MyFOIA.ai — Privacy Policy
Effective: May 2, 2026 | Version 1.1 | Replaces all prior versions
By creating an account or using the Services, you agree to the collection and use of information as described in this Policy. This Policy is incorporated by reference into our User Agreement. Capitalized terms not defined here have the meanings given in the User Agreement.
Table of Contents
- Who We Are
- Information We Collect
- How We Collect Information
- How We Use Your Information
- AI Features and Your Data
- Proxy Email and AI Managed Mode
- How We Share Your Information
- Third-Party Service Providers
- Data Retention
- Data Security
- Your Privacy Rights
- California Residents — CCPA Rights
- Children's Privacy
- Cookies and Tracking Technologies
- Links to Third-Party Sites
- Changes to This Policy
- Contact Us
1. Who We Are
MyFOIA.ai is a web-based platform that assists individuals in creating, submitting, tracking, and managing Freedom of Information Act (FOIA) and Privacy Act (PA) requests to U.S. government agencies. We provide AI-assisted request drafting, agency tracking, document storage and analysis, automated correspondence management, and attorney referral services.
MyFOIA.ai is operated by Zhao Boerner from the United States. For privacy inquiries, contact us at privacy@myfoia.ai.
2. Information We Collect
2.1 Information You Provide Directly
- Account registration: First name, middle name, last name, email address, mailing address (street, city, state, ZIP), phone number, recovery phone number, and password (stored as a bcrypt hash — we never store plaintext passwords).
- Requester credentials: Requester type (e.g., journalist, researcher, individual), organization name and URL, publication history, intended use of requested records, subject expertise, prior FOIA research, commercial purpose status, and financial hardship information. This information is used to populate fee waiver arguments in generated FOIA letters.
- FOIA request details: Request name, description, target agency, request text, supporting notes, status updates, and any information you enter in connection with a FOIA or Privacy Act request.
- Uploaded documents: Files you upload in connection with your FOIA requests, including agency correspondence, supporting materials, and any documents you provide for analysis. Uploaded files are stored in Amazon Web Services S3 and their text content is extracted for AI analysis.
- Support communications: Messages, attachments, and information you submit through our support ticket system.
- Payment information: Billing information submitted at checkout. Payment card numbers are processed directly by Stripe and are never stored on MyFOIA.ai servers. We retain only Stripe customer identifiers and subscription tier information.
- User consent records: Timestamp, IP address, and policy version accepted at account creation and any subsequent re-consent events.
2.2 Information We Collect Automatically
- Login and authentication records: IP address, timestamps, device type, browser user-agent, and login attempt outcomes (success or failure). Failed login attempts are tracked to enforce account lockout policy.
- Usage data: Pages visited, features used, request actions taken, and session activity within the platform.
- AI prompt logs: Records of prompts sent to AI model providers on your behalf, including associated request IDs and timestamps. These logs are used for debugging, quality improvement, and abuse detection.
- USPS mailing records: Tracking numbers, delivery confirmations, and certified mail metadata associated with letters sent on your behalf through AI Managed Mode.
- Inbound email metadata: Sender, recipient, subject line, timestamp, and classification data for agency correspondence received at your proxy email address.
2.3 Information We Do Not Collect
We do not collect Social Security numbers, government-issued ID numbers, biometric data, or financial account numbers. We do not purchase data from third-party data brokers.
3. How We Collect Information
- Directly from you when you register, fill out forms, upload documents, submit support tickets, or otherwise interact with the platform.
- Automatically through server logs, session management, and platform analytics when you use the Services.
- From third-party service providers such as Stripe (payment status), Postmark (email delivery status), and USPS (tracking and delivery confirmation).
- From government agencies via your proxy email address, when agencies respond to FOIA requests managed through our AI Managed Mode.
4. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Information Used |
|---|---|
| Providing and operating the Services | Account data, request details, uploaded documents, requester credentials |
| Generating AI-assisted FOIA request letters and appeals | Request details, requester credentials, document text, agency rules |
| Managing agency correspondence on your behalf (AI Managed Mode) | Your name and address, proxy email, USPS tracking data, inbound agency emails |
| Processing payments and managing subscriptions | Stripe customer ID, subscription tier, billing history |
| Account security and fraud prevention | Login records, IP addresses, failed attempt counts, device data |
| Providing customer support | Account data, support ticket content, request details |
| Enforcing our User Agreement and applicable law | Account data, usage logs, consent records |
| Improving the platform and AI model performance | AI prompt logs, usage data, aggregated and de-identified analytics |
| Complying with legal obligations | Any information required by applicable law, regulation, or court order |
| Sending service and account notifications | Email address, phone number (for SMS alerts where enabled) |
We do not use your personal information to serve advertisements. MyFOIA.ai is ad-free. We do not sell your personal information to third parties for their own marketing purposes.
5. AI Features and Your Data
MyFOIA.ai uses xAI's Grok model and potentially other AI providers to generate FOIA letters, analyze documents, draft appeals, and provide strategic recommendations. When you use AI-powered features:
- Your request details, document text, and requester credentials are included in prompts sent to AI model providers.
- AI prompt logs — including the content of prompts and associated metadata — are retained for 12 months for debugging and quality improvement.
- AI-generated outputs (letters, analysis, recommendations) are not legal advice. The accuracy of AI outputs is not guaranteed. You are responsible for reviewing all generated content before use.
- We do not use your personal FOIA request content to train AI models without your explicit consent.
6. Proxy Email and AI Managed Mode
When you activate AI Managed Mode for a specific FOIA request, MyFOIA.ai assigns you a dedicated proxy email address for that request. All agency correspondence sent to that address is received, stored, and processed by MyFOIA.ai on your behalf. This means:
- The content of agency emails — including any records, determinations, or personal information contained in agency responses — is stored on our servers and processed by our AI systems.
- We send correspondence to government agencies in your name from your proxy address. You remain legally responsible for all communications sent on your behalf.
- Activation of AI Managed Mode requires your separate, explicit consent through the AI Managed Mode Agreement presented at activation. This Privacy Policy does not itself authorize Managed Mode.
- USPS certified mail records (tracking numbers, delivery confirmations) are stored in connection with your request.
7. How We Share Your Information
We do not sell, rent, or trade your personal information. We share your information only in the following circumstances:
7.1 With Government Agencies (At Your Direction)
When you submit a FOIA request or activate AI Managed Mode, we transmit your name, mailing address, contact information, and request content to the relevant government agency on your behalf. This disclosure is at your explicit direction and is the core function of the Services.
7.2 With Service Providers
We share information with third-party vendors who assist us in operating the platform, as described in Section 8. These providers are contractually bound to use your information only to provide services to MyFOIA.ai and not for their own purposes.
7.3 With Attorney Referral Partners
If you use our Attorney Referral Network, we may share relevant case details (agency, request status, basis for referral) with participating attorneys to facilitate a connection. This sharing occurs only at your request and with your consent.
7.4 For Legal Compliance and Safety
We may disclose your information if required to do so by law, subpoena, court order, or other legal process; to enforce our User Agreement; to protect the rights, property, or safety of MyFOIA.ai, our users, or the public; or to detect, prevent, or address fraud, security, or technical issues.
7.5 Business Transfers
If MyFOIA.ai is involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the platform prior to your information becoming subject to a different privacy policy.
7.6 With Your Consent
We may share your information for other purposes with your explicit consent.
8. Third-Party Service Providers
MyFOIA.ai uses the following categories of third-party service providers. Each provider's data practices are governed by their own privacy policies, which we encourage you to review.
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, document storage (S3), database hosting (RDS) | All platform data — hosted in AWS us-east-1 (Virginia) |
| xAI (Grok) | AI model for request drafting, document analysis, and strategy generation | Request details, document text, requester credentials |
| Stripe | Payment processing and subscription management | Payment card data (processed directly by Stripe), billing information |
| Postmark | Transactional email delivery and proxy email routing | Your email address, proxy email address, email content |
| USPS | Certified mail delivery for AI Managed Mode letters | Your name, mailing address, agency address |
We are not responsible for the data practices of third-party providers. We encourage you to review their privacy policies before using features that involve those providers.
9. Data Retention
We retain your information for as long as necessary to provide the Services and comply with our legal obligations. The following retention periods apply:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (name, email, address, credentials) | Duration of account + 3 years post-deletion | Legal compliance, dispute resolution |
| FOIA request records and uploaded documents | 7 years | Appeal and litigation timelines; FOIA statute of limitations |
| Login attempt records | 90 days minimum; extended if suspicious activity flagged | Account security, fraud prevention |
| AI prompt logs | 12 months | System improvement, debugging, abuse detection |
| Payment records | 7 years minimum | Financial regulations (IRS, applicable accounting standards) |
| User consent records | Duration of account + 3 years post-deletion | Legal compliance, audit trail |
| Support ticket records | 3 years from ticket closure | Quality assurance, dispute resolution |
| Inbound agency email content | 7 years | Tied to FOIA request record retention |
When retention periods expire, we securely delete or anonymize the relevant data. You may request early deletion of your account and data as described in Section 11, subject to our legal obligations to retain certain records.
10. Data Security
We implement industry-standard technical and organizational measures to protect your information against unauthorized access, disclosure, alteration, and destruction:
- Encryption at rest: AES-256 encryption for all data stored in our database and AWS S3.
- Encryption in transit: TLS 1.2 or higher for all data transmitted between your browser and our servers.
- Access controls: Role-based access controls limiting employee access to personal data on a need-to-know basis.
- Password security: Passwords are hashed using bcrypt. We never store plaintext passwords.
- Account lockout: Accounts are temporarily locked after repeated failed login attempts to prevent brute-force attacks.
- Two-factor authentication: Available as an optional security enhancement for your account.
11. Your Privacy Rights
Regardless of where you are located, you have the following rights with respect to your personal information:
11.1 Right to Access
You may request a copy of the personal information we hold about you. You can access much of your information directly through your account dashboard and profile settings.
11.2 Right to Correction
You may request correction of inaccurate or incomplete personal information. You can update most of your account information directly in your user profile.
11.3 Right to Deletion
You may request deletion of your account and associated personal information. We will honor deletion requests subject to our legal obligations to retain certain records (see Section 9). To delete your account, contact privacy@myfoia.ai or use the account deletion option in your profile settings.
11.4 Right to Data Portability
You may request a copy of your personal information in a structured, commonly used, machine-readable format. Contact privacy@myfoia.ai to submit a portability request.
11.5 Right to Opt Out of Non-Essential Communications
You may opt out of non-essential email communications (such as product announcements) at any time by using the unsubscribe link in any such email or by updating your notification preferences in your account settings. You cannot opt out of transactional emails necessary to operate the Services (such as account verification, password reset, and request status alerts).
11.6 How to Exercise Your Rights
To exercise any of the above rights, contact us at privacy@myfoia.ai. We will respond to verified requests within 30 days. We may ask you to verify your identity before processing your request.
12. California Residents — CCPA Rights
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights:
- Right to Know: You have the right to know what categories of personal information we collect, the purposes for which we use it, and whether we sell or share it.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You have the right to correct inaccurate personal information we maintain about you.
- Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is required, but you may contact us to confirm this at any time.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Services.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, contact us at privacy@myfoia.ai. We will respond within 45 days as required by law.
13. Children's Privacy
MyFOIA.ai is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe we have collected information from a child under 13, please contact us immediately at privacy@myfoia.ai and we will take steps to delete that information.
Users must be at least 18 years of age to create an account and use the Services, consistent with our User Agreement.
14. Cookies and Tracking Technologies
MyFOIA.ai uses session cookies and server-side session management to maintain your login state and provide a consistent experience across the platform. Specifically:
- Session cookies: Required for authentication and to maintain your logged-in state. These are deleted when you close your browser or log out.
- Server-side sessions: We use Flask-Session with server-side storage to manage your session data securely.
- No third-party advertising cookies: We do not use third-party advertising or tracking cookies. We do not participate in cross-site behavioral tracking.
Most browsers allow you to refuse or delete cookies through browser settings. Disabling session cookies will prevent you from logging in to the Services.
15. Links to Third-Party Sites
The Services may contain links to third-party websites, including government agency websites, legal resources, and attorney referral partners. This Privacy Policy applies only to MyFOIA.ai. We are not responsible for the privacy practices of third-party sites and encourage you to review their privacy policies before providing personal information.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Post the updated policy at myfoia.ai/privacy_policy with a new effective date;
- Notify registered users by email at the address associated with their account; and
- Where required by law, request your renewed consent.
Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised Policy. If you do not agree to the revised Policy, you must stop using the Services and may delete your account.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Zhao Boerner
910 17th St NW, 5th Floor Suite 23, Washington, DC 20006
Email: privacy@myfoia.ai
Support: Submit a Support Ticket
Response time: Within 30 days of a verified request.
For general support inquiries unrelated to privacy, visit our Support Center.
For legal matters, refer to the governing law and dispute resolution provisions in our User Agreement.
MyFOIA.ai | Zhao Boerner | Version 1.1 | Effective May 2, 2026