Legal · Privacy
Privacy Policy
How we handle account information, credit-report data, documents, correspondence, billing, mailing, and service activity.
Who we are and what this policy covers
Your Resource Group LLC ("YRG," "we," "us," or "our") operates DearBureau. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you visit dearbureau.com, use the DearBureau application, contact support, or use a related DearBureau service.
DearBureau is consumer-rights software built to help you review your own credit report, organize facts and records, prepare correspondence you control, and track what happens next. We do not sell personal information or credit-report data. We do not use credit-report data to build advertising profiles or target advertising. We use limited Google advertising measurement on eligible U.S. marketing requests as described below; advertising personalization and customer-list features are disabled.
This policy does not cover third-party websites or services that have their own privacy policies, including a report source you choose to connect.
Information we collect
Account and identity information
We collect information used to create, secure, and support your account, including your name, email address, account password, postal address, state, ZIP code, Social Security number, and an optional phone number. DearBureau account passwords are stored as one-way password hashes. Sensitive profile information is protected in encrypted storage.
Connected-source and credit-report information
When you connect a supported report source, we collect the credentials and security answers needed to retrieve the report under your instructions. Connected-source secrets are stored encrypted. Reports may include names and aliases, birth date, Social Security number fragments, addresses, employers, scores, account numbers, balances, limits, payment history, collections, inquiries, public records, alerts, and consumer statements.
Documents and workspace content
We collect files and information you choose to add, such as credit reports, collection or validation notices, payment records, creditor statements, identity-theft records, identity documents, bankruptcy records, insurance explanations of benefits, provider bills, answers, evidence, letter drafts, approvals, downloads, responses, and follow-up tasks. These records may contain financial, identity, legal, or health-related information, depending on what you upload.
Billing, mailing, and support information
If you buy a subscription or mailing service, we collect billing contact information, payment status, amount, billing period, discounts, transaction references, and limited card details such as card brand, last four digits, and expiration date. Payment-card number and security-code fields are hosted by our payment processor; DearBureau does not store full card numbers or card security codes. For mailings, we process sender and recipient addresses, approved letter contents, order records, carrier status, tracking information, and delivery or response records. We also collect messages and attachments you send to support.
Device, usage, and security information
We collect information needed to operate and protect the service, such as IP address, browser and device details, timestamps, session and cookie identifiers, requested pages, coarse interaction events, feature activity, diagnostic data, and security or error logs. We use safeguards designed to keep report contents, entered form text, payment details, and report-specific identifiers out of analytics and error-monitoring events.
Failed-import diagnostics
If an import from a connected report source fails, DearBureau may temporarily capture an encrypted copy of the page returned by that source, including page HTML and screenshots that can contain report information. Access is restricted to authorized administrators who need the artifact to troubleshoot the failure. These diagnostic artifacts are scheduled for deletion after 14 days.
Where information comes from
We receive information directly from you, automatically from your browser or device, from report and monitoring sources you direct us to connect, and from providers involved in payment, email, document processing, printing, mailing, analytics, security, and support.
How we use information
We use personal information to:
- create your account, authenticate you, and keep your workspace tenant-scoped;
- retrieve a report from a source you connect or accept a report you upload;
- extract and structure report data, including through document-extraction and artificial-intelligence processors when those tools are enabled;
- organize report facts and identify items for you to review without making a lending, credit, or legal decision about you;
- save your answers and evidence and prepare correspondence for your review;
- print, mail, and track correspondence only after you approve and order it;
- process purchases, renewals, cancellations, discounts, and billing events;
- send service messages, respond to support, and troubleshoot errors;
- measure limited product activity, evaluate site variants, and improve usability;
- detect abuse, protect accounts, enforce our terms, and comply with law.
How we disclose information
We may disclose personal information in these circumstances:
- Service providers. Providers support our application platform, hosting, encrypted storage, document extraction and AI processing, payment processing, transactional email, analytics, error monitoring, printing, and mailing. They receive information needed to perform the service for us and are expected to protect it.
- Advertising measurement and campaign optimization. On an eligible U.S. marketing request that does not send Global Privacy Control, Google may receive the ad click identifier. If a later eligible signup, product activation, or purchase occurs, Google may receive a random conversion identifier, the conversion type and time, and, for a purchase, its amount and currency. We use those limited events to measure our own ads and optimize campaign goals and automated bidding, including Performance Max. We do not send Google your name, contact details, address, Social Security number, internal user ID, report data, dispute content, or payment instrument details for this purpose.
- At your direction. We exchange information with a report source you connect and, when you order a mailing, with the printer, carrier, credit reporting company, information furnisher, or other recipient you select.
- Legal and safety reasons. We may disclose information when we believe disclosure is required by law or reasonably necessary to protect a person, prevent fraud or abuse, investigate security issues, or protect our rights and service.
- Business changes. Information may be reviewed or transferred as part of a financing, merger, acquisition, reorganization, sale of assets, or similar transaction, subject to appropriate confidentiality and legal safeguards.
We do not sell personal information or credit-report data, and we do not use credit-report data for targeted advertising. We do not use enhanced conversions, create customer lists or personalized audiences from DearBureau data, or enable advertising personalization. The limited conversion events and purchase values described above are used to understand whether our own ads lead to eligible signups, product activation, or purchases and to optimize bidding for those outcomes.
Cookies and analytics
DearBureau uses cookies and similar storage for account sessions, security, saved product choices, and other functions needed to provide the service. The marketing homepage also uses a first-party cookie that keeps a site-variant assignment for up to 30 days. If you arrive through a Google ad, an eligible U.S. marketing request may briefly load a minimal measurement page at the original address so Google's tag can register the ad click. Before the tag loads, that page leaves only the click identifier in its address; other query information and the page fragment are not shown to Google. We then remove the identifier before navigating to the requested marketing page. If that requested page retains other query information or a fragment, it does not load the normal Google tag. We may store one identifier in a secure, integrity-protected, restricted cookie for up to 90 days so we can measure campaign results. The cookie is unavailable to page JavaScript, is cleared after an authenticated binding attempt, and the bound identifier is encrypted in our database. When the Google tag is permitted to run, it may also set or read host-only first-party measurement cookies on the marketing host. We configure those cookies not to span DearBureau subdomains, so they are not available to the application host. You can remove or block them through your browser settings.
When analytics is enabled, we use PostHog for limited events that help us understand page visits, signup flow, feature use, and service reliability. Marketing-site PostHog records named events rather than page contents and disables automatic capture and session recording. Application analytics may include a masked interaction replay: entered values and page text are masked, and network bodies and headers are not recorded. Our PostHog configuration respects browser Do Not Track settings. Marketing-site PostHog URL fields exclude query information, fragments, and sensitive path identifiers. On eligible U.S. marketing pages whose browser address has neither a query nor a fragment, our Google tag records an explicit page view and helps measure advertising conversions. Advertising personalization is disabled. Conversion tags run in a sandboxed marketing-site frame, not on the application origin or in the normal application document that contains account, report, identity, or payment information. We do not add IP addresses, browser user-agent values, or enhanced-conversion customer data to Google event payloads. As with any direct browser request to a third-party service, Google receives ordinary connection and browser-header information when its tag is allowed to load. A Global Privacy Control signal on a marketing request stops new Google measurement and click capture. On an authenticated attribution request, it also stops new unsent initial conversion delivery and records the user's measurement opt-out. For an eligible-signup measurement, we do not bind the ad click to the account until the validated onboarding profile already exists. For later conversions that have a browser receipt, both that receipt and the corresponding server-side initial delivery require a fresh eligible U.S. request without Global Privacy Control; an unknown-location, non-U.S., or Global Privacy Control request enables neither. A conversion receipt already durably released to the browser before a later signal may finish and be acknowledged. We may later send its random transaction identifier and correction details—without a click or user identifier—to reduce or retract a previously delivered purchase value after a refund, void, or chargeback.
You can limit cookies through your browser or privacy tools. Blocking cookies needed for authentication or security may prevent parts of DearBureau from working.
Retention and security
We keep information for as long as reasonably necessary to provide DearBureau, maintain your account, complete transactions and mailings, protect the service, resolve disputes, and meet legal, accounting, and compliance obligations. The period varies by record type and context. Some security, billing, mailing, or legal records may remain after account closure, and deletion from backups may take additional time.
A Google ad click identifier stops being eligible for a new conversion no later than 90 days after capture. The browser cookie normally clears earlier. An encrypted server copy is deleted earlier after an applicable GPC signal or erasure request, or after its 90-day expiry once no pending, processing, or submitted initial delivery remains. We retain an identity-minimized conversion and correction ledger containing a random transaction ID, event type and time, purchase value and currency when applicable, and delivery status as needed for deduplication, refunds and chargebacks, accounting, diagnostics, and audit. Direct user-attribution links are kept separately and are removed when no longer needed or in response to an applicable deletion request, subject to legal and transaction-record obligations.
We use administrative, technical, and organizational safeguards designed for the sensitivity of the information we process. These include encrypted connections, encrypted storage for sensitive profile, credential, report, and document data, tenant-scoped access controls, and restricted administrative access. No method of transmission or storage is completely secure. Read our security overview for more detail.
Your choices and privacy rights
You can update certain account information in DearBureau. When self-service subscription cancellation is available for your billing status, you can cancel from the subscription area; if it is unavailable, contact support. You may also contact us to ask about access to, correction of, deletion of, or a portable copy of your personal information.
Depending on where you live, applicable law may give you rights to confirm whether we process your information; access, correct, delete, or obtain a copy of it; opt out of certain sale, sharing, targeted-advertising, or profiling uses; limit certain uses of sensitive information; appeal a request decision; and receive equal service without unlawful discrimination for exercising a privacy right. We do not sell personal information or use credit-report data for targeted advertising. We do not enable Google advertising personalization or use DearBureau data to create customer lists or personalized audiences; our limited conversion measurement and bidding optimization are described above.
To make a request, email support@dearbureau.com with “Privacy request” in the subject. We may need to verify your identity and authority before acting. An authorized agent may submit a request where applicable law permits. We may deny or limit a request where an exception applies, such as when information must be retained for security, fraud prevention, a transaction, a legal obligation, or the rights of another person. To appeal a decision, reply with “Privacy appeal.”
Children and United States use
DearBureau accounts are intended for adults and the service is not directed to children under 13. Do not submit another person’s information, including a child’s information, unless you are legally authorized and DearBureau expressly supports that use. DearBureau is offered for use in the United States. We and our service providers may process information in the United States and other countries where they operate, subject to applicable safeguards.
Changes to this policy
We may update this policy as DearBureau, our providers, or legal requirements change. We will post the updated policy here and revise the effective date. If a change materially affects how we use information already collected, we will provide additional notice when required by law.
Contact us
Your Resource Group LLC
DearBureau Privacy
United States
support@dearbureau.com