Privacy Policy

Two categories of personal data, plus operational telemetry.

Applicant data — when you create an account and build a profile we store: your name, email, phone (optional), city/state, preferred geographies, investable-capital range (bucketed), net-worth range (bucketed), financing-need, ownership preference, years of management or business-ownership experience, prior franchise ownership, industry preferences, and your investment timeline. We deliberately collect ranges for capital and net worth — never exact dollar amounts.

Brand data — when you claim a brand we store your name, work email, role, and the brand you represent.

Operational telemetry — server logs (request paths, status codes, IP addresses for security), authentication events, and basic page-view counters. We do not run third-party ad pixels or behavioral-tracking SDKs on the public site as of the date above.

• To run your account, build your applicant profile, surface fit estimates, and route applications you initiate.
• To extract structured data from public Franchise Disclosure Documents and present it on the platform. (FDD data is public and not personal.)
• To detect abuse, prevent fraud, and keep the service reliable. This is the only use of IP-level logs.
• To communicate with you about your account, an application you submitted, or material changes to this policy.

This is the section that matters most. The flow is applicant-initiated and consent-gated:

1. You apply to a specific brand. That apply action is the consent event for sharing your profile snapshot with that brand. We record the timestamp.
2. If the brand has claimed their listing, your application lands in their inbox. They see the structured profile snapshot, your fit assessment, and contact details.
3. If the brand has not claimed their listing, we route your application by email to the brand’s registered FDD contact and notify you it was sent.
4. Brands can see aggregate counts and ranges of applicant interest (e.g., “5 prospective buyers, top capital range $300K–$500K”) for their own brand without seeing any individual applicant’s details, regardless of claim status. Aggregates are anonymized.

We never push, recommend, or auto-route your data to brands for compensation. We do not sell applicant lists. We do not collect referral or success-based fees if you sign a franchise agreement.

Every applicant introduction (which brand received which application, when, with what consent timestamp) is recorded in an audit log. You can request a copy of your applicant audit trail any time.

We use a small number of third-party processors to run the platform. Each processes data only on our instructions:

• Supabase — database, authentication, storage. US-region.
• Vercel — application hosting. US-region edge.
• Resend — transactional email (authentication, application notifications).
• Google Cloud — durable storage for FDD source PDFs.

We do not share applicant personal data with advertising or data-broker networks.

Account and profile data: kept while your account is active; deleted (or anonymized) within 30 days of account closure on request, except where we’re required to retain it to resolve a dispute, fulfill a legal obligation, or maintain audit-log integrity for applications you submitted.

Application records: retained for as long as the receiving brand keeps them in their pipeline, plus an audit-log entry we retain indefinitely (without contact details after account closure) to ensure we can answer “did this introduction happen and on what consent.”

Server logs: retained 90 days, then truncated.

You can:

• Access a copy of the personal data we hold on you.
• Correct or update your profile from your account at any time.
• Delete your account, which removes your profile and (on request) your application history, subject to the retention exceptions above.
• Withdraw an application you submitted; we’ll mark the receiving brand notified that the application is no longer active.
• Object to specific uses, or request that we stop sending you email outside transactional notifications.

For California residents: you have additional rights under the CCPA / CPRA, including a right to know specific pieces of personal information we hold, a right to delete, and a right to opt out of any “sale” or “sharing” of personal information. We do not sell or share applicant data for cross-context behavioral advertising. To exercise CCPA rights, email privacy@commonfranchise.com.

We use industry-standard encryption in transit (TLS) and at rest, role-based access to applicant data on the server, and audit logging on lead-introduction events. No system is perfect; if you spot a vulnerability, email security@commonfranchise.com.

CommonFranchise is for adults considering a franchise investment. We don’t knowingly collect personal data from anyone under 18.

When we make a material change we’ll update the “last updated” date and, for significant changes, email account holders at least 14 days before the new policy takes effect.

Mission Ctrl, on behalf of CommonFranchise.
Email: privacy@commonfranchise.com
Web: About CommonFranchise