RIA Health Check

Data Handling

Last updated: April 6, 2026

Transparency about how we handle data is important to us, especially given that we work with regulated financial services firms. This page explains exactly what data we collect, how we process it, where it is stored, and how long we retain it.

What We Scan

When you request a compliance scan, our system accesses only publicly available information:

  • Your public website: We visit pages that any internet user could access. We do not attempt to bypass login pages, CAPTCHAs, or access restricted areas.
  • Public SEC filings: We cross-reference your website content against your firm's Form ADV data from the SEC's IAPD database, which is publicly available.
  • Linked PDF documents: If your website links to public PDF documents (e.g., Form ADV brochure, Form CRS, privacy policy), we download and extract text from these for analysis.

How the Scan Works

1. You submit your URL and email. This is stored securely in our database so we can deliver your report.
2. We crawl your public website. A headless browser visits your homepage and up to 9 relevant subpages (disclosures, services, legal, etc.). Only visible text content is extracted.
3. We download linked PDFs. Up to 5 compliance-relevant PDFs linked from your site (Form ADV, Form CRS, privacy policy) are downloaded and text-extracted.
4. AI-assisted analysis. The extracted text is analysed against SEC Marketing Rule requirements, with findings cross-referenced against your public Form ADV filings.
5. Manual review. Generated findings are reviewed before delivery to ensure accuracy and relevance.
6. Report delivery. Your personalised scorecard and/or full report is delivered to the email address you provided.

What We Do Not Access

  • Password-protected client portals or account areas
  • Internal systems, databases, or non-public documents
  • Social media accounts (LinkedIn, Facebook, Twitter, etc.)
  • Email content, client lists, or financial records
  • Any information that requires authentication to access

Data Storage and Security

  • Infrastructure: Data is stored on Supabase (built on PostgreSQL), hosted on AWS infrastructure with SOC 2 Type II compliance.
  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Access control: Access to stored data is restricted to authorised personnel only via role-based access controls.
  • PDF storage: Generated report PDFs are stored in encrypted object storage with access controlled via signed, time-limited URLs.

Data Retention

  • Email addresses: Retained until you request deletion or unsubscribe from communications.
  • Scraped website content: Raw scraped text is retained for the purpose of generating and supporting your report. It is not used for any other purpose.
  • Reports and scorecards: Retained indefinitely to support your ongoing compliance needs, unless you request deletion.

Your Rights

You may request at any time:

  • Data export: A copy of all data we hold about your firm
  • Data deletion: Permanent removal of your email, scraped content, and generated reports
  • Correction: Updates to any inaccurate information

To make a request, email info@riahealthcheck.com. We will respond within 5 business days.

Questions

If you have questions about our data handling practices, contact us at info@riahealthcheck.com.


This service is provided for informational and educational purposes only and does not constitute legal, compliance, or investment advice. RIA Health Check is not affiliated with, endorsed by, or sponsored by the U.S. Securities and Exchange Commission or FINRA.

© 2026 RIA Health Check. All rights reserved.