Privacy Policy

Last updated 2026-05-31

1. Who we are

HOA Notes is a real estate disclosure analysis service covering ten states (California, Texas, Florida, Virginia, Arizona, Colorado, Nevada, Washington, North Carolina, and Illinois). The Service is operated by Aliso LLC, a California limited liability company based in Orange County, California (the "Operator," "we," "us," "our"). The Service reads Homeowners Association (HOA) disclosure packets, and in California also processes related disclosures alongside the HOA packet (Seller Property Questionnaire, Transfer Disclosure Statement, Natural Hazard Disclosure). It generates a buyer brief and delivers it to the requesting real estate agent or buyer (the "Customer," "you," "your"). Contact: contact form or, for matters requiring written email correspondence, hello@hoanotes.com.

2. What we collect

Plain English description

Personal information about third parties (important)

The disclosure packets you upload to HOA Notes commonly contain personal information about people who are not our Customers, including (without limitation): homeowners' names and addresses, HOA board member names and contact information, delinquent-account holder identities, named parties in HOA litigation, and architectural-application records. By uploading a packet to HOA Notes, you represent that you have the right under California Civil Code §4525, your role in the real estate transaction, or the express authorization of the affected party to share that personal information with us for the purpose of generating a Brief.

With respect to your own Customer information (contact info, payment info, brief request history), HOA Notes is a "business" as defined under the California Consumer Privacy Act (CCPA) §1798.140(d). With respect to third-party personal information contained in disclosure packets uploaded by you, HOA Notes acts as a "service provider" (as defined under CCPA §1798.140(ag)), processing such information solely on your behalf and only for the purpose of generating your Brief. We do not contact, market to, profile, or otherwise process this third-party information for any purpose beyond generating the Brief you requested.

Your responsibility for third-party data. You are solely responsible for ensuring that your sharing of disclosure packets with HOA Notes complies with applicable privacy, confidentiality, and contractual obligations, including any restrictions imposed by the seller, the seller's agent, the HOA, the HOA's management company, or your brokerage. You agree to indemnify HOA Notes against any claim arising from your sharing of a disclosure packet that exceeded your authority to share.

Categories of personal information collected (CPRA mapping)

For California Privacy Rights Act (CPRA) compliance, the personal information described above maps to the following CPRA-defined categories:

HOA Notes does not intentionally solicit or collect: biometric identifiers, geolocation data beyond IP-derived city-level estimates, sensory data (audio, video), or sensitive personal information as defined under CPRA §1798.140(ae) (Social Security number, driver's license, financial account access credentials, precise geolocation, racial or ethnic origin, religion, union membership, genetic data, sexual orientation, immigration status). However, sensitive personal information may be incidentally contained in disclosure packets uploaded by Customers (for example: financial-hardship details in delinquency or assessment records, named parties to HOA litigation). When sensitive personal information appears incidentally in a packet, it is treated with the same retention and security controls as the rest of the packet content, is not surfaced separately, and is deleted on the same retention timeline. HOA Notes does not knowingly collect personal information of consumers under 16.

3. How we use it

For business purposes as defined under CPRA §1798.140(e):

HOA Notes does not use your information for any "commercial purpose" as defined under CPRA §1798.140(g) other than the business purposes listed above. We do not engage in cross-context behavioral advertising.

4. Service providers we share with

HOA Notes uses a small set of vendor services to operate. We share only the minimum data required for each. All service providers are bound by contractual obligations (master services agreements, data processing addenda, or terms of service) to protect your information consistent with this Privacy Policy and applicable law. We require our service providers to use personal information only to provide services to HOA Notes and not for their own purposes, including not for cross-context behavioral advertising and not for the sale or share of personal information.

Bot protection on the contact form. The contact form at hoanotes.com/contact uses Cloudflare Turnstile to tell real people apart from automated abuse. When the form loads, Turnstile runs a check in your browser that reads signals such as browser and device characteristics to judge whether a request is automated. We use it only for security and abuse prevention. It is not used for advertising, for cross-site tracking, or to build a profile of you, and any cookie it sets is limited to making that check work. Turnstile is operated by Cloudflare, listed above, and its processing is covered by Cloudflare's privacy policy.

Cross-border processing. Your information may be processed in the United States or any jurisdiction where our service providers operate infrastructure. By using HOA Notes, you consent to this cross-border processing. If you are located outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

No sale or share of personal information. HOA Notes does not "sell" or "share" your personal information as those terms are defined under California law (CPRA §1798.140(ad) and §1798.140(ah)). We do not share your information with advertising networks. We do not enable cross-site or cross-device tracking. The vendor relationships listed above are service-provider relationships under CCPA §1798.140(ag), not sales or shares.

5. Retention

Backup retention caveat. Even after deletion from active storage, copies of your information may persist in encrypted, access-controlled backup systems for up to 30 additional days as part of our standard disaster-recovery practices. Backup copies are not used for any purpose other than restoration in the event of a system failure.

Deletion method. When we delete personal information, we use secure logical deletion (the records are removed from production systems and from indexes serving the Service). For source disclosure packets specifically, the underlying object-storage entries are deleted via the storage provider's documented secure-deletion procedure.

Legal hold. We may retain personal information longer than the periods stated above if required by law, by court or regulator order, for ongoing dispute resolution, or to enforce our Terms of Service. Any extended retention is limited to the specific information required for the legal purpose and is deleted when the purpose is satisfied.

6. Your California rights (CCPA and CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) give you the following rights:

How to submit a request

To exercise any of these rights, submit the request through our contact form (pick the relevant subject) or, for matters requiring written email correspondence, email hello@hoanotes.com with the request type in the subject line. We will respond within 45 days of receipt and verification, or notify you of an extension up to an additional 45 days as permitted by CCPA §1798.130(a)(2).

Identity verification

We must verify your identity before fulfilling certain requests, to protect your information from unauthorized disclosure. We will verify your identity by:

We do not retain identity-verification information beyond what is necessary to verify a single request, and we do not use that information for any other purpose.

Authorized agent

You may designate an authorized agent to submit a request on your behalf. The authorized agent must provide: (a) signed written permission from you authorizing them to act on your behalf, (b) proof of the authorized agent's identity, and (c) verification of your identity per the procedures above. We may deny a request from an authorized agent who cannot provide signed permission. If you are an authorized agent registered with the California Secretary of State per California Civil Code §1798.135(d), please reference that registration in your initial request and we will follow the simplified verification procedures.

Categories of personal information disclosed in the past 12 months

In the 12 months preceding the date at the top of this policy, HOA Notes disclosed the following categories of personal information to the following categories of recipients, all for the business purposes listed in §3:

HOA Notes did NOT sell or share any personal information for cross-context behavioral advertising in the 12 months preceding the date at the top of this policy.

7. Security

Encryption in transit (HTTPS / TLS 1.2 or higher) for all data flowing between you, HOA Notes, and our service providers. Encryption at rest on Cloudflare R2 (server-side encryption) for packet content; vendor-managed encryption at rest at Stripe, HubSpot, Resend, Sentry, and Anthropic per their published security practices and our service agreements. Two-factor authentication on every operator account. Quarterly review of vendor access. We are a small operation, so security posture is hands-on rather than ISO-certified; if your brokerage requires a Service Organization Control 2 (SOC 2) report or equivalent, contact us before contracting.

Security disclaimer. No method of transmission over the Internet, or method of electronic storage, is completely secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security. By using the Service you acknowledge this inherent risk.

Breach notification. In the event of a security incident affecting your personal information, we will notify you per California Civil Code §1798.82 within the timelines required by that statute. Notification will be made by email to affected active customers, by notice on the HOA Notes website, or by other reasonable means consistent with the statutory requirement, depending on the nature, scope, and urgency of the incident.

8. Children

HOA Notes is a service for adult homebuyers, licensed real estate agents, and related transaction parties in residential real estate purchases across the states we serve. We do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has submitted personal information through HOA Notes, contact us via the contact form or email hello@hoanotes.com and we will delete the information consistent with our deletion procedures.

9. Changes

Material changes to this policy will be announced by email to active customers at least 30 days before they take effect. The effective date at the top of this page tracks revisions.

10. Contact

Questions, requests, complaints: use the contact form. Where written email correspondence is required, the canonical mailbox is hello@hoanotes.com.