Privacy Policy
Effective: April 6, 2026 · Last updated: April 6, 2026
1. Overview
CREstimate, LLC ("CREstimate," "we," "us," or "our") operates CREstimate.ai (the "Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding that information.
By using the Service you agree to the collection and use of information as described here. If you do not agree, please do not use the Service. This policy is incorporated by reference into our Terms of Service.
2. Information We Collect
2.1 Information You Provide
- Account registration — email address, password (hashed by Supabase; never stored in plaintext), and display name.
- Google OAuth — if you sign in with Google, we receive your email, name, and profile picture from Google. We do not receive or store your Google password.
- Payment information — billing name, address, and card details. This information is transmitted directly to Stripe and is never stored on our servers. We only receive a Stripe customer ID and subscription status.
- Uploaded documents — rent rolls, operating statements, offering memoranda, and other files you upload for document parsing. These are processed to extract structured financial data and are not retained after processing is complete.
- Support communications — emails or messages you send to [email protected].
2.2 Information Collected Automatically
- Usage data — which features you use, how many reports you generate, API call timestamps, and quota consumption counts.
- Log data — IP address, browser type, operating system, referring URL, HTTP method, status codes, and request duration. Logs are retained for 30 days.
- Cookies and local storage — session tokens (Supabase auth cookies), preferences, and a cookie-consent flag. See Section 7 for details.
2.3 Property & Address Data You Enter
When you generate a CRESI report or proforma, you enter property addresses and related details. We store these as part of your saved reports (if you are on a plan with report saving). We do not sell or share individual property data with third parties.
3. How We Use Your Information
- Provide the Service — authenticate your session, process report generation requests, apply subscription limits, and deliver results.
- Billing — create and manage Stripe subscriptions, send payment receipts, handle failed-payment retries, and process refunds.
- Transactional email — send account-related emails such as welcome messages, trial reminders, usage warnings, and payment confirmations via SMTP2GO. We do not send marketing emails without your explicit opt-in.
- Service improvement — aggregate, anonymized usage analytics to understand which features are most used, identify bugs, and prioritize development. We do not build individual behavioral profiles for advertising.
- Security — detect fraud, abuse, and unauthorized access; enforce rate limits; investigate violations of our Terms of Service.
- Legal compliance — respond to lawful requests from courts or government agencies and fulfill record-keeping obligations.
4. Third-Party Data Processors
We share your data with the following sub-processors to operate the Service. Each processes only the data necessary for its function.
4.1 Supabase
Role: Authentication, user database, saved reports storage. Data shared: Email, hashed password (or OAuth token), usage counts, saved report content, subscription metadata. Location: United States (AWS us-east-1). DPA: supabase.com/privacy.
4.2 Stripe
Role: Payment processing and subscription management. Data shared: Email, billing name/address, payment method (handled client-side via Stripe.js — we never touch raw card numbers). Location: United States. Privacy policy: stripe.com/privacy.
4.3 SMTP2GO
Role: Transactional email delivery. Data shared: Email address and email content (account notifications only — no marketing without consent). Location: New Zealand / United States. Privacy policy: smtp2go.com/privacy.
4.4 Fireworks AI
Role: Large language model inference for CRESI report generation and document parsing. Data shared: Property address, market data, and (when applicable) text extracted from uploaded documents. This data is sent to Fireworks AI solely to generate report content and is not used to train Fireworks models under our enterprise agreement. Location: United States. Privacy policy: fireworks.ai/privacy.
4.5 Google (OAuth only)
Role: Social sign-in. Data shared: We request only your email address, name, and profile picture from Google. We do not request access to Gmail, Drive, Calendar, or any other Google service. Privacy policy: policies.google.com/privacy.
We do not sell your personal information to any third party. We do not share your data with advertising networks, data brokers, or any party for marketing purposes.
5. Data Retention
- Account data — retained while your account is active. Deleted within 30 days of account closure, except where retention is required by law.
- Saved reports — retained while you have an active subscription. Reports are preserved (but access is suspended) during a payment grace period. If your subscription lapses for more than 90 days, reports may be permanently deleted.
- Uploaded documents — deleted immediately after parsing completes. We do not retain the original file.
- Usage logs — retained for 30 days, then deleted.
- Payment records — retained for 7 years per IRS and accounting requirements.
6. Security
We implement the following security measures to protect your information:
- All data in transit is encrypted via TLS 1.2+.
- Passwords are hashed using bcrypt by Supabase and are never accessible to CREstimate employees.
- Authentication tokens are short-lived JWTs; refresh tokens are rotated on use.
- Database access is limited to the application service account via row-level security (RLS) policies in Supabase.
- Payment data never touches our servers — Stripe.js tokenizes card details in the browser before sending to Stripe.
No system is completely secure. If you believe your account has been compromised, contact us immediately at [email protected].
8. Your Rights
Depending on your location, you may have rights under applicable privacy laws (including GDPR, CCPA, and similar regulations):
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate data.
- Deletion — request deletion of your account and associated data (subject to legal retention requirements). You can initiate this from your account settings (Danger Zone).
- Portability — request an export of your saved reports in JSON format.
- Opt-out of transactional email — you can unsubscribe from non-critical emails (e.g., usage warnings) from your profile settings. You cannot opt out of payment receipts and security alerts.
To exercise any of these rights, email [email protected] with the subject line "Privacy Request". We will respond within 30 days. We may need to verify your identity before fulfilling a request.
CCPA (California Residents)
California residents have additional rights under the California Consumer Privacy Act. We do not sell or share personal information as defined under CCPA. To submit a verified consumer request, contact us at the email above. We will not discriminate against you for exercising your CCPA rights.
9. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, contact us at [email protected] and we will promptly delete it.
10. International Data Transfers
CREstimate.ai is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, processed, and stored in the United States, where data protection laws may differ from those in your jurisdiction.
For users in the European Economic Area, United Kingdom, or Switzerland, data transfers to the United States are conducted pursuant to Standard Contractual Clauses (SCCs) with our sub-processors (Supabase, Stripe, SMTP2GO, Fireworks AI), each of which maintains its own GDPR-compliant transfer mechanism.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes (such as adding new data processors or changing how we use your data), we will update the "Last updated" date at the top of this page and send an email to registered users at least 14 days before the changes take effect. Non-material changes (typos, clarifications) take effect immediately upon posting.
Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
CREstimate, LLC
Privacy Team
[email protected]