Privacy Policy
Last updated 2026-05-31
1. Who we are
HOA Notes is a real estate disclosure analysis service covering ten states (California, Texas, Florida, Virginia, Arizona, Colorado, Nevada, Washington, North Carolina, and Illinois). The Service is operated by Aliso LLC, a California limited liability company based in Orange County, California (the "Operator," "we," "us," "our"). The Service reads Homeowners Association (HOA) disclosure packets, and in California also processes related disclosures alongside the HOA packet (Seller Property Questionnaire, Transfer Disclosure Statement, Natural Hazard Disclosure). It generates a buyer brief and delivers it to the requesting real estate agent or buyer (the "Customer," "you," "your"). Contact: contact form or, for matters requiring written email correspondence, hello@hoanotes.com.
2. What we collect
Plain English description
- Contact information you give us when requesting a brief or signing up for the pilot: name, email address, brokerage affiliation, Multiple Listing Service (MLS) identifier (optional).
- Payment information processed through our payment provider (Stripe). HOA Notes never sees or stores full card numbers; Stripe handles tokenization.
- Disclosure packet content you upload for analysis. This is the document set provided by the seller or the seller's agent under California Civil Code §4525. We process the packet, generate a brief, and retain the source files for the period described under "Retention" below.
- Service usage data: timestamps, packet sizes, processing duration, error logs. Used to operate and improve the service.
- Cookies and similar technologies: a session cookie for the request flow. We also use Plausible, a cookieless privacy-preserving analytics service, to count aggregate pageviews and a small number of named conversion events on the public marketing site at hoanotes.com (for example, clicks to /order, downloads of the sample brief, and pageviews of the post-payment confirmation pages at /order/success and /brokerage/success). The customer-facing brief application at briefs.hoanotes.com, the packet-upload step, and the brokerage admin portal are not instrumented with Plausible. Plausible does not set cookies, does not retain Internet Protocol addresses, does not enable cross-site or cross-device tracking, and does not share data with advertising networks. No advertising trackers anywhere on the site. The public contact form additionally uses Cloudflare Turnstile for bot protection, which may set a cookie strictly to run its automated-abuse check; see §4 below.
Personal information about third parties (important)
The disclosure packets you upload to HOA Notes commonly contain personal information about people who are not our Customers, including (without limitation): homeowners' names and addresses, HOA board member names and contact information, delinquent-account holder identities, named parties in HOA litigation, and architectural-application records. By uploading a packet to HOA Notes, you represent that you have the right under California Civil Code §4525, your role in the real estate transaction, or the express authorization of the affected party to share that personal information with us for the purpose of generating a Brief.
With respect to your own Customer information (contact info, payment info, brief request history), HOA Notes is a "business" as defined under the California Consumer Privacy Act (CCPA) §1798.140(d). With respect to third-party personal information contained in disclosure packets uploaded by you, HOA Notes acts as a "service provider" (as defined under CCPA §1798.140(ag)), processing such information solely on your behalf and only for the purpose of generating your Brief. We do not contact, market to, profile, or otherwise process this third-party information for any purpose beyond generating the Brief you requested.
Your responsibility for third-party data. You are solely responsible for ensuring that your sharing of disclosure packets with HOA Notes complies with applicable privacy, confidentiality, and contractual obligations, including any restrictions imposed by the seller, the seller's agent, the HOA, the HOA's management company, or your brokerage. You agree to indemnify HOA Notes against any claim arising from your sharing of a disclosure packet that exceeded your authority to share.
Categories of personal information collected (CPRA mapping)
For California Privacy Rights Act (CPRA) compliance, the personal information described above maps to the following CPRA-defined categories:
- Identifiers: name, email address, Internet Protocol (IP) address, account identifier (yours; and within disclosure packets, the names and addresses of homeowners and board members).
- Commercial information: brief purchase history, brokerage seat license records, transaction amounts.
- Internet or other electronic network activity: timestamps of order submissions, brief downloads, session cookies, and aggregate Plausible analytics events (page URL, referrer, browser, operating system, device class, country-level geographic detail derived from Internet Protocol address; the address itself is not retained by Plausible).
- Professional or employment-related information: brokerage affiliation, MLS identifier, named parties in HOA documents (board members, management company contacts).
- Inferences: aggregated usage patterns derived for service improvement (no profile of any individual is constructed).
HOA Notes does not intentionally solicit or collect: biometric identifiers, geolocation data beyond IP-derived city-level estimates, sensory data (audio, video), or sensitive personal information as defined under CPRA §1798.140(ae) (Social Security number, driver's license, financial account access credentials, precise geolocation, racial or ethnic origin, religion, union membership, genetic data, sexual orientation, immigration status). However, sensitive personal information may be incidentally contained in disclosure packets uploaded by Customers (for example: financial-hardship details in delinquency or assessment records, named parties to HOA litigation). When sensitive personal information appears incidentally in a packet, it is treated with the same retention and security controls as the rest of the packet content, is not surfaced separately, and is deleted on the same retention timeline. HOA Notes does not knowingly collect personal information of consumers under 16.
3. How we use it
For business purposes as defined under CPRA §1798.140(e):
- Generate the buyer brief, red flag list, and agent talking points you requested.
- Deliver the brief to the email address you provide.
- Bill you for the service through Stripe.
- Improve the service: anonymized aggregate metrics on packet types, common red flags, processing time. HOA Notes does not use your packet content (or any portion of it) to train, fine-tune, or evaluate any artificial intelligence model, including our own internal models or those operated by our service providers. The aggregated, anonymized metrics described in this bullet are derived from operational telemetry (request timestamps, packet sizes, processing duration, error rates), not from the packet content itself, and do not constitute personal information.
- Communicate with you about your request, billing, or major service changes.
- Detect and prevent fraud, abuse, and misuse of the Service.
- Comply with legal obligations and enforce our Terms of Service.
HOA Notes does not use your information for any "commercial purpose" as defined under CPRA §1798.140(g) other than the business purposes listed above. We do not engage in cross-context behavioral advertising.
4. Service providers we share with
HOA Notes uses a small set of vendor services to operate. We share only the minimum data required for each. All service providers are bound by contractual obligations (master services agreements, data processing addenda, or terms of service) to protect your information consistent with this Privacy Policy and applicable law. We require our service providers to use personal information only to provide services to HOA Notes and not for their own purposes, including not for cross-context behavioral advertising and not for the sale or share of personal information.
- Anthropic: the underlying language model service used to read the packet and draft the brief. Packet text is sent to Anthropic for processing. Anthropic's policy on customer data is at anthropic.com/legal/privacy. Anthropic processes data in the United States.
- Cloudflare: web hosting, content delivery, Distributed Denial of Service (DDoS) protection, object storage (R2), and Turnstile bot protection on our public contact form. Cloudflare processes data globally; primary processing region for HOA Notes is the United States.
- Railway: backend processing infrastructure for the analysis pipeline. Railway processes data in the United States.
- Stripe: payment processing. Stripe processes data in the United States.
- Resend: transactional email (brief delivery, billing receipts). Resend processes data in the United States.
- HubSpot: customer relationship records (your contact info, your active brief requests). HubSpot processes data in the United States.
- Sentry: error monitoring (technical error context, not packet content). Sentry processes data in the United States.
- Plausible: aggregate website analytics on the public marketing site only (cookieless; no Internet Protocol address retention; country-level geographic detail derived from a daily-rotating hash; no packet content; no customer Identifiers). Plausible Insights OÜ is incorporated in Estonia and processes data on infrastructure operated by European companies within the European Union. Privacy and data processing addendum at plausible.io/data-policy and plausible.io/dpa.
Bot protection on the contact form. The contact form at hoanotes.com/contact uses Cloudflare Turnstile to tell real people apart from automated abuse. When the form loads, Turnstile runs a check in your browser that reads signals such as browser and device characteristics to judge whether a request is automated. We use it only for security and abuse prevention. It is not used for advertising, for cross-site tracking, or to build a profile of you, and any cookie it sets is limited to making that check work. Turnstile is operated by Cloudflare, listed above, and its processing is covered by Cloudflare's privacy policy.
Cross-border processing. Your information may be processed in the United States or any jurisdiction where our service providers operate infrastructure. By using HOA Notes, you consent to this cross-border processing. If you are located outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
No sale or share of personal information. HOA Notes does not "sell" or "share" your personal information as those terms are defined under California law (CPRA §1798.140(ad) and §1798.140(ah)). We do not share your information with advertising networks. We do not enable cross-site or cross-device tracking. The vendor relationships listed above are service-provider relationships under CCPA §1798.140(ag), not sales or shares.
5. Retention
- Source disclosure packets: 30 days after delivery of the Brief, then deleted from active storage. You may request immediate deletion at any time before the 30-day mark.
- Generated briefs: 12 months after delivery, so you can re-access them via the link we sent. After that, deleted.
- Contact records: while you have an active subscription or for 24 months after your last paid brief, whichever is longer.
- Billing records: 7 years to comply with California and federal tax recordkeeping requirements.
- Cost-log telemetry: token counts, cost amounts, model identifiers (no packet content, no personal information beyond the order identifier). Retained as long as necessary for accounting, tax compliance, and operational capacity planning; reviewed at least annually for ongoing necessity and pruned where no longer needed.
Backup retention caveat. Even after deletion from active storage, copies of your information may persist in encrypted, access-controlled backup systems for up to 30 additional days as part of our standard disaster-recovery practices. Backup copies are not used for any purpose other than restoration in the event of a system failure.
Deletion method. When we delete personal information, we use secure logical deletion (the records are removed from production systems and from indexes serving the Service). For source disclosure packets specifically, the underlying object-storage entries are deleted via the storage provider's documented secure-deletion procedure.
Legal hold. We may retain personal information longer than the periods stated above if required by law, by court or regulator order, for ongoing dispute resolution, or to enforce our Terms of Service. Any extended retention is limited to the specific information required for the legal purpose and is deleted when the purpose is satisfied.
6. Your California rights (CCPA and CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) give you the following rights:
- Right to know: ask us what personal information we have about you, the categories collected, the categories of sources, the business or commercial purposes for collecting, the categories of third parties with whom we shared the information, and specific pieces of personal information we have collected.
- Right to delete: ask us to delete your personal information.
- Right to correct: ask us to correct inaccurate personal information.
- Right to limit use of sensitive personal information: HOA Notes does not knowingly collect sensitive personal information as defined under CPRA, but you may still exercise this right.
- Right to opt out of sale or sharing: HOA Notes does not sell or share personal information for cross-context behavioral advertising; you have the right to opt out of any future sale or share, though none currently occurs.
- Right to non-discrimination: we will not deny service, charge a different price, or provide a different level of service because you exercised any of these rights.
How to submit a request
To exercise any of these rights, submit the request through our contact form (pick the relevant subject) or, for matters requiring written email correspondence, email hello@hoanotes.com with the request type in the subject line. We will respond within 45 days of receipt and verification, or notify you of an extension up to an additional 45 days as permitted by CCPA §1798.130(a)(2).
Identity verification
We must verify your identity before fulfilling certain requests, to protect your information from unauthorized disclosure. We will verify your identity by:
- For non-account-related requests (right to know categories, right to non-discrimination): matching the email address on file with a confirmation reply you send.
- For deletion or correction requests, or specific-pieces requests: matching the email address on file plus an additional confirmation, which may include matching an order identifier from a prior brief or matching a Stripe receipt number issued to you for a prior payment.
- For requests about sensitive or specific personal information, or requests submitted by an authorized agent: we may require additional verification including a sworn declaration of identity.
We do not retain identity-verification information beyond what is necessary to verify a single request, and we do not use that information for any other purpose.
Authorized agent
You may designate an authorized agent to submit a request on your behalf. The authorized agent must provide: (a) signed written permission from you authorizing them to act on your behalf, (b) proof of the authorized agent's identity, and (c) verification of your identity per the procedures above. We may deny a request from an authorized agent who cannot provide signed permission. If you are an authorized agent registered with the California Secretary of State per California Civil Code §1798.135(d), please reference that registration in your initial request and we will follow the simplified verification procedures.
Categories of personal information disclosed in the past 12 months
In the 12 months preceding the date at the top of this policy, HOA Notes disclosed the following categories of personal information to the following categories of recipients, all for the business purposes listed in §3:
- Identifiers, Commercial information: disclosed to Stripe (payment processing), Resend (email delivery), HubSpot (customer relationship records).
- Identifiers, Internet activity, Professional information, third-party Identifiers contained in disclosure packets: disclosed to Anthropic (language model processing), Cloudflare (storage and content delivery), Railway (pipeline processing), Sentry (error monitoring; identifiers only, no packet content).
- Internet activity (aggregate analytics on the public marketing site only): disclosed to Plausible (cookieless aggregate analytics; no Internet Protocol address retention; no customer Identifiers; no packet content).
HOA Notes did NOT sell or share any personal information for cross-context behavioral advertising in the 12 months preceding the date at the top of this policy.
7. Security
Encryption in transit (HTTPS / TLS 1.2 or higher) for all data flowing between you, HOA Notes, and our service providers. Encryption at rest on Cloudflare R2 (server-side encryption) for packet content; vendor-managed encryption at rest at Stripe, HubSpot, Resend, Sentry, and Anthropic per their published security practices and our service agreements. Two-factor authentication on every operator account. Quarterly review of vendor access. We are a small operation, so security posture is hands-on rather than ISO certified; if your brokerage requires a Service Organization Control 2 (SOC 2) report or equivalent, contact us before contracting.
Security disclaimer. No method of transmission over the Internet, or method of electronic storage, is completely secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security. By using the Service you acknowledge this inherent risk.
Breach notification. In the event of a security incident affecting your personal information, we will notify you per California Civil Code §1798.82 within the timelines required by that statute. Notification will be made by email to affected active customers, by notice on the HOA Notes website, or by other reasonable means consistent with the statutory requirement, depending on the nature, scope, and urgency of the incident.
8. Children
HOA Notes is a service for adult homebuyers, licensed real estate agents, and related transaction parties in residential real estate purchases across the states we serve. We do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has submitted personal information through HOA Notes, contact us via the contact form or email hello@hoanotes.com and we will delete the information consistent with our deletion procedures.
9. Changes
Material changes to this policy will be announced by email to active customers at least 30 days before they take effect. The effective date at the top of this page tracks revisions.
10. Contact
Questions, requests, complaints: use the contact form. Where written email correspondence is required, the canonical mailbox is hello@hoanotes.com.