Privacy Notice

Summary of key points

• We process the personal information you give us to run the service — nothing more. We do not use analytics trackers, advertising cookies, or fingerprinting, and we do not sell or share personal information.
• We do not process sensitive personal information.
• We do not collect any information from third parties.
• We share information only with the service providers that run our infrastructure, named below.
• Depending on where you live, you have rights over your personal information — see sections 8 and 10.

1. What information do we collect?

In short: information you provide to us.

We collect personal information that you voluntarily provide when you register for the Services, use them, or contact us. This may include:

• names
• email addresses
• phone numbers
• brokerage names
• real estate license numbers

Records you create. The working records you enter to use the service: buyer names and contact information, notes, agreement terms and dates, compensation details, tour history, and documents you upload.

Sign-in. We use email magic links — there are no passwords, so we never collect or store one. A session cookie keeps you signed in, and our hosting provider keeps standard server logs.

Sensitive information. We do not process sensitive information.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes.

2. Your clients' information

Buyer records belong to you. You are responsible for having an appropriate basis to store your clients' information; we act as the custodian of that data on your behalf. We never contact your buyers, never use their information for any purpose other than showing it back to you, and never share it with other accounts — every account's data is isolated from every other account's at the database level.

3. How do we process your information?

In short: to provide and administer our Services, communicate with you, keep the Services secure, and comply with law.

• To facilitate account creation and authentication and otherwise manage user accounts.
• To deliver the Services — storing your records and showing you coverage status.
• To respond to inquiries and offer support.
• To send administrative information — sign-in links, agreement-expiration alerts, and changes to our terms and policies. We do not send marketing email.
• To request feedback about your use of the Services.
• To protect the Services — security monitoring and fraud prevention.
• To comply with our legal obligations — responding to legal requests and exercising or defending legal rights.

4. When and with whom do we share your personal information?

In short: only with the service providers that run our infrastructure, and in limited legal situations.

We share data with third-party service providers who perform services on our behalf and need access to do that work. We have contracts in place with each of them designed to safeguard your personal information: they cannot do anything with it except what we instruct, they do not share it with any other organization, and they protect and retain it only as we direct. The third parties we share personal information with are:

• Supabase — database, user authentication, and document storage
• Vercel — website hosting
• Resend — transactional email delivery

We may also need to share personal information in connection with a business transfer — any merger, sale of company assets, financing, or acquisition of all or a portion of our business.

5. How long do we keep your information?

We keep your personal information only as long as necessary for the purposes in this notice — which means the period of time you have an account with us — unless a longer period is required or permitted by law. When we have no ongoing legitimate business need to process your personal information, we will delete or anonymize it, or, if that is not possible (for example, because it is stored in backup archives), securely store and isolate it from further processing until deletion is possible.

6. How do we keep your information safe?

In short: through appropriate technical and organizational security measures.

Data is encrypted in transit. Access is isolated per account using database-level row security, so your records are visible only to you. Documents you upload are stored privately and served through short-lived signed links. Because sign-in uses email links, there is no password database to breach. If a breach of security affects your personal information, we will notify you as required by Florida law (Fla. Stat. § 501.171).

However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security. Although we will do our best to protect your personal information, transmission to and from our Services is at your own risk. You should only access the Services within a secure environment.

7. Do we collect information from minors?

We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18. If we learn that personal information from users under 18 has been collected, we will deactivate the account and take reasonable measures to promptly delete such data. If you become aware of any data we may have collected from children under 18, contact us at privacy@bbaguard.com.

8. What are your privacy rights?

In short: you may review, change, or terminate your account at any time.

Withdrawing your consent: If we are relying on your consent to process your personal information, you have the right to withdraw it at any time by contacting us at privacy@bbaguard.com. This will not affect the lawfulness of processing before the withdrawal.

Account information: You can review or change your account information by logging in and updating your account, or by contacting us. Upon a request to terminate your account, we will deactivate or delete your account and information from our active databases, though we may retain some information to prevent fraud, troubleshoot problems, assist with investigations, enforce our legal terms, or comply with legal requirements.

9. Controls for Do-Not-Track features

Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") setting. No uniform technology standard for recognizing and implementing DNT signals has been finalized, so we do not currently respond to DNT browser signals. If a standard is adopted that we must follow, we will inform you in a revised version of this notice. California law requires us to state how we respond to DNT signals: because no industry or legal standard exists, we do not respond to them at this time.

10. Do United States residents have specific privacy rights?

In short: residents of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia may have rights to access, correct, copy, or delete their personal information.

Categories of personal information we collect

Of the categories defined by state privacy laws, we have collected the following in the past twelve months:

• Identifiers — names, email addresses, phone numbers (collected)
• Personal information as defined in the California Customer Records statute — name and contact information (collected)
• Professional information — brokerage name and real estate license number (collected)

We do not collect protected classification characteristics, commercial or financial information, biometric information, internet activity or browsing history, geolocation data, audio/video information, education information, inferences, or sensitive personal information.

We have not sold or shared any personal information to third parties for a business or commercial purpose in the preceding twelve months. We disclose personal information to the service providers listed in section 4 under written contracts.

Your rights

Depending on your state, these rights may include: knowing whether we process your personal data; accessing it; correcting inaccuracies; requesting deletion; obtaining a copy; non-discrimination for exercising your rights; and opting out of targeted advertising, sales, or profiling (none of which we do). Some states provide additional rights, such as obtaining a list of the third parties we have disclosed personal data to.

How to exercise your rights

Submit a data subject access request or email us at privacy@bbaguard.com. We will need to verify your identity before acting on a request, using only the information needed to confirm you are the person our records concern. An authorized agent may submit a request on your behalf with written, signed permission from you.

Appeals

If we decline to act on your request, you may appeal by emailing privacy@bbaguard.com. We will respond in writing with the reasons for our decision. If your appeal is denied, you may submit a complaint to your state attorney general.

California "Shine The Light" law

California Civil Code Section 1798.83 permits California residents to request, once a year and free of charge, information about personal information (if any) we disclosed to third parties for direct marketing purposes. We do not disclose personal information for direct marketing. California residents may submit such a request at privacy@bbaguard.com.

11. Do we make updates to this notice?

Yes, as necessary to stay compliant with relevant laws and to reflect changes in our practices. The updated version will be indicated by the "Last updated" date at the top. If we make material changes, we will notify active users by email or by prominently posting a notice.

12. How can you contact us about this notice?

Email us at privacy@bbaguard.com.

13. How can you review, update, or delete your data?

You may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete it. To make a request, submit a data subject access request or email privacy@bbaguard.com. You can export your records (CSV or PDF) from the app before account deletion.