Privacy Policy

Last updated: 2 May 2026

Plain-English summary. We collect what we need to run the product — your account info, your searches and saved properties, payment records (processed by Stripe), and basic technical data like IP and browser. We do not sell your personal information, and we do not share it with advertisers for targeted advertising. If you live in California, Virginia, Colorado, Connecticut, Utah, or another state with a privacy law, you have specific rights under that law (access, deletion, correction, opt-out) — see Section 9.

1. Who We Are

Dwelfy ("Dwelfy", "we", "us", or "our") operates the Dwelfy platform. This Privacy Policy describes how we collect, use, disclose, and protect personal information about visitors to and users of the platform. Questions: contact us at [email protected].

2. Personal Information We Collect

In the past 12 months, and on a forward-looking basis, we collect or may collect the following categories of personal information (CCPA category labels in brackets):

  • Identifiers [Cat. A] — name, username, email address, account ID, IP address, device identifiers.
  • Customer records [Cat. B] — billing name and address, payment card information (Stripe-tokenized; we never store full PANs), subscription history.
  • Commercial information [Cat. D] — properties you save, search filters, portfolio entries, calculator inputs, plan tier.
  • Internet/network activity [Cat. F] — pages visited, features used, browser type, OS, time zone, referring URL, click stream, session duration.
  • Geolocation data [Cat. G] — city, ZIP/postal code, or state you enter in searches; coarse IP-derived location. We do not collect precise device GPS without explicit opt-in.
  • Inferences [Cat. K] — investor preferences derived from saved searches and portfolio mix (e.g., "interested in single-family rentals in TX"), used to surface relevant listings and content.
  • Communications — messages you send through the platform, support tickets, replies to our emails.

We do not intentionally collect "sensitive personal information" as defined under the CPRA (e.g., government IDs, precise geolocation, racial or ethnic origin, biometric data, health information).

3. How We Use Personal Information

We use your information to:

  • Operate, maintain, and improve the platform.
  • Process payments and manage subscriptions (via Stripe).
  • Send service notifications, security alerts, and account updates.
  • Provide customer support and respond to your inquiries.
  • Analyze usage patterns and product performance (aggregate / anonymized where feasible).
  • Detect, prevent, and address fraud, abuse, and technical issues.
  • Send marketing emails about new features, market reports, or related products — only after you opt in, and you can unsubscribe at any time.
  • Comply with applicable law and respond to lawful requests from public authorities.

4. How We Share Personal Information

We share personal information only with service providers ("processors" under most state laws) who help us run the platform, and only to the extent needed for them to do so:

  • Stripe — payment processing (PCI DSS Level 1).
  • Supabase — database hosting and authentication.
  • Cloudflare — content delivery, edge caching, DDoS mitigation, bot protection. Aggregate and minimal personal data.
  • Resend — transactional and marketing email delivery.
  • PostHog — product analytics. Anonymous pageview data sitewide; identified events only after you sign in. Data minimization is applied.

We may also disclose personal information if required by subpoena, court order, or other valid legal process; to enforce our Terms; or to protect the rights, property, or safety of Dwelfy, our users, or others.

We do not sell personal information for money or other valuable consideration, and we do not share it with third-party advertisers for cross-context behavioral advertising. If that ever changes, this policy will be updated and we will offer the opt-out the law requires.

5. Data Sources for Property Information

Property listings, prices, photos, square footage, school ratings, and similar information come from third-party portals (e.g., MLS-syndicated feeds where licensed) and from public records (county tax assessor and recorder offices, the U.S. Census Bureau, state-level housing-authority datasets). These datasets describe properties, not individuals, and are processed to provide accurate market analysis. Underlying public sources remain authoritative; derived figures on Dwelfy may differ — verify against the source before making a transactional decision.

6. Data Retention

We retain personal information for the following periods:

  • Account data: while your account is active, and for 12 months after deletion to handle reactivation requests and disputes.
  • Payment records: 7 years, to satisfy IRS, tax, and accounting record-retention norms.
  • Usage logs: 12 months, then aggregated and anonymized.
  • Marketing consent records: for the duration of consent plus 12 months.
  • Backups: may persist for up to 35 days after a deletion request before being fully purged from rotation.

7. Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS 1.3), encryption at rest, role-based access controls, audit logging, and periodic security reviews. No system is 100% secure; you use the platform at your own risk and should use a strong, unique password.

8. International Data Transfers

Some of our service providers operate outside the United States. Where personal information is transferred internationally, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses or equivalent) and apply comparable safeguards.

9. Your Privacy Rights (CCPA / CPRA and Other State Laws)

Depending on the state where you live, you may have one or more of the following rights:

  • Right to Know — request the categories and specific pieces of personal information we have collected, the sources, the business purpose, and the third parties with whom we share it.
  • Right to Delete — request that we delete personal information we have collected, subject to exceptions allowed by law (e.g., to complete a transaction, comply with a legal obligation, or detect security incidents).
  • Right to Correct — request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing — we do not currently sell or share for cross-context advertising, but if that ever changes you will be able to opt out via a clear "Do Not Sell or Share My Personal Information" link.
  • Right to Limit Use of Sensitive Personal Information — applies in California; we do not currently collect sensitive personal information (SPI) for purposes other than what the CCPA permits without limitation.
  • Right to Non-Discrimination — we will not deny service, charge a different price, or provide a different level of service because you exercised your privacy rights.
  • Right to Data Portability — receive your personal information in a structured, commonly used, and machine-readable format.

To exercise any of these rights, email [email protected] with "Privacy Rights Request" in the subject line, or use the in-app request form when available. We will verify your identity (typically by confirming your account email) and respond within 45 days, with one 45-day extension if reasonably necessary.

You may also designate an authorized agent to make a request on your behalf. We will require the agent to provide written authorization and may verify the request directly with you.

10. Children's Privacy

Dwelfy is intended for users 18 and older. We do not knowingly collect personal information from children under 13 in violation of the Children's Online Privacy Protection Act (COPPA). If you believe a child under 13 has provided us personal information, contact [email protected] and we will delete it.

11. Automated Decision-Making

We use automated calculations for deal scoring, yield estimates, and other investment metrics. These are informational tools only — they do not produce legal effects, do not determine eligibility for any product or service, and should not be the sole basis for any investment decision.

12. Cookies and Similar Technologies

We use the following categories of cookies:

  • Strictly necessary — authentication session cookies (Supabase-issued JWTs), cookie-consent state, market-detection cookie (UK / US).
  • Payment — Stripe session cookies set during checkout only.
  • Analytics — PostHog first-party cookies for anonymous pageview measurement and identified event tracking after sign-in.

You can disable non-essential cookies via your browser. Disabling analytics cookies does not restrict access to the service. We honor browser-level Global Privacy Control (GPC) signals where applicable as an opt-out of any future sale or sharing.

13. Notice of Financial Incentives

We do not currently offer any program that provides a financial incentive in exchange for personal information. If we introduce one (e.g., a referral program), we will provide a separate notice describing the material terms.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be posted on the platform and, where we have your email, sent to you in advance. Continued use of the service after the effective date constitutes acceptance.

15. Contact Us

For privacy questions or to exercise your rights:
Email: [email protected]
California residents may also contact the California Attorney General's Office. Residents of other states with comprehensive privacy laws may contact their state attorney general.

This Privacy Policy was prepared as a starting point and has not been reviewed by a US privacy attorney. Before relying on it for any commercial purpose, please have it reviewed by US counsel familiar with the CCPA/CPRA and the comprehensive state privacy laws applicable to your user base.