CrashStory ("we," "our," or "us") operates the website crashstory.com (the "Site"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our Site and use our services, including our crash data platform, attorney directory, and lead generation services. CrashStory is operated from Colorado, United States.
By using our Site, you consent to the data practices described in this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Site.
1. Information We Collect
We collect several categories of information to provide our services, connect you with attorneys, and improve your experience on CrashStory.
A. Information You Provide Directly
- Personal identifiers: Name, phone number, email address, and mailing address when you create an account, submit a claim, or request a consultation.
- Case and crash-related data: Accident date, location, description, injuries, vehicle information, insurance details, police report numbers, and other information you provide when using our case evaluation tools or submitting a crash report.
- Attorney profile information: For lawyers registering on our platform: name, firm name, bar number, practice areas, contact information, and professional credentials.
- Communications: Messages, reviews, and feedback you submit through the Site.
B. Information Collected Automatically
- IP address: Your Internet Protocol address is collected when you access our Site.
- Device information: Browser type and version, operating system, device type, screen resolution, and language preferences.
- Browsing history: Pages visited, search queries, features used, time spent on pages, referring URLs, click patterns, and interaction data.
- Geolocation data: Approximate geographic location derived from your IP address, and precise location if you enable browser location services for nearby accident search functionality.
- Advertising identifiers: Click IDs, UTM parameters, and campaign attribution data from advertising platforms.
C. Crash Data from Public Sources
We source crash data from publicly available records maintained by the Colorado Department of Transportation (CDOT). This data includes accident dates, locations, contributing factors, severity, and vehicle types. Personal identifying information of accident participants is not included in public CDOT records.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Connecting users with attorneys: To match accident victims with qualified personal injury attorneys based on location, case type, and preferences, and to facilitate the attorney bidding and lead distribution system.
- Providing crash data and analysis: To deliver accident search results, crash data visualizations, settlement value estimates, and educational content from public CDOT records.
- Analytics and site improvement: To understand how visitors interact with our Site, improve functionality, optimize content, and enhance user experience.
- Marketing and advertising: To deliver relevant advertisements, measure ad performance, and send marketing communications if you have opted in.
- Legal compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests.
- Service communications: To send case status updates, bid notifications, and other service-related messages.
- Security and fraud prevention: To detect, prevent, and address fraud, abuse, and security threats.
3. How We Share Your Information
We may share your information with the following parties:
- Attorney network: When you request a consultation, submit a case, or when an attorney bids on your case, your contact information and case details are shared with the relevant attorneys and law firms in our network. This is a core part of our lead generation service.
- Advertising partners: We share data with advertising platforms including Google Ads, Facebook/Meta, Microsoft Advertising, TikTok Ads, and LinkedIn for campaign measurement, optimization, and retargeting. This may include hashed identifiers, conversion events, and click attribution data.
- Analytics providers: We share usage data with analytics services including Google Analytics (GA4) and Plausible Analytics to understand Site usage patterns and improve our services.
- Hosting and infrastructure providers: Cloud hosting, content delivery networks, and database services that process data on our behalf.
- Email service providers: Third-party email delivery services for transactional and marketing communications.
- Payment processors: Stripe processes attorney subscription payments. CrashStory does not store credit card numbers directly.
- Lead compliance services: TrustedForm certificates are generated to verify the authenticity and consent of lead submissions.
- Legal requirements: When required by law, court order, subpoena, or to protect our rights, property, and safety.
- Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
4. Cookies and Tracking Technologies
We use cookies, pixels, and similar tracking technologies to collect information about your browsing activity and deliver a better experience. The following technologies are used on our Site:
A. Essential Cookies
Required for site functionality, authentication, session management, and security. These cannot be disabled without breaking core Site features.
B. Analytics Cookies
- Google Analytics (GA4): We use Google Analytics to measure traffic, user behavior, and conversion events. Google Analytics may set cookies and collect IP addresses, device data, and browsing history. You can opt out using the Google Analytics Opt-out Browser Add-on.
- Plausible Analytics: A privacy-focused analytics service that does not use cookies or collect personal data.
C. Advertising and Tracking Pixels
- Google Ads: Conversion tracking and remarketing pixels to measure ad effectiveness and serve targeted ads.
- Facebook/Meta Pixel: Tracks conversions and enables retargeting through Facebook and Instagram advertising.
- Microsoft Advertising (Bing UET): Conversion tracking for Microsoft/Bing advertising campaigns.
- TikTok Pixel: Measures ad performance and enables audience targeting on TikTok.
- LinkedIn Insight Tag: Tracks conversions and enables retargeting for LinkedIn advertising campaigns.
D. Lead Compliance
- TrustedForm: Generates certificates to verify the authenticity and consent of lead form submissions. TrustedForm may record session replays of form interactions.
E. UTM Parameters and Click Tracking
We collect UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) and advertising click identifiers (gclid, fbclid, msclkid, ttclid, li_fat_id) from incoming URLs to attribute traffic sources and measure marketing campaign performance.
F. Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, disabling cookies may affect site functionality, including login and saved preferences. You may also use browser extensions or platform-specific opt-out tools to manage tracking.
5. Third-Party Services
Our platform integrates with third-party services, each governed by its own privacy policy. Key integrations include:
- Attorney directory and lead distribution: Personal injury attorneys listed on our platform receive user-submitted case information and contact details as part of our lead generation service.
- Google Maps / Mapbox: For displaying crash locations and map-based search. Subject to Google/Mapbox privacy policies.
- Stripe: For processing attorney subscription payments. CrashStory does not store credit card numbers.
- Email delivery services: For transactional emails (case updates, bid notifications) and marketing communications.
- Google Analytics / Plausible: For website analytics and usage tracking.
- Advertising platforms: Google, Facebook/Meta, Microsoft, TikTok, and LinkedIn for ad serving and conversion measurement.
We encourage you to review the privacy policies of these third-party services to understand how they handle your information.
6. Data Retention
We retain your information for the following periods:
- Account data: Retained for as long as your account is active. After account deletion, personal data is purged within 30 days, except where retention is required by law.
- Case submissions and lead data: Retained for up to 7 years to comply with legal record-keeping requirements and to support potential legal proceedings.
- Analytics data: Personally identifiable analytics data is deleted within 26 months. Aggregated and anonymized analytics data may be retained indefinitely.
- Marketing data: Retained until you opt out or request deletion, whichever occurs first.
- Public crash data: Retained as long as it remains available from CDOT sources and is relevant to our service.
- TrustedForm certificates: Retained in accordance with lead compliance requirements, typically for the duration of the applicable statute of limitations.
7. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information:
A. Rights Under State Privacy Laws (CCPA, CPA, and Others)
- Right to know/access: You may request a copy of the personal information we have collected about you, including the categories of information, the sources, the purposes for collection, and the third parties with whom we share it.
- Right to deletion: You may request deletion of your personal information, subject to certain legal exceptions (e.g., ongoing legal obligations, fraud prevention).
- Right to correction: You may request that we correct inaccurate personal information.
- Right to data portability: You may request your data in a portable, commonly used, machine-readable format.
- Right to opt out of sale/sharing: You may opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
B. Colorado Privacy Act (CPA) Compliance
Under the Colorado Privacy Act, Colorado residents have the rights listed above, plus the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. We will respond to verified requests within 45 days as required by the CPA. You may appeal a denial by contacting us at the address below.
C. How to Exercise Your Rights
To exercise any of these rights, contact us at david@crashstory.com. We may need to verify your identity before processing your request. We will respond within the timeframe required by applicable law.
D. Opt-Out of Marketing
You may opt out of marketing emails at any time by clicking the "unsubscribe" link in any marketing email or by contacting us directly. Please note that you may still receive transactional or service-related communications.
8. Children's Privacy
CrashStory is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete such information promptly. If you believe that a child under 13 has provided us with personal information, please contact us at david@crashstory.com.
9. Data Security
We implement industry-standard security measures to protect your information, including:
- HTTPS/TLS encryption for all data in transit.
- Encryption at rest for sensitive data stored in our databases.
- Role-based access controls limiting who can access user data.
- Regular security audits and vulnerability assessments.
- Secure password hashing for user accounts.
- Monitoring for unauthorized access and anomalous activity.
However, no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach involving your personal information, we will notify you and applicable regulatory authorities as required by law.
10. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. There is currently no industry standard for how companies should respond to DNT signals. At this time, our Site does not respond to DNT signals. However, you can use the opt-out mechanisms described in this Privacy Policy to control tracking.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of significant changes by posting the updated policy on this page and updating the "Last updated" date at the top. For material changes, we may also notify you via email if you have an account. Your continued use of the Site after changes are posted constitutes your acceptance of the updated Privacy Policy.
12. Contact Information
If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, you may contact us: