Privacy Policy
Effective Date: April 25, 2026 Last Updated: April 25, 2026 Version: 1.0.0
ClearDeduct ("we," "our," or "us") provides software that helps California landlords comply with Assembly Bill 2801 (AB 2801) by documenting rental property condition through timestamped photographs. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the ClearDeduct mobile application or website (collectively, the "Service").
By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, do not use the Service.
1. Who We Are
Data Controller: ClearDeduct Contact: privacy@cleardeduct.com Mailing address: [TO BE FILLED — operating entity address required before launch]
For California residents, ClearDeduct is the "business" under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). For European/UK residents, ClearDeduct is the "controller" under the General Data Protection Regulation (GDPR) and UK GDPR.
2. Information We Collect
2.1 Information You Provide
- Account information: name, email address, phone number (optional), password (hashed; we never store plaintext).
- Property and tenancy data: property address, unit details, tenant name and contact information, lease dates, deposit amount.
- Inspection data: photos taken through the Service, room and area annotations, deduction line items, contractor invoices.
- Billing information: processed by our payment provider Stripe, Inc. We do not store full credit card numbers on our servers.
- Support communications: any messages you send to us, including the contents of those messages.
2.2 Information We Collect Automatically
- Device data: device model, operating system version, app version, language and region, time zone.
- Usage data: features used, screens visited, actions taken, error logs, crash reports.
- Photo metadata: EXIF metadata embedded by your device camera (date and time, GPS coordinates if location permission granted, camera model). This metadata is required to comply with AB 2801 and cannot be disabled while still using the inspection features.
- Approximate location (optional): if you grant location permission, we record GPS coordinates at the moment a photo is taken. You may revoke this permission at any time in your device settings.
2.3 Information We Receive From Third Parties
- Payment information from Stripe (subscription status, last 4 digits of card, billing country) for accounting purposes only.
- Push notification tokens from Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) when you opt into notifications.
2.4 Sensitive Personal Information
We do not knowingly collect "sensitive personal information" as defined under the CPRA (e.g., racial or ethnic origin, religious beliefs, health information, biometric identifiers used to identify a person). Photos uploaded for inspection purposes are treated as standard personal information.
3. How We Use Information
We use your information for the following purposes ("legitimate business interests" under GDPR Art. 6(1)(f) where applicable, and "business purposes" under CCPA §1798.140):
| Purpose | Examples |
|---|---|
| Provide the Service | Authenticate you, store inspections and photos, generate PDF reports, send compliance reminders. |
| AB 2801 compliance | Embed timestamps and GPS overlays on photos; calculate the 21-day deposit-return deadline; retain photographs for the legally required four (4) year period under California Civil Code §1950.5. |
| Billing and fraud prevention | Process subscription payments via Stripe; detect fraudulent charges. |
| Customer support | Respond to your inquiries; troubleshoot bugs you report. |
| Service improvement | Aggregate, anonymized analytics to understand which features are used. We do not use your inspection content to train machine-learning models. |
| Legal compliance | Respond to lawful subpoenas, court orders, or government requests; defend ourselves in legal disputes. |
| Communications | Send transactional emails (deadline reminders, report delivery confirmations); product updates if you opt in. |
4. Legal Bases for Processing (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases:
- Contractual necessity (Art. 6(1)(b)): to deliver the Service you have purchased.
- Legitimate interests (Art. 6(1)(f)): to operate, secure, and improve the Service, where these interests are not overridden by your rights.
- Legal obligation (Art. 6(1)(c)): to retain records for tax, accounting, and AB 2801 compliance.
- Consent (Art. 6(1)(a)): for optional marketing emails and location permission. You may withdraw consent at any time.
5. How We Share Information
We share information only with the following categories of recipients:
5.1 Service Providers (Sub-Processors)
| Provider | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | United States |
| Stripe, Inc. | Subscription billing | United States, EU |
| Resend | Transactional email delivery | United States |
| Vercel, Inc. | Web hosting and content delivery | Global edge network |
| Apple Inc. / Google LLC | Push notification routing | United States |
| Sentry (post-launch) | Crash and error reporting | United States |
We require each provider to process information only on our instructions and to maintain appropriate security safeguards. We do not authorize any provider to use your information for their own marketing or model-training purposes.
5.2 Other Disclosures
- Tenants: when you generate a Move-Out Disposition Statement and email it via the Service, the tenant's email address you provide and the report contents are delivered to the tenant. Secure share links expire after 90 days.
- Legal authorities: if required by law, lawful subpoena, court order, or to defend legal claims.
- Successors: in the event of a merger, acquisition, or asset sale, your information may transfer to the successor entity, subject to this Privacy Policy.
5.3 We Do Not Sell or Share for Cross-Context Behavioral Advertising
ClearDeduct does not sell personal information for monetary or other valuable consideration, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CPRA. We have not done so in the preceding 12 months and have no plans to do so.
6. International Data Transfers
ClearDeduct is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other countries where our service providers operate.
For transfers from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum, supplemented with appropriate technical measures.
7. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Inspection photos and reports | 4 years from the end of the tenancy | Required by California Civil Code §1950.5 (AB 2801) |
| Account data | Until you delete your account, plus 30 days of grace period | Allow account recovery |
| Billing records | 7 years | Tax and accounting requirements |
| Support communications | 3 years | Defend legal claims |
| Logs and analytics | 13 months | Security investigation |
| Push tokens | Until you uninstall the app or revoke permission | Notification delivery |
When you delete your account, we begin a 30-day grace period during which the account is deactivated but recoverable. After 30 days, we permanently delete or fully anonymize your personal information, except where retention is required by law (such as the 4-year AB 2801 photograph retention or 7-year billing records).
8. Your Privacy Rights
8.1 California Residents (CCPA / CPRA)
You have the right to:
- Know what personal information we have collected, used, disclosed, and sold (we do not sell).
- Access a copy of your personal information in a portable format.
- Delete your personal information, subject to legal retention requirements.
- Correct inaccurate personal information.
- Limit the use of sensitive personal information (we do not collect this category).
- Opt out of sale or sharing for cross-context behavioral advertising (we do not engage in either).
- Non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised your rights.
To exercise these rights, email privacy@cleardeduct.com from the email address on your account, or use the in-app Settings → Download My Data and Settings → Delete My Account flows. We will verify your identity before responding and will respond within 45 days.
You may also designate an authorized agent in writing to make a request on your behalf.
8.2 European, UK, and Swiss Residents (GDPR / UK GDPR)
You have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erasure ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability in a machine-readable format (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time, where consent is the legal basis
- Lodge a complaint with your local supervisory authority
To exercise these rights, email privacy@cleardeduct.com.
8.3 All Users
Regardless of where you live, you can:
- Update your profile information in the Settings screen.
- Download a JSON archive of your data via Settings → Download My Data.
- Delete your account via Settings → Delete My Account (subject to a 30-day grace period and legal retention requirements).
- Disable push notifications and location permissions in your device settings.
9. Data Security
We implement industry-standard technical and organizational measures to protect your information:
- Encryption in transit: TLS 1.2+ for all network communications.
- Encryption at rest: AES-256 for stored photographs and database backups.
- Access controls: Role-based access; least-privilege; multi-factor authentication for our staff.
- Row-Level Security (RLS): every database table enforces ownership at the SQL layer; users can never read another tenant's data even if a software bug were present.
- Audit logs: all administrative access is logged and reviewed.
- Vulnerability management: dependencies are scanned weekly; security patches are applied within 30 days of release.
No system can be 100% secure. If we become aware of a breach affecting your personal information, we will notify you and the appropriate regulators within the timelines required by law (e.g., 72 hours under GDPR Art. 33; without unreasonable delay under California Civil Code §1798.82).
10. Children's Privacy
The Service is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information about a minor, contact privacy@cleardeduct.com and we will delete it.
11. Cookies and Similar Technologies (Web Only)
The ClearDeduct website (cleardeduct.com) uses only strictly necessary cookies to keep you signed in and to remember your preferences. We do not use advertising cookies, third-party trackers, or analytics that profile individual users.
The mobile application does not use cookies. It uses local device storage to cache your data for offline use; this storage is removed when you uninstall the app or delete your account.
12. Third-Party Links
The Service may contain links to third-party websites (such as the official California Legislature page for AB 2801). We are not responsible for the privacy practices of those sites. We recommend you review their privacy policies.
13. Do Not Track
Some browsers send a "Do Not Track" (DNT) signal. Because there is no industry consensus on how to interpret DNT, we currently do not respond to DNT signals. We do, however, honor the Global Privacy Control (GPC) signal as required by California law: when our website detects a GPC signal, we treat it as a valid opt-out request.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and through the app at least 30 days before the changes take effect. The "Last Updated" date at the top of this page indicates the most recent revision.
If you do not agree with a material change, you may delete your account before the change takes effect.
15. Contact Us
For privacy questions, requests, or complaints, contact:
- Email: privacy@cleardeduct.com
- Subject line: "Privacy Request"
- Mailing address: [TO BE FILLED — operating entity address required before launch]
For all other inquiries, see the Help & Support section in the app.
This Privacy Policy is provided in English. Translations are for convenience only; the English version controls in the event of any discrepancy.