Legal · Privacy

Privacy Policy.

Plain language. We collect only what you give us. We never sell or share it. You can leave at any time.

Version: 1.0
Effective date: May 28, 2026
Last reviewed: May 28, 2026
Steward: AmericaFirst4Us Inc.
Contact: tpoc@americafirst4us.com

The short version. If you give us your email to subscribe to our newsletter, we keep it for the purpose of sending you the newsletter. That's it. We don't sell it. We don't share it. We don't enrich it. You can unsubscribe with one click. If you want us to delete every record of you, ask us and we will.

1. Who we are

AmericaFirst4Us Inc. ("AF4U", "we", "us") is the Steward of the ELAI security ecosystem. We are a US corporation. We publish protocols, sign Charter declarations, operate this website, and steward the independent product surfaces (4pdfs.com, idregulators.com, verifythecard.com, OuiAmi) that implement the ELAI cryptographic primitives.

2. What we collect

Information you give us directly

Your email address, when you subscribe to our newsletter or send us an email at tpoc@americafirst4us.com.
Any message content you include if you email us (request a Federal Briefing, ask a privacy question, etc.).

Information we collect automatically

Hashed network metadata when you submit our forms — a salted SHA-256 hash of your IP address and a salted hash of your user-agent string, kept for abuse detection. We do not store raw IPs or raw user agents.
Standard web server logs kept by our hosting provider (Hostinger) for security and operations. We do not aggregate or query these for marketing purposes.

Information we do not collect

We do not use third-party analytics (no Google Analytics, no Meta Pixel, no Mixpanel).
We do not use advertising or retargeting cookies.
We do not track you across other websites.
We do not buy email lists.
We do not enrich email addresses against third-party data brokers.

3. How we use what we collect

We use your email address to send you the ELAI Ecosystem newsletter and to reply to any message you send us. We use hashed network metadata to detect and rate-limit abuse (e.g., bot signups, mass enumeration). That's the whole list.

We do not use any information you give us for behavioral profiling, ad targeting, or commercial enrichment.

4. Who we share it with

No one for marketing or commercial purposes. We never sell, rent, lease, or trade your information.

We do use technical service providers to operate the site and send email — currently Resend (email delivery), Supabase (database hosting), and Hostinger (web hosting). These providers see your email only as required to perform their function. They are contractually bound to handle your data on our behalf and not for their own purposes. We do not authorize them to sell, share, or commercially enrich it.

We will disclose information only when legally compelled by valid US legal process (subpoena, warrant), or when necessary to protect safety. We will challenge over-broad requests where appropriate.

5. How long we keep it

We keep your email until you unsubscribe, plus 30 additional days of suppression-list retention to ensure we honor your unsubscribe across all systems. After 30 days, your email is permanently deleted from our active database.

Hashed network metadata is kept for 90 days for abuse detection and then deleted.

Records we are required to keep by law (e.g., tax records, corporate compliance logs) do not apply to newsletter subscribers — those obligations only attach to commercial transactions, which the newsletter is not.

6. Your rights

For everyone

Unsubscribe at any time using the one-click link in every email we send.
Ask us what we have on you by emailing tpoc@americafirst4us.com. We will respond within 14 days with the full record.
Ask us to delete everything by emailing the same address. We will do so within 14 days and confirm.
Correct anything we got wrong by emailing us.

For EU and UK residents (GDPR / UK GDPR)

You have the additional rights to: data portability (we'll provide your data in JSON format on request), restriction of processing, objection to processing, and to lodge a complaint with your supervisory authority. Our legal basis for processing newsletter subscriber data is your explicit consent, which you may withdraw at any time without affecting prior processing.

For California residents (CCPA / CPRA)

You have the right to know what we collect, to delete what we have, to opt out of "sale" (we don't sell), and to non-discrimination for exercising these rights. Categories collected: identifiers (email) and limited internet activity (hashed network metadata). No sensitive personal information is collected.

7. Children

Our services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us and we will delete it.

8. Cookies and similar technologies

We use only essential session cookies required for the site to function. We do not use advertising cookies, tracking cookies, or analytics cookies. We do not embed third-party scripts that set cookies (no Google, Meta, or LinkedIn tags).

Future products on the AF4U platform (account dashboards, signed-in experiences) may use additional essential cookies for authentication. Those will be disclosed in their own product-specific privacy notices.

9. Cryptographic and signed-artifact privacy (forward-looking)

As AF4U expands into the unified ecosystem account model, the following principles remain non-negotiable, consistent with the ELAI Ecosystem Charter:

Private keys are never transmitted to or stored on AF4U systems. Cryptographic keys remain user-held.
Signed artifacts (documents, credentials, attestations) are never aggregated on AF4U-controlled servers. Local-first custody is a protocol-level requirement.
AF4U account data, when introduced, will hold only what is required for access control and billing — never the user's signed content or private keys.

10. Data security

We use TLS for all data in transit. Newsletter subscriber records are stored in Supabase with row-level security policies enforcing that only service-role keys can read or modify the table. Supabase project access requires multi-factor authentication. Resend API keys are rotated periodically and stored in encrypted secret managers.

We will notify affected users within 72 hours of becoming aware of any unauthorized access to personal information that could affect them.

11. International transfers

Our infrastructure (Supabase, Resend, Hostinger) operates primarily from US data centers. If you are accessing our services from outside the US, your data will be processed in the US. By submitting your information, you consent to this transfer. Standard contractual clauses with our processors govern any transfers where required.

12. Changes to this policy

We will update this policy as needed. The current version, effective date, and last reviewed date appear at the top. Material changes will be communicated via the newsletter and a banner on this page for at least 30 days before they take effect.

13. Contact

Privacy questions, requests for access, deletion, correction, or any other matter covered by this policy:

AmericaFirst4Us Inc.
c/o LegalZoom Registered Agent
5865 Ridgeway Center Pkwy, Ste 384
Memphis, TN 38120-4032
Email: tpoc@americafirst4us.com

This Privacy Policy is published in plain English to make our handling of your data legible to humans without legal training. It is intended as a contractually binding statement of how we handle your information, not as legal advice. If anything here conflicts with applicable law, the law controls.