Privacy Policy

Information you provide directly

Property addresses. When you request a report, you provide a property address. This is the core input to our service — we use it to query public data sources and generate your report.

Buyer profile responses. Before generating a report, we ask three quick questions: your user type (buyer, investor, or owner), your primary concern, and your household composition. These responses calibrate your report but are not linked to your identity unless you create an account.

Notes and conversation summaries. If you save notes or conversation summaries in your report (for example, in the Actions or Sharpen areas), we store that content so you can access it when signed in. Notes and conversation summaries you enter are stored securely and never shared with third parties or used for AI training.

Email address. If you create an account (to save properties or purchase reports), we collect your email address for authentication. We use Google Sign-In or magic link email for login — we do not ask for or store passwords.

Payment information. If you purchase a report, your payment is processed by Stripe. CaveatBuyer does not see, receive, or store your credit card number or payment credentials. Stripe handles all payment data under PCI-DSS standards.

Uploaded documents. If you use document upload features, we collect the contents of documents you upload for the purpose of generating your report. See Section 4 for how uploaded document data is handled.

Information collected automatically

Usage analytics. We use PostHog to understand how people use our service. PostHog collects anonymized event data (pages visited, buttons clicked, report features used). We do not track you across other websites.

Device and browser information. We collect standard technical information such as browser type, operating system, and screen size to ensure the service works well across devices.

Information we do not collect

We do not collect Social Security numbers, government-issued identification, credit card numbers (Stripe handles this), your precise geolocation as a person (we geolocate the property address, not you), or information from children under 13.

Generate your property reports. Property addresses and profile responses are sent to public data sources and our analysis engine to create your personalized report.

Authenticate your account. Your email address is used for login via Google Sign-In or magic link.

Process payments. Your email and transaction details are shared with Stripe to process purchases.

Send transactional communications. We send emails when your report is ready, when your account status changes, or when we need to communicate about your service. We do not send marketing emails unless you opt in.

Improve the service. Anonymized analytics help us understand which features are most useful and where the experience needs work.

We do not sell your personal information to third parties. We do not serve third-party advertising on our platform. CaveatBuyer is a paid service, not an advertising business.

We may, with your consent, share relevant information with service providers, real estate professionals, or home services partners whose offerings may be relevant to your property research. Any such sharing will be clearly disclosed and subject to your opt-in consent. You may withdraw consent at any time by contacting us at hello@caveatbuyer.com.

We do not use your property searches to target you with real estate marketing from other companies.

We use a limited number of third-party services to operate CaveatBuyer. Each service receives only the minimum data necessary for its function.

• Stripe (Payment processing): Email address and payment details. Card numbers go directly to Stripe; they are never routed through our servers. Stripe's privacy policy is available at stripe.com/privacy.
• HubSpot (CRM and email marketing): Email address and opt-in status, for transactional communications and beta program management.
• Resend (Transactional email): Email address and message content.
• PostHog (Product analytics): Anonymized usage events and device information.
• Railway (Backend hosting): All service data, encrypted at rest.
• Vercel (Frontend hosting): Standard web request data.
• AI Service Provider(s) (AI-powered report generation): Property data and analysis results for report synthesis. See Section 5 for details. Personal user data (email, name, buyer profile) is not sent to AI providers.

Uploaded document data: If you upload documents, document contents may be transmitted to our AI service provider(s) for analysis. Document contents are not stored by AI providers for training or other purposes under current provider terms.

Government APIs (FEMA, EPA, county assessors, SDCI, etc.): Property addresses only. No personal user data is sent.

Each third-party service operates under its own privacy policy. We select partners that meet reasonable security and privacy standards.

Legal requirements. We may disclose your information if required to do so by law, subpoena, or court order. If we are legally required to disclose your personal information, we will attempt to notify you in advance unless doing so is prohibited.

CaveatBuyer uses AI language model service providers to generate portions of your property report, including findings, observations, and recommendations.

When we generate your report, property-specific data (address, assessor records, permit data, environmental data, and our analysis results) is transmitted to our AI service provider for synthesis. We do not send your email address, name, buyer profile, or other personal information to AI service providers.

As of the effective date of this policy, our primary AI synthesis provider is Anthropic, Inc. (Claude API). We may change AI service providers from time to time. We encourage you to review our current AI provider's privacy practices; Anthropic's privacy policy is available at anthropic.com/privacy.

AI providers receive only what is necessary to generate your report. Under current provider terms, API inputs are not used to train AI models. This may change, and we encourage you to review the current terms of any AI provider we list.

Generated reports are stored in our database for as long as your account is active or until you request deletion.

Account data (email address, saved properties, preferences) is retained while your account is active. If you delete your account, we will remove your personal data within a reasonable time, except as required by law or for legitimate business purposes such as preventing fraud or resolving disputes.

Uploaded documents are processed for report generation and are not retained beyond the processing session unless analysis results are saved to your account.

Analytics data collected by PostHog is anonymized and is not used to identify individual users.

Payment records are retained by Stripe in accordance with their policies and applicable financial regulations. CaveatBuyer retains transaction metadata (amount, date, subscription status) but not payment credentials.

We take reasonable technical and organizational measures to protect your information:

• All data in our database is encrypted at rest (Railway PostgreSQL with encryption enabled)
• All connections use HTTPS encryption in transit
• We do not store passwords (authentication is handled via Google OAuth or magic link)
• Payment data is handled by Stripe's PCI-DSS compliant infrastructure
• Access to production systems is restricted to authorized personnel

No system is perfectly secure. While we work to protect your information, we cannot guarantee absolute security. If we become aware of a data breach affecting your personal information, we will notify you in accordance with applicable law.

Access your data. You may request a copy of the personal information we hold about you by contacting us at hello@caveatbuyer.com. We will respond within a reasonable time.

Delete your data. You may request deletion of your account and associated personal data by contacting us at hello@caveatbuyer.com.

Opt out of analytics. You may opt out of PostHog analytics through your browser's Do Not Track setting or by using a browser extension that blocks analytics scripts.

Unsubscribe from emails. Transactional emails related to your account and purchases cannot be opted out of while your account is active. Promotional emails, if any, will include an unsubscribe link.

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

Right to know what personal information we collect, use, and disclose.

Right to delete your personal information, subject to certain exceptions.

Right to opt out of the sale of personal information. CaveatBuyer does not sell personal information.

Right to non-discrimination. We will not treat you differently for exercising your CCPA rights.

To exercise these rights, email hello@caveatbuyer.com with the subject line “CCPA Request.” We will verify your identity and respond within the timeframes required by California law. Although CaveatBuyer does not sell personal information, we provide a “Do Not Sell or Share My Personal Information” link on our website as required by California law.