Privacy Policy
Plain-language summary
We collect the email you give us, the photos and inputs you submit to our free tools, and standard device and marketing-attribution signals. We use this to deliver the tool output you asked for, to send you waitlist and educational emails (you can unsubscribe), and to improve accuracy. We do not sell your personal information, we do not share it with advertisers, and we do not use your photos to train AI without your explicit opt-in. You can request a copy of your data, correct it, or delete it at any time by emailing hello@moldscanner.ai.
The full policy below is authoritative. This summary is for convenience.
1. Who we are and how to reach us
Tested Media LLC, a Puerto Rico limited liability company doing business as "Mold Scanner AI" (together, "Mold Scanner AI," "we," "us," or "our"), is the controller of the personal information we collect through moldscanner.ai, our free tools, our waitlist, and, when launched, our mobile application. Correspondence and legal notices may be sent to hello@moldscanner.ai or to the postal address we designate in writing on request.
Contact for privacy matters, rights requests, and questions about this policy: hello@moldscanner.ai (put "Privacy Request" in the subject line for formal rights requests).
EU / UK representatives. We do not actively target the European Union or the United Kingdom at this time. If you are an EU, EEA, or UK data subject and your personal data is nonetheless processed by us (for example, because you voluntarily visited our website), you may contact us at the email address above. If we begin actively offering our Services to EU or UK residents, we will appoint a representative under Article 27 GDPR / UK GDPR and update this policy with their contact details before commencing that activity.
2. Scope of this policy
This policy applies to personal information we collect through (a) the moldscanner.ai website and subdomains; (b) our free tools at /tools/; (c) our email waitlist, newsletter, and transactional messaging; and (d) future versions of the Mold Scanner AI mobile application. It does not apply to third-party websites you reach via links from our Services, or to services operated by our subprocessors that you access independently.
3. Personal information we collect
We collect the following categories of personal information. Categories map to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
- Identifiers: email address you submit to the waitlist, any free tool's email gate, or our contact form; IP address (transient, used for rate-limiting, abuse prevention, and regional routing); device identifiers when the mobile application launches.
- Customer records (Cal. Civ. Code §1798.80(e)): the email and any optional name you provide.
- Commercial information: record of waitlist participation, record of which free tools you have used, and (when paid features launch) purchase history.
- Internet or other electronic network activity: page views, referring URL, tool interactions, session duration, basic device and browser information (type, OS, viewport), and error logs.
- Geolocation: approximate geolocation derived from IP address (country and region level) for regional routing and abuse prevention. We do not collect precise GPS location from the website. When the mobile application launches, any precise location features will be opt-in at the operating-system level.
- Audio, electronic, visual, or similar information: photos you upload to the Mold vs Mildew Photo Checker or similar photo tools.
- Inferences: AI-generated outputs about the photos you submit (for example, a "possible mold" verdict and a confidence score). These inferences are returned to you and retained only as described in Section 10.
- Marketing attribution: UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content), Google click identifier (gclid), Facebook click identifier (fbclid), and referring URL, captured from your first visit and, if you submit a form, attached to that submission. Stored in your browser's local storage for up to 30 days.
- Free-tool inputs: answers you type into the Humidity Calculator, quizzes, checklists, storm/post-flood timers, and the tenant complaint wizard. These inputs stay in your browser unless you submit them with your email for the report.
Sensitive personal information (CPRA) and special categories (GDPR)
The photos you upload may, depending on what you photograph, reveal information about your home, possessions, or, rarely, health-related conditions. We do not intentionally ask for or use sensitive personal information for any purpose other than to perform the analysis you requested. We do not use sensitive information to infer characteristics about you. You may limit our use of sensitive information at any time by contacting us (see Section 14).
Information we do NOT collect
- We do not collect precise GPS or device-level location from the website.
- We do not access your contacts, calendar, SMS, or other apps.
- We do not use cross-site advertising trackers, behavioral-ad identifiers, or data broker enrichment.
- We do not collect biometric identifiers or government identification numbers.
- We do not collect financial account or payment-card information on the website. Paid features, when launched, will use a PCI-compliant payment processor that handles payment data directly.
4. How we collect it
- Directly from you: email address, photos, free-tool inputs, questionnaire answers, contact-form messages.
- Automatically from your device: IP address, device and browser information, page views, click events, referring URL, and attribution parameters in the URL when you arrive.
- From third-party services you use to interact with us: for example, if you click a link in an email we sent through our email provider, we receive a "click" event.
We do not purchase personal information from data brokers.
5. Why we use it
- Provide the output you requested: analyze your photos or inputs, generate a report, and email the result to the address you provided.
- Operate and secure the Services: rate-limit abuse, prevent fraud, debug errors, and maintain availability.
- Communicate with you: send transactional messages (your tool report, waitlist updates), educational emails about mold and indoor air quality, and, where permitted, relevant marketing. You can unsubscribe from marketing at any time.
- Improve the Services: review aggregate usage and (with your opt-in consent only) de-identified scan data to improve AI accuracy.
- Measure marketing performance: understand which content and channels bring users to our tools, using your first-party attribution signals.
- Comply with law: respond to lawful requests, enforce our Terms, and protect our rights and the rights of others.
We do not use your personal information to train third-party AI models. We do not use your photos to train our own models unless you expressly opt in. We do not make solely automated decisions about you that have legal or similarly significant effects.
6. Legal basis (GDPR / UK GDPR)
If you are in the EU, UK, EEA, or Switzerland, we process your personal data on the following legal bases:
- Consent (Art. 6(1)(a)), for processing photos you upload to the Mold vs Mildew Photo Checker or similar photo tool; for sending you marketing email (separate, unbundled opt-in); and for any storage or access of information on your device that is not strictly necessary for the Service you requested (including marketing-attribution local storage and non-essential analytics).
- Performance of a contract (Art. 6(1)(b)), narrowly, to deliver a specific tool output you have requested (for example, emailing you the PDF you asked for), where that delivery is objectively necessary for the Service you asked us to provide.
- Legitimate interests (Art. 6(1)(f)), to secure our Services, prevent and investigate abuse or fraud, measure aggregate traffic in a privacy-preserving way, and respond to inquiries. We have performed a balancing test and concluded that these interests do not override your rights and freedoms. You may object at any time (Art. 21).
- Legal obligation (Art. 6(1)(c)), to respond to lawful requests and retain records where required.
To the extent a photo you submit reveals any information within a special category under Art. 9 (for example, information inadvertently relating to health), we rely on your explicit consent (Art. 9(2)(a)), given at the point of upload, as the legal basis for processing it solely to produce the verdict you requested.
For transfers of personal data outside the EEA/UK, see Section 12 (International data transfers).
7. Who we share it with (subprocessors)
We share personal information only with service providers who help us operate the Services, and only to the extent needed to perform those services. Each subprocessor is bound by a contract that limits their use of the data to our instructions. Current subprocessors:
| Subprocessor | Purpose | Data it receives | Location |
|---|---|---|---|
| Vercel Inc. | Website hosting and edge delivery | All request traffic (IP, headers, payload) | United States |
| Supabase Inc. | Database, server-side storage of waitlist signups and tool-usage counters | Email, attribution parameters, tool-usage timestamps | United States |
| Anthropic PBC | AI inference for photo analysis (Claude / Opus model) | Photos you submit to the Mold vs Mildew Photo Checker, and an accompanying text prompt; no email | United States |
| Resend, Inc. | Transactional and marketing email delivery (tool reports, waitlist drip, unsubscribes) | Email address, email content, delivery and engagement events | United States |
| Google Analytics / Plausible (if deployed on a given page) | Aggregate website analytics | Page views, referrer, device type. No email, no photos. | United States / EU (depending on provider) |
We will update this list as our subprocessors change. If you want the current list at any time, email hello@moldscanner.ai.
Beyond the subprocessors above, we may disclose personal information (a) to comply with applicable law, legal process, or enforceable government request; (b) to enforce our Terms or investigate possible violations; (c) to protect the rights, property, or safety of Mold Scanner AI, our users, or others; or (d) in connection with a merger, acquisition, reorganization, or sale of assets, subject to standard confidentiality protections.
8. No sale or sharing of personal information
We do not sell personal information for money, and we do not "share" personal information for cross-context behavioral advertising, as those terms are defined under California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or other U.S. state privacy laws. We do not disclose personal information to third parties for their own direct marketing purposes. Because we do not sell or share for cross-context behavioral advertising, no "Do Not Sell or Share My Personal Information" link is required; however, if our practices ever change, we will update this policy and provide the required link and mechanism before any such activity begins.
9. Photos you upload: what actually happens
When you submit a photo to the Mold vs Mildew Photo Checker or similar photo tool:
- The photo is transmitted over HTTPS to our API.
- The API forwards the photo to Anthropic's Claude model for analysis. Anthropic processes API traffic under Anthropic's Commercial Terms of Service and Data Processing Addendum, which state that inputs and outputs submitted to the API are not used to train Anthropic's models absent separate opt-in. We do not opt in to training use. If Anthropic's terms materially change, we will update this policy before the change becomes effective for us.
- The verdict returned by the model is stored briefly (long enough to deliver it to your email) and is not used for advertising or third-party disclosure.
- Unless you expressly opt in, we do not retain your photos after delivery of the verdict email. Non-image metadata (timestamp, tool slug, email, verdict category) is retained for anti-abuse rate limiting and for our records as described in Section 10.
- For tools that keep images on your device (for example, the Tenant Mold Complaint Letter photo log, which stores photos in your browser's IndexedDB), the images never leave your device unless you choose to include them in the final email. You can clear them at any time by clearing the site's storage in your browser.
Do not submit photos that contain third parties who have not consented, illegal content, or information you are not authorized to share. See Section 6 of our Terms.
10. Retention and deletion
We keep personal information only as long as necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law.
- Waitlist email, retained until you unsubscribe or request deletion.
- Tool-usage records (email, tool slug, verdict category, timestamp), retained for up to 24 months for analytics, anti-abuse, and compliance, then deleted or de-identified.
- Uploaded photos, not retained after verdict delivery, unless you opt in to retention for improvement purposes.
- Email delivery events (sent, delivered, opened, bounced), retained by our email provider for up to 24 months.
- Server and security logs, retained for up to 180 days for debugging, security, and abuse response.
- Legal-hold records, retained as long as required by applicable law.
You can request deletion at any time (see Section 13). When you ask for deletion, we will delete or de-identify your personal information within 30 days, except where we are required by law to retain it or where we have a compelling legitimate interest that we can document.
11. Security
We use industry-standard administrative, technical, and physical safeguards, including TLS encryption in transit, encryption at rest at our subprocessors, access controls on internal systems, least-privilege principles for staff access, credential rotation, and logging. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
If you believe you have discovered a security vulnerability, please report it responsibly to hello@moldscanner.ai with the subject line "Security Report." For good-faith security research conducted without accessing, modifying, or exfiltrating other users' data, and without degrading service availability, we will not pursue legal action.
Data-breach notification
If we experience a personal-data breach that is reasonably likely to result in a risk to your rights and freedoms, we will notify affected users and competent supervisory authorities within the timeframes required by applicable law, in particular, within 72 hours of becoming aware of the breach for GDPR/UK GDPR purposes (Art. 33-34), and within the timeframes set by applicable U.S. state breach-notification statutes. Notifications will describe, to the extent known, the nature of the breach, the categories and approximate number of records affected, likely consequences, and steps we have taken or will take to mitigate the breach and protect you.
12. International data transfers
We operate from the United States, and our subprocessors are primarily located in the United States. If you access the Services from outside the United States (including from the EU, UK, EEA, Switzerland, Canada, or elsewhere), your personal information will be transferred to, processed in, and stored in the United States, which may have different data-protection laws than your country.
Where required by law, we rely on valid transfer mechanisms, including the European Commission's Standard Contractual Clauses (SCCs), supplemented, where applicable, by a documented Transfer Impact Assessment (TIA) under Schrems II (CJEU, Case C-311/18), and, for UK transfers, the UK International Data Transfer Addendum. Where a recipient is certified under the EU-U.S. Data Privacy Framework (or the UK or Swiss extensions), we may also rely on that framework. A copy of the relevant transfer mechanism, and the summary of our TIA, is available on request at hello@moldscanner.ai.
13. Your rights (all users)
Regardless of where you live, you may:
- Request a copy of the personal information we hold about you;
- Request correction of inaccurate personal information;
- Request deletion of your personal information;
- Object to or restrict specific processing;
- Withdraw any consent you previously gave (for example, for marketing email), without affecting the lawfulness of prior processing;
- Unsubscribe from marketing email at any time using the unsubscribe link in every marketing message.
To exercise any right, email hello@moldscanner.ai from the email address associated with your data, or another address if you can verify your identity by other reasonable means. We will respond within the timeframe required by applicable law, generally within one calendar month for GDPR/UK GDPR requests (extendable by up to two additional months for complex or voluminous requests, with notice to you), and within 45 days for most U.S. state privacy requests (extendable by an additional 45 days with notice). We will not discriminate or retaliate against you for exercising a privacy right.
Even where a specific legal regime does not apply to our processing (because, for example, a statutory threshold has not been met), we extend the core rights above to all users as a matter of policy.
14. U.S. state privacy rights
Depending on where you live, you may have additional rights under state law, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), and similar laws in other states that come into effect from time to time.
Rights under these laws
- Right to know / access, what personal information we have about you, where we got it, why we use it, and to whom we disclose it.
- Right to correct inaccurate personal information.
- Right to delete personal information we hold about you, subject to legal exceptions.
- Right to data portability, receive a copy of your data in a portable, machine-readable format.
- Right to opt out of "sale" and "sharing" for cross-context behavioral advertising. As stated in Section 8, we do not engage in either activity.
- Right to limit use of sensitive personal information. If we ever use sensitive personal information beyond purposes permitted without this right, we will provide a mechanism to limit it.
- Right to opt out of profiling that produces legal or similarly significant effects. We do not engage in such profiling.
- Right to non-discrimination for exercising any of these rights.
How to submit a request
Email hello@moldscanner.ai with the subject line "Privacy Request" and specify the right you wish to exercise. To protect your data, we will verify your identity by confirming control of the email address on file, and for sensitive requests we may ask for additional verification. You may designate an authorized agent to make a request on your behalf; we will ask for written, signed authorization and may confirm directly with you.
Right to appeal (Virginia, Colorado, Connecticut, Texas, Oregon)
If we decline your request, you may appeal by replying to our decision email within 45 days. We will respond to the appeal within 60 days. If we still decline, you may contact your state attorney general.
California "Shine the Light"
We do not disclose personal information to third parties for their own direct marketing purposes.
Scope and thresholds
Some U.S. state privacy laws apply only above specific revenue, volume, or data-sale thresholds. We may not currently meet every threshold that would make a particular state law mandatory for us. Where we extend rights beyond what a given law strictly requires, we do so voluntarily. As our user base grows and any threshold becomes applicable, we will update this policy and our internal practices accordingly.
14a. Consumer health data (Washington, Nevada, Connecticut)
Washington's My Health My Data Act (MHMDA), Nevada's SB 370, and Connecticut's consumer-health-data amendment to the CTDPA impose heightened rules on "consumer health data": broadly, personal information that identifies a consumer's past, present, or future physical or mental health status or conditions, including information derived from nonhealth data through algorithms.
When these laws apply to us. If you are a Washington, Nevada, or Connecticut resident and you use a feature that collects or generates information about your health (for example, a symptom-related quiz or any tool we operate that infers a health status), the information we collect through that feature is consumer health data.
What we do about it.
- Unbundled, affirmative opt-in consent before we collect consumer health data. We will not collect it from a hidden default or from continued use of the Services alone.
- Separate authorization before we share consumer health data with any third party beyond our subprocessors described in Section 7.
- Right to withdraw consent at any time at hello@moldscanner.ai. Withdrawal stops future processing but does not affect processing that already happened.
- Right to delete consumer health data at any time; we will comply within the timeframe required by the applicable statute.
- No sale. We do not sell consumer health data to any third party.
- No geofencing of healthcare facilities for advertising, identification, or tracking purposes.
If you want a plain-language copy of our Consumer Health Data Privacy Policy, email hello@moldscanner.ai with the subject line "Health Data Request." Washington residents may file a complaint with the Washington Attorney General's Office, and Washington residents have a private right of action for MHMDA violations.
15. EU / UK / EEA rights (GDPR)
If the GDPR or UK GDPR applies to our processing of your personal data, you have the following rights:
- Right of access (Art. 15);
- Right to rectification (Art. 16);
- Right to erasure / "right to be forgotten" (Art. 17);
- Right to restrict processing (Art. 18);
- Right to data portability (Art. 20);
- Right to object, including to processing based on legitimate interests and to direct marketing (Art. 21);
- Right not to be subject to solely automated decisions with legal or similarly significant effects (Art. 22);
- Right to withdraw consent at any time, without affecting the lawfulness of prior processing;
- Right to lodge a complaint with a supervisory authority, your local EU data protection authority, the UK Information Commissioner's Office (ICO), or another competent authority.
To exercise any of these rights, contact hello@moldscanner.ai. The core processing activities described in this policy do not require us to appoint a Data Protection Officer under Article 37 of the GDPR; this email reaches the person responsible for privacy at our organization. Appointment of an Article 27 representative is addressed in Section 1 of this policy.
Right to lodge a complaint
You have the right to lodge a complaint with your local supervisory authority, including the UK Information Commissioner's Office (ICO) at ico.org.uk, your national data-protection authority in the EU/EEA (directory at edpb.europa.eu), or the Swiss Federal Data Protection and Information Commissioner (FDPIC).
16. Children's privacy (under 13)
The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you are under 13, do not submit any personal information through the Services. If you are a parent or legal guardian and believe a child under 13 has provided us with personal information, email hello@moldscanner.ai and we will delete the information promptly, in accordance with the Children's Online Privacy Protection Act (COPPA).
17. Cookies, local storage, and attribution
We use a minimal set of first-party storage technologies:
- Strictly necessary local storage, for example, a short-lived session key that lets a free tool remember the form inputs you typed while you're still on the page. These are necessary to operate the Services and do not require consent.
- Marketing-attribution local storage, we store UTM parameters, Google click identifier (gclid), Facebook click identifier (fbclid), and the referring URL from your first visit in your browser's local storage for up to 30 days. If you submit a form during that time, we attach those parameters to your signup so we can understand which marketing channel brought you in. This storage is first-party, is not shared with ad networks, and does not track you across other websites.
- Analytics, where deployed, we use privacy-friendly analytics (GA4 configured with IP anonymization and no advertising features, or Plausible, depending on the page) to measure aggregate traffic. We do not use third-party advertising cookies. We do not use behavioural ad retargeting cookies.
EU / UK / EEA visitors: consent required. Under the EU ePrivacy Directive (as implemented in national law) and the UK Privacy and Electronic Communications Regulations (PECR), storage of and access to information on your device, including the marketing-attribution storage described above and non-essential analytics, requires your prior, informed, freely given, and specific consent. We will present a consent banner before setting any non-strictly-necessary storage, and you may accept, reject, or withdraw consent at any time. Until you consent, we will not set marketing-attribution storage or non-essential analytics. Strictly necessary storage (for example, a short-lived session key needed to operate the Service you asked for) does not require consent and will always load.
You can also control cookies and local storage through your browser settings. Disabling storage may degrade some functionality (for example, you may lose in-progress tool inputs if you reload the page).
18. Do Not Track and Global Privacy Control
There is no industry consensus on how to respond to web browser "Do Not Track" signals, and we do not currently respond to them. We do honor Global Privacy Control (GPC) signals to the extent required by applicable law for the U.S. states that recognize them; as explained in Section 8, we do not sell or share personal information in any event.
19. Changes to this policy
We may update this privacy policy from time to time. The "Effective date" at the top reflects the latest version. If we make material changes, we will notify you by email (if we have your address) or by a prominent notice on the Services before the changes take effect. Continued use of the Services after the effective date means you accept the updated policy. If you do not agree, you must stop using the Services.
20. Contact us
For questions about this policy, to exercise a privacy right, or to report a concern:
- Email: hello@moldscanner.ai
- Subject line: "Privacy Request" for formal rights requests
- Written response: we will respond within the timeframe required by applicable law