What we collect

Three categories, all customer-initiated.

Order metadata. The information your buyer's agent submits with each brief request: name, work email, brokerage affiliation, and (optional) MLS identifier. Stripe handles the payment; HOA Notes never sees or stores full card numbers. We need this much to deliver the brief and to bill the order.

Disclosure packet content. The PDFs you upload for analysis: the documents provided by the seller or seller's agent under California Civil Code §4525 and analogous statutes in the other nine states we cover. A packet is commonly some combination of CC&Rs, bylaws, reserve study, audited financials, board minutes, architectural-application records, and pending-litigation disclosures. Multiple PDFs are treated as one bundle, 200 MB total maximum.

Brokerage portal seat information (Brokerage Seat License only). If your brokerage holds a Seat License, we additionally retain the per-Seat roster (named individual per Seat), per-Seat usage telemetry for the fair-use ceilings described in our Terms, and the admin contact for the brokerage. Per-Seat usage telemetry is continuously visible to the brokerage's named admin via the customer portal.

Service usage data. Timestamps, packet sizes, processing duration, error logs, and cost-log telemetry (token counts, model identifiers; no packet content). Used to operate the service and plan capacity. We use a session cookie for the request flow. No cross-site tracking cookies. No advertising trackers. No third-party analytics that share data outside HOA Notes.

The disclosure packets you upload commonly contain personal information about third parties (homeowners, board members, delinquent-account holders, named parties in HOA litigation). By uploading a packet, you represent that you have the right under Civil Code §4525, your role in the transaction, or the express authorization of the affected party to share that information with us for the purpose of generating a Brief. See the Privacy Policy for the full CCPA/CPRA category mapping.

Where the data lives

Cloudflare R2 object storage, US region. Every uploaded packet lands in a private R2 bucket under a per-order prefix. Encrypted at rest by default (AES-256 server-side encryption) and in transit (TLS 1.2 or higher to Cloudflare). The packet is read once by our pipeline; the resulting brief is hosted at briefs.hoanotes.com behind a unique, unguessable order identifier.

Pipeline processing on Railway, US region. The analysis pipeline runs on Railway infrastructure in the United States. Workers read packets from R2, run extraction and language-model analysis, render the brief PDF, and write the brief back to object storage. Nothing intermediate persists on a worker filesystem or in a third-party SaaS.

Order, billing, and CRM metadata. Order records are stored in our application database. Billing records live with Stripe. Active customer-contact records are mirrored in HubSpot for relationship continuity. All processing is in the United States.

Email transit. Order confirmations, brief-delivery notifications, and billing receipts go out via Resend on a verified sub-domain. We never include packet content or any portion of the buyer brief in email bodies. Emails contain order identifiers and links to the brief hosted at briefs.hoanotes.com; the documents themselves never leave our storage via email.

No customer data in source control. Real customer packets and briefs never enter a Git repository. The sample brief at briefs.hoanotes.com/sample/brief.pdf is built from anonymized content for marketing.

Who has access

Internal personnel. Aliso LLC personnel with operator scope. Today this is the founder. Access is via Cloudflare and Railway consoles with two-factor authentication and per-action audit logging. Vendor access is reviewed quarterly.

The requesting customer. The brief is delivered to the email address provided on the order. The brief itself is hosted behind a unique, unguessable order identifier at briefs.hoanotes.com.

Subprocessors. We use a small set of vendor services to operate. We share only the minimum data each one needs. All subprocessors are bound by contractual obligations to protect your information and to use it only to provide services to HOA Notes (not for their own purposes, not for cross-context behavioral advertising, not for sale or share).

  • Anthropic - large language model service that reads packet text and drafts the brief. US processing.
  • Cloudflare - web hosting, content delivery, DDoS protection, and R2 object storage. Primary processing region: United States.
  • Railway - backend pipeline infrastructure for the analysis run. US processing.
  • Stripe - payment processing. Stripe handles card tokenization; HOA Notes never sees full card numbers. US processing.
  • Resend - transactional email (order confirmations, brief-delivery links, receipts). Email content only; packet content never transits Resend. US processing.
  • HubSpot - customer-relationship records (contact info, active brief-request history). No packet content. US processing.
  • Sentry - error monitoring (technical error context only, no packet content). US processing.

The full subprocessor list, with each vendor's purpose and processing region, is in the Privacy Policy.

What we never do

  • We never train AI models on your packet content. Not language models, not embeddings, not anything. Your packet is used to produce your brief and nothing else. We do not use packet content (or any portion of it) to train, fine-tune, or evaluate any artificial intelligence model, including our own internal models or those operated by our subprocessors.
  • We never sell or share your personal information. Not for analytics, not for advertising, not for any commercial purpose. We do not engage in cross-context behavioral advertising. The vendor relationships above are service-provider relationships under CCPA §1798.140(ag), not sales or shares.
  • We never email packet content or brief content. Emails contain order identifiers and links to documents hosted in our storage. The documents stay behind authenticated, unguessable URLs.
  • We never use your packet beyond producing your brief. No profile of any individual is constructed. No third-party marketing. No surfacing of incidentally-collected sensitive personal information for any purpose other than producing the brief you ordered.
  • We never store packet content outside the United States. R2, Railway, and our other US-processing subprocessors are the entire processing footprint for packet content.
  • We never set cross-site tracking cookies. A session cookie for the request flow is the only cookie we set. No advertising trackers, no cross-domain analytics, no fingerprinting.

How long we keep it

  • Source disclosure packets - 30 days. Uploaded packets are retained for 30 days after delivery of the Brief, then deleted from active storage. You may request immediate deletion at any time before the 30-day mark.
  • Generated briefs - 12 months. The buyer-facing brief PDF is retained for 12 months after delivery so you can re-access it via the link we sent. After that, deleted.
  • Contact records - while active, plus 24 months. Retained while you have an active subscription or for 24 months after your last paid brief, whichever is longer.
  • Billing records - 7 years. Retained for 7 years to comply with California and federal tax recordkeeping requirements.
  • Cost-log telemetry - indefinite. Token counts, cost amounts, model identifiers (no packet content, no personal information beyond the order identifier). Retained as long as necessary for accounting, tax compliance, and operational capacity planning; reviewed at least annually and pruned where no longer needed.

Backups. Even after deletion from active storage, copies of your information may persist in encrypted, access-controlled backup systems for up to 30 additional days for disaster recovery. Backups are not used for any purpose other than restoration.

Early deletion. Before the periods above end, you can use the contact form to request earlier deletion of any data not needed for tax substantiation. We honor verified requests within 45 days unless retention is required by legal hold.

If something goes wrong

Breach notification under California Civil Code §1798.82. In the event of a security incident affecting personal information we hold, we will notify you within the timelines required by that statute. Notification is made by email to affected active customers, by notice on the HOA Notes website, or by other reasonable means consistent with the statutory requirement, depending on the nature, scope, and urgency of the incident. The notification includes the nature of the incident, the categories of information involved, our containment steps, and any action we recommend you take.

How to reach us. Security questions, suspected incidents, or vulnerability disclosures: use the contact form with subject "SECURITY". We commit to acknowledging within one business day and substantively responding within five business days. If the contact form is unavailable, the security-contact procedure in §7 of the Privacy Policy applies as a fallback.

Compliance posture, honestly

We try to be straight about what we do and do not have today.

  • California focus and Davis-Stirling fluency. HOA Notes' legal-compliance cross-reference is calibrated to each covered state's HOA and condominium act, with California's Davis-Stirling Common Interest Development Act (Civil Code §§4000–6150) as the deepest layer. Davis-Stirling fluency is a product-knowledge claim, not a legal certification or a substitute for a California real estate attorney's review.
  • CCPA / CPRA. We honor right-to-know, right-to-delete, right-to-correct, right-to-limit-use-of-sensitive-personal-information, right-to-opt-out, and right-to-non-discrimination requests through the process described in §6 of the Privacy Policy. With respect to your own customer information we are a "business" under CCPA §1798.140(d); with respect to third-party personal information contained in packets we act as a "service provider" under §1798.140(ag), processing solely on your behalf and only to generate your brief.
  • SOC 2. Not currently certified. We are a small operation and our security posture is hands-on rather than ISO certified. If your brokerage's procurement requires a SOC 2 report or equivalent, contact us; we can provide subprocessor lists and security questionnaire responses in the interim.
  • GDPR. Not applicable. HOA Notes serves the United States only and does not process personal data of EU residents.
  • HIPAA. Not applicable. We do not collect, store, or process Protected Health Information.
  • California Uniform Electronic Transactions Act (Civil Code §1633.7). Click-wrap acceptance at order time, with checkbox state, timestamp, and IP address recorded, constitutes an electronic signature under California law. See §0 of the Terms.

How to verify these claims

Three ways to confirm what is on this page.

  1. Read the Terms of Service and Privacy Policy. Both are click-wrap accepted at order time and are the binding versions of these commitments. If anything on this page differs from those documents, the legal documents govern.
  2. Ask a security or procurement question. Use the contact form with subject "SECURITY" and we will respond in writing within five business days.
  3. Confirm a specific subprocessor. Each subprocessor listed under "Who has access" publishes its own security and privacy posture. If your brokerage's procurement needs vendor-specific documentation, ask via the contact form and we will route the request.

This page is a public commitment. We update it as our infrastructure changes; the date below shows when it was last reviewed.

Last reviewed: May 10, 2026.