Privacy Policy

Last updated: May 10, 2026

FranchiseDiff (“FranchiseDiff,” “we,” “us,” or “our”) is operated as a sole proprietorship by Heemin Cho, based in Illinois, United States. This Privacy Policy explains what personal information we collect when you use franchisediff.com (the “Service”), how we use it, who we share it with, and the choices you have. By using the Service you agree to the practices described here. This Privacy Policy also serves as our notice at collection under California Civil Code §1798.100(b).

The short version: we collect what we need to run accounts, process subscriptions, and (only when you ask) connect you with a franchise consultant. We do not sell or share your personal information for advertising or for any purpose other than what you direct us to do. We do not use your account, lead, or feedback data to train artificial-intelligence models, including third-party LLMs. Most users never have their data shared with anyone outside our service providers.

1. Information we collect

Account information. When you sign up, we collect your email address and (for password accounts) a securely hashed password. If you sign in with Google, we receive your email address and basic profile information from Google as part of the OAuth flow. We do not receive your Google password.

Subscription information. When you subscribe to a paid plan, payment is processed by Stripe. Stripe handles your payment card data; we never see or store full card numbers. We store the Stripe customer and subscription identifiers, your subscription status, and renewal dates so we can grant or revoke paid access correctly.

Lead form submissions. When you submit a “Talk to a Franchise Expert” or similar inquiry form, we collect the information you choose to provide — typically name, email, phone number, the franchise you're interested in, investment budget range, timeline, location, and any free-text message. Lead forms are entirely optional. If you never submit one, none of this information is collected.

Feedback submissions. If you submit feedback through our forms, we collect what you typed and (if provided) your email so we can follow up.

Usage information. Our hosting provider (Vercel) automatically logs basic request metadata — IP address, user agent, request path, response status — for security, abuse prevention, and operational debugging. We fingerprint IP addresses with HMAC-SHA256 keyed by a server-side secret (truncated to 16 hex characters) before storing them in our application database, so the stored value cannot be reversed to an IP without the secret. Full IP addresses are not retained by us beyond short-lived edge logs.

Analytics. We use a small number of first-party-style analytics tools to understand how the Service is used and to keep it fast:

  • PostHog (US-hosted product analytics) — records page views, clicks, and similar product events. For signed-out visitors, events are anonymous and tied only to a randomly generated device identifier; for signed-in users, events are associated with your FranchiseDiff user ID so we can debug account-specific issues. PostHog does not sell event data to third parties, and we do not share PostHog data with advertisers.
  • Vercel Analytics — aggregate page-view counts and referrers, used to gauge traffic and content performance.
  • Vercel Speed Insights — Core Web Vitals and other performance metrics (load time, interaction latency) collected from real visits so we can keep the site fast.

We do not use these tools for advertising, retargeting, or cross-site tracking, and we do not sell the data they collect.

Cookies and local storage. We use cookies and browser localStorage for two purposes: (1) essential authentication and session management (the Supabase auth session cookie), and (2) the analytics tools above, which set a session cookie or localStorage entry to recognize a returning device within a session. We do not use advertising cookies, cross-site tracking cookies, or third-party marketing trackers.

Cookie banner scope. The Service is currently launched for visitors in the United States and Canada, where a cookie consent banner is not legally required for the analytics use described above, so we do not show one. Visitors from the European Economic Area, the United Kingdom, and Switzerland are outside our current launch scope; if you reach the Service from those regions and want analytics events associated with your visit deleted, email support@franchisediff.com. You can also opt out at any time by enabling your browser's Do Not Track or Global Privacy Control signal, by blocking cookies and localStorage for franchisediff.com, or by clearing site data after each visit.

Categories of personal information collected (CCPA). For purposes of the California Consumer Privacy Act and similar state laws, in the preceding twelve (12) months we may have collected the following statutory categories of personal information:

  • Identifiers: name, email address, hashed IP address, online identifiers (Stripe customer ID, Supabase user ID, PostHog device / distinct ID).
  • Customer records: account credentials (hashed password), subscription status, billing history (held by Stripe).
  • Commercial information: products purchased (subscription plan), referral fees received from consultants for qualified leads.
  • Internet or network activity: browser type, request path, response status, referring URL.
  • Geolocation data: approximate (city / region / country level) may be inferred at the edge / CDN layer by our hosting provider for security and abuse prevention; we do not actively collect or store precise GPS-level location.
  • Lead inquiry information (collected only if you submit a lead form): name, email, phone number, franchise of interest, investment budget range, timeline, location preference, free-text message.

We do not collect biometric information, health information, racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, genetic data, contents of your private communications, government IDs, or financial account numbers (Stripe handles all payment data).

2. How we use your information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Authenticate you and keep your session secure
  • Process subscription payments and manage your subscription status
  • Forward lead form submissions to independent franchise consultants you have asked to be connected with (see Sections 3 and 4)
  • Send transactional and service email — account confirmation, password reset, billing receipts, security notices, and lead-submission acknowledgments. We do not currently send marketing or newsletter email; if we ever do, you will be able to opt out
  • Detect, investigate, and prevent abuse, fraud, or security incidents
  • Comply with legal obligations and respond to lawful requests

3. How we share your information

We share information only in the limited circumstances described below. We do not sell or share your personal information for advertising, profiling, or any purpose other than what is listed here.

Independent franchise consultants — only when you direct us to. If — and only if — you submit a lead form on the Service, you direct FranchiseDiff to forward your submission to one or more independent franchise consultants so that they can contact you about the franchise you inquired about. FranchiseDiff may receive a referral fee from those consultants for qualified leads. If you never submit a lead form, none of your information is ever shared with consultants. To stop sharing with consultants, simply do not submit a lead form; if you already submitted one and want to retract it, email support@franchisediff.com.

Service providers (subprocessors). We use vendors that process data on our behalf to operate the Service. They are contractually required to use your information only to provide their service to us:

  • Stripe, Inc. (payment processing, United States) — receives payment card data and billing details directly from you at checkout
  • Supabase, Inc. (database, authentication, United States) — stores account, subscription, lead, and feedback data
  • Vercel, Inc. (hosting, edge logs, analytics, United States) — serves the Service, logs request metadata, and provides Vercel Analytics (aggregate page views) and Vercel Speed Insights (performance metrics)
  • PostHog, Inc. (product analytics, United States) — receives product-event data (page views, clicks, custom events) tied to an anonymous device ID for visitors and to your FranchiseDiff user ID for signed-in users
  • Google LLC (transactional email via Gmail SMTP, United States) — sends transactional email and internal lead-notification email; the recipient address and email body pass through Google's mail infrastructure under Google's standard terms

Legal compliance. We may disclose information when required by law, subpoena, court order, or other valid legal process, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

Business transfer. If we ever sell, merge, or transfer the Service, your information may be part of that transfer. You will be notified before your information becomes subject to a different privacy policy.

Aggregated and de-identified data. We may create aggregated or de-identified data (for example, industry-trend reports based on FDD information) that cannot reasonably be used to identify any individual user. We may use and share such data without restriction.

4. Sale and sharing of personal information

We do not sell or share your personal information for cross-context behavioral advertising or for monetary consideration unrelated to a service you have explicitly requested. We do not work with ad networks, retargeting networks, data brokers, or marketing-co-op partners.

The single exception is the lead form, and it is fully user-directed. When you submit a lead form, you affirmatively direct us to forward your submission to independent franchise consultants. We may receive a referral fee from those consultants for qualified leads. Some state privacy laws may classify this exchange as a “sale” or “sharing” of personal information. Whether or not it is technically a sale under those laws, you have control:

  • To prevent any sharing: do not submit a lead form. Browsing the Service, having an account, and subscribing to a paid plan never trigger sharing.
  • To withdraw a previously-submitted lead: email support@franchisediff.com with the subject line “Lead Withdrawal.” We will stop any further forwarding of the lead and delete the lead record from our active systems within 15 business days. If a consultant has already received the lead, we will ask them to delete it; we cannot guarantee what a third party has already done with information once it has been forwarded.
  • To opt out of all current and future lead-sharing: email support@franchisediff.com with the subject line “Do Not Sell or Share My Personal Information.” We will mark your account or contact information as opted out within 15 business days and will not forward any lead from you to any consultant going forward. The same effect can be achieved by clicking the “Your Privacy Choices” link in our site footer.

One-hop limit on consultant use. Our standard arrangement with consultants who receive lead form submissions is — and as we onboard each consultant we will require, by written agreement — that they not sell, share, or further disclose the information for any purpose other than contacting you about the franchise opportunity you inquired about. Each consultant operates under its own privacy policy with respect to your subsequent interactions, but their initial receipt and use of the lead is bound by these one-hop terms.

We do not knowingly “sell” or “share” the personal information of consumers under 16 years of age.

5. Data retention

We keep personal information only as long as we need it for the purposes described in this policy, plus any time required to meet legal, tax, accounting, or dispute-resolution obligations.

  • Account data — retained while your account is active; deleted from active systems within 30 days of account deletion or a verified deletion request, except where retention is legally required (e.g., billing records for tax compliance) or where data has been irreversibly de-identified.
  • Subscription and billing records — retained for up to 7 years to satisfy U.S. tax record-keeping requirements.
  • Lead-form submissions — retained for up to 24 months unless you request earlier deletion.
  • Feedback submissions — retained for up to 24 months.
  • Web server logs (request metadata) — short-lived edge logs typically retained 30 days or less by our hosting provider.

6. Your privacy rights and choices

Regardless of where you live, you can:

  • View your basic account information at any time from your account page; to delete your account or correct stored information, email support@franchisediff.com from the address associated with your account
  • Cancel your paid subscription from the Stripe customer portal accessible through your account
  • Request a copy of the personal information we hold about you, in a structured, commonly-used, machine-readable format (typically JSON or CSV)
  • Request correction or deletion of inaccurate information
  • Opt out of lead-sharing as described in Section 4
  • Email support@franchisediff.com with any privacy question

Account deletion vs. subscription cancellation. These are separate actions. Deleting your account does not automatically cancel an active paid subscription, and cancelling the subscription does not automatically delete your account. To stop being charged, cancel through Stripe first; to remove your data from our active systems, then delete the account.

How we verify privacy rights requests. When you make a rights request, we may need to verify your identity before acting on it — for example, by asking you to confirm information already on file, by requiring the request to be sent from the email address associated with your account, or by requiring you to authenticate from your account. For requests from individuals who do not have a FranchiseDiff account but have submitted information through a lead form, we will typically verify by requiring the request to be sent from the email address used in the lead form. If we are unable to verify your identity to a reasonable degree of certainty, we may decline the request; this protects you from someone else fraudulently requesting deletion or disclosure of your data.

Authorized agents. You may designate an authorized agent to make a request on your behalf. The agent must provide written permission signed by you, and we may still ask you to verify the request directly. For California residents, an entity acting as an authorized agent must be registered with the California Secretary of State.

Response timeline. We respond to verified privacy rights requests within 45 calendar days. If we need additional time (for example, because the request is complex or we need to consult with a service provider), we may extend once by an additional 45 days, with notice to you. We do not charge a fee for handling rights requests.

Right to non-discrimination. We will not deny you the Service, charge you a different price, or provide you a different level of quality because you exercised a privacy right.

7. State-specific privacy rights

Several U.S. states grant their residents specific privacy rights. The rights below are summarized and apply to the extent the corresponding state law applies to FranchiseDiff and to you.

California (CCPA / CPRA). California residents have the right to:

  • Know what categories of personal information we collect, the sources, purposes, and categories of recipients (see Sections 1 and 3)
  • Access the specific pieces of personal information we hold about you
  • Correct inaccurate personal information
  • Delete personal information we hold, subject to legal exceptions
  • Opt out of any “sale” or “sharing” of personal information for cross-context behavioral advertising (we do not engage in either, but see Section 4 regarding lead forwarding)
  • Limit use of sensitive personal information (we do not collect SPI as defined under CPRA)
  • Non-discrimination for exercising any of the above
  • Shine the Light (Cal. Civ. Code §1798.83): request, once per calendar year, the names and addresses of third parties to which we have disclosed personal information for their direct marketing purposes in the prior calendar year. To make a Shine the Light request, email support@franchisediff.com with the subject line “Shine the Light.” We will respond within 30 days.

Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia residents. Residents of these states have rights similar to those described above for California, including the rights to access, correct, delete, obtain a portable copy of, and opt out of certain processing of their personal information. The specific contours of each right vary by state. Some of these states (notably Colorado, Connecticut, and Virginia) also provide a right to appeal a denial of a privacy rights request — to appeal, reply to our denial email and we will reconsider.

How to exercise any state right. Email support@franchisediff.com from the email address associated with your account, identify your state of residence and the right you wish to exercise. We will follow the verification, timeline, and non-discrimination rules described in Section 6.

Global Privacy Control (GPC) and other opt-out signals. We treat opt-out preference signals such as the Global Privacy Control as a valid request to opt out of sale and sharing of personal information for the browser sending the signal and, where we can reasonably associate the signal with a specific user, for that user's account. You do not need to send a separate request if your browser transmits a GPC signal.

7A. International data transfers

The Service is operated from the United States and is primarily intended for users in the United States. Personal information we collect is processed and stored in the United States. If you access the Service from outside the United States — including from the European Economic Area, the United Kingdom, or Switzerland — your data will be transferred to and processed in the United States, which has data-protection laws that differ from those of your home jurisdiction.

EU / UK / Swiss visitors. To the extent the EU GDPR, UK GDPR, or Swiss FADP applies to you, you may exercise your access, rectification, erasure, restriction, portability, objection, and withdrawal-of-consent rights by emailing support@franchisediff.com. You also have the right to lodge a complaint with your local data protection supervisory authority. Where transfers require a specific legal mechanism, we rely on the Standard Contractual Clauses (and the UK Addendum or Swiss equivalent where applicable) entered into with our subprocessors.

8. Communications and TCPA consent

Transactional and service messages. When you create an account, subscribe, or use lead-form features, we send transactional email about those activities (account confirmation, password reset, billing receipts, security notices, lead-submission acknowledgments). These are necessary to provide the Service; you cannot opt out of them while you have an active account or active lead in our system.

Marketing. We do not currently send marketing or newsletter email. If we ever introduce marketing communications, they will be opt-in or include a clear opt-out mechanism.

Phone and SMS contact (TCPA). If you submit a phone number through a lead form, you expressly authorize FranchiseDiff and the specific independent franchise consultant(s) we forward your submission to (which we identify or describe at the point of submission) to contact you at that number — including by phone calls, voicemail messages, automated dialing systems, pre-recorded or artificial-voice messages, and SMS or text messages — about the franchise opportunity you inquired about. Consent to such contact is not a condition of receiving information from FranchiseDiff. Message frequency varies; standard message and data rates may apply. You may revoke consent at any time by replying STOP to any text message, by asking the caller to stop, or by emailing support@franchisediff.com with the phone number on which you wish to revoke consent. See Section 6 of our Terms of Service for the full consent language.

9. Sensitive information and automated decisions

Sensitive personal information. We do not collect personal information that California or other states classify as “sensitive” under CPRA §1798.140(ae) and equivalent state definitions, including: Social Security numbers, driver's license, state identification card, or passport numbers; financial account numbers; precise geolocation; racial or ethnic origin; citizenship or immigration status; religious or philosophical beliefs; union membership; contents of mail, email, or text messages other than what you send us directly; genetic data; biometric or health information; or information concerning your sex life or sexual orientation. Payment card data is collected by Stripe directly; we never receive or store full card numbers.

Account credentials. For password accounts we collect your email address paired with a securely hashed password. The password hash is one-way and salted; we cannot retrieve or display your password in plaintext. While account credentials can fall within sensitive personal information when paired with retrievable passwords, our use of one-way hashing means the credential we store cannot, on its own, be used to access the account elsewhere. We nonetheless apply SPI-equivalent safeguards to it (encrypted at rest, access limited to operator and authentication subprocessor).

Automated decision-making and profiling. We do not engage in automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you. Our paywall is rules-based (you either have an active subscription or you don't) and our data extraction systems classify FDD documents, not users.

10. Security and breach notification

We use industry-standard safeguards to protect your information, including TLS in transit, encryption at rest by our database provider, hashed IP addresses, scoped access keys for service-to-service traffic, and Row-Level Security policies on every database table that contains user data. We limit access to personal information to the operator and to service providers under contractual obligation.

Breach notification. No system is perfectly secure. In the event of a data breach affecting your personal information, we will notify affected users and applicable regulators within the timeframes required by applicable law (typically 30-72 hours for regulator notification under state breach laws, and without unreasonable delay to affected users). If you believe your account has been compromised, contact us immediately at support@franchisediff.com.

11. Children

The Service is not directed to children under 16 and we do not knowingly collect information from children under 16. If you believe a child under 16 has provided us information, contact us at support@franchisediff.com and we will delete it promptly.

12. Third-party links

The Service may include links to third-party websites and services we do not control (for example, links to franchisor websites, regulatory filings, news articles, or our service providers' help centers). Their privacy practices are governed by their own policies, not this one, and we are not responsible for their content or practices.

13. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes — those that meaningfully affect how we collect, use, or share your personal information — will take effect no sooner than 30 days after we post the updated policy on the Service and, where we have your email on file, send a notice to your account email. Non-material changes (typo fixes, formatting, contact updates) take effect on posting.

14. Contact

For privacy questions, to exercise any of your rights, to withdraw a previously-submitted lead, or to opt out of any future lead sharing, email support@franchisediff.com. See our Terms of Service and Disclaimer for related provisions.