Privacy Policy

Last updated: May 2026 · Version 2026-05-08

RegWatch (“we,” “us”) provides property-intelligence services across NY/NJ/CT and federal coverage. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, your rights under U.S. state privacy laws and the GDPR (where applicable), and how we secure and retain your data.

1. Categories of Personal Information We Collect

The CCPA / CPRA defines twelve categories of personal information. We collect:

• Identifiers: name, email address, IP address (pseudonymized via monthly-salt SHA-256 hash for non-authenticated traffic), browser fingerprint cookie, user account ID.
• Customer records: billing address (collected by Stripe at checkout), Stripe customer ID, last-4 of payment card (kept by Stripe; we never see the full PAN).
• Commercial information: reports purchased, subscription tier, credits used, properties saved or monitored.
• Internet activity: pages visited, searches performed, AI chat prompts and responses, feature usage.
• Geolocation: approximate (city-level) inferred from IP. We do not collect precise geolocation.
• Professional / employment information: if you list your firm, license number, or role on your account profile or in broker verification.
• Inferences: derived from your activity (e.g., whether you appear to be an investor vs broker, frequency of use).
• Public-record data about third parties: we aggregate property owner names, addresses, and recordings from public sources. This is not your personal information unless you are the owner.

We do not collect Sensitive Personal Information as defined by CPRA §1798.140(ae): no SSNs, financial account numbers, biometrics, precise geolocation, racial/ethnic origin, religion, union membership, genetic data, health data, or contents of private communications. The CPRA “Limit Sensitive PI” right does not apply.

2. Sources

• Directly from you: registration form, account profile, Stripe checkout, AI chat input, support emails, removal-request forms.
• Third-party authentication: Google OAuth (name + email when you sign in with Google).
• Service providers: Stripe (payment metadata), Mailgun (email engagement), Cloudflare (request edge data), PostHog (product analytics), Sentry (error reports).
• Public records: NYC Open Data, ACRIS, DOB, HPD, DOF, PLUTO, county clerks, FEMA, HUD, Census. These are about properties and (in some cases) named owners — see §1.

3. Purposes

We use personal information to:

• Provide the Service: render reports, run AI chat, process payments, deliver email confirmations and alerts.
• Account management: authentication, password reset, email verification, billing.
• Improve the Service: aggregate analytics, error monitoring, A/B testing of UI.
• Communicate: transactional confirmations, security notices, optional product updates (you can unsubscribe from non-transactional email).
• Comply with law: respond to subpoenas, court orders, tax obligations, and statutory requests.
• Prevent fraud: detect chargeback abuse, ATO attempts, scraping, and FCRA-prohibited use.

4. Sub-Processors

We share personal information with the following service providers (a.k.a. sub-processors), each bound by a data-processing agreement:

• Stripe — payments and subscription billing. Stripe processes your payment card and billing address; we never see the full card number.
• Mailgun — transactional and outreach email delivery.
• Cloudflare — DNS, CDN, WAF, bot management. Edge traffic data.
• Groq — large-language-model inference for AI chat. Your chat prompts and the property brief context (which may include public-record owner names and contacts) are sent to api.groq.com at request time. We apply a PII-redaction filter before sending and again on output. Groq’s default policy retains prompts briefly for abuse review and does not train on customer prompts.
• PostHog — product analytics. Distinct ID, page views, event properties.
• Sentry — error monitoring. Stack traces, request metadata; we strip PII via a server-side scrubbing rule.
• Google — OAuth (sign-in with Google) + Google Maps Static / Street View (premium-only PDF reports).
• Contabo — server hosting.

A current sub-processors list is also available at [email protected] on request.

5. Retention Schedule

• Account data (email, name, password hash): while account is active, plus 30 days after deletion.
• Chat messages (chat_messages): 90 days, then automatically purged.
• Email send body archive (email_sends.body): 365 days, then NULLed (status row kept for 7-year audit).
• Search log (pseudonymized IP + query): 18 months, then automatically purged.
• Payment records: 7 years (Stripe + our metadata), as required by U.S. tax law.
• Sentry / PostHog event data: per provider default (Sentry 90 days; PostHog 25 months).

Account deletion immediately removes account data, chat history, search logs, saved buildings, monitors, and email preferences from our database. Some derivative records (admin audit logs, payment metadata) are retained per regulatory requirements.

6. CCPA / CPRA Rights (California Residents)

If you are a California resident you have the right to:

• Know what personal information we’ve collected about you in the past 12 months.
• Access the specific pieces of personal information we hold.
• Delete your personal information (subject to legal-retention exceptions).
• Correct inaccurate personal information.
• Opt out of “sale” or “sharing” of personal information — submit at /privacy/do-not-sell or by sending Sec-GPC: 1 from your browser.
• Limit Use of Sensitive PI — not applicable; we do not collect sensitive PI per §1.
• Authorized agent: you may submit requests through an agent with written authorization.
• Non-discrimination: we will not deny service, charge a different price, or degrade service for exercising privacy rights.

Submit requests to [email protected]. We respond within 45 days (extendable +45 with notice).

7. Other State Privacy Laws

The following states grant residents privacy rights similar to CCPA: Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Texas (TDPSA), Utah (UCPA), Oregon (OCPA), Montana (MCDPA), Iowa (ICPA), Delaware (DPDPA), Indiana (ICPA-IN), Tennessee (TIPA), New Jersey (NJDPA, effective Jan 2025), New Hampshire (Effective 2025), Minnesota, Maryland. We honor access, deletion, correction, and (where granted) opt-out of targeted advertising / sale / profiling rights for residents of these states. Submit the same way as CCPA requests — to [email protected].

8. Sale & Sharing of Personal Information

We do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioral advertising. We do not run ad networks or third-party retargeting pixels.

A small subset of activity falls under broad readings of “sale” or “sharing” under state privacy laws — most notably, when a customer purchases a property report that includes a public-record owner-of-record name (about a person we have no direct relationship with). We honor opt-outs at /privacy/do-not-sell for this category.

9. Global Privacy Control (GPC)

We honor the Sec-GPC: 1 request header as a valid opt-out of sale/sharing under CCPA, CPA, CTDPA, and other state laws that mandate GPC honor. When GPC is detected we set a gpc=1 cookie and (for signed-in users) flag your account immediately.

10. International Transfers (GDPR / UK GDPR)

The Service is operated from the United States. If you access it from the European Economic Area, the United Kingdom, or Switzerland, your personal information will be transferred to the U.S. We rely on Standard Contractual Clauses (where applicable) and the UK addendum for transfers to and from non-adequate jurisdictions. EU/UK residents have rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent — submit to [email protected]. We do not have an EU representative under GDPR Art. 27; if our offering materially expands into the EU we will appoint one. Lodge complaints with your supervisory authority if you cannot resolve issues with us.

11. Children Under 13

The Service is not directed to children under 13 and we do not knowingly collect personal information from anyone under 13. If we learn that we have done so, we will delete the data and terminate the account. Contact [email protected] if you believe a child has registered.

12. Cookies & Tracking Technologies

We use the following cookie / similar-technology categories:

• Strictly necessary: session cookie (regwatch-session, iron-session encrypted), CSRF token, visitor-ID cookie (rw_vid), GPC opt-out flag.
• Analytics: PostHog distinct-ID + event cookies. Subject to your opt-out signals.
• Payment: Stripe sets cookies on its checkout domain.
• Tag managers / ads: none — we do not run third-party ad cookies.

Browser controls (block third-party cookies, clear cookies) work as expected. Logout removes the session cookie. Account deletion removes the visitor-ID mapping in our database.

13. AI Chat & Groq Disclosure

Our AI chat sends your typed message and the property brief (data assembled from public records and your saved properties) to Groq, a third-party LLM inference provider. Before transmission we apply a regex-based PII redaction layer that scrubs phones, emails, SSNs, EINs, international phone formats, and Luhn-validated credit-card sequences. We apply the same filter on output before showing responses.

Groq’s default terms retain prompts briefly for abuse review and do not train on customer prompts. Chat messages are stored in our database for 90 days then purged. You can delete your account to immediately purge all chat history.

14. NY SHIELD Act

For New York residents, we maintain reasonable administrative, technical, and physical safeguards as required by NY Gen Bus L §899-bb. These include: bcrypt-hashed passwords, encrypted-in-transit and (where applicable) encrypted-at-rest data, SHA-256 pseudonymization of search-log IPs, role-based access controls, audit logging of admin actions, dependency vulnerability monitoring, and an incident response plan.

15. Data Breach Notification

If we discover an unauthorized acquisition of personal information that triggers state notification laws (NY SHIELD §899-aa, CA Civil Code §1798.82, GDPR Art. 33-34, etc.), we will notify affected users without unreasonable delay and in any case within the applicable statutory deadline. Notifications go to your registered email address and (where required) include the categories of information affected, the date range of exposure, and remediation steps.

16. Daniel’s Law (NJ) Removal Process

Covered persons under New Jersey’s Daniel’s Law (judges, prosecutors, law enforcement, and analogous roles per N.J.S.A. 56:8-166.1) may submit a removal request at /privacy/removal-request. We action verified requests within 10 business days. We honor analogous requests from NY/CT covered persons under the same SLA where state law permits.

17. Account Deletion

Delete your account at any time from your account settings or by emailing [email protected]. Account deletion cascades across user-scoped tables — chat history, saved buildings, monitors, search log, email preferences, favorites, purchased reports — within seconds. Some records (payment metadata, admin audit logs) are retained per the schedule in §5.

18. Privacy Contact

Privacy team: [email protected]. Mailing address: see postal address in our email footers (CAN-SPAM disclosure).

19. Updates to This Policy

We may revise this Privacy Policy. Material changes will be (a) posted with a new “Last updated” date and version number, and (b) emailed to your registered address at least 30 days before taking effect. Continued use after the effective date constitutes acceptance. Version-controlled — current: 2026-05-08. Prior versions available on request.

This Privacy Policy is effective as of May 2026 (version 2026-05-08).