CoreFolioHIPAA

Last reviewed: 2026-05-15

Privacy notice

This notice applies to corefolio.ai and all CoreFolio products.

What stays in your browser

Your assessment answers are stored only in your browser’s localStorage. They are never transmitted to our servers. When you close or clear your browser data, they are gone. We designed it this way deliberately: a practice’s compliance posture is sensitive information, and we have no business reason to hold it.

Reports (Risk Analysis Report, Risk Management Plan, 2026 Readiness Gap Report) are generated client-side in your browser and downloaded directly to you. Our servers never receive or process the content of those documents.

What we do receive

When you submit a form on CoreFolio, the only data we receive from that form is:

  • Your email address
  • Your opt-in choice (which list you signed up for, if any)
  • For the CoreFolio Brief: your US state, if you choose to provide it, so we can include state-relevant updates

We do not accept practice names, free-text assessment answers, multi-select answer payloads, or any field that would carry assessment context through our servers.

For reliability and abuse prevention, we retain minimal operational logs related to forms and email delivery. Those logs never include assessment answers or report contents.

How we use your email

If you provide your email address, we use it to:

  • Send you the confirmation or summary you requested (free-preview signal, notification signup for the full assessment launch, or Brief welcome)
  • Send the CoreFolio Brief if you subscribed (weekly, with a one-click unsubscribe in every issue)

We do not sell your email address. We do not share it with third-party marketers. Transactional and list mail goes through our email delivery vendor, which processes your address only to send the messages you requested.

Analytics

We use Plausible Analytics (plausible.io) on our home page, the full-assessment notification page, and every page under /learn/. Plausible is cookieless and does not create a cross-site visitor profile. It does not use fingerprinting. It collects: page URL, referrer, approximate geographic region (country and US state, derived from IP address and immediately discarded), browser family, and device type. No personally identifiable information is collected or stored.

No third-party scripts load on any /assess/* route. When you are inside the assessment, no analytics provider receives any signal about which page you are viewing or what you are doing.

Because Plausible is cookieless, we do not display a cookie consent banner.

No third-party scripts on assessment routes

Every page under /assess/* ships with zero third-party JavaScript. No analytics, no chat widgets, no advertising pixels, no fonts pulled from external CDNs at runtime. We build the fonts into the application at deploy time.

On assessment routes, scripts load only from corefolio.ai.

Cookies

CoreFolio sets one functional cookie: corefolio_internal, used only to unlock extended assessment routes when your workspace has been granted access. It is HttpOnly, Secure, SameSite=Lax, and scoped to the paths that require it. It carries no personal information.

We set no advertising cookies, no tracking pixels, and no persistent session identifiers on marketing pages.

Data retention and deletion

Email addresses are retained in our transactional email provider until you unsubscribe or request deletion. To request deletion, email us at the address in the footer or click “Unsubscribe” in any email we send you. We will process deletion requests within 30 days.

Contact

Questions about this notice? We’re a small team and we read every message. Use the contact link in the footer or reply to any email we’ve sent you.

This notice describes CoreFolio’s actual practices as of the date above. We will update it and revise the “Last reviewed” date if our practices change. This notice is not a substitute for legal advice. If you have obligations under HIPAA, CCPA, or other privacy law, consult your own counsel.