Skip to main content
TrackPetition

Startup58 LLC

Privacy Policy

Effective date: May 26, 2026 Last updated: June 2, 2026

1. Introduction

This Privacy Policy explains how Startup58 LLC ("Company," "we," "us") collects, uses, and protects information when you use trackpetition.com (the "Service"). By using the Service, you agree to the practices described in this Policy.

Current status — pre-launch

TrackPetition is currently in a pre-launch phase: today the site is a public information page with an email waitlist, together with a case-status lookup that queries the official USCIS sandbox. At this stage we only collect what you voluntarily provide — your email address if you join the waitlist, the USCIS receipt number you enter to check a case, and the standard server and usage data described below.

The remainder of this Policy describes how the Service will handle data once its full features launch (targeted Q3 2026) — including user accounts, paid subscriptions through Paddle, notifications, saved case history, and self-service account controls. Until a given feature launches, the practices specific to it do not yet apply.

2. Information we collect (specific data types)

a) Account information

  • Email address (required for account creation)
  • Phone number (optional; required only if you enable WhatsApp alerts)
  • Telegram chat ID (optional; required only if you enable Telegram alerts)
  • Display name (optional, user-provided)
  • Encrypted password (we never store plaintext)
  • Account preferences (language, notification settings)

b) Case information

  • USCIS receipt number (receiptNumber) — the 13-character case identifier (3 letters + 10 digits) you voluntarily enter. We treat this as Personally Identifiable Information (PII) because it is associated with an individual's USCIS immigration case.
  • Case status information retrieved from USCIS official systems
  • Case history within our Service

c) Usage data

  • Pages visited and time spent
  • IP address (fraud prevention and analytics)
  • Device type and browser information
  • Geolocation (city or country level, not precise)

d) Payment information (subscribers only)

  • Processed by Paddle (our Merchant of Record)
  • We never store full credit card numbers
  • We receive transaction confirmations only

e) Communication

  • Customer support inquiries
  • Email preferences and consent records

What we do not collect

  • Social Security Numbers
  • Alien Numbers (A-numbers)
  • Passport numbers
  • Financial account numbers
  • Medical information
  • Biometric data
  • Data from anyone under 18

3. How we use your data

We use your data to:

  • Provide the Service
  • Process payments via Paddle
  • Send service notifications
  • Improve the Service through anonymized analytics
  • Comply with legal obligations
  • Prevent fraud and abuse
  • Respond to support requests

We will obtain your active consent before any new data use not described in this Policy.

4. Data sharing — named third parties

We share data only with the following specific entities, all bound by data processing agreements:

a) Paddle (Merchant of Record)

  • Purpose: Payment processing, tax compliance
  • Data shared: Email, name, payment data
  • Their privacy policy: paddle.com/legal/privacy

b) Hostinger (email delivery)

  • Purpose: Sending transactional and account emails (e.g., sign-up, password reset, billing receipts)
  • Data shared: Your email address and the message content
  • Their privacy policy: hostinger.com/legal/privacy-policy

c) Twilio (WhatsApp notifications)

  • Purpose: Delivering case-change alerts over WhatsApp
  • Data shared: Your phone number and the alert message
  • Their privacy notice: twilio.com/legal/privacy

d) Telegram (Telegram notifications)

  • Purpose: Delivering case-change alerts over Telegram
  • Data shared: Your Telegram chat ID and the alert message
  • Their privacy policy: telegram.org/privacy

e) OneSignal (push notifications and email — at launch)

  • Purpose: Browser/device push notifications and case-alert emails (status-change notifications)
  • Data shared: Your device push token and/or email address
  • Their privacy policy: onesignal.com/privacy_policy

f) Cloudflare

g) Google Analytics (Google LLC)

  • Purpose: Aggregated website analytics (pages visited, traffic sources, device/browser type) to understand usage and improve the Service
  • Data shared: A randomized client identifier and page-interaction events. Your IP address is used transiently by Google for coarse geolocation; Google Analytics 4 does not log or store IP addresses. We do not send personal identifiers (name, email, or USCIS receipt numbers) to Google Analytics
  • Their privacy policy: policies.google.com/privacy

h) U.S. Citizenship and Immigration Services (USCIS)

  • Purpose: Retrieving case status information at your request
  • Data transmitted: the USCIS receipt number (receiptNumber) you provide
  • Access basis: USCIS Developer Portal API integration (production access pending at the time of writing)

How we use your receipt number: when you submit a USCIS receipt number, our server authenticates to the official USCIS Case Status API using OAuth 2.0 and sends that receiptNumber to query the current status of that case. We use it solely to retrieve and show you — and, if you enabled alerts, to notify you of — status updates for the case you asked us to track. We do not use receipt numbers for any other purpose, and we do not share them with anyone other than USCIS to perform the lookup.

We do not sell your data. We have never sold data and will never sell data, whether for profit, marketing exchanges, or any monetary or non-monetary exchange.

Third parties are contractually prohibited from using your data for any purpose other than performing services on our behalf. Third parties cannot use your information for their own marketing, profiling, or analytics without your explicit consent. All third parties are bound to the terms and conditions of this Privacy Policy.

5. Data sharing — your choices, risks, and impact on others

Your data-sharing choices

You decide what information you submit to the Service. You may use the Service with the minimum data required for a specific request. You may withdraw a sharing permission at any time through account settings. You may also delete your data entirely (see Section 6).

Benefits, risks, and limitations

  • Benefits: sharing more case information lets us send better-targeted alerts and a richer history of your case.
  • Risks: any information you share enlarges the set of systems and people who can see it. Sharing case information with family members or representatives may reveal family immigration status to them.
  • Limitations: once you delete data, we cannot reconstruct historical responses, debug past requests on your behalf, or restore deleted records.

Impact on others

If you choose to share case information with family members or representatives (for example, a spouse or attorney), please be aware:

  • Recipients see the case information you share.
  • We do not control how recipients use shared information.
  • Sharing may reveal family immigration status, family history, or other personal facts about the individual the case belongs to.
  • Consider the implications before sharing on behalf of another person.

You may revoke sharing permissions at any time through account settings.

6. Your rights — access, correction, deletion

You have the right to:

  • Access all personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request permanent deletion
  • Object to certain data uses
  • Receive your data in a machine-readable format
  • Withdraw consent at any time

How to request data deletion

  • Self-service: Account Settings → "Delete My Account" (single-click option).
  • Email: Write to [email protected] with subject "Data Deletion Request".

When deletion happens

  • Self-service: Permanent deletion within 24 hours.
  • Email request: Acknowledgment within 48 hours; permanent deletion within 7 calendar days.

Data deletion (this section) erases your personal data and is a separate action from account closure (Section 10), which also ends your subscription and access before deleting remaining data within 7 days. If you simply want your data erased as quickly as possible, use the self-service "Delete My Account" option above (within 24 hours).

Exceptions

  • Payment records retained 7 years (legal requirement).
  • Anonymized aggregate analytics may persist.

7. CCPA rights — California consumers

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information we collect.
  • Right to know whether information is sold (we do not sell).
  • Right to access personal information collected.
  • Right to request deletion.
  • Right to non-discrimination for exercising rights.

To exercise these rights, email [email protected] with "CCPA Request" in the subject. We will respond within 45 days.

We do not knowingly sell personal information of any user, including California residents.

8. International rights — GDPR / LGPD

If you are located in the EEA, the UK, or another jurisdiction with data protection laws, you have rights including:

  • Lawful basis for processing.
  • Data portability.
  • Right to erasure.
  • Right to lodge a complaint with a supervisory authority.

Email [email protected] to exercise these rights.

9. Data retention policy

  • Active account data: retained while your account is active.
  • Inactive accounts (12+ months): we send a reactivation email; if there is no response within 60 days, the account is archived; we permanently delete after 24 months of total inactivity.
  • Case lookup history: 24 months active, older entries archived.
  • Payment records: 7 years (legal requirement).
  • Communication records: 3 years.
  • Anonymized analytics: indefinite, non-identifiable.

Dormant accounts policy

After 12 months of no login activity, we send a reactivation email. If you do not respond within 60 days, your account moves to "archived" status (data preserved, service paused). Archived accounts are permanently deleted after 24 months of total inactivity.

10. Account closure

You can close your account at any time:

  • Method 1 — Self-service: Account Settings → "Close My Account" → email link confirmation.
  • Method 2 — Email: Write to [email protected] with subject "Close Account".

What happens:

  • Immediate service access revocation.
  • Subscription canceled (subject to Refund Policy).
  • Personal data permanently deleted within 24 hours (self-service) or within 7 days (email request).
  • Payment records retained 7 years (legal requirement).
  • Anonymized analytics may persist.

Account closure ends your subscription and access, then deletes remaining personal data within 7 days. This is distinct from immediate data deletion: if you only want your data erased and do not need the closure workflow, use the self-service deletion in Section 6 (within 24 hours).

11. Data breach notification

In the event of a data breach affecting your personal information, we will:

  • Notify you by email within 72 hours of detection.
  • Provide details about the nature of the breach.
  • Explain what data was potentially affected.
  • Inform you of the steps we are taking.
  • Provide guidance on actions you may take.
  • Cooperate with applicable regulators.

Notifications come from [email protected].

12. Security

We protect your data with:

  • HTTPS encryption in transit (TLS)
  • Passwords hashed with PBKDF2-HMAC-SHA256 — never stored in plaintext
  • Signed, expiring session tokens (HMAC-SHA256)
  • Credentials and secrets kept server-side, never exposed to the browser
  • Limited access on a need-to-know basis
  • Separation between production and non-production environments
  • Regular dependency and security review

No system is 100% secure. We use commercially reasonable measures.

13. Policy changes

We may update this Policy from time to time.

Material changes

  • Email notification to all users at least 30 days before changes take effect.
  • Active consent required: you must actively agree before changes apply (for example, "Yes, I accept" button on next login).
  • Plain-language summary: we will provide a clear explanation of what changed and why.

Non-material changes (typo fixes, clarifications)

  • Posted with an updated "Last updated" date.
  • No notification required.

If you do not agree to material changes, you may close your account before changes take effect without penalty.

14. Business transfer / ownership change

If Startup58 LLC is acquired, merges, transfers ownership, or ceases operation:

  • We will notify users at least 60 days in advance via email.
  • The new owner's privacy policy must meet or exceed this Policy's protections.
  • You will have options:
    • Continue with the new owner (with new policy notification).
    • Securely export your data.
    • Permanently delete your data before transfer.

In case of cessation: all user data is securely deleted within 90 days unless legally required to retain.

15. Children's privacy

The Service is intended for users 18 years of age or older. We do not knowingly collect data from anyone under 18.

16. International data transfers

Startup58 LLC operates from the United States. Data may be transferred to or processed in:

  • United States (primary) — our hosting provider (Hetzner) operates the server in its U.S. region (Ashburn, Virginia), and Cloudflare provides a global edge network.

For transfers from the EEA or the UK to the United States: we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

17. Contact us

For privacy questions, requests, or concerns: