Privacy Policy

Welcome to our Privacy Policy. This policy describes how we collect, use, disclose, and protect your personal information when you use our Service.

What Makes Our Service Different

Our Service is architected with privacy at its core. We operate on a client-side processing model, which means:

• We do NOT have a traditional user database on our servers
• All form processing happens in your browser on your device
• We do NOT store the personal information you enter (such as property addresses) on any server we control
• When you use the "Share" feature, a compressed shareable link is generated entirely in your browser

Important: Understanding Our Data Flows

When you use our Service:

1. You enter information into our web form (a property address, ratings, notes, checklist items)
2. Your browser stores this locally using browser localStorage (device-side only)
3. When you click "Share", your browser compresses all data using LZ-String compression and creates a shareable link
4. The compressed data is embedded in the URL hash fragment (#) - not sent to any server
5. You can share this link via any platform (WhatsApp, email, SMS, etc.)
6. When someone opens the link, their browser decompresses the data client-side and merges it with their local history
7. When you click an AI tool button, your browser sends your property address directly to the third-party AI service
8. We use Google Analytics to understand how our Service is used
9. Your information may be stored in your browser's localStorage, browser history, and by third-party AI services you choose to use

This means: While we don't store your personal information on our servers, it is visible in URLs, transmitted to third parties at your direction, and may be recorded by those third parties and Google Analytics.

Your Rights and Choices

You have significant rights over your personal information, including:

• UK/EEA Users: Rights to access, rectification, erasure, restriction, portability, objection, and complaint to the ICO
• California Residents: Rights to know, delete, correct, opt-out of sale/sharing, limit use of sensitive data, non-discrimination, and complaint to the California Privacy Protection Agency
• Other US State Residents: Similar rights under state privacy laws (Virginia, Colorado, Connecticut, Utah, Iowa, Montana, Oregon, Texas, Delaware, Nebraska, New Hampshire, New Jersey, and others)
• Australian Users: Rights to access, correction, complaint to the OAIC, and to know about overseas disclosures
• Canadian Users: Rights to access, correction, withdrawal of consent, and complaint to the OPC or Quebec CAI

See Section 11 for full details on how to exercise your rights.

---

2. Who We Are

Data Controller / Business

Service Name: Property AI Analyzer Website: https://apartment-checklist.com

---

3. What Personal Information We Collect

We "process" personal information in your browser and facilitate its transmission to third-party services. We also collect limited analytics data through Google Analytics.

3.1 Information You Provide Directly

When you use our Service, you may provide:

• Property address (street address, city, postcode/ZIP code, country)
• Property details (type, suburb name, features, preferences)
• AI platform analyses (which AI tools you used and when)
• Ratings and notes (your 1-10 star ratings and written notes about each property)
• Checklist data (which inspection checklist items you've checked)
• Custom text or queries you enter into our form fields
• Any other information you choose to include in your analysis

How we process it:

• Stored locally in your browser's localStorage on your device
• When you use the Share feature, compressed using LZ-String and embedded into a URL hash fragment
• When you share the link, the compressed data travels with the URL to recipients you choose
• When recipients open the link, decompressed client-side in their browser
• Never stored on our servers (neither in uncompressed nor compressed form)
• May be stored in your browser history, localStorage, and the devices of people you share links with

3.2 Information Collected Automatically

When you visit our Service:

Google Analytics collects:

• IP address (pseudonymised/anonymised)
• Browser type and version
• Device type and operating system
• Pages visited and time spent
• Referring website
• General location (country/city level)
• Language preference

NOTE: URL hash fragments (which contain your compressed property data when you use the Share feature) are NOT sent to Google Analytics by design. Hash fragments remain client-side in your browser and are not transmitted in HTTP requests to our servers or to Google. However, Google may still collect the page URL (without hash fragments), browser/device information, and other standard analytics data.

Cookies and Similar Technologies:

• Google Analytics cookies (e.g., _ga, _gid, _gat) for analytics purposes
• Session cookies (if any) for functionality
• Preference cookies (if any) to remember your settings

See Section 4 for detailed cookie information.

3.3 CCPA Categories of Personal Information

For California residents, here are the categories of personal information we collect as defined by the California Consumer Privacy Act (CCPA):

CCPA Category	Examples	Collected?
A. Identifiers	Name, address, email, IP address, device ID	YES (address, IP)
B. Personal information under Cal. Civ. Code § 1798.80(e)	Name, address, phone number	YES (address)
C. Protected classification characteristics	Age, race, national origin, marital status	NO
D. Commercial information	Purchase history, product interests	NO
E. Biometric information	Fingerprints, facial recognition	NO
F. Internet or network activity	Browsing history, search history, interactions	YES (analytics)
G. Geolocation data	Precise location coordinates	YES (address provided)
H. Sensory data	Audio, visual, thermal, olfactory	NO
I. Professional or employment information	Job title, employer, work history	NO
J. Non-public education information	Student records, grades	NO
K. Inferences	Preferences, characteristics, behaviour predictions	NO
L. Sensitive personal information	Precise geolocation, racial/ethnic origin, health data	YES (precise location)

---

4. Cookies and Tracking Technologies

4.1 What Are Cookies?

Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work more efficiently and provide analytics information.

4.2 Cookies We Use

Cookie Name	Purpose	Duration	Category
_ga	Google Analytics: Distinguishes users	2 years	Analytics
_gid	Google Analytics: Distinguishes users	24 hours	Analytics
_gat	Google Analytics: Throttles request rate	1 minute	Analytics

4.3 Your Cookie Choices

UK, EEA, and Quebec Users:

We require your explicit consent before placing non-essential cookies (including Google Analytics cookies) on your device. You can:

• Accept all cookies using the "Accept All" button
• Reject non-essential cookies using the "Reject All" button
• Manage preferences by cookie category using the "Cookie Settings" button

You can change your preferences at any time by clicking the cookie settings link in our website footer.

California and Other US State Users:

You have the right to opt out of the "sale" or "sharing" of your personal information, which may occur through certain cookies and tracking technologies. See Section 12 for opt-out options.

All Users:

You can also control cookies through your browser settings:

• Chrome: Settings > Privacy and Security > Cookies
• Firefox: Options > Privacy & Security > Cookies and Site Data
• Safari: Preferences > Privacy > Cookies and website data
• Edge: Settings > Privacy, search, and services > Cookies

Note: Blocking all cookies may affect your ability to use certain features of our Service.

4.4 Do Not Track Signals

Our Service responds to Global Privacy Control (GPC) signals. When we detect a GPC signal from your browser, we will:

• Not load Google Analytics tracking
• Not set analytics cookies
• Honour your opt-out preferences automatically

To enable GPC, use a compatible browser or browser extension that sends this signal.

---

5. Google Analytics

5.1 What Google Analytics Collects

We use Google Analytics, a web analytics service provided by Google LLC (or Google Ireland Limited for users in the EEA/UK), to understand how visitors use our Service.

Google Analytics collects:

• Your IP address (anonymised/pseudonymised)
• Browser and device information
• Pages you visit and actions you take
• Time spent on pages
• Referring website
• Approximate geographic location (country/city level)

5.2 How We've Configured Google Analytics

To protect your privacy:

• IP Anonymisation: We've enabled IP anonymisation so Google receives only partial IP addresses
• Hash Fragment Protection: By design, URL hash fragments (used for Share feature) are NOT sent to Google Analytics or our servers - they remain client-side only
• Data Retention: Analytics data is retained for 50 months
• Advertising Features: Disabled
• Measurement ID: The active Google Analytics 4 (GA4) measurement ID is displayed in the page source of our website

Important: Your property data stored in localStorage and embedded in Share link hash fragments is NOT transmitted to Google Analytics. Google Analytics only sees:

• Page URLs without hash fragments
• Browser and device information
• General usage patterns
• Approximate geographic location

5.3 Google's Use of Data

Google processes analytics data on our behalf under a data processing agreement. Google may also use this data for its own purposes (e.g., improving Google Analytics service, ad personalisation if advertising features are enabled).

For more information: www.google.com/policies/privacy/partners/

5.4 Your Choices Regarding Google Analytics

All Users:

• Install the Google Analytics Opt-Out Browser Add-on
• Use browser privacy modes or cookie controls
• Enable Global Privacy Control (GPC) in your browser

UK/EEA/Quebec Users:

• Refuse consent through our cookie consent banner

California/US State Users:

• Opt out via our "Do Not Sell or Share My Personal Information" link
• Enable GPC in your browser (we honour this signal automatically)

5.5 Legal Basis (UK/EEA Users)

We process Google Analytics data based on:

• Your consent (Article 6(1)(a) UK GDPR) when you accept cookies
• This consent can be withdrawn at any time through cookie settings

5.6 Data Transfers

Google Analytics involves transfers of your personal information to the United States. These transfers are protected by:

• Google's EU-US Data Privacy Framework certification
• Standard Contractual Clauses
• Additional safeguards in our data processing agreement with Google

---

6. How the Share Feature Works: Client-Side Compression & URL Hash Fragments

6.1 What Happens When You Use the Share Feature

This is the most important section to understand how your personal information flows through our Service:

Step 1: You Enter and Store Information Locally
You type information (e.g., property address, ratings, notes, checklist items) into form fields on our website. This information is stored in your browser's localStorage on your device only - it is never sent to our servers.

Step 2: You Click "Share" Button
When you click the Share button on a property analysis, your web browser performs the following entirely client-side:

• Collects all data for that property (address, type, date, AI platform analyses, ratings, notes, checklist state, active tab)
• Uses the LZ-String compression library to compress this data (typically reduces size by 60-80%)
• Creates a URL with the compressed data in the hash fragment (#), for example:

https://apartment-checklist.com#N4IgdghgtgpiBcIAqAnJB...

Step 3: Link Generation is Purely Local
The compression and URL generation happens entirely in your browser's JavaScript environment. No data is transmitted to our servers during this process. The generated link contains your information in compressed form within the URL hash fragment.

Step 4: You Share the Link
You can copy this link and share it through any platform you choose (WhatsApp, email, SMS, messaging apps, etc.). The compressed data travels with the URL to whomever you send it.

Step 5: Recipient Opens the Link
When someone opens your shared link:

• Their browser loads our website
• JavaScript in their browser extracts the compressed data from the URL hash fragment
• The data is decompressed client-side (never sent to our servers)
• The property information is merged with their local browser history
• They can now view your property analysis, ratings, notes, and checklist state

Important: This is Separate from AI Platform Integration
When you click an AI Tool button (ChatGPT, Claude, etc.), that's a different flow: your browser sends your property address directly to the third-party AI service via their search or query interface. The Share feature does not involve AI services - it only creates shareable links for your analysis data.

6.2 Where Your Information May Be Recorded

Because your personal information is embedded in a URL hash fragment, it may be recorded in multiple places:

1. Your Browser History
The complete URL (including the compressed data in the hash fragment) is saved in your browser history. Anyone with access to your browser history can potentially decompress and view this data.

2. Recipient's Browser and Device
When you share the link with someone, the compressed data becomes part of their browser history and is decompressed into their browser's localStorage on their device.

3. Messaging/Email Platforms
If you share the link via WhatsApp, email, SMS, or other messaging platforms, those platforms store the complete URL (including your compressed data) in their message databases.

4. Intermediate Systems (Limited Exposure)
Important: URL hash fragments (the part after #) are generally NOT sent to web servers in HTTP requests. However, they may still be visible to:

• Your local device and browser
• Browser extensions you've installed
• Local network monitoring tools (before the data reaches the internet)
• Client-side analytics (if JavaScript can access the hash)

5. Our Servers Do NOT Receive Hash Fragments
When our website is loaded, your web server typically does NOT receive the hash fragment portion of the URL. This means we cannot see the compressed data on our servers. Only your browser processes the hash fragment.

6. Third-Party AI Service Logs (When Using AI Tools)
Separate from the Share feature: When you click an AI platform button (ChatGPT, Claude, etc.), your browser sends your property address to that third-party service, which may log:

• Your property address (sent as a search query)
• Your IP address
• Timestamp of the request
• Your browser type

6.3 Security Considerations

What We Do:

• Use HTTPS encryption for all connections (protects data in transit from eavesdropping)
• Compress data using LZ-String to reduce URL length and make it less human-readable
• Use URL hash fragments (#) which are NOT sent to web servers
• Process all compression/decompression client-side in your browser
• Provide this transparent disclosure about how the Share feature works
• Implement a 2000-character limit on compressed share URLs to prevent excessively large links

What You Should Know:

• Compressed data in the URL hash fragment is NOT encrypted - it is only compressed
• Anyone with the shared link can decompress and view your property data
• LZ-String compression makes data less human-readable but is not a security measure
• The share feature is designed for sharing data with trusted recipients (family, friends, property partners)
• Hash fragments are visible in your browser's address bar
• HTTPS protects data in transit but the compressed data itself is not encrypted within the URL

Your Options:

• Only share links with people you trust - treat shared links like sharing your actual property analysis
• Clear your browser history after using our Service
• Use private/incognito browsing mode
• Delete items from your history when you no longer need them
• Be cautious about posting shared links publicly (forums, social media) as they contain your property data

6.4 Third-Party AI Services

When you click an AI platform button, you are directly accessing a third-party AI service. Examples of such services include:

• ChatGPT (OpenAI)
• Claude (Anthropic)
• Perplexity AI
• Google AI (Gemini/AI Mode)
• Grok (X/Twitter)

We do not control these third-party services. Each has its own privacy policy and data handling practices. We recommend reviewing their privacy policies before using them:

• ChatGPT Privacy Policy
• Claude Privacy Policy
• Perplexity AI Privacy Policy
• Google AI Privacy Policy
• Grok/X Privacy Policy

What the AI service may do with your information:

• Process your query and provide results
• Store your information in their databases
• Use your information to improve their AI models
• Share your information with their own third parties
• Subject your information to the laws of the countries where they operate

6.5 Legal Characterisation by Jurisdiction

Share Feature (Peer-to-Peer Sharing):

UK/EEA: When you share a link with another person, you (as the data subject) are choosing to disclose your own personal information to that recipient. We facilitate this through client-side tools but do not process or store the shared data on our servers.

California: The Share feature is user-initiated peer-to-peer sharing. We do not "sell" or "share" your personal information to third parties for their commercial purposes. You control who receives your shared links.

Australia: This is a disclosure initiated by you (the individual). We provide the technical means but do not receive or further disclose the compressed data.

Canada: This is user-directed sharing. We process the compression locally in your browser but do not transmit or store the data.

AI Platform Integration (Separate Feature):

UK/EEA: When you click an AI tool button, this constitutes a "disclosure" to a third party (the AI service provider) under Article 13(1)(e) UK GDPR

California: This may constitute "sharing" under the CCPA/CPRA because the AI service may use your information for its own purposes

Australia: This constitutes a "disclosure" under APP 6 and an "overseas disclosure" under APP 8

Canada: This is a disclosure to a third party requiring express consent under PIPEDA and Quebec Law 25

6.6 Why We Chose This Approach

We chose the client-side compression with URL hash fragments approach for several privacy and security reasons:

Privacy Benefits:

• No server-side storage: Your data never touches our servers
• No database: We don't maintain a database of properties or user accounts
• No authentication required: No need to create accounts or provide email addresses
• User control: You decide what to share and with whom
• Hash fragments not sent to servers: The compressed data in the hash fragment typically isn't transmitted to web servers

Technical Benefits:

• Works offline: Service Worker caches the application for full offline functionality after first load
• Platform-agnostic: Share via any messaging platform (WhatsApp, email, SMS, etc.)
• No API costs: No server-side processing or storage costs
• Instant sharing: No server round-trips required
• Progressive Web App (PWA): Install on your device for native-like experience

Alternative Approaches We Considered:

• Server-side storage with share codes: Would require us to store your data and create a database (privacy concerns)
• End-to-end encryption: Would add complexity and require key management
• POST requests to servers: Would require server-side processing and temporary storage
• Email-only sharing: Would limit sharing options and require email collection

Limitations of Our Approach:

• Data is compressed but not encrypted in the URL
• Shared links are long (up to 2000 characters)
• Anyone with the link can decompress and view the data
• Links can be inadvertently shared or leaked

If you have concerns about this approach or need enhanced security for sensitive data, please contact us to discuss your specific requirements.

---

7. Purposes for Processing Personal Information

7.1 Why We Process Your Information

We process your personal information for the following purposes:

Primary Purpose: Facilitate Your Analysis and Collaboration

• To store your property data locally in your browser's localStorage
• To enable you to maintain a history of property analyses
• To facilitate sharing of your property analyses through compressed shareable links
• To enable you to access third-party AI services with pre-filled property queries
• To enable you to obtain AI-generated results based on your information

Legal Basis (UK/EEA):

• Performance of a contract / at your request (Article 6(1)(b) UK GDPR)
• Your explicit actions (clicking Share, clicking AI platform buttons)

Secondary Purpose: Service Analytics and Improvement

• To understand how our Service is used
• To improve Service functionality and user experience
• To monitor Service performance and diagnose technical issues

Legal Basis (UK/EEA):

• Your consent (Article 6(1)(a) UK GDPR) for Google Analytics cookies

Other Purposes:

• To comply with legal obligations
• To establish, exercise, or defend legal claims
• To protect vital interests or public safety

Legal Basis (UK/EEA):

• Legal obligation (Article 6(1)(c) UK GDPR)
• Legitimate interests (Article 6(1)(f) UK GDPR)
• Vital interests (Article 6(1)(d) UK GDPR)

7.2 We Do Not

• Sell your personal information for monetary consideration (but see Section 8 for "sharing" disclosures)
• Use your information for direct marketing without your consent
• Make automated decisions that produce legal or similarly significant effects
• Process sensitive personal information except as you provide it (e.g., if you include health information in your query)

---

8. How We Share Personal Information

8.1 Categories of Recipients

We share or facilitate the sharing of your personal information with the following categories of recipients:

1. Recipients of Your Shared Links (User-Directed Peer-to-Peer Sharing)

• Who: Individuals or entities you choose to share links with (family, friends, partners, agents, etc.)
• What: All data you've entered for a property (address, type, ratings, notes, checklist state, AI platform analyses)
• Why: To collaborate and share your property analysis with trusted parties
• How: You generate a compressed shareable link and send it via your chosen platform (WhatsApp, email, SMS, etc.)
• Important: This is user-directed sharing - we do not control who you share with or receive the data on our servers

2. Third-Party AI Service Providers (When You Click AI Tool Buttons)

• Who: AI platforms and services you choose to query (ChatGPT, Claude, Perplexity, Google AI, Grok)
• What: Your property address or suburb name (sent as a search query)
• Why: To obtain AI-generated property analysis and insights
• How: Direct transmission from your browser when you click an AI platform button
• Important: Each AI service has its own privacy policy and data practices

2. Analytics Service Providers

• Who: Google LLC / Google Ireland Limited (Google Analytics)
• What: IP address (anonymised), browser/device information, usage patterns, approximate location
• Why: To understand Service usage and improve functionality
• How: Through Google Analytics tracking code (when you consent to cookies)

3. Technology Infrastructure Providers

• Who: Web hosting and domain service providers
• What: Limited technical data (IP addresses, access logs, DNS queries)
• Why: To make our website accessible and performant
• How: Standard web infrastructure operation

Note on Client-Side Libraries: We use the LZ-String compression library (open source, MIT licensed) for the Share feature. This library runs entirely in your browser's JavaScript environment and does not transmit data to any third party. The library code is hosted locally on our server and loaded when you visit our website.

4. Legal and Professional Advisors

• Who: Lawyers, accountants, auditors, insurers
• What: Limited information necessary for professional services
• Why: To obtain professional advice and services
• How: Secure, confidential channels

5. Law Enforcement and Regulatory Authorities

• Who: Police, courts, regulators, government agencies
• What: Information required by law or legal process
• Why: To comply with legal obligations or respond to lawful requests
• How: In response to court orders, subpoenas, or statutory requirements

8.2 Important: No Traditional "Data Sharing" by Us

Because of our client-side architecture:

• We do NOT send your form information to our own servers
• We do NOT receive or store the compressed data from your Share links
• We do NOT share your information with third parties for their marketing
• We do NOT combine your information with data from other sources
• We do NOT sell your information for monetary consideration
• We do NOT have access to who you share links with or what data you share

Share Feature: When you generate and share a link, YOU are choosing to disclose your property analysis to recipients you select. The data travels directly from your device to theirs via the messaging platform you choose (WhatsApp, email, SMS, etc.). We facilitate the compression and link generation but do not receive or process the shared data.

AI Platform Integration: When you click an AI tool button (ChatGPT, Claude, etc.), YOU are initiating a direct disclosure of your property address to that third-party AI service. We generate the search query link but the disclosure occurs when you choose to click it.

8.3 "Sale" or "Sharing" Under CCPA

California Law Definition:

Under California law, "sale" means disclosing personal information to a third party for monetary or other valuable consideration. "Sharing" means disclosing personal information to a third party for cross-context behavioural advertising.

Our Assessment:

We do not "sell" your personal information for money. However:

• Google Analytics: May constitute "sharing" if Google uses data for advertising purposes (depends on configuration)
• Third-Party AI Services: Depending on how the AI service uses your information, this may constitute "sharing" under California law

Your Right to Opt-Out:

You have an absolute right to opt out of the "sale" or "sharing" of your personal information. See Section 12 for instructions.

8.4 Cross-Border Data Transfers

The recipients described above may be located in countries outside your own, including:

United States:

• Google Analytics (Google LLC)
• Many third-party AI services

Other Countries:

• Various AI service providers operate globally

Safeguards for International Transfers:

For UK/EEA Users:

• Standard Contractual Clauses (SCCs) approved by the European Commission / UK ICO
• EU-US Data Privacy Framework certifications (where applicable)
• Additional technical and organisational safeguards
• Transfer Impact Assessments

For Australian Users:

• Contracts requiring compliance with Australian Privacy Principles (APPs)
• Standard Contractual Clauses where appropriate

For Canadian Users:

• Contracts requiring "comparable level of protection" (PIPEDA)
• "Substantially the same protection" for Quebec users (Law 25)
• Transfer Impact Assessments (Quebec)

Notice: When your information is transferred to other countries, it becomes subject to the laws of those countries, including laws that may permit government access.

---

9. International Data Transfers

9.1 Where Your Information May Be Transferred

Given the nature of our Service, your personal information may be transferred to and accessed from multiple countries:

Definite Transfers:

• United States: Google Analytics (Google LLC), OpenAI (ChatGPT), Anthropic (Claude), Perplexity AI, X/Twitter (Grok)
• United Kingdom: Google Ireland Limited (for UK/EEA users), Anthropic
• Canada: Potential AI service provider operations
• Australia: Potential AI service provider operations

Potential Transfers:

• Any country where third-party AI services you choose to use operate

9.2 Legal Basis for Transfers (UK/EEA Users)

Transfers outside the UK/EEA are protected by:

1. Adequacy Decisions

• Where the UK/EU has recognised the destination country as providing adequate protection

2. Standard Contractual Clauses (SCCs)

• Approved contractual terms that bind the data recipient
• We use SCCs with Google and, where possible, with AI service providers

3. Your Explicit Consent (Article 49(1)(a) UK GDPR)

• When you click an AI platform button (ChatGPT, Claude, etc.), you are explicitly consenting to the transfer of your property address to that service
• When you share a link containing your property data with recipients in other countries, you are initiating the transfer
• We provide this privacy policy and clear information about these transfers before you consent

4. Necessity for Contract Performance (Article 49(1)(b) UK GDPR)

• The transfer is necessary to fulfil your request to use the AI service

9.3 Australian Cross-Border Disclosure Obligations

Contracts with Overseas Recipients:

Under APP 8, we have taken steps to ensure overseas recipients comply with Australian Privacy Principles, including:

• Written contracts requiring compliance with the APPs (excluding APP 1)
• Security obligations equivalent to APP 11
• Breach notification and cooperation provisions
• Your right to access and correct personal information held overseas

Countries and Recipients:

We disclose personal information to the following overseas recipients:

• United States: Google LLC (Google Analytics), OpenAI (ChatGPT), Anthropic (Claude), Perplexity AI, X/Twitter (Grok)
• United Kingdom: Google Ireland Limited (for UK/EEA users), Anthropic
• Canada: AI service providers with Canadian operations
• Australia: AI service providers with Australian operations

Your Accountability:

If you choose to use third-party AI services we link to, you are initiating overseas disclosures to those services. We recommend reviewing their privacy policies and understanding where they process data.

9.4 Canadian Cross-Border Disclosure Notices

PIPEDA Notice:

Your personal information may be processed and stored in the United States and other countries. When your information is outside Canada, it is subject to the laws of those countries, including laws permitting government access.

Quebec Law 25 Notice:

Before transmitting your personal information outside Quebec, we:

• Conduct Transfer Impact Assessments (TIAs) to evaluate protection levels
• Implement appropriate safeguards through contracts
• Provide you with this notice about the transfer

Service Provider Contracts:

We require our service providers outside Canada/Quebec to provide a level of protection comparable to Canadian privacy laws through:

• Contractual requirements
• Implementation of security safeguards
• Limitations on use and disclosure

---

10. Data Retention

10.1 How Long We Keep Your Information

Information You Provide (Form Data):

• On Our Servers: We do NOT retain this information (client-side processing only)
• In Your Browser: Stored in browser local storage/session storage until you clear it
• In Your Browser History: Until you clear your browser history
• With Third-Party AI Services: Subject to their retention policies (see their privacy policies)

Google Analytics Data:

• Standard Retention: 50 months from collection
• User-Level and Event-Level Data: Automatically deleted after retention period
• Aggregate Reports: May be retained indefinitely (no longer personally identifiable)

Access Logs (from our web hosting):

• Retention Period: 30 days
• Purpose: Security monitoring, performance analysis, legal compliance
• Deletion: Automatically purged after retention period

Cookie Data:

• Session Cookies: Deleted when you close your browser
• Persistent Cookies: Retained until expiry date (see Section 4.2) or until you delete them

10.2 Retention Criteria

We determine retention periods based on:

• The purposes for which we process the information
• Legal, regulatory, or contractual obligations
• Need for legal defence and limitation periods
• User expectations and sector practices

10.3 Your Right to Erasure

You can delete personal information we hold by:

• Form Data in Browser: Clearing browser local storage and history
• Google Analytics Data: Using Google's opt-out tools or requesting deletion (see Section 11)
• Third-Party AI Services: Contacting those services directly to request deletion

---

11. Your Data Protection Rights

Your rights vary depending on where you are located. This section describes the rights available in each jurisdiction.

11.1 UK and EEA Users - Rights Under UK GDPR

You have the following rights under UK GDPR / EU GDPR:

1. Right to Be Informed (Article 13)

• This Privacy Policy fulfils this right by providing transparent information

2. Right of Access (Article 15)

• You can request a copy of the personal information we hold about you
• We will provide this within one month (extendable by two further months if complex)
• First copy is free; we may charge for additional copies

3. Right to Rectification (Article 16)

• You can correct inaccurate or incomplete personal information
• Given our architecture: You can simply re-enter correct information; data in your browser can be updated by you

4. Right to Erasure / "Right to Be Forgotten" (Article 17)

• You can request deletion of your personal information in certain circumstances
• For data in your browser: Clear browser history and local storage
• For Google Analytics: We can request deletion or you can opt out going forward

5. Right to Restriction of Processing (Article 18)

• You can ask us to temporarily stop processing your information in certain situations

6. Right to Data Portability (Article 20)

• You can request your information in a structured, commonly used format
• Applicable when processing is based on consent or contract and carried out by automated means

7. Right to Object (Article 21)

• You can object to processing based on legitimate interests
• You have an absolute right to object to direct marketing (we do not conduct direct marketing)

8. Rights Related to Automated Decision-Making (Article 22)

• We do not conduct automated decision-making that produces legal or similarly significant effects

9. Right to Withdraw Consent

• Where processing is based on consent, you can withdraw it at any time
• Withdrawal does not affect the lawfulness of processing before withdrawal
• For cookies: Use our cookie settings banner

10. Right to Complain to a Supervisory Authority

• You can lodge a complaint with the Information Commissioner's Office (ICO):
  • Website: https://ico.org.uk/
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom

11.2 California Residents - Rights Under CCPA/CPRA

California residents have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

1. Right to Know (CCPA § 1798.100) You can request:

• Categories of personal information we collect
• Categories of sources
• Business/commercial purposes for collection
• Categories of third parties to whom we disclose
• Specific pieces of personal information we hold about you

2. Right to Delete (CCPA § 1798.105)

• You can request deletion of your personal information
• Exceptions apply (e.g., to complete transactions, comply with legal obligations)

3. Right to Correct (CPRA - CCPA § 1798.106)

• You can request correction of inaccurate personal information

4. Right to Opt-Out of Sale/Sharing (CCPA § 1798.120)

• You have an absolute right to opt out of the "sale" or "sharing" of your personal information
• We honour Global Privacy Control (GPC) signals automatically
• See Section 12 for opt-out instructions

5. Right to Limit Use of Sensitive Personal Information (CPRA - CCPA § 1798.121)

• If we use or disclose sensitive personal information for purposes other than permitted purposes, you can limit such use
• We collect precise geolocation (address you provide) but use it only for the service you request

6. Right to Non-Discrimination (CCPA § 1798.125)

• We will not discriminate against you for exercising your CCPA rights
• We will not deny goods/services, charge different prices, or provide different quality

7. Right to Designate an Authorized Agent

• You can designate an authorized agent to make requests on your behalf
• The agent must provide proof of authorization

How to Exercise CCPA Rights:

Given our client-side architecture where we do not store your personal information on our servers, most data is stored locally in your browser. To exercise your rights:

• Delete your data: Clear your browser's localStorage and history
• Access your data: View your browser's localStorage and history
• Correct your data: Clear and re-enter information in the form

For Google Analytics data opt-out, see Section 12.1.

Response Time: We will respond within 45 days (extendable by 45 days if necessary)

Verification: We will verify your identity before responding to requests (to protect your information)

Right to Appeal: If we deny your request, you have the right to appeal by contacting us

Complaints: You can file a complaint with the California Privacy Protection Agency:

• Website: https://cppa.ca.gov/
• Email: info@cppa.ca.gov

11.3 Other US State Residents - State Privacy Laws

If you reside in Virginia, Colorado, Connecticut, Utah, Iowa, Montana, Oregon, Texas, Delaware, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, or Rhode Island, you have similar rights under your state's privacy law:

Rights include:

• Right to confirm whether we process your personal information
• Right to access your personal information
• Right to correct inaccuracies
• Right to delete your personal information
• Right to obtain a copy of your personal information (data portability)
• Right to opt out of: (1) targeted advertising, (2) sale of personal information, (3) profiling in furtherance of decisions with legal/similarly significant effects

How to Exercise Rights:

Given our client-side architecture where we do not store your personal information on our servers:

• Delete your data: Clear your browser's localStorage and history
• Access your data: View your browser's localStorage and history
• Correct your data: Clear and re-enter information in the form

For Google Analytics data opt-out, see Section 12.1.

Response Time: 45 days (extendable depending on state law)

Right to Appeal: If we deny your request, you may appeal. We will provide appeal instructions with any denial.

State Attorney General Complaints:

• Virginia: https://www.oag.state.va.us/
• Colorado: https://coag.gov/
• Connecticut: https://portal.ct.gov/AG
• Other states: Contact your state Attorney General's office

11.4 Australian Users - Rights Under Privacy Act

Australian users have the following rights under the Australian Privacy Principles (APPs):

1. Right to Access (APP 12)

• You can request access to personal information we hold about you
• We will provide access within 30 days
• We may charge a reasonable fee for providing access

2. Right to Correction (APP 13)

• You can request correction of inaccurate, out-of-date, incomplete, or misleading information
• If we refuse correction, you can request a statement of disagreement be attached

3. Right to Complain (APP 1.4)

• You can complain about our handling of your personal information
• We will investigate and respond within 30 days

4. Right to Information About Overseas Disclosures (APP 8.1)

• This Privacy Policy provides information about our overseas disclosures (see Section 9.3)

How to Exercise Rights:

Given our client-side architecture where we do not store your personal information on our servers:

• Delete your data: Clear your browser's localStorage and history
• Access your data: View your browser's localStorage and history
• Correct your data: Clear and re-enter information in the form

For Google Analytics data opt-out, see Section 12.1.

Complaints to OAIC:

If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC):

• Website: https://www.oaic.gov.au/
• Phone: 1300 363 992
• Email: enquiries@oaic.gov.au
• Post: GPO Box 5288, Sydney NSW 2001, Australia

11.5 Canadian Users - Rights Under PIPEDA and Quebec Law 25

PIPEDA Rights (All of Canada except Quebec):

1. Right to Access (Principle 9)

• You can request access to your personal information
• We will respond within 30 days
• We may charge a minimal fee

2. Right to Correction

• You can request correction of inaccurate or incomplete information
• If we disagree, we will note your correction request

3. Right to Withdraw Consent (Principle 3)

• You can withdraw consent at any time (subject to legal or contractual restrictions)
• We will inform you of implications of withdrawal

4. Right to Complain

• You can file a complaint with the Office of the Privacy Commissioner of Canada (OPC):
  • Website: https://www.priv.gc.ca/
  • Phone: 1-800-282-1376
  • Email: info@priv.gc.ca

Quebec Law 25 Rights (Quebec Residents):

Quebec residents have enhanced rights under Quebec Law 25:

1. Right to Access (s.27)

• Request access to personal information and details of third-party communications
• Response within 30 days

2. Right to Rectification (s.28)

• Request correction or deletion
• If we disagree, we will note your request

3. Right to Portability (s.28.1)

• Request information in structured, commonly used format
• For information you provided and we hold with consent or for contract

4. Right to Withdraw Consent (s.14)

• Withdraw consent as easily as it was given
• Opt-out mechanism must be as obvious and easy as opt-in

5. Right to Deindexing (s.28.1)

• Request removal from public search results in certain circumstances

6. Right to Complain

• File a complaint with the Commission d'accès à l'information du Québec (CAI):
  • Website: https://www.cai.gouv.qc.ca/
  • Phone: 1-888-528-7741
  • Email: reception@cai.gouv.qc.ca

How to Exercise Canadian Rights:

Given our client-side architecture where we do not store your personal information on our servers:

• Delete your data: Clear your browser's localStorage and history
• Access your data: View your browser's localStorage and history
• Correct your data: Clear and re-enter information in the form

For Google Analytics data opt-out, see Section 12.1.

---

12. Opt-Out Mechanisms and Choices

12.1 Opt-Out of Google Analytics

All Users:

• Install the Google Analytics Opt-Out Browser Add-on
• Enable "Do Not Track" or Global Privacy Control in your browser (we honour these signals)
• Manage cookie preferences through our cookie banner (UK/EEA/Quebec users)

12.2 Opt-Out of "Sale" or "Sharing" (US Users)

To opt out of the "sale" or "sharing" of your personal information:

Option 1: Use Our Opt-Out Link

Click here: Do Not Sell or Share My Personal Information

This will:

• Stop Google Analytics tracking on future visits (we'll honour your choice for 12 months)
• Prevent third-party AI service links from auto-executing (you'll see a warning)
• Set a cookie or use browser storage to remember your preference

Option 2: Enable Global Privacy Control (GPC)

Enable GPC in your browser or install a GPC browser extension. We automatically detect and honour GPC signals.

GPC-compatible browsers include:

• DuckDuckGo Privacy Browser
• Brave
• Firefox (with Privacy Badger extension)
• Chrome/Edge (with GPC extension)

Option 3: California Privacy Rights Request

For California residents, you can exercise your "Do Not Sell or Share" rights by:

• Using the "Do Not Sell or Share My Personal Information" link on our website
• Enabling Global Privacy Control (GPC) in your browser (we automatically honor this signal)

Option 4: Opt Out at Third-Party AI Services

Remember: When you use third-party AI services, they are independent data controllers. To limit their use of your information, consult their privacy policies and opt-out mechanisms.

12.3 Cookie Preferences

UK, EEA, and Quebec Users:

Manage your cookie preferences at any time by clicking the "Cookie Settings" link in our footer. You can:

• Accept all cookies
• Reject non-essential cookies
• Customise preferences by category

12.4 Browser History and Local Storage

All Users:

To delete personal information stored locally in your browser:

Clear Browser History:

• Chrome: Settings > Privacy and Security > Clear browsing data
• Firefox: Options > Privacy & Security > Clear History
• Safari: History > Clear History
• Edge: Settings > Privacy, search, and services > Clear browsing data

Clear Local Storage:

• Most browsers: Developer Tools (F12) > Application/Storage tab > Clear local storage

Use Private Browsing:

• Use Incognito (Chrome), Private (Firefox/Safari), or InPrivate (Edge) mode
• Browser history and local storage are automatically cleared when you close the private window

---

13. Data Security

13.1 How We Protect Your Information

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction:

Technical Measures:

• HTTPS Encryption: All connections use TLS 1.2+ encryption to protect data in transit
• Access Controls: Limited personnel access to systems and data
• Security Monitoring: Logging and monitoring for security incidents
• Regular Updates: Timely security patches and updates

Organisational Measures:

• Staff Training: Privacy and security training for all staff
• Privacy by Design: Privacy considerations in system design
• Vendor Management: Security requirements for third-party service providers
• Incident Response Plan: Documented procedures for security incidents

13.2 Share Feature and URL Hash Fragment Security Limitations

Important Security Notice:

Our Share feature uses client-side compression and URL hash fragments to enable peer-to-peer sharing. This approach has specific security characteristics:

What Our Approach Protects:

• ✅ Data is NOT sent to our servers (hash fragments typically aren't transmitted in HTTP requests)
• ✅ Data is compressed using LZ-String, making it less human-readable
• ✅ You control who receives the shared links
• ✅ No account creation or email collection required
• ✅ HTTPS encrypts data in transit when accessing our site

What Our Approach Does NOT Protect:

• ❌ Compressed data in the URL hash is NOT encrypted (only compressed)
• ❌ Anyone with the shared link can decompress and view your data
• ❌ Shared links are visible in your browser's address bar
• ❌ Shared links are recorded in your browser history
• ❌ Shared links are stored by messaging platforms you use to share them
• ❌ Browser extensions may have access to URLs including hash fragments
• ❌ Local network monitoring tools may capture URLs before they reach the internet

When Using AI Platform Buttons (Separate from Share Feature):

• ❌ Property addresses are sent as search queries to third-party AI services
• ❌ URLs are logged by the AI service's web servers
• ❌ URLs may be logged by proxies, VPNs, and corporate networks
• ❌ URLs may be sent in HTTP referrer headers to subsequent sites

Your Responsibility:

• Only share links with trusted parties - treat them like sharing your actual property analysis
• Do NOT post shared links publicly (forums, social media, public repositories)
• Clear browser history after using the Service if privacy is a concern
• Consider using private/incognito browsing mode
• Be aware of browser extensions that may access URLs
• Delete items from your local history when no longer needed

13.3 Third-Party Security

We cannot control the security practices of third-party AI services. When you use those services, their security measures apply. We recommend:

• Reviewing their security policies
• Using strong passwords for any accounts
• Enabling two-factor authentication where available

13.4 No Guarantee

Important Disclaimer: While we implement reasonable security measures, no internet-based service can be 100% secure. We cannot guarantee absolute security of your personal information.

---

14. Data Breach Notification

14.1 Our Breach Response Procedures

In the event of a data breach that affects your personal information:

Investigation:

• We will promptly investigate the nature, scope, and cause of the breach
• Assess the risk to individuals
• Take steps to contain and mitigate the breach

Notification to Individuals (When Required):

UK/EEA Users:

• We will notify you within 72 hours if the breach poses a high risk to your rights and freedoms
• Notification will include nature of breach, likely consequences, and measures taken

California/US State Users:

• We will notify you without unreasonable delay if your unencrypted personal information was or is reasonably believed to have been acquired by an unauthorised person
• Notification will comply with state breach notification laws

Australian Users:

• We will notify you if an eligible data breach occurs that is likely to result in serious harm
• Notification will be made as soon as practicable

Canadian Users:

• We will notify you of breaches of security safeguards involving personal information that poses a real risk of significant harm
• Notification will include nature of breach, steps being taken, and steps you can take

Notification to Regulators:

We will notify the appropriate data protection authorities as required by law:

• UK/EEA: ICO within 72 hours
• California: CPPA and California Attorney General (if threshold met)
• Australia: OAIC as soon as practicable
• Canada: OPC / CAI (Quebec) as soon as feasible

14.2 Breaches at Third-Party Services

If a data breach occurs at a third-party AI service to which you submitted information via our Service:

• We have no control over their breach notification procedures
• You should monitor communications from those services
• They are responsible for notifying you in accordance with applicable laws

---

15. Children's Privacy

15.1 Age Restrictions

Our Service is not directed to children. We do not knowingly collect personal information from children under the age of:

• 13 years (United States - COPPA)
• 13 years (Canada - PIPEDA)
• 14 years (Quebec - Law 25)
• 16 years (UK/EEA - without parental consent)
• 18 years (in some Australian states for certain processing)

15.2 Parental Notice

If you are a parent or guardian and believe your child has provided personal information to our Service:

• Clear the child's browser localStorage and history immediately
• If the child used third-party AI services, contact those services directly to request deletion

15.3 COPPA Compliance (US)

Under the Children's Online Privacy Protection Act (COPPA), if we become aware we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information.

Note: Our client-side architecture means:

• Data is stored locally in the browser's localStorage on the child's device
• Share links may contain the child's property analysis data in compressed form
• When AI platform buttons are clicked, information goes directly from the child's browser to third-party AI services

Parents should:

• Supervise children's internet use
• Clear browser localStorage and history regularly
• Ensure children don't share generated links with untrusted parties
• Contact third-party AI services directly to request deletion if they were used

---

16. Changes to This Privacy Policy

16.1 Updates

We may update this Privacy Policy from time to time to reflect:

• Changes in our practices
• Changes in applicable laws
• New features or services
• Feedback from users or regulators

16.2 Notice of Changes

Material Changes: When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Provide prominent notice on our website
• For UK/EEA users: Obtain fresh consent if required by GDPR
• For California users: Notify you as required by CCPA (e.g., if material changes to use of sensitive personal information)

Minor Changes: For minor updates (e.g., clarifications, formatting), we will update the "Last Updated" date but may not provide separate notice.

16.3 Your Responsibility

Please review this Privacy Policy periodically. Your continued use of our Service after changes indicates acceptance of the updated policy.

If you do not agree with changes, you should stop using our Service.

---

17. Contact Information and Complaints

17.1 About Our Client-Side Architecture

Important Notice:

Due to our privacy-by-design, client-side architecture:

• We do NOT store your personal information on our servers
• Your data resides in your browser's localStorage on your device
• We cannot access, retrieve, or delete data we don't possess

To Exercise Your Rights:

• Delete your data: Clear your browser's localStorage and history (see Section 12.4 for instructions)
• Access your data: Use your browser's developer tools to view localStorage contents
• Correct your data: Simply clear and re-enter information in our form
• Opt-out of analytics: See Section 12.1 for Google Analytics opt-out options

For Third-Party AI Services:

If you used third-party AI services (ChatGPT, Claude, Perplexity, Google AI, Grok) through our platform, you must contact those services directly to exercise rights regarding data they collected. We do not control or have access to data held by those services.

17.2 Complaints to Supervisory Authorities

If you are not satisfied with our response to your privacy concerns, you can lodge a complaint with the relevant data protection authority:

UK Users:

• Information Commissioner's Office (ICO)
• Website: https://ico.org.uk/make-a-complaint/
• Phone: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

EEA Users:

• Contact your national data protection authority
• List: https://edpb.europa.eu/about-edpb/about-edpb/members_en

California Users:

• California Privacy Protection Agency (CPPA)
• Website: https://cppa.ca.gov/
• Email: info@cppa.ca.gov
• California Attorney General
• Website: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company

Other US State Users:

• Contact your state Attorney General's consumer protection division

Australian Users:

• Office of the Australian Information Commissioner (OAIC)
• Website: https://www.oaic.gov.au/
• Phone: 1300 363 992
• Email: enquiries@oaic.gov.au
• Post: GPO Box 5288, Sydney NSW 2001

Canadian Users:

• Office of the Privacy Commissioner of Canada (OPC)
• Website: https://www.priv.gc.ca/
• Phone: 1-800-282-1376
• Email: info@priv.gc.ca

Quebec Users:

• Commission d'accès à l'information du Québec (CAI)
• Website: https://www.cai.gouv.qc.ca/
• Phone: 1-888-528-7741
• Email: reception@cai.gouv.qc.ca

---

18. Jurisdiction-Specific Provisions

18.1 California-Specific Provisions

Notice of Financial Incentives:

We do not offer any financial incentives or price or service differences for the collection, sale, or deletion of California residents' personal information.

Notice at Collection:

At the point of collection (when you enter information into our form), we collect the categories of personal information listed in Section 3.3 for the purposes described in Section 7.

Shine the Light Law:

California residents can request information about disclosures of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

Categories of Personal Information Sold or Shared (Past 12 Months):

Category	Sold?	Shared?	Third-Party Recipients
Identifiers (address)	No	Yes (via URL)	AI service providers
Geolocation (address)	No	Yes (via URL)	AI service providers
Internet/network activity	No	Possibly (Google Analytics)	Google LLC

Sensitive Personal Information:

We collect precise geolocation data (the address you provide). We use this only for the purpose you request (generating AI service queries) and not for inferring characteristics about you.

Automated Decision-Making:

We do not use personal information for automated decision-making that produces legal or similarly significant effects.

Retention:

See Section 10 for detailed retention information as required by CCPA.

18.2 Virginia-Specific Provisions

Targeted Advertising: We do not conduct targeted advertising.

Sale of Personal Information: We do not sell personal information.

Profiling: We do not profile in furtherance of decisions that produce legal or similarly significant effects.

Sensitive Data: We process precise geolocation data (address) only with your consent (by using the Service) and for the purpose you request.

Appeal Rights: If we decline a request, you may appeal within a reasonable period by contacting us. We will respond within 60 days.

18.3 Colorado-Specific Provisions

Universal Opt-Out Mechanism: We recognise and honor Global Privacy Control (GPC) signals as valid opt-out requests.

Data Protection Assessments: We conduct and document data protection assessments for processing that presents heightened risk of harm.

Consent for Sensitive Data: We process precise geolocation data (address) only with your consent.

18.4 Connecticut-Specific Provisions

Universal Opt-Out Mechanism: We recognise and honor Global Privacy Control (GPC) signals.

Processing Sensitive Data: We obtain consent before processing sensitive data (including precise geolocation).

Targeted Advertising/Sales/Profiling: We do not conduct targeted advertising, sell data, or profile for legal/similarly significant effects.

18.5 Australian-Specific Provisions

Notifiable Data Breaches Scheme:

Under the Notifiable Data Breaches (NDB) scheme, if we experience an eligible data breach likely to result in serious harm, we will:

• Notify you as soon as practicable
• Notify the OAIC
• Publish a statement on our website if it is not practicable to notify individuals directly

APP Compliance Statement:

We commit to complying with all Australian Privacy Principles (APPs) when handling your personal information.

Cross-Border Disclosure:

We have taken reasonable steps to ensure overseas recipients comply with the APPs through contractual arrangements (see Section 8.4).

18.6 Quebec-Specific Provisions

Consent Requirements:

We will obtain your express, free, informed, and specific consent before:

• Collecting, using, or communicating your personal information
• Using your information for a purpose not related to the original purpose

Technological Means:

We provide clear and simple technological means for you to:

• Give consent (accept cookies banner)
• Withdraw consent (reject cookies, clear browser data)
• Express preferences (cookie settings)

Withdrawing consent is as easy as giving it.

Privacy Impact Assessments (PIAs):

We conduct PIAs when:

• Acquiring or developing information systems or electronic services involving personal information
• Restructuring information holdings involving personal information
• Communicating personal information outside Quebec

Transfer Impact Assessments (TIAs):

Before transferring personal information outside Quebec, we:

• Conduct TIAs to assess the level of protection in the destination
• Implement appropriate safeguards through contracts
• Document the assessment and safeguards

Incident Notification:

If a privacy incident occurs that presents a risk of serious harm, we will:

• Notify you promptly
• Notify the CAI
• Take reasonable measures to diminish the risk

---

19. Additional Information

19.1 No Automated Decision-Making

We do not use your personal information for automated decision-making (including profiling) that produces legal effects or similarly significantly affects you.

19.2 No Sensitive Data Processing (Except as You Provide)

We do not intentionally collect sensitive personal information such as:

• Health data
• Biometric data
• Genetic data
• Precise geolocation (beyond the address you choose to provide)
• Race or ethnicity
• Religious or philosophical beliefs
• Sex life or sexual orientation
• Political opinions or trade union membership

However: If you include sensitive information in the text you enter (e.g., including a health condition in your query), this will be embedded in the URL and transmitted to third-party AI services. Please avoid including sensitive information unless necessary.

19.3 Marketing and Communications

We do not use your personal information for direct marketing unless you explicitly opt in to receive marketing communications.

If we offer marketing in future: You will have the right to opt out at any time via an unsubscribe link in every marketing email.

19.4 Third-Party Links

Our Service may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.

We do not control these third-party websites and are not responsible for their privacy practices. When you leave our Service, we encourage you to read the privacy policy of every website you visit.

19.5 Changes to Personal Information

If you need to update or correct the information you provided:

• For data in your browser: You can simply clear and re-enter the information
• For data held by third-party AI services: You must contact those services directly
• For Google Analytics data: Contact us and we can request deletion or correction with Google

19.6 Accessibility

We are committed to making our Privacy Policy accessible to people with disabilities. If you have difficulty accessing any part of this policy, please contact us and we will provide the information in an alternative format.

---

20. Definitions

Personal Information / Personal Data: Information that identifies, relates to, or could reasonably be linked with you or your household (California definition). Information relating to an identified or identifiable natural person (GDPR definition).

Processing: Any operation performed on personal information, such as collection, recording, organisation, structuring, storage, use, disclosure, erasure, or destruction.

Controller / Business: The entity that determines the purposes and means of processing personal information. In this policy, "we," "us," or "our" refers to the operator of apartment-checklist.com (Property AI Analyzer) as the controller/business.

Data Subject / Consumer: The individual to whom personal information relates (you, the user).

Third Party: An entity other than the data controller/business and the data subject, such as AI service providers.

Consent: Freely given, specific, informed, and unambiguous indication of your wishes by which you signify agreement to processing of your personal information.

Cookies: Small text files placed on your device by websites you visit.

Sale (CCPA): Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic means, personal information to a third party for monetary or other valuable consideration.

Sharing (CCPA): Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic means, personal information to a third party for cross-context behavioral advertising.

Sensitive Personal Information: Specific categories of personal information that reveal highly personal details, such as precise geolocation, health data, financial account access credentials, racial/ethnic origin, religious beliefs, or sex life/sexual orientation.

Global Privacy Control (GPC): A technical standard that allows users to signal their privacy preferences (specifically, to opt out of sale/sharing) via their browser or browser extension.

---

Summary Table: Key Information at a Glance

Aspect	Details
Who We Are	Property AI Analyzer (apartment-checklist.com)
What We Collect	Address/location you provide; Google Analytics data (IP, browser, usage)
How We Collect	You enter into our form; Google Analytics cookies
Why We Collect	To facilitate sharing and AI service access; to understand Service usage
Who Receives Data	Recipients of shared links you send; Third-party AI services (when you click buttons); Google (Analytics)
Where Data Goes	Your browser localStorage; Shared link recipients' browsers; AI service servers (US, UK, CA, AU); Google servers (US)
How Long We Keep	Our servers: We don't store it; Your browser: Until you clear it; Google Analytics: 50 months
Your Rights	Access, delete, correct, opt-out (varies by jurisdiction)
How to Exercise Rights	Clear browser localStorage and history (see Section 12.4); Opt-out of analytics (Section 12.1)
Complaints	UK: ICO; US: State AG/CPPA; AU: OAIC; CA: OPC/CAI
Cookies	Google Analytics cookies (require consent in UK/EEA/Quebec)
Security	HTTPS encryption; access controls; BUT URLs are visible

---

Thank you for reading our Privacy Policy.

Due to our privacy-by-design architecture, we do not maintain contact information as we do not store or have access to your personal data. Your data remains in your browser's localStorage on your device. To exercise your rights, see Section 17.1 for instructions on managing your local data.

---

End of Privacy Policy