Privacy Policy
Effective as of October 1, 2025.
This Privacy Policy describes how Vesta Intelligence Limited (“Vesta,” “we,” “us,” or “our”) collects, uses, and protects personal information when you access our neighborhood intelligence and real estate insights platform (the “Service”). This Privacy Policy is incorporated into our Terms of Service. By using the Service, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
We collect the following categories of information when you use the Service:
- Account and Authentication Data: When you create an account or sign in, we receive your name, email address, and authentication details. Depending on your selected sign-in method, this may include OAuth profile data from Google or magic-link verification tokens. Authentication data is managed through Supabase and NextAuth; passwords (if any) are stored in hashed form by Supabase.
- Billing and Transaction Records: We collect billing contact information, subscription plan selections, report purchase history, usage limits, Stripe customer identifiers, and related metadata needed to manage payments and entitlements. Stripe processes payments on our behalf; we never store full credit card numbers or bank details.
- Report Inputs and Neighborhood Data: To generate reports, you provide property addresses, geographic coordinates, search parameters, and contextual notes. We enrich these inputs with data from third-party sources (such as the Census Bureau, FEMA, FRED, Crimeometer, RentCast, and Google Places) and store generated insights, report versions, and usage history in our Supabase database.
- AI and Insight Generation Data: When we create narrative summaries or insights, we may send the relevant report context and prompts to Google's Gemini API or similar AI services. We limit submissions to the minimum content required to produce the requested output.
- Usage, Device, and Log Data: We automatically collect IP addresses, device and browser characteristics, referring pages, timestamps, error logs, and in-product activity. We use Amplitude for analytics and Meta Pixel for ad attribution when enabled. These tools set cookies or similar identifiers to understand feature usage and campaign performance.
- Communications and Preferences: If you contact us or join email sequences, we store your messages, support history, unsubscribe preferences, and related metadata to deliver customer support and lifecycle communication.
We may also receive contact information from team members who invite colleagues, or from publicly available sources to verify addresses and neighborhood boundaries. We do not intentionally collect personal data about individuals under 18.
2. How We Use Information
We use personal information to:
- Provide, maintain, and improve the Service and generated reports.
- Authenticate users, manage accounts, and enforce usage limits.
- Process payments and subscriptions, and deliver invoices or receipts.
- Respond to inquiries, provide customer support, and send transactional notices.
- Deliver onboarding, product updates, and marketing communications in accordance with your preferences (with opt-out instructions in each message).
- Analyze usage trends, monitor reliability, and enhance performance using aggregated analytics.
- Safeguard against fraud, abuse, and unauthorized access, and comply with legal obligations.
- Produce de-identified or aggregated insights for benchmarking, product planning, or research. We do not attempt to re-identify aggregated data.
3. How We Share Information
We do not sell personal information. We share data with the following categories of recipients:
- Infrastructure and Hosting Providers: We host the application with third-party cloud providers (including Vercel) and store data with Supabase, which processes personal information on our behalf.
- Payment and Subscription Processors: Stripe manages billing, payments, and subscription lifecycle data.
- Analytics and Advertising Partners: Amplitude provides product analytics and Meta Pixel supports ad attribution. These partners may set cookies or device identifiers subject to their own privacy notices.
- Communications Vendors: We use email delivery services (via SMTP providers) to send transactional and lifecycle communications, and to honor unsubscribe requests.
- AI and Data Enrichment Services: To build reports, we request neighborhood, housing, demographic, and economic data from third-party APIs (including the Census Bureau, FEMA, FRED, Crimeometer, RentCast, and Google Places) and may send curated report context to Google's Gemini API to produce narrative insights.
- Professional Advisors and Authorities: We may disclose information to comply with legal obligations, enforce our agreements, protect the security of the Service, or in connection with mergers, acquisitions, financing, or transfers of assets.
Each service provider is bound by contractual obligations to process personal data only on our instructions and to implement appropriate safeguards.
4. Cookies and Similar Technologies
We use cookies and similar technologies to authenticate sessions, remember preferences, measure usage, and run marketing campaigns. Essential cookies from NextAuth and Supabase are required for secure login. Analytics (Amplitude) and advertising (Meta Pixel) cookies are optional and may be disabled through browser settings, ad-blocking tools, or privacy controls offered by those providers. Opting out may impact certain personalization features but not core functionality.
5. Data Retention
We retain personal information for as long as needed to deliver the Service, satisfy legal or accounting obligations, resolve disputes, or enforce agreements. Typical retention periods include:
- Account and subscription records: retained while the account is active and for a reasonable period after closure.
- Report history, inputs, and generated insights: retained to provide re-downloads, auditability, and customer support.
- Billing and transaction data: retained in accordance with tax, audit, and regulatory requirements.
- Cached third-party datasets: stored for approximately 24–48 hours to reduce API costs, then refreshed or deleted.
- Analytics data: aggregated and de-identified as soon as practical.
When data is no longer needed, we take steps to delete or anonymize it. Where deletion is not immediately possible, we securely store the data and isolate it from further processing.
6. International Data Transfers
We operate primarily from the United States. By using the Service, you understand that your information may be transferred to, stored in, and processed in countries where we or our service providers maintain facilities. We rely on contractual safeguards and industry-standard security controls to protect data during these transfers.
7. Security
We employ administrative, technical, and physical safeguards to protect personal information, including encryption in transit, role-based access controls, audit logs, and regular monitoring of our infrastructure. No method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.
8. Your Privacy Choices and Rights
Depending on your location, you may have rights to access, correct, delete, or request a copy of your personal information, as well as to object to or restrict certain processing. You may also have the right to withdraw consent or opt out of marketing communications.
To exercise these rights, contact us at contact@askvesta.com. We may request verification of your identity before acting on your request. You can unsubscribe from marketing emails by using the link included in each message.
9. Children's Privacy
The Service is not directed to individuals under 18, and we do not knowingly collect personal information from minors. If we become aware that a minor has provided personal information, we will take steps to delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the effective date at the top of the page and, if the changes are material, provide additional notice as required by law. Your continued use of the Service after the revised policy becomes effective signifies your acceptance.
11. Contact
For questions about this Privacy Policy or our data practices, please contact us at contact@askvesta.com.