- To provide customer support. If you email us with a question or concern, we use your name and email to respond.
- To improve the service. Aggregated, non-identifiable usage data, and (only if you opt in) de-identified contracts in the research library, help us improve future reports.
We do not use your information for advertising, marketing, profiling, or any purpose not described in this policy. We do not send unsolicited email after your report is delivered — no newsletters, no promotional messages.
6. Who we share your information with
We share your information with no one, with two narrow exceptions:
- Stripe — our payment processor. Stripe receives your payment information to process the transaction. We never see your full card number. Stripe's privacy practices are governed by Stripe's Privacy Policy.
- Infrastructure providers — the technical services that host our website and process reports. These providers process data on our behalf under confidentiality agreements and are not permitted to use your data for their own purposes.
We never share your data with: senior care facilities, placement agencies, elder law attorneys, data brokers, advertisers, or any other third party. We do not sell data. We do not have affiliate data-sharing arrangements of any kind. Your contract is yours.
7. State privacy law compliance
We make commercially reasonable efforts to comply with state consumer privacy laws applicable in our service area, including:
- California Consumer Privacy Act (CCPA), as amended by CPRA. California residents have specific rights regarding personal information, including the right to know, the right to delete, and the right to opt out of sale or sharing. We do not sell or share personal information as those terms are defined under California law.
- New York SHIELD Act. We implement reasonable administrative, technical, and physical safeguards for the personal information of New York residents.
- Texas Data Privacy and Security Act. We provide Texas residents the rights described in Section 11 below and disclose our data practices as required.
To exercise any rights under your state's privacy law, email support@facilitytruth.com with a description of your request and the state in which you reside.
8. Cookies and tracking
FacilityTruth uses minimal, privacy-respecting analytics to understand basic site usage — pages visited, general traffic patterns. We do not use advertising cookies, cross-site tracking, or behavioral profiling. We do not use Google Analytics or Facebook Pixel.
If you disable cookies in your browser, all core functionality of the site will continue to work normally.
9. Data security
We use industry-standard security practices to protect your information, including encrypted transmission (HTTPS), encrypted storage, and access controls that limit who can access your data within our systems.
If we become aware of a data breach that affects your personal information, we will notify you by email within 72 hours of becoming aware of the breach, or sooner if required by applicable state law. The notification will describe what information was affected and what steps we are taking in response.
No system is perfectly secure. We take security seriously and review our practices regularly, but cannot guarantee that any data transmitted online is fully secure.
10. Your rights
You have the following rights regarding your personal information:
- Access: You can request a copy of the personal information we hold about you.
- Correction: You can ask us to correct inaccurate information.
- Deletion: You can request deletion of your personal information and contract file at any time — even before the 30-day automatic deletion window.
- Portability: You can request your data in a portable format.
- Objection: You can object to our processing of your information.
- Revoke research consent: If you opted in to the research library, you can revoke consent and request deletion of your de-identified contract at any time.
To exercise any of these rights, email support@facilitytruth.com with the subject line "Privacy request." We will respond within 5 business days, or as required by your state's law if a different timeline applies.
11. Children's privacy
FacilityTruth is intended for adults making decisions about care for elderly family members. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have inadvertently collected information from a minor, we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we'll update the date at the top. For material changes, we'll notify customers we have email addresses for. Continued use of FacilityTruth after a policy update constitutes acceptance of the updated policy.
13. Contact
Questions, concerns, or requests related to this Privacy Policy should be directed to:
David Thomas — FacilityTruth
support@facilitytruth.com
© 2026 FacilityTruth · David Thomas · Terms of Service →