Privacy Policy
Effective Date: May 16, 2026 Last Updated: May 26, 2026 Version: 1.3.1 (solo patch on top of v1.3.0 reconciled with Terms of Service v1.3.0 + Data Processing Agreement v1.1.0 — adds §7.2 "Pre-Upload Local Storage on Your Device" per 5G.28 to disclose the factory-reset / pre-upload risk and the mitigations layered on top of it; pending California attorney sign-off, see ROADMAP 6.3 / 6P.10)
ClearDeduct ("we," "our," or "us") provides software that helps California landlords comply with Assembly Bill 2801 (AB 2801) by documenting rental property condition through timestamped photographs. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the ClearDeduct mobile application or website (collectively, the "Service").
By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, do not use the Service.
1. Who We Are
Operating entity: ClearDeduct Privacy contact: privacy@cleardeduct.com Mailing address: [TO BE FILLED — operating entity address required before launch]
1.1 Data Controller and Service Provider Roles
ClearDeduct's role under applicable privacy law depends on which data is being processed:
| Data category | CCPA / CPRA role | GDPR role | Reason |
|---|---|---|---|
| Landlord account data (your email, password, billing info, profile, preferences) | Business | Data Controller | We determine the purposes and means of processing your account data |
| Tenant data uploaded by the landlord (tenant name, contact info, lease dates, property photos) | Service Provider | Data Processor | The landlord is the Business/Controller; we process this data on the landlord's behalf to deliver the AB 2801 compliance service |
| Website visitor data (IP address, browser, pages visited) | Business | Data Controller | Standard analytics/site operation |
1.2 Data Processing Agreement (DPA)
For all tenant data and other third-party data uploaded through the Service, ClearDeduct acts as a Service Provider (CCPA/CPRA) and Data Processor (GDPR Art. 28). Our processing of such data is governed by ClearDeduct's standard Data Processing Agreement (incorporated by reference into the Terms of Service §15.1), which:
- Prohibits ClearDeduct from selling or sharing the data;
- Restricts use to the contracted services only;
- Bars combining the data with information from other sources;
- Specifies sub-processor obligations consistent with this Privacy Policy §5.1 and Terms of Service §16;
- Establishes data-return / deletion procedures upon contract termination (per ToS §4.5 bifurcation between Unperfected Documentation and Finalized Dispositions);
- Sets breach-notification timelines aligned with this Privacy Policy §9.1.
Full DPA text: publicly available at cleardeduct.com/dpa (also accessible in-app via Settings → Legal → Data Processing Agreement). Enterprise customers may request a signed counter-party version by emailing privacy@cleardeduct.com with subject line "Signed DPA Request"; we deliver within 10 business days.
2. Information We Collect
2.1 Information You Provide
- Account information: name, email address, phone number (optional), password (hashed; we never store plaintext).
- Property and tenancy data: property address, unit details, tenant name and contact information, lease dates, deposit amount.
- Inspection data: photos taken through the Service, room and area annotations, deduction line items, contractor invoices.
- Billing information: processed by our payment provider Stripe, Inc. We do not store full credit card numbers on our servers.
- Support communications: any messages you send to us, including the contents of those messages.
2.2 Information We Collect Automatically
- Device data: device model, operating system version, app version, language and region, time zone.
- Usage data: features used, screens visited, actions taken, error logs, crash reports.
- Photo metadata: EXIF metadata embedded by your device camera (date and time, GPS coordinates if location permission granted, camera model). This metadata is required to comply with AB 2801 and cannot be disabled while still using the inspection features.
- Approximate location (optional): if you grant location permission, we record GPS coordinates at the moment a photo is taken. You may revoke this permission at any time in your device settings.
2.3 Information We Receive From Third Parties
- Payment information from Stripe (subscription status, last 4 digits of card, billing country) for accounting purposes only.
- Push notification tokens from Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) when you opt into notifications.
- Identity provider information from Apple Inc. (Sign in with Apple) or Google LLC (Sign in with Google) when you choose those signup or login methods on cleardeduct.com: your email address, your display name (Apple transmits the name only on first authentication; Google transmits it on each), and an OAuth/OIDC authentication token used solely to establish your ClearDeduct session. We do not receive your Apple ID password, your Google password, your contacts, calendars, photo library, or any other personal data from your Apple or Google account. If you use Apple's "Hide My Email" feature, the email address we receive is an Apple-relay address (e.g.,
xxxxx@privaterelay.appleid.com) — our outbound system emails reach you through Apple's relay infrastructure, and we never see your real address.
2.4 Sensitive Personal Information (SPI) — Precise Geolocation
Under the California Privacy Rights Act (CPRA), "precise geolocation" — defined as location data that locates a consumer within a geographic radius of 1,850 feet or less — is classified as Sensitive Personal Information (Cal. Civ. Code §1798.140(ae)(2)(F)). Because California Assembly Bill 2801 compliance requires timestamped and geolocated photographic evidence of rental units, the EXIF metadata extracted from photographs uploaded through the Service contains precise GPS coordinates that meet this statutory threshold.
We accordingly disclose:
- We do collect SPI in the form of precise geolocation embedded in photo EXIF metadata.
- Purpose: This SPI is collected and processed solely to (a) timestamp and geolocate inspection photographs as required by California Civil Code §1950.5 (as amended by AB 2801), (b) overlay geolocation data on generated PDF reports for evidentiary admissibility, and (c) verify the authenticity of photograph capture location for landlord-tenant dispute defense.
- Statutory exemption invoked: Pursuant to CPRA §1798.121(a) and 11 Cal. Code Regs. §7027, ClearDeduct invokes the "performing the services or providing the goods reasonably expected" exemption. We do not use this SPI to infer characteristics about you or your tenants, and we do not use it for cross-context behavioral advertising, profiling, or any purpose outside AB 2801 compliance.
- Right to Limit: Because our collection of precise geolocation is strictly necessary to perform the AB 2801 compliance service you requested, the standard CPRA Right to Limit Use of Sensitive Personal Information has limited applicability. Disabling location permission will disable the inspection features that depend on it. To request review of our SPI processing, email privacy@cleardeduct.com.
We do not knowingly collect other categories of SPI: racial or ethnic origin, religious beliefs, union membership, mail/email/text message contents, genetic data, biometric identifiers used to identify a person, health/sex-life/sexual-orientation information, citizenship or immigration status, financial account credentials.
3. How We Use Information
We use your information for the following purposes ("legitimate business interests" under GDPR Art. 6(1)(f) where applicable, and "business purposes" under CCPA §1798.140):
| Purpose | Examples |
|---|---|
| Provide the Service | Authenticate you, store inspections and photos, generate PDF reports, send compliance reminders. |
| AB 2801 compliance | Embed timestamps and GPS overlays on photos; calculate the 21-day deposit-return deadline; retain photographs for the legally required four (4) year period under California Civil Code §1950.5. |
| Billing and fraud prevention | Process subscription payments via Stripe; detect fraudulent charges. |
| Customer support | Respond to your inquiries; troubleshoot bugs you report. |
| Service improvement | Aggregate, anonymized analytics to understand which features are used. We do not use your inspection content to train machine-learning models. |
| Legal compliance | Respond to lawful subpoenas, court orders, or government requests; defend ourselves in legal disputes. |
| Communications | Send transactional emails (deadline reminders, report delivery confirmations); product updates if you opt in. |
4. Legal Bases for Processing (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases:
- Contractual necessity (Art. 6(1)(b)): to deliver the Service you have purchased.
- Legitimate interests (Art. 6(1)(f)): to operate, secure, and improve the Service, where these interests are not overridden by your rights.
- Legal obligation (Art. 6(1)(c)): to retain records for tax, accounting, and AB 2801 compliance.
- Consent (Art. 6(1)(a)): for optional marketing emails and location permission. You may withdraw consent at any time.
5. How We Share Information
We share information only with the following categories of recipients:
5.1 Service Providers (Sub-Processors)
To deliver the Service, ClearDeduct directly engages the following third-party service providers as sub-processors. By using the Service, you grant general written authorization under GDPR Article 28(2) and CPRA §1798.140(d) for ClearDeduct to engage these sub-processors to process Your Content and tenant personal data on your behalf, as also reflected in Terms of Service §16.
| Provider | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database orchestration, authentication, file storage (Postgres + S3-compatible object storage) | United States |
| Stripe, Inc. | Subscription billing and payment processing | United States, EU |
| Resend | Transactional email delivery (account verification, deadline reminders, report delivery) | United States |
| Vercel, Inc. | Web hosting and content delivery network | Global edge network |
| Expo (Expo Application Services) | Mobile push notification routing (intermediary to APNs/FCM) | United States |
| Apple Inc. (APNs) | iOS push notification terminal delivery | United States |
| Google LLC (FCM) | Android push notification terminal delivery | United States |
| Apple Inc. (Sign in with Apple) | OAuth identity verification at web signup/login (landlord email + name only; never tenant data). Scope-limited per Privacy Policy §2.3 — see also §5.1a below. | United States |
| Google LLC (Sign in with Google) | OAuth identity verification at web signup/login (landlord email + name only; never tenant data). Scope-limited per Privacy Policy §2.3 — see also §5.1a below. | United States |
| Sentry | Crash and error reporting for production diagnostics | United States |
| Cloudflare, Inc. | DNS, email routing (any address @cleardeduct.com → operator inbox), CDN | Global edge network |
Downstream infrastructure transparency: Our direct vendors (Supabase, Stripe, Resend) themselves rely on upstream cloud infrastructure providers (typically Amazon Web Services). ClearDeduct does not maintain a direct contractual relationship with these upstream providers; downstream sub-processor chains are published by each direct vendor in their own sub-processor disclosures (e.g., stripe.com/legal/service-providers, supabase.com/security, resend.com/legal/subprocessors).
We require each direct provider to process information only on our instructions and to maintain appropriate security safeguards. We do not authorize any provider to use your information for their own marketing, profiling, or model-training purposes.
You may request the current sub-processor list at any time by emailing privacy@cleardeduct.com. If you object to a newly added sub-processor on legitimate data-protection grounds, you may exercise the termination rights described in Terms of Service §16.3.
5.1a Scope Limitation — Identity Sub-Processors (Apple, Google)
The two identity sub-processors above (Sign in with Apple, Sign in with Google) are functionally distinct from the data sub-processors that handle tenant evidence (Supabase, Stripe, Resend, etc.). Their processing scope is strictly limited to landlord-account authentication:
- What they see: your landlord email address, your display name (at signup), and standard OAuth/OIDC handshake metadata (PKCE codes, ID tokens, refresh tokens). Apple may also see — and conceal from us via "Hide My Email" — the email address you registered with Apple.
- What they never see: tenant personal information, photographs, inspection records, deduction line items, disposition statements, share links, or any other AB 2801 evidence. ClearDeduct does not transmit Tenant Personal Data to Apple's or Google's identity APIs under any circumstance.
- Data Processing Agreement (DPA) scope: Because identity providers do not process Tenant Personal Data, the Sub-processor obligations defined in DPA §4 (which govern tenant-data processors) do not apply to Sign in with Apple or Sign in with Google. They are disclosed in this Privacy Policy for full transparency under GDPR Article 13 and CPRA §1798.100(b), but the contractual data-processing obligations imposed on Supabase / Stripe / Resend / etc. are not contractually applicable to identity verification.
- Opt-out: If you prefer not to use third-party identity verification, you may always create your ClearDeduct account using email + password. SSO is a convenience feature, not a requirement.
5.2 Other Disclosures
- Tenants: when you generate a Move-Out Disposition Statement and email it via the Service, the tenant's email address you provide and the report contents are delivered to the tenant. Secure share links expire after 90 days.
- Legal authorities: if required by law, lawful subpoena, court order, or to defend legal claims.
- Successors: in the event of a merger, acquisition, or asset sale, your information may transfer to the successor entity, subject to this Privacy Policy.
5.3 We Do Not Sell or Share for Cross-Context Behavioral Advertising
ClearDeduct does not sell personal information for monetary or other valuable consideration, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CPRA. We have not done so in the preceding 12 months and have no plans to do so.
6. International Data Transfers
ClearDeduct is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other countries where our service providers operate.
For transfers from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum, supplemented with appropriate technical measures.
7. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Finalized Dispositions — photographs + reports incorporated into a generated AB 2801 compliance artifact (Move-In Condition Report, Pre-Inspection Notice, Move-Out Disposition Statement) | 4 years from the end of the tenancy | Required by California Civil Code §1950.5(g)(1) (pre-tenancy photo documentation, effective July 1, 2025) and §1950.5(g)(2) (post-tenancy photo documentation + repair receipts, effective April 1, 2025), as amended by AB 2801, plus the 4-year statute of limitations on written contracts (Cal. Code Civ. Proc. §337) |
| Unperfected Documentation — raw uploaded photos / EXIF metadata / draft inspection notes not incorporated into any finalized compliance artifact | Until account deletion or refund + 30-day grace period | CPRA data-minimization principles (Cal. Civ. Code §1798.100(c)); no statutory retention purpose has crystallized for unused trial data |
| Account data | Until you delete your account, plus 30 days of grace period | Allow account recovery |
| Billing records | 7 years | Tax and accounting requirements (Cal. Rev. & Tax. Code §6531) |
| Support communications | 3 years | Defend legal claims |
| Logs and analytics | 13 months | Security investigation |
| Push tokens | Until you uninstall the app or revoke permission | Notification delivery |
7.1 Statutory Retention Override and Data Bifurcation
When you delete your account, request a refund under Terms of Service §4.4, or your subscription is cancelled or terminated for convenience under ToS §8.2(d)–(f), we begin a 30-day grace period during which the account is deactivated but recoverable. During this period, you may export all Your Content (both categories below) via Settings → Download My Data.
Exception — termination for cause: If your account is terminated for cause under Terms of Service §8.2(a)–(c) (Terms violation, evidentiary falsification, or persistent payment delinquency), the 30-day export grace period does not apply and Unperfected Documentation will be subject to immediate destruction. Finalized Dispositions remain subject to the statutory four-year retention mandate described below, irrespective of the termination trigger.
After the 30-day grace period expires, we apply a bifurcated destruction protocol that distinguishes between data subject to statutory retention and data not subject to it:
Finalized Dispositions — photographic evidence and metadata that have been incorporated into a generated AB 2801 compliance artifact — are retained for the full four-year period required by California Civil Code §1950.5(g)(1)–(2) (as amended by AB 2801) and Cal. Code Civ. Proc. §337. ClearDeduct expressly reserves the right under CCPA §1798.105(d)(8) to deny CCPA/CPRA deletion requests with respect to Finalized Dispositions for this retention period. Once the four-year period expires for a specific tenancy, the archived data is permanently destroyed.
Unperfected Documentation — raw uploads that were never compiled into a finalized compliance artifact — is permanently deleted at the end of the 30-day grace period, in strict compliance with CPRA data-minimization principles (Cal. Civ. Code §1798.100(c)). No statutory retention purpose applies to data that was never used to support a security-deposit deduction, and continuing to retain it would needlessly expand the breach-attack surface.
This bifurcated protocol is identified in Terms of Service §4.5 (data lifecycle) and §7.2 (retention override) and is not optional.
7.2 Pre-Upload Local Storage on Your Device
Photos captured through the mobile app are first written to your device's local storage and queued for upload to ClearDeduct's cloud. The upload is automatic, but it requires network connectivity (Wi-Fi or cellular) and that the mobile app be allowed to run. Until a given photo has been uploaded — at which point it appears with a green status indicator in the inspection view and you receive an optional confirmation email — that photo exists only on your device.
This means:
- We cannot recover photos that are lost before they reach our servers. If your device is factory-reset, the ClearDeduct app is uninstalled, the device is replaced or wiped, or the local app data is otherwise cleared while photos are still pending upload, those photos are permanently unrecoverable from ClearDeduct.
- We take several steps to minimize this exposure: an in-app banner persistently displays the count of pending uploads, the app retries automatically on reconnection, and we send a warning email if any photo remains queued for more than 24 hours. You can also disable these emails at any time from Account → Sync Status.
- Recommended user practice: keep the app open on Wi-Fi after an inspection until all photos show the green "uploaded" indicator, and avoid factory-reset / device-transfer until that point.
The local-storage stage is required to support offline inspections in basements, rural properties, and units with poor reception — these are exactly the units AB 2801 documentation matters most for. We treat the small window of device-only existence as an engineering trade-off that we mitigate aggressively rather than eliminate.
8. Your Privacy Rights
8.1 California Residents (CCPA / CPRA)
You have the right to:
- Know what personal information we have collected, used, disclosed, and sold (we do not sell).
- Access a copy of your personal information in a portable, readily usable format (such as JSON).
- Delete your personal information. Please note that your right to deletion is subject to statutory exceptions. Specifically, the four-year retention of inspection photographs and reports is a legal obligation mandated by California Civil Code §1950.5(g)(2) (AB 2801) and Cal. Code Civ. Proc. §337, which overrides deletion requests during that retention period (CCPA §1798.105(d)(8) exception).
- Correct inaccurate personal information.
- Limit the Use of Sensitive Personal Information. As affirmatively recognized in Terms of Service §5.4, the ClearDeduct platform structurally relies upon precise geolocation (GPS in photo EXIF) as a vital and necessary functional input to automate timestamp overlays, geolocation watermarks, and the construction of AB 2801 compliance reports. Because this processing is absolutely essential to the core functionality of the Service that you requested, our processing falls within the CPRA §1798.121(a) "performing the services" exemption for permitted business purposes. We therefore do not offer a facility to limit the use of this specific SPI category. If you do not wish for precise geolocation to be processed, you may manually strip EXIF data from your images prior to upload, recognizing that this will disable the automated AB 2801 compliance features that depend on it (the resulting reports may not satisfy the evidentiary requirements of California Civil Code §1950.5). We do not use this SPI for any purpose outside AB 2801 compliance, and we do not infer characteristics about you or your tenants from it.
- Opt out of sale or sharing for cross-context behavioral advertising (we do not engage in either).
- Non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised your rights.
To exercise these rights, email privacy@cleardeduct.com from the email address on your account, or use the in-app Settings → Download My Data and Settings → Delete My Account flows. We will verify your identity before responding and will respond within 45 days.
You may also designate an authorized agent in writing to make a request on your behalf.
8.2 European, UK, and Swiss Residents (GDPR / UK GDPR)
You have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erasure ("right to be forgotten") (Art. 17, subject to the same AB 2801 retention override described in §7.1)
- Restrict processing (Art. 18)
- Data portability in a machine-readable format (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time, where consent is the legal basis
- Lodge a complaint with your local supervisory authority. EU/EEA residents may contact their national Data Protection Authority; UK residents may contact the Information Commissioner's Office (ICO at ico.org.uk). A complete list of EU supervisory authorities is available at edpb.europa.eu.
Data Protection Officer (DPO): Based on the scale and nature of our processing, ClearDeduct is not required to designate a Data Protection Officer under GDPR Art. 37 (we are not a public authority, our core activities do not consist of large-scale systematic monitoring of data subjects, and we do not engage in large-scale processing of special categories of data outside the AB 2801 compliance context, for which we have invoked the CPRA "performing the services" exemption). For privacy inquiries, contact privacy@cleardeduct.com.
EU Representative: Because ClearDeduct is a California-only service that does not target EU/EEA residents as customers, we have not appointed an EU Representative under GDPR Art. 27. If you are an EEA resident who has nonetheless interacted with our website, you may contact privacy@cleardeduct.com directly.
To exercise these rights, email privacy@cleardeduct.com.
8.3 Your California Privacy Rights (Cal. Civ. Code §1798.83 — "Shine the Light")
California's "Shine the Light" law (Cal. Civ. Code §1798.83) entitles California residents to request, once per year, a notice describing what categories of personal information businesses share with third parties for those third parties' direct marketing purposes.
ClearDeduct does not disclose, share, sell, or rent personal information to third parties for those third parties' direct marketing purposes. We have not done so in the preceding 12 months and have no plans to do so. Accordingly, no "Shine the Light" notice is applicable.
To submit a request or verify this status, email privacy@cleardeduct.com with subject line "California Privacy Rights".
8.4 All Users
Regardless of where you live, you can:
- Update your profile information in the Settings screen.
- Download a JSON archive of your data via Settings → Download My Data.
- Delete your account via Settings → Delete My Account (subject to a 30-day grace period and legal retention requirements).
- Disable push notifications and location permissions in your device settings.
9. Data Security and Breach Notification
We implement industry-standard technical and organizational measures to protect your information:
- Encryption in transit: TLS 1.2+ for all network communications.
- Encryption at rest: AES-256 for stored photographs and database backups.
- Access controls: Role-based access; least-privilege; multi-factor authentication for our staff.
- Row-Level Security (RLS): every database table enforces ownership at the SQL layer; users can never read another tenant's data even if a software bug were present.
- Audit logs: all administrative access is logged and reviewed.
- Vulnerability management: dependencies are scanned weekly; security patches are applied within 30 days of release.
9.1 Breach Notification Timelines
No system can be 100% secure. If we become aware of a breach affecting your personal information, we will notify you and the appropriate regulators within the strict statutory timelines required by applicable law.
California residents (Cal. Civ. Code §1798.82, as amended by Senate Bill 446, effective January 1, 2026): We will notify affected California individuals within thirty (30) calendar days of discovering a security breach involving unencrypted personal information (or encrypted personal information together with the encryption key). If a single breach affects more than 500 California residents, we will additionally submit a sample copy of the consumer notification to the California Attorney General within fifteen (15) calendar days of notifying affected consumers. Notification may be delayed only if a law-enforcement agency determines that immediate notification would impede a criminal investigation, or to the extent strictly necessary to determine the scope of the breach and restore reasonable data-system integrity.
EU / EEA / UK residents (GDPR Art. 33): We will notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible. If the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will also notify affected individuals without undue delay (GDPR Art. 34).
Other jurisdictions: We will comply with applicable breach-notification laws in your jurisdiction.
10. Children's Privacy
The ClearDeduct Service is a business-to-business compliance tool intended for adult landlords and property professionals. The Service is not directed to minors, and we apply the following age-specific standards:
- Under 13 (federal COPPA — 15 U.S.C. §§6501-6506): We do not knowingly collect personal information from children under the age of 13. The Service requires account holders to be at least 18 years of age (Terms of Service §1).
- Ages 13–16 (CCPA/CPRA opt-in — Cal. Civ. Code §1798.120(c)): For California minors between 13 and 16 years of age, CCPA/CPRA requires affirmative opt-in consent before any sale or sharing of personal information. Because ClearDeduct does not sell or share personal information (see §5.3 and §8.3), this opt-in requirement does not arise. We nonetheless do not knowingly accept account registrations from individuals in this age group.
- Under 18 (general): Per Terms of Service §1, the Service is only available to individuals 18 years of age or older capable of forming a binding contract under California law.
If you become aware that a minor has provided personal information through the Service, contact privacy@cleardeduct.com immediately and we will delete it without retention (the AB 2801 retention override does not apply because the underlying account registration would have been unauthorized).
11. Cookies and Similar Technologies (Web Only)
The ClearDeduct website (cleardeduct.com) uses only strictly necessary cookies to keep you signed in and to remember your preferences. We do not use advertising cookies, third-party trackers, or analytics that profile individual users.
The mobile application does not use cookies. It uses local device storage to cache your data for offline use; this storage is removed when you uninstall the app or delete your account.
12. Third-Party Links
The Service may contain links to third-party websites (such as the official California Legislature page for AB 2801). We are not responsible for the privacy practices of those sites. We recommend you review their privacy policies.
13. Do Not Track
Some browsers send a "Do Not Track" (DNT) signal. Because there is no industry consensus on how to interpret DNT, we currently do not respond to DNT signals. We do, however, honor the Global Privacy Control (GPC) signal as required by California law: when our website detects a GPC signal, we treat it as a valid opt-out request.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and through the app at least 30 days before the changes take effect. The "Last Updated" date at the top of this page indicates the most recent revision.
If you do not agree with a material change, you may delete your account before the change takes effect.
15. Contact Us
For privacy questions, requests, or complaints, contact:
- Email: privacy@cleardeduct.com
- Subject line: "Privacy Request"
- Mailing address: [TO BE FILLED — operating entity address required before launch]
For all other inquiries, see the Help & Support section in the app.
This Privacy Policy is provided in English. Translations are for convenience only; the English version controls in the event of any discrepancy.