Legal
Privacy Policy
How we collect, use, and protect your information — written to be read, not skimmed past.
Last updated: July 2, 2026
Who we are
Permission Report is operated by Persimmon Systems, LLC, a company based in Grand Rapids, Michigan, United States. This policy covers our website at permission.report and the Permission Report application at app.permission.report (together, the "Services").
A quick note about whose data this is
Permission Report is a tool organizations use to track who has access to what. That means there are two kinds of information in play, and we treat them differently:
- Your information — the account details you give us directly (name, email, payment details) and data about how you use our website and product. We decide how this is handled, and this policy describes it.
- Your organization's records — the employee names, access assignments, and signed confirmations your organization enters into Permission Report. Your organization owns and controls this data; we store and process it only to provide the service, on your organization's behalf. We never use it for our own purposes, and we never sell it.
If your employer uses Permission Report and you have questions about a record that mentions you, your employer is the right first contact — they control what's in their account. We'll assist them with any request.
Information we collect
Account information
When you create an account, we collect your name, email address, and organization name. This lets us provide the service, offer support, and send you important account communications. Note that Persimmon Systems, LLC never sees or stores your full credit card number — all payment processing is handled securely by Stripe.
Your organization's access records
To do its job, Permission Report stores the records your organization creates: the people you track (typically names, roles, and work email addresses), the systems and items they have access to, and the signed confirmations of every grant and revocation. What goes in is entirely up to your organization's administrators.
Usage data
We collect basic product usage data like login times and feature usage to keep the service reliable and improve it. On our website, we also collect analytics data — see "Cookies and analytics" below.
How we use your information
We use your information to run Permission Report — nothing more exotic than that. We don't sell your information, and we don't share it with third parties for their marketing.
- To provide and maintain the Services
- To process payments and manage your subscription
- To communicate with you about your account
- To understand how the Services are used so we can improve them
- To comply with legal obligations
Cookies and analytics
Inside the product, we use cookies that are necessary to keep you signed in and remember your preferences.
On our website, we use Google Tag Manager and Google Analytics to understand how visitors find and use the site — which pages get read, roughly where visitors come from, and what kinds of devices they use. Google Analytics sets cookies and collects information such as your device type, browser, approximate location, and the pages you visit. Google processes this data as described in the Google Privacy Policy.
We use this data in aggregate to improve the site. We don't use it to identify individual visitors, and we don't use it for advertising or remarketing. If you'd rather not be counted, you can install the Google Analytics opt-out browser add-on or block cookies for our site in your browser — the site works fine without them.
Third-party services
We use a small number of trusted third-party services to operate our business:
- Stripe handles payment processing. Stripe shares basic payment details with us — like your card's last four digits and issuer — but we never see your full card number.
- Google provides the website analytics described above.
- Email service providers deliver account-related communications like invites, notifications, and receipts.
- Hosting providers run the servers the Services live on, in the United States.
We only work with reputable companies that maintain strong privacy and security standards, and each receives only what it needs to do its job.
Data security
We protect your data using industry-standard encryption and security practices. All data transmission uses HTTPS encryption, and our servers employ standard security measures to protect against unauthorized access.
Data retention
We keep your account information as long as your account is active. Your organization's access records stay in your account for as long as you keep them — audit history tends to matter years later, so we don't automatically expire it.
One thing to know: the audit ledger in Permission Report is intentionally unchangeable. Entries can't be edited after the fact — that's what makes it trustworthy evidence. Individual ledger entries aren't deleted piecemeal; when your organization deletes its account, all of its data goes with it.
If you want your account and its data deleted, email us at hello@permission.report and we'll take care of it promptly.
Your rights
You have control over your data. You can update your account information anytime, export your data, or request complete deletion of your account and everything in it. Just email us — no complicated forms or waiting periods.
- Access your personal information
- Correct inaccurate data
- Request deletion of your data
- Object to processing
- Data portability
If you're an employee of an organization that uses Permission Report, requests about your organization's records should go to your employer, who controls that data — we'll support them in responding.
Changes to this policy
If we need to update this policy, we'll email account holders about any significant changes and update the "Last updated" date at the top of this page. We won't make changes that reduce your privacy protections without giving you notice and a chance to review.
Contact us
If you have any questions about this Privacy Policy, contact us at: