privacy policy

SpotHOA collects three categories of information:

• Account data: your name, email address, phone number (optional), profile photo (optional), and the HOAs you belong to. Provided by you or through Stytch at sign-up.
• HOA data: anything your HOA uploads or records — documents, ledger events, dues charges and payments, meeting minutes, votes, violations, work requests, and member directory entries.
• Usage data: server-side ledger events tied to your account (“user X exported ledger Y at time Z”), and error reports from the browser and server with personally identifiable fields scrubbed.

We intentionally keep the data footprint small. SpotHOA does not:

• Set advertising or retargeting cookies.
• Use third-party tracking pixels outside email delivery.
• Pull social-graph or profile data beyond what Stytch returns to identify you (name + email).
• Sell any data to third parties. Ever.
• Use your HOA's data to train machine-learning models.

We rely on the following subprocessors to operate the service. If you disagree with this list, don't use SpotHOA.

• Cloudflare — hosting, edge delivery, D1 (SQLite database), R2 (document + image storage), Workers runtime, and Turnstile (CAPTCHA).
• Stytch — authentication and user identity (name and email).
• Stripe — online dues collection. Payment card numbers and bank details are handled by Stripe directly; SpotHOA never sees the card number.
• Resend — transactional email delivery (from notifications@info.spothoa.com).
• Sentry — error monitoring. Personally identifiable fields are scrubbed before reports leave the server.
• Anthropic — AI drafting for meeting-minute summaries, violation notices, and dues reminders. Only runs when a board admin clicks Generate, and content is not used for model training.

If a subprocessor changes we'll update this list and notify HOA primary contacts by email.

SpotHOA runs on Cloudflare's global edge network. Your HOA's data lives in Cloudflare D1, backed by primary storage in the United States (North American East region). Document and image uploads live in Cloudflare R2, configured with US jurisdiction.

Email delivery through Resend and error reports through Sentry are processed in the United States as well.

Retention matches what the product actually does — no secret backups that keep “deleted” data forever:

• Documents: soft-deleted for 30 days, then removed from R2. Before the 30 days elapse, an HOA admin can restore from the vault.
• Account deletion: requests enter a 14-day grace period. Sign in and cancel from the data and privacy page at any point in the window. After 14 days, personal fields are scrubbed and audit entries show “Deleted user”.
• Accounting records: dues charges, payments, and refunds may be retained in aggregate form to meet tax and accounting obligations, even after the HOA deletes itself.
• Error logs: 30 days in Sentry, then discarded.
• Email delivery logs: 30 days in Resend, then discarded.

You can exercise each of the rights below directly in-app:

• Access: download a copy of your personal data via the in-app export flow on the data and privacy page. We email you a signed link that expires after 7 days.
• Delete: request account deletion on the same page. 14-day grace period, reversible during the window.
• Correction: edit your profile (name, email, photo) from settings.
• Restrict: adjust notification preferences per-HOA so we only email you about the things you want.
• Portability: exports are provided as CSV (for tabular data) and JSON (for structured records), both machine-readable.
• Opt out of newsletters: every marketing email (we send very few) contains a one-click unsubscribe link tied to a per-recipient token.

If you can't exercise a right through the UI, email us at privacy@spothoa.com.

SpotHOA is not intended for anyone under 18 years old. We do not knowingly collect information from children. If you believe a child has created an account, email privacy@spothoa.com and we'll delete the account.

If you're a California resident, the California Consumer Privacy Act (CCPA) gives you specific rights:

• Right to know what personal information we collect, why, and who we share it with. The answers are in the sections above.
• Right to delete your personal information, exercised through the account deletion flow.
• Right to opt out of the sale of personal information. We do not sell personal information, so nothing to opt out of — but you have the right.
• Right to non-discrimination for exercising any of the above. We don't charge more or offer less to California residents who exercise a CCPA right.

We apply reasonable security controls to protect your data:

• TLS in transit everywhere.
• Authentication via Stytch, using passwordless email magic links so there is no password to phish or reuse.
• Row-level isolation in the database: every query is scoped to the HOA the caller belongs to, with automated tests that fail if isolation breaks.
• Audited access to the platform admin surface with role-based access gates.
• Cloudflare Turnstile CAPTCHA on public forms (feedback, signups) to resist automated abuse.

No system is perfectly secure. If you find a vulnerability, email privacy@spothoa.com and we'll respond within 5 business days.

We'll revise this page when practices change. For material changes we also email HOA primary contacts at least 14 days before the change takes effect. The “Last updated” date at the top reflects the most recent revision.

Privacy questions, data requests, and breach reports:

• Email: privacy@spothoa.com
• Mail: SpotHOA, P.O. Box 140572, Dallas, TX 75214