Introduction
POShield ("we," "our," or "us") is a purchase order verification service based in Redding, California. This Privacy Policy explains how we collect, use, store, and protect information when you use our website, browser extension, and related services.
We are committed to transparency about our data practices. POShield is designed with privacy as a core principle. We collect the minimum data necessary to provide our verification service.
Information We Collect
From Organization Administrators (Verification)
When an administrator verifies their organization through POShield, we collect:
- Organization name and email domain
- Administrator name, work email address, and job title
- Google Workspace or Microsoft 365 authentication data (to verify admin status)
- Names, email addresses, and spending limits of authorized buyers added by the administrator
From the Browser Extension
The POShield browser extension operates with strict privacy constraints:
What the extension DOES:
- Reads the sender's email address from incoming emails (the address already visible on your screen)
- Converts email addresses into irreversible cryptographic hashes locally in your browser
- Checks those hashes against the POShield verification registry on the Arbitrum blockchain
- Displays a green "Verified" badge next to verified senders
- Only checks emails from domains registered on the POShield network (all other emails are completely ignored)
What the extension DOES NOT do:
- Read, access, or transmit email content, subject lines, or body text
- Read, access, or transmit email attachments or documents
- Store, log, or transmit actual email addresses to any server (only hashes are used)
- Track your browsing activity or email reading habits
- Upload, share, or sell any data to third parties
- Access your email account credentials or passwords
From Website Visitors
When you visit our website, we may collect standard web analytics data such as page views, browser type, and referring URL. We do not use this data to identify individual visitors.
How We Use Your Information
We use the information we collect exclusively to:
- Verify that administrators have the authority to register their organization
- Maintain the verification registry so sellers can confirm buyer identity
- Record verification data on the Arbitrum blockchain as an immutable audit trail
- Communicate with administrators about their account and verification status
- Improve and maintain the POShield service
We do not sell, rent, or share your personal information with third parties for marketing purposes. We do not display advertisements in any POShield product.
Data Encryption
All personal information (names, email addresses, organization details) is encrypted at the application level before being stored in our database. This means that even in the event of a database breach, personal data remains encrypted and unreadable without the separate encryption keys, which are stored independently from the database.
Blockchain Data
POShield records verification data on the Arbitrum blockchain (an Ethereum Layer 2 network). Important details about blockchain data:
- Only hashes are stored on-chain. Actual email addresses, names, and organization details are never written to the blockchain. We store cryptographic hashes, which are irreversible representations that cannot be converted back to the original data.
- Blockchain data is permanent. Once recorded, data cannot be modified or deleted. This is by design and creates a tamper-proof verification record. Buyer credentials can be deactivated (marked as inactive) even though the original record remains.
- Blockchain data is public. Anyone can view data on the blockchain. Because only hashes are stored, this does not expose personal information.
Google and Microsoft Authentication
POShield uses Google Workspace and Microsoft 365 OAuth authentication to verify that administrators have admin-level access to their organization. When you sign in:
- We receive the following Google user data and Microsoft user data: your name, email address, and admin status from Google or Microsoft
- We use this information solely to verify your administrative role
- We do not access your emails, documents, calendar, contacts, or any other data in your Google Workspace or Microsoft 365 account
- We do not store your Google or Microsoft password
- You can revoke POShield's access at any time through your Google or Microsoft account settings
POShield's use of Google Workspace APIs is limited to verifying administrator status and complies with the Google API Services User Data Policy, including the Limited Use requirements.
Data Storage and Security
Personal information is stored in a secure database hosted by Supabase, Inc., with servers located in the United States (West region). We implement the following security measures:
- All personal data is encrypted at the application level before database storage
- All data is transmitted over encrypted HTTPS connections
- Database access is protected by Row Level Security (RLS) policies
- Authentication tokens are encrypted and expire automatically
- Smart contract ownership is protected by multi-signature wallet security
Data Retention
We retain your personal information for as long as your organization maintains an active verification on POShield. If you request removal of your organization:
- Your personal information will be deleted from our database within 30 days
- Your buyer credentials will be deactivated on the blockchain (marked as inactive)
- Blockchain hash records cannot be deleted due to the immutable nature of blockchain technology, but they contain no personally identifiable information
Education Customers
For K-12 schools and educational institutions using POShield:
- FERPA Compliance: POShield does not collect, store, access, or process any student education records or student personally identifiable information (PII) as defined by FERPA. Our service exclusively handles adult administrator and purchasing staff verification data.
- SOPIPA Compliance (California): POShield complies with the Student Online Personal Information Protection Act. We do not use any data for advertising, do not sell personal information, do not create student profiles, and implement reasonable security measures.
POShield is prepared to execute Data Privacy Agreements (DPAs) with school districts, including the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement template.
Your Rights
You have the right to:
- Request access to the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your personal information from our database
- Revoke Google or Microsoft authentication access at any time
- Uninstall the browser extension at any time, which immediately stops all verification checks
California residents may have additional rights under the California Consumer Privacy Act (CCPA). To exercise any of these rights, contact us at the address below.
Children's Privacy
POShield is designed for use by organization administrators, purchasing professionals, resellers, and business professionals. We do not knowingly collect personal information from children under 13.
Third-Party Services
POShield uses the following third-party services:
- Supabase - database hosting and authentication
- Arbitrum (Ethereum L2) - blockchain verification registry
- Google Workspace APIs - administrator verification
- Microsoft 365 APIs - administrator verification
- Stripe - payment processing for paid subscriptions
Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email and update the "Last updated" date at the top of this page. Your continued use of POShield after changes are posted constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
POShield
Redding, California
Email: privacy@poshield.com