Privacy Policy

Last Updated: January 22, 2026 | Version 2.0 - US Comprehensive Edition

1. Information We Collect

1.1 Personal Information You Provide

We collect information you voluntarily provide when using our Services:

(a) Account Information

• Email Address - Required for account creation and authentication
• Name - Collected during registration or via OAuth providers
• Password - If you register directly (hashed and encrypted, never stored in plain text)
• Profile Information - Optional information you choose to provide

(b) Payment Information

• Payment Card Information - Processed by Stripe, Inc. (we do not store complete card numbers)
• Billing Address - Collected for payment processing and tax compliance
• Transaction History - Records of credit purchases and payments

(c) Property Documents and Analysis Data

• Document Text - Text extracted from inspection reports and seller disclosures, parsed in your browser. PDF files are never uploaded to our servers.
• Document Content - Text, images, and data extracted from your documents via OCR
• Analysis Results - Reports, scores, and recommendations generated by our AI
• Property Information - Addresses, property details derived from your documents

(d) Communications

• Support Inquiries - Content of your communications with customer support
• Feedback - Survey responses, feature requests, and feedback you provide
• Email Correspondence - Emails exchanged with OfferWise

1.2 Information Automatically Collected

(a) Usage Information

• Log Data - IP address, browser type, operating system, device information
• Usage Patterns - Pages viewed, features used, time spent, click patterns
• Session Information - Login times, session duration, authentication methods
• Performance Data - Error logs, crash reports, system performance metrics

(b) Cookies and Tracking Technologies

We use cookies and similar technologies. See Section 9 for detailed cookie information.

1.3 Information From Third Parties

(a) OAuth Authentication Providers

If you authenticate via Google or Facebook, we receive:

• Name and email address
• Profile picture (optional)
• User ID from that provider

(b) Payment Processors

Stripe provides us with:

• Transaction confirmation and receipt information
• Last 4 digits of payment card
• Payment method type (Visa, Mastercard, etc.)
• Transaction success/failure status

2. How We Use Your Information

2.1 Primary Service Purposes

We use your information to:

• Provide Services - Process documents, generate analysis reports, deliver results
• Account Management - Create and maintain your account, authenticate access
• Process Payments - Handle credit purchases, maintain transaction records
• Customer Support - Respond to inquiries, troubleshoot issues, provide assistance
• Service Communications - Send analysis results, account notifications, service updates

2.2 AI Model Improvement

IMPORTANT: We use anonymized, aggregated data derived from your documents to improve our AI models:

• Training Data: Document patterns, text structures, and analysis outcomes (anonymized)
• Model Optimization: Improving OCR accuracy, analysis algorithms, risk scoring
• Feature Development: Building new analysis capabilities based on usage patterns
• Quality Assurance: Identifying and fixing errors, testing improvements

Your data is anonymized before use: All personally identifiable information (addresses, names, specific property details) is removed or redacted before data is used for AI training.

2.3 Legal and Security Purposes

• Compliance: Fulfill legal obligations, respond to lawful requests, comply with subpoenas
• Security: Detect fraud, prevent abuse, protect against security threats
• Enforcement: Enforce Terms of Service, investigate violations
• Protection: Protect our rights, property, and safety, and that of users and public

2.4 Business Operations

• Analytics: Understand usage patterns, measure performance, improve Services
• Research: Conduct internal research on user demographics and behavior
• Marketing: Send promotional emails (opt-out available), analyze campaign effectiveness
• Business Transactions: Facilitate mergers, acquisitions, or asset sales (with notice)

3. How We Share Your Information

3.1 We DO NOT Sell Your Personal Information

3.2 Service Providers and Partners

We share information with trusted service providers who assist in operating our business:

(a) Payment Processing

• Stripe, Inc. - Payment processing (name, email, payment details)
• Subject to Stripe's Privacy Policy: https://stripe.com/privacy

(b) Cloud Infrastructure

• Amazon Web Services (AWS) and/or Google Cloud Platform (GCP)
• Data storage, processing, and hosting
• All data stored in United States data centers only

(c) Authentication Services

• OAuth Providers (Google, Facebook) - If you choose to authenticate via these services

(d) Analytics and Monitoring

• Analytics Services - Usage analytics, performance monitoring (anonymized data only)

3.3 Legal Obligations and Safety

We may disclose information when required by law or to protect rights and safety:

• In response to subpoenas, court orders, or legal process
• To comply with legal obligations or government requests
• To protect against fraud, security threats, or illegal activity
• To enforce our Terms of Service or other agreements
• To protect the rights, property, or safety of OfferWise, users, or public

3.4 Business Transfers

If OfferWise is involved in a merger, acquisition, asset sale, or bankruptcy:

• Your information may be transferred to the acquiring entity
• We will provide notice via email or prominent website notice
• The acquiring entity must honor this Privacy Policy
• You will have the option to delete your account before transfer

3.5 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you:

• Industry reports and market research
• Service improvement and development
• Public presentations or publications
• Business partnerships and collaborations

4. Data Retention and Deletion

4.1 Retention Periods

We retain different types of data for different periods based on legal requirements and business needs:

Data Type	Retention Period	Deletion Method
Account Information	Account lifetime + 30 days	Secure deletion from all systems
Uploaded Documents	Account lifetime + 30 days	Secure deletion and overwrite
Analysis Results	Account lifetime + 30 days	Secure deletion from databases
Payment Records	7 years (tax/legal requirement)	Secure archival then deletion
Transaction Logs	7 years (legal requirement)	Secure archival then deletion
System Logs	90 days	Automatic purge and overwrite
Support Communications	3 years	Secure deletion
Email Registry (abuse prevention)	Permanent (fraud prevention)	Not deleted (contains only email hash)
Backup Data	30 days rolling	Automatic overwrite
Anonymized Analytics	Indefinite	N/A (cannot identify users)

4.2 Account Deletion

When you delete your account:

1. Immediate: Access to Services terminated
2. Within 24 hours: Account marked for deletion, analysis credits forfeited
3. Within 30 days: All personal data, analysis results, and account records permanently deleted (no document files are stored — PDFs never leave your device)
4. Exceptions: Payment records retained 7 years, email hash retained permanently (fraud prevention)
5. Backups: Deleted data purged from backups within 30 days

4.3 Data Deletion Verification

Upon request, we will provide confirmation that your data has been deleted, including:

• Deletion completion date
• Data types deleted
• Any retained data and legal basis for retention

5. Data Security

5.1 Security Measures

We implement industry-standard security measures to protect your information:

(a) Encryption

• In Transit: TLS 1.3 encryption for all data transmission
• At Rest: AES-256 encryption for stored data
• Database: Encrypted database storage
• Backups: Encrypted backup files

(b) Access Controls

• Authentication: Multi-factor authentication for employee access
• Authorization: Role-based access control (RBAC)
• Least Privilege: Employees access only data necessary for their role
• Audit Logs: All data access logged and monitored

(c) Network Security

• Firewalls: Network perimeter protection
• Intrusion Detection: Real-time monitoring for threats
• DDoS Protection: Distributed denial-of-service mitigation
• Vulnerability Scanning: Regular security assessments

(d) Application Security

• Secure Coding: OWASP secure development practices
• Input Validation: Protection against injection attacks
• Session Management: Secure session handling and timeout
• Password Security: bcrypt hashing with salt

5.2 Security Limitations

5.3 Your Security Responsibilities

You are responsible for:

• Maintaining the confidentiality of your password
• Using strong, unique passwords
• Enabling multi-factor authentication if available
• Logging out after each session
• Reporting suspected security breaches immediately
• Not sharing account credentials with third parties

Privacy Policy continues on next page...

6. California Consumer Privacy Act (CCPA) Rights

6.1 CCPA Definitions

Under CCPA:

• Personal Information: Information that identifies, relates to, or could reasonably be linked with you or your household
• Sale: Sharing personal information for monetary or other valuable consideration
• Business Purpose: Use of information for operational purposes specified in this Policy

6.2 Categories of Personal Information Collected

In the preceding 12 months, we collected the following categories of personal information:

Category	Examples	Collected?
Identifiers	Name, email, IP address, account ID	✅ Yes
Commercial Information	Purchase history, transaction records	✅ Yes
Internet Activity	Browsing history, usage patterns, interactions	✅ Yes
Geolocation Data	IP-based location (city/state level)	✅ Yes
Professional Information	Not applicable to our Services	❌ No
Inferences	Preferences derived from usage patterns	✅ Yes
Sensitive Personal Information	Property documents may contain sensitive data	✅ Yes

6.3 Sources of Personal Information

• Directly from you (registration, uploads, communications)
• Automatically from your device (usage data, cookies)
• From third parties (OAuth providers, payment processors)

6.4 Business Purposes for Collection

• Providing and maintaining Services
• Processing transactions and payments
• Customer support and communications
• Security, fraud prevention, and legal compliance
• Service improvement and AI model training (anonymized data)
• Analytics and business operations

6.5 Categories of Third Parties With Whom We Share

• Service Providers: Stripe (payment), AWS/GCP (hosting), OAuth providers (authentication)
• Business Partners: None (we do not sell data)
• Government/Law Enforcement: When required by law

6.6 Sale of Personal Information

6.7 Your CCPA Rights

California residents have the following rights:

(a) Right to Know

You have the right to request that we disclose:

• Categories of personal information collected
• Specific pieces of personal information we hold about you
• Sources from which information was collected
• Business purposes for collecting or selling
• Categories of third parties with whom we share

(b) Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, fraud prevention).

(c) Right to Correct

You have the right to request correction of inaccurate personal information.

(d) Right to Opt-Out of Sale

Not applicable - we do not sell personal information.

(e) Right to Limit Use of Sensitive Personal Information

You have the right to limit our use of sensitive personal information to necessary business purposes.

(f) Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights, including by:

• Denying goods or services
• Charging different prices or rates
• Providing different quality of services
• Suggesting you will receive different prices or quality

6.8 How to Exercise Your CCPA Rights

To exercise your rights:

1. Email: privacy@getofferwise.ai
2. Subject line: "CCPA Request - [Right to Know/Delete/Correct]"
3. Include: Your name, email, account information
4. We will verify your identity before processing
5. Response within 45 days (may extend to 90 days if complex)

6.9 Authorized Agents

You may designate an authorized agent to make requests on your behalf. The agent must:

• Provide proof of authorization (power of attorney or written permission)
• Verify your identity
• Verify their own identity

6.10 Shine the Light Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing. We do not share information for third-party direct marketing.

7. State Privacy Laws

7.1 Overview

Several U.S. states have enacted comprehensive privacy laws. If you reside in these states, you may have additional rights:

State	Law	Effective Date
California	CCPA/CPRA	January 1, 2020 / 2023
Virginia	VCDPA (Consumer Data Protection Act)	January 1, 2023
Colorado	CPA (Privacy Act)	July 1, 2023
Connecticut	CTDPA (Data Privacy Act)	July 1, 2023
Utah	UCPA (Consumer Privacy Act)	December 31, 2023
Montana	MCDPA (Consumer Data Privacy Act)	October 1, 2024
Oregon	OCPA (Consumer Privacy Act)	July 1, 2024
Texas	TDPSA (Data Privacy and Security Act)	July 1, 2024
Delaware	DPDPA (Personal Data Privacy Act)	January 1, 2025

7.2 Common Rights Across State Laws

Residents of the above states generally have rights to:

• Access - Request access to personal information
• Correct - Request correction of inaccurate information
• Delete - Request deletion of personal information
• Data Portability - Receive data in portable format
• Opt-Out - Opt out of targeted advertising (not applicable - we don't do targeted ads)
• Opt-Out of Sale - Opt out of data sales (not applicable - we don't sell data)

7.3 How to Exercise State Privacy Rights

To exercise rights under your state's privacy law:

1. Email: privacy@getofferwise.ai
2. Subject: "[Your State] Privacy Rights Request"
3. Include: Name, email, state of residence, specific request
4. We will respond within timeframes required by your state's law

8. Children's Privacy (COPPA Compliance)

8.1 Age Requirements

• Minimum Age: You must be 18 years or older (or age of majority in your jurisdiction) to use our Services
• Under 13: We do not knowingly collect information from anyone under 13
• 13-17: Minors between 13-17 must have parental consent

8.2 If We Learn of Child Data

If we become aware that we have collected personal information from a child under 13:

1. We will delete the information as quickly as possible
2. We will terminate the account
3. We will not use the information for any purpose
4. We will not share the information with third parties

8.3 Parental Notice

If you believe your child under 13 has provided information to us:

• Email: privacy@getofferwise.ai
• Subject: "COPPA - Child Information"
• We will promptly delete the information

9. Cookies and Tracking Technologies

9.1 What Are Cookies?

Cookies are small text files stored on your device by websites you visit. They help websites remember your preferences and improve your experience.

9.2 Types of Cookies We Use

Cookie Type	Purpose	Duration	Can Disable?
Essential	Authentication, security, basic functionality	Session / 1 year	❌ No (required)
Functional	Remember preferences, settings	1 year	✅ Yes
Analytics	Usage statistics, performance monitoring	2 years	✅ Yes
Advertising	Not used - we do not use advertising cookies	N/A	N/A

9.3 Specific Cookies

Cookie Name	Purpose	Type	Duration
session_token	Maintains logged-in state	Essential	Session
csrf_token	Security (prevents CSRF attacks)	Essential	Session
user_preferences	Stores UI preferences	Functional	1 year
analytics_id	Anonymous usage tracking	Analytics	2 years

9.4 How to Control Cookies

(a) Browser Settings

Most browsers allow you to control cookies through settings:

• Chrome: Settings > Privacy and security > Cookies
• Firefox: Preferences > Privacy & Security > Cookies
• Safari: Preferences > Privacy > Cookies
• Edge: Settings > Privacy > Cookies

(b) Impact of Disabling Cookies

If you disable non-essential cookies:

• ✅ You can still use core Services
• ⚠️ Some features may not work properly
• ⚠️ Preferences won't be remembered
• ❌ Cannot disable essential cookies (Services won't function)

9.5 Do Not Track Signals

We do not currently respond to "Do Not Track" (DNT) browser signals, as there is no industry standard for compliance. We do not track users across third-party websites.

10. Data Breach Notification

10.1 Our Commitment

We take data security seriously. If a breach occurs that may affect your personal information, we will:

10.2 Notification Timeline

• Discovery: We continuously monitor for security incidents
• Assessment: Determine scope and affected users within 24-48 hours
• Notification: Notify affected users within 72 hours of confirmed breach
• Regulatory Notice: Notify authorities as required by law

10.3 What We Will Tell You

Breach notification will include:

• Description of what happened
• Types of information potentially affected
• Steps we're taking to address the breach
• Steps you should take to protect yourself
• Contact information for questions
• Date of breach discovery

10.4 Steps You Should Take

If notified of a breach:

1. Change your password immediately
2. Monitor your accounts for suspicious activity
3. Enable multi-factor authentication
4. Review your credit reports (if financial data affected)
5. Be alert for phishing attempts
6. Contact us with questions at: security@getofferwise.ai

© 2026 OfferWise AI. All Rights Reserved.
Privacy Policy - Version 2.0 Enhanced | US Comprehensive Edition
Last Updated: January 22, 2026