Privacy Policy

Last updated: April 9, 2026

This Privacy Policy describes how ATP Consulting LLC, a New Hampshire limited liability company doing business as Tierna ("Company", "we", "us", "our"), collects, uses, shares, and protects your personal information when you use the Tierna property management platform ("Service"). ATP Consulting LLC is the data controller for all personal data processed through the Service.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. This policy is incorporated into and subject to our Terms of Service.

1. Information We Collect

We collect the following categories of personal information:

Information you provide directly:

  • Account Information: Name, email address, phone number, login credentials, and role (landlord, tenant, vendor, owner)
  • Property Information: Property addresses, unit details, lease terms, rental amounts, and property financial data
  • Financial Information: Bank account details (collected via Plaid), payment card information (collected via Stripe and never stored on our servers), payment history, and transaction records
  • Tenant Information: Rental applications (which may include Social Security numbers for screening purposes), emergency contacts, vehicle information, communication preferences, and preferred language
  • Documents: Uploaded files including leases, insurance certificates, inspection reports, receipts, and electronically signed documents
  • Communications: Messages between users, maintenance requests, and email correspondence

Information collected automatically:

  • Usage Data: Page views, feature interactions, timestamps, and session duration
  • Device Information: Browser type, operating system, screen resolution, and device identifiers
  • Network Data: IP addresses, approximate geolocation (city/region level), and referring URLs

Information from third parties:

  • Plaid: Bank account numbers, routing numbers, account holder name, and balance information (with your authorization)
  • TransUnion (SmartMove): Credit reports, criminal records, and eviction history (with applicant consent)
  • Esusu: Credit reporting enrollment status and reporting confirmation
  • Dwolla: ACH transfer status, customer verification results, and transaction records

2. How We Use Your Information

We use your personal information for the following purposes:

  • To provide, maintain, and improve the Service
  • To create and manage your account
  • To process rent payments, subscription fees, and financial transactions
  • To send transactional notifications (payment reminders, maintenance updates, lease notices, invoices, receipts)
  • To verify bank accounts and process ACH transfers
  • To facilitate electronic document signing
  • To conduct tenant screening and background checks (with consent)
  • To report rent payments to credit bureaus (with tenant consent)
  • To power AI-assisted features (document OCR, expense categorization, maintenance triage)
  • To generate financial reports and analytics for your organization
  • To improve the Service through anonymized usage analytics
  • To detect fraud, prevent abuse, and ensure platform security
  • To comply with legal obligations, respond to legal process, and enforce our Terms

3. Legal Basis for Processing

We process your personal information under the following legal bases:

  • Contractual Necessity: Processing required to provide the Service under our Terms of Service (account management, payment processing, notifications, document management)
  • Consent: Processing based on your explicit consent, which you may withdraw at any time (analytics cookies, credit reporting enrollment, SMS notifications, tenant screening)
  • Legitimate Interest: Processing necessary for our legitimate business interests where not overridden by your rights (fraud detection, security, service improvement, anonymized analytics)
  • Legal Obligation: Processing required to comply with applicable law (financial record retention, tax reporting, responding to lawful requests from public authorities)

4. Third-Party Services & Data Sharing

We share your data with the following third-party services as necessary to provide the Service. Each operates under its own privacy policy and terms:

  • Supabase — Database hosting and user authentication. Account data, property data, and all application records are stored on Supabase infrastructure.
  • Dwolla — ACH payment processing. Bank account details, transaction amounts, and payer identity are shared to process payments. ATP Consulting LLC is the contracting party with Dwolla. (Dwolla Privacy Policy)
  • Plaid — Bank account verification and linking. Account numbers, routing numbers, and balance information are accessed with your authorization. ATP Consulting LLC is the contracting party with Plaid. (Plaid Privacy Policy)
  • Stripe — Subscription billing and credit card payment processing. Payment card data is transmitted directly to Stripe and is never stored on our servers. ATP Consulting LLC holds the Stripe merchant account. (Stripe Privacy Policy)
  • Resend — Transactional email delivery. Recipient email addresses and message content are shared for delivery.
  • Twilio — SMS notifications. Phone numbers and message content are shared for text message delivery.
  • DocuSign — Electronic lease signing. Document content, signer names, and email addresses are shared to facilitate e-signatures.
  • TransUnion (SmartMove) — Tenant background screening. Applicant personal information (name, date of birth, SSN, address) is shared with explicit consent to obtain credit, criminal, and eviction reports.
  • Esusu — Rent credit reporting. Tenant identity and payment history are shared with consent to report to credit bureaus.
  • Anthropic (Claude AI) — Document OCR, expense categorization, maintenance triage, and AI-powered features. Document images and text excerpts may be processed by AI models. Under our commercial API agreement with Anthropic, data sent via the API is not used to train models. Data handling is subject to Anthropic's commercial data processing terms and retention policies.
  • PostHog — Product analytics. Anonymized usage data (page views, feature interactions) is collected to improve the Service. Analytics tracking is optional and gated on your cookie consent.
  • Sentry — Error monitoring. Technical error data (stack traces, request metadata) is collected to maintain platform stability. We minimize personal information in error reports.
  • Vercel — Hosting, deployment, and content delivery. Request data (IP addresses, headers) is processed by Vercel's infrastructure.

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We may disclose your information if required by law, subpoena, court order, or government request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

5. Cookies & Tracking

We use the following types of cookies and tracking technologies:

  • Essential Cookies: Required for authentication, session management, and core functionality (e.g., Supabase auth tokens, locale preferences). These cannot be disabled as they are necessary for the Service to function.
  • Analytics Cookies (PostHog): Used to understand how users interact with the Service and to improve functionality. These are optional and can be declined via the cookie consent banner. No analytics data is collected until you affirmatively opt in.

We respect your browser's Do Not Track (DNT) signal. When DNT is enabled, analytics tracking is automatically disabled. You may manage your cookie preferences at any time through the cookie consent banner.

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

  • Account data: Retained while your account is active, plus 30 days after a deletion request to allow for processing
  • Financial records & payment transactions: Retained for 7 years for tax compliance and financial audit requirements (IRS, state regulations)
  • Screening reports: Retained for 2 years per FCRA permissible purpose requirements, then securely deleted
  • Documents: Retained while your account is active. Upon account deletion, documents are retained for 90 days (for recovery purposes), then permanently deleted
  • Communication logs: Retained for the duration of the tenancy plus 3 years for dispute resolution
  • Usage analytics: Retained for 12 months in identifiable form, then aggregated and anonymized
  • Error monitoring data: Retained for 90 days

When data reaches the end of its retention period, it is securely deleted or irreversibly anonymized. Backup copies may persist for up to an additional 30 days before being purged from backup systems.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Right of Access — Request a copy of the personal data we hold about you
  • Right to Portability — Export your data in a machine-readable format (JSON) via the data export feature in your portal settings
  • Right to Rectification — Request correction of inaccurate or incomplete data
  • Right to Erasure / Deletion — Request deletion of your personal data, subject to legal retention requirements
  • Right to Restrict Processing — Request that we limit how we use your data while a dispute is being resolved
  • Right to Object — Object to processing based on legitimate interest
  • Right to Withdraw Consent — Withdraw previously given consent at any time (analytics, credit reporting, SMS)
  • Right to Opt Out — Opt out of analytics tracking, SMS notifications, or credit reporting at any time
  • Right to Non-Discrimination — We will not discriminate against you for exercising your privacy rights

How to exercise your rights: Use the data export and account deletion features in your portal settings, or contact us at privacy@tierna.org. We will respond to verified requests within 30 days (or 45 days if we notify you of an extension). We may need to verify your identity before processing your request.

Right to lodge a complaint: If you believe your privacy rights have been violated, you have the right to lodge a complaint with your local data protection authority or the New Hampshire Attorney General's Office.

8. Data Security

We implement industry-standard security measures to protect your personal information, including:

  • Encryption in transit (TLS 1.2+/HTTPS) and at rest
  • Row-level security (RLS) policies ensuring strict data isolation between organizations
  • Role-based access controls with principle of least privilege
  • HMAC-SHA256 signature verification for all inbound webhooks
  • Rate limiting and input validation on all API endpoints
  • Zod schema validation on all API routes to prevent injection attacks
  • Security headers (CSP, X-Frame-Options, HSTS)
  • Error monitoring without exposing personal data in error reports

Despite our efforts, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data. If we become aware of a security breach that affects your personal information, we will notify you in accordance with applicable law (see Section 12).

9. Automated Decision-Making & AI Features

The Service uses AI-powered features that may process your data to generate insights or recommendations. These include:

  • Document OCR & Classification: Uploaded documents are analyzed to extract text and suggest document categories. Extracted text is stored to enable full-text search and is used to pre-fill forms for your convenience.
  • Expense Categorization: Expense descriptions and vendor names are analyzed to suggest IRS categories.
  • Maintenance Triage: Maintenance request descriptions are analyzed to suggest priority levels and vendor specialties.
  • Rent Price Suggestions: Unit data and comparable units within your portfolio are analyzed to suggest rent price ranges.
  • Dashboard Insights: Aggregated portfolio data is summarized in natural language.
  • Anomaly Detection: Payment and maintenance patterns are analyzed to flag unusual activity for your review in notifications.
  • Tenant Chatbot: Tenants may interact with an AI chatbot in the portal that answers questions about their balance, lease, and maintenance requests. The chatbot can also create maintenance requests on the tenant's behalf based on their description. The chatbot only accesses the requesting tenant's own data.

These features provide suggestions and informational responses only. Except for the tenant chatbot's ability to create maintenance requests (which the tenant initiates and can review), no AI feature takes binding action without human review. You are not subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. All AI-generated suggestions can be reviewed, edited, or overridden by you before any action is taken.

10. Data Location & International Transfers

The Service is hosted in the United States. Your data is stored and processed on servers located in the United States. Our primary infrastructure providers (Supabase, Vercel) and all third-party processors listed in Section 4 (including Dwolla, Plaid, Stripe, Anthropic, and others) process data within the United States. If you access the Service from outside the United States, you consent to the transfer of your data to the United States, where data protection laws may differ from those in your jurisdiction.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland: we rely on Standard Contractual Clauses (SCCs) and/or other approved transfer mechanisms where required by applicable data protection law to ensure adequate protection for your data.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have inadvertently collected personal data from a child under 18, we will take prompt steps to delete it. If you believe a child has provided us with personal information, please contact us at privacy@tierna.org.

12. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users via email within 72 hours of becoming aware of the breach, where feasible
  • Provide a description of the nature of the breach, the categories of data affected, and the approximate number of individuals affected
  • Describe the measures taken or proposed to address the breach and mitigate potential adverse effects
  • Provide recommendations for protective measures you can take (such as changing passwords, monitoring credit reports, or placing fraud alerts)
  • Report the breach to applicable regulatory authorities as required by law (including the New Hampshire Attorney General under RSA 359-C:20 for NH residents)

13. State-Specific Privacy Rights

California (CCPA/CPRA)

California residents have the following additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information
  • Right to correct inaccurate personal information
  • Right to opt out of the sale or sharing of personal information
  • Right to limit use of sensitive personal information
  • Right to non-discrimination for exercising your CCPA/CPRA rights

We do not sell or share (as defined by the CCPA/CPRA) your personal information to third parties for cross-context behavioral advertising. We do not use sensitive personal information for purposes other than those permitted by the CPRA.

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states

Residents of states with comprehensive privacy laws have similar rights to access, correct, delete, and obtain a copy of their personal data, as well as the right to opt out of targeted advertising, profiling, and sale of personal data. To exercise these rights, contact us at privacy@tierna.org. If we decline your request, you may appeal by contacting us at the same address and we will respond within the timeframe required by your state's law.

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or a prominent notice within the Service before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was last revised. We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

15. Contact

For privacy-related inquiries, data subject requests, or to exercise your data rights, contact us at:

ATP Consulting LLC (d/b/a Tierna)
Privacy Officer
Email: privacy@tierna.org
General inquiries: support@tierna.org
Website: tierna.org