Privacy Policy

Last updated:

1. Information We Collect

We collect the following kinds of information:

  • Account: email address, name, profile image (if you sign in with Google), password hash (for email-and-password accounts), email-verification state, and, if you enable two-factor authentication, your TOTP secret and backup codes. We also record consent records (when you accepted our Terms and which version) for compliance purposes.
  • Property: home addresses, rooms, items, systems, maintenance tasks, service records, home improvement projects, contractor information you enter (names, phone numbers, emails), uploaded documents and photos, and home research notes.
  • Derived location: when you enter a home address, we compute the geocoded latitude, longitude, and IANA timezone using the Google Maps Geocoding API to power reminders and local-time features.
  • Collaborator invitations: when you invite someone to a home, we store their email address to deliver the invitation.
  • Usage: last-active timestamp, notification preferences, and feature-usage patterns.
  • Technical/device: IP address, user-agent, device type, and mobile identifiers when you use the mobile app.
  • Diagnostic: error reports via Sentry. Stack traces may incidentally include user-entered values.
  • Payment: your Stripe customer ID and subscription status. Card numbers are handled directly by Stripe and never touch our servers.

2. How We Use Your Information

We use your information to:

  • Provide and maintain the Service.
  • Send maintenance reminders and task notifications.
  • Process subscription payments.
  • Send transactional emails (password resets, trial warnings, invitations).
  • Improve the Service based on usage patterns.
  • Respond to support requests.
  • Detect and prevent fraud, abuse, and unauthorized access.
  • Comply with legal obligations, including responding to lawful requests and maintaining required records.
  • Review and approve new-account requests during our beta period.

We do not sell your personal information. We do not use your data for advertising. We do not use your data to train machine-learning models beyond the limited AI-feature processing described in section 5.

3. Data Storage and Security

Your primary data is stored in a PostgreSQL database hosted on Neon in the United States (us-west-2 region). Uploaded files are stored with Cloudflare R2. All data is transmitted over HTTPS. Passwords are hashed with bcrypt. TOTP secrets for two-factor authentication are encrypted with AES-256-GCM at rest.

We maintain backups for disaster recovery; backups containing your data are retained for up to 30 days beyond deletion before they are purged on their normal rotation.

We implement reasonable security measures but cannot guarantee absolute security. You are responsible for keeping your account credentials safe and enabling two-factor authentication for additional protection.

4. Data Sharing

We share your data only in these circumstances:

  • Home collaborators: when you invite someone to a home, they can see property data for that home.
  • Service providers: Stripe (payments), Resend (email delivery), Neon (database), Cloudflare (file storage), Vercel (hosting), Vercel Analytics and Speed Insights (first-party, aggregated usage), Vercel AI Gateway (AI routing), Anthropic (AI features), Sentry (error diagnostics; stack traces may include incidental user data), Google (OAuth profile if you sign in with Google; geocoding for home addresses only). Each provider has its own privacy policy.
  • Legal requirements: if required by law or to protect our rights.

Some of our subprocessors operate in the United States and other jurisdictions. By using the Service, you consent to the transfer of your data to these jurisdictions.

5. AI Features

We offer two optional AI-powered features:

  • AI Home Setup: generate rooms, items, and maintenance tasks from your home’s address.
  • AI Task Suggestions: generate maintenance tasks for a specific item.

AI features are powered by Anthropic Claude via Vercel AI Gateway. When you use an AI feature, the specific home, room, or item context needed for that request is sent to Anthropic. We do not send photos, documents, or other users’ data. Anthropic does not retain this data or use it to train models (zero-retention posture via Vercel AI Gateway).

AI features are available on paid plans.

You can disable AI features at any time from Settings. When off, no home data is sent to Anthropic.

Disabling AI features stops future AI requests but does not delete previously generated tasks or setup content from your account; you can remove those manually.

6. Data Retention

We retain your data for as long as your account is active. Deleted homes are soft-deleted and recoverable for 30 days before permanent removal. If you delete your account, we start a 30-day restore window; after that, your account and data are permanently removed, except where retention is required by law.

Specific retention periods:

  • Consent records: retained for 7 years as proof of consent for regulatory purposes.
  • Billing records: retained for 7 years, or longer where required by applicable tax and financial laws.
  • Sentry error diagnostics: retained for 30 days by default per Sentry’s policy.
  • Database backups: retained for up to 30 days after deletion before rotation.

7. Data Export

You can export a complete JSON snapshot of your account’s data, including all homes, rooms, items, tasks, service records, documents, and research notes, at any time through Settings.

8. Cookies

We use essential cookies for authentication (session tokens) and the beta access gate. We also use a session_ephemeral cookie to support the “Remember me” control on sign-in. We do not use tracking cookies or third-party analytics cookies.

9. Your Rights

You have the right to:

  • Access your personal data (available through the app and data export).
  • Correct inaccurate data (editable through account and home settings).
  • Delete your account and associated data.
  • Export your data in a portable format.
  • Opt out of non-essential emails (notification settings).
  • Exercise the right to object to processing based on legitimate interests.
  • Request that we restrict processing of your personal data.
  • Lodge a complaint with a supervisory authority. For users in the EU or UK, contact your national data-protection authority.

We do not sell your personal information and do not share it for cross-context behavioral advertising.

10. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. In jurisdictions with a higher digital-consent age (for example, certain EU member states under the GDPR), users below that age should not use the Service without parental consent.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes require re-acceptance; the next time you sign in after a material change, you will see a short summary of what changed and be asked to re-accept. Non-material updates (typos, clarifications, formatting) are made in place and reflected in the “Last updated” date.

12. Automated Decision-Making

We do not engage in automated decision-making that produces legal or similarly significant effects. AI-generated suggestions are informational and require your review before action.

13. Data Breach Notification

In the event of a security incident affecting your data, we will notify you without undue delay, and in any case within 72 hours of becoming aware where feasible and required by applicable law.

14. Contact

For privacy-related questions or requests, contact us at privacy@dwellhq.app.