Privacy Policy

2. Information We Collect

Account information: Name, email address, phone number, company name, and password (stored as a bcrypt hash).

Property data: Property addresses, descriptions, features, amenities, pricing, photos, and other listing details you submit.

Brand assets: Logos, brand colors, taglines, tone preferences, and writing samples you provide for personalization.

Payment information: Stripe processes all payments. We store your Stripe customer ID and subscription status but never store credit card numbers or bank details.

Usage data: Pages visited, features used, submission counts, and general interaction patterns to improve the Service.

Technical data: IP address, browser type, device type, and operating system, collected automatically when you access the Service.

3. How We Use Your Information

We use your information to:

Provide the Service, including AI content generation, PDF rendering, and brand personalization. Process subscription payments and manage your account. Send transactional emails (account verification, password resets, subscription updates, billing receipts). Improve the Service through anonymized usage analytics. Respond to support requests and communicate important service updates. Detect and prevent fraud, abuse, or security threats.

4. AI Processing & Third-Party Data Sharing

To generate marketing content, we send your property details and brand profile to Anthropic's Claude AI via their API. Anthropic's API terms state that API inputs are not used to train their models. We do not share your data with Anthropic for any purpose other than generating your requested content.

We share limited data with the following sub-processors, each engaged solely to operate the Service. Each sub-processor receives only the data necessary to perform its function and is bound by its own privacy and security commitments.

Anthropic (United States): AI content generation. Receives your property details, brand profile, and tone preferences to produce listing copy, social posts, email campaigns, and video scripts. API inputs are not used to train Anthropic's models.

Mapbox (United States): Address autocomplete and geocoding. Receives partial address strings as you type so the form can suggest matches and resolve them to a full address.

ATTOM Data (United States): Public-record property data. Receives an address (and optional unit) to look up beds, baths, square footage, year built, subdivision, lot size, and last-sale information so we can pre-fill the submission form.

RentCast (United States): Supplemental public-record property data. Receives an address (and optional unit) as a fallback when ATTOM Data does not return a record, for the same set of property fields described above.

Stripe (United States): Payment processing. Receives the billing information necessary to process transactions, manage subscriptions, and send payment receipts. We do not see or store full card numbers; Stripe is PCI-DSS Level 1 certified.

Supabase (United States): Database and file storage. Stores your account, brand profile, listings, and uploaded images with AES-256 encryption at rest.

Resend (United States): Transactional and marketing email delivery. Receives your email address and name to send account-related emails (verification, password reset, billing receipts, trial reminders) and, if you opt in, the marketing newsletter.

Google Calendar (United States): Onboarding-call scheduling. When you book a 15-minute onboarding call from our website, we send your name, email address, and phone number to Google Calendar to create the calendar event and dispatch reminder invitations. If you do not book a call, no data is sent to Google.

Render (United States): Application hosting. Processes inbound HTTP requests to serve the Service.

Cloudflare (United States): Edge network, DNS, and DDoS protection. Sits in front of the Service and receives request metadata (IP address, user agent, referrer, requested URL) to route traffic, enforce TLS, and block abusive clients. Cloudflare does not have visibility into application-level data such as account details or listing content.

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We do not authorize any sub-processor above to use your data for its own marketing.

International transfers. All sub-processors above are located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. Where required, we rely on the Standard Contractual Clauses (SCCs) and our sub-processors' equivalent commitments to safeguard transfers from the European Economic Area, United Kingdom, and Switzerland.

5. Data Storage & Security

Your data is stored on Supabase PostgreSQL servers with AES-256 encryption at rest. All data transmitted between your browser and our servers is encrypted using TLS 1.2+. Passwords are hashed using bcrypt and never stored in plain text.

We implement access controls, rate limiting, CSRF protection, and session management to protect your account. See our Security page for additional details.

6. Data Retention

We retain your account and property data for as long as your account is active. After account deletion or termination, we retain your data for 30 days to allow for recovery, after which it is permanently deleted from our systems and backups.

If you submit a verified deletion request under GDPR, CCPA, or another applicable privacy law, we will permanently delete your personal information within 30 days, regardless of subscription status.

Payment records are retained as required by applicable tax and financial regulations.

7. Your Rights

Depending on where you live, you have some or all of the following rights regarding your personal data:

Access (GDPR Art. 15 / CCPA right to know): request a copy of the personal data we hold about you, together with details of why we hold it and who we share it with.

Rectification (GDPR Art. 16): correct inaccurate or incomplete information directly from your profile, brand kit, or submission detail pages, or by contacting support.

Erasure (GDPR Art. 17 / CCPA right to delete): request permanent deletion of your account and associated data, subject to limited retention required by tax and financial regulations.

Restriction of processing (GDPR Art. 18): ask us to pause processing of your data while we resolve a dispute or correct an inaccuracy.

Data portability (GDPR Art. 20): receive a machine-readable export of the data you have provided to us, and transmit it to another controller.

Object to processing (GDPR Art. 21): object to processing that relies on our legitimate interests, including any direct-marketing communications.

Withdraw consent (GDPR Art. 7(3)): withdraw any consent you have given, at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.

Automated decision-making (GDPR Art. 22): we do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects.

Lodge a complaint (GDPR Art. 77): file a complaint with your local data protection authority if you believe our processing infringes applicable law.

To exercise any of these rights, contact us at swiftlistai@gmail.com. We will respond within 30 days. We do not charge a fee for reasonable requests.

8. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

9. Cookies & Tracking

The Service uses two strictly necessary cookies, both first-party, both HTTP-only, both Secure, both SameSite=Lax:

swiftlist_session — maintains your authenticated session after sign-in. Set on successful login; cleared on logout.

swiftlist_csrf — carries an anti-CSRF token used to verify that state-changing requests originated from your browser session.

Cloudflare may set additional strictly-necessary cookies (e.g. __cf_bm) at the network edge to identify and block abusive automated traffic; these are operational, not analytical.

We do not use third-party analytics cookies, advertising pixels, or cross-site tracking technologies.

10. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at swiftlistai@gmail.com.