Privacy Policy

Last Updated: March 2026

RepoDeck ("we," "us," or "our") operates the website at repodeck.com and associated mobile applications. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights regarding that data.

By using RepoDeck, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.

1. Data We Collect

Account Information

When you create an account, we collect your email address and a password (hashed and stored securely). You may optionally provide your first name, last name, and phone number in your profile.

Organization & Team Data

If you create or join an organization, we store the organization name, your role (owner, admin, inspector, or viewer), and team invitation details (inviter name, invited email, role, expiration date).

Inspection Reports

We collect data you provide while creating inspection reports, including:

  • Property addresses and inspection dates
  • Observation narratives, recommendations, and section data
  • Photos and images, including EXIF metadata (GPS coordinates, timestamp, camera make/model) when available
  • Report delivery and sharing records

Lead & Marketing Data

When you use our free AI tools without an account, we collect your email address and, optionally, the narrative or text you submitted for processing. We also capture UTM parameters (source, medium, campaign) from the URL you arrived from to understand how users find us.

Payment Information

Subscription payments are processed by Stripe. We store your Stripe customer ID, subscription status, and plan details. We do not store credit card numbers, bank account details, or other payment credentials—these are handled entirely by Stripe.

Usage & Technical Data

We automatically collect your IP address for rate limiting and security purposes. We track AI tool usage counts per organization per month. Error reports may include stack traces, browser information, and user identifiers.

2. How We Use Your Data

We use the data we collect to:

  • Provide, maintain, and improve our inspection reporting services
  • Process inspection narratives, photos, and property data through AI tools to generate refined content
  • Send transactional emails (account verification, report delivery, team invitations, password resets)
  • Send marketing emails (welcome series, nurture campaigns) to leads who opted in
  • Process subscription payments via Stripe
  • Monitor and enforce rate limits and prevent abuse
  • Track errors and improve application stability
  • Analyze usage patterns through analytics tools (only with your consent via the cookie banner)
  • Maintain audit logs of significant account actions for security

3. AI Data Processing

RepoDeck uses Google's Gemini API to power AI features including narrative refinement, photo analysis, defect lookup, site intelligence, report auditing, business coaching, and chat. When you use these features:

  • Text inputs are sanitized (HTML stripped) and truncated to size limits before being sent to Google's API
  • Images are sent in base64 format for visual analysis (e.g., defect identification, equipment label scanning)
  • We do not use your proprietary inspection data to train public AI models. Data sent to Google Gemini is subject to Google's API terms of service and data handling policies
  • AI usage is rate-limited to 5 requests per minute per IP address

4. Third-Party Services

We share data with the following third-party services to operate RepoDeck:

Infrastructure & Storage

  • Supabase — Database, authentication, and file storage. All account data, reports, and media are stored in Supabase-managed PostgreSQL databases.
  • Vercel — Web application hosting. Processes HTTP requests and serves the application.
  • Google Cloud Platform — Hosts our PDF generation service for report exports.

Communication

  • Resend — Email delivery for transactional and marketing emails. Receives recipient email addresses, names, and email content. Maintains an audience list for email marketing.

Payments

  • Stripe — Subscription payment processing. Receives and processes payment information directly. We receive webhook notifications about subscription status changes.

AI Processing

  • Google Gemini API — Processes text and images for AI-powered features. See Section 3 for details.

Security & Monitoring

  • Cloudflare Turnstile — CAPTCHA verification on lead capture forms to prevent automated abuse.
  • Sentry — Error tracking and performance monitoring. May receive error details, stack traces, and user context when errors occur.
  • Upstash Redis — Rate limiting infrastructure in production. Stores IP addresses temporarily for request counting.

Analytics (Consent Required)

The following services are only activated after you accept analytics cookies via our consent banner:

  • Google Analytics (GA4) — Website usage analytics including page views, events (signup, report creation, tool usage), and conversion tracking.
  • Microsoft Clarity — Session replay and heatmap analytics to understand user behavior.
  • PostHog — Product analytics, feature usage tracking, and session recording.

5. Cookies & Tracking

When you first visit RepoDeck, a cookie consent banner asks for your permission before loading any analytics or advertising scripts.

Essential Storage (No Consent Required)

We use browser localStorage for functional purposes that do not require consent. These include your theme preference (dark/light mode), onboarding completion status, UI dismissal states, and temporary tool input caches. This data stays on your device and is not sent to our servers.

Analytics (Consent Required)

A single “Analytics” consent controls all non-essential tracking: Google Analytics (GA4) for page views and usage events, Microsoft Clarity for session replay and heatmaps, and PostHog for product analytics and feature usage tracking. These tools help us understand how inspectors use RepoDeck so we can improve the experience. You can change your preference at any time by clearing your browser's localStorage or using the consent banner's Customize option.

UTM Parameters

We capture UTM marketing parameters from the URL you arrive with (e.g., utm_source, utm_medium, utm_campaign). These are stored in your browser's session storage (automatically cleared when you close the tab) and may be attached to your lead record to help us understand how users discover RepoDeck.

6. Email Communications

Transactional Emails

We send emails necessary for the operation of your account, including email verification, password resets, report delivery notifications, team invitations, and payment receipts. You cannot unsubscribe from these emails because they are essential to the service.

Marketing Emails

When you provide your email through a free tool or lead capture form, you may receive a welcome email and a series of follow-up emails (nurture campaign) introducing RepoDeck's features. You can unsubscribe from marketing emails at any time using the one-click unsubscribe link in every email or by visiting our unsubscribe page.

7. Data Security

We implement the following security measures to protect your data:

  • All data is encrypted in transit via HTTPS/TLS
  • Data at rest is encrypted by our database provider (Supabase)
  • Passwords are hashed using industry-standard algorithms (handled by Supabase Auth)
  • API inputs are validated using schema-based validation (Zod) at every endpoint
  • Rate limiting protects against brute-force and abuse attacks
  • CAPTCHA verification prevents automated form submissions
  • Webhook signatures are cryptographically verified to prevent tampering (Svix/HMAC for Resend, Stripe signature verification)
  • Audit logging tracks significant actions (login, report operations, admin changes) for security monitoring
  • Row-Level Security (RLS) policies in our database ensure users can only access their own organization's data

8. Data Retention

  • Account data is retained for as long as your account is active.
  • Inspection reports and media are retained for as long as your organization's account is active.
  • Lead data is retained until you unsubscribe or request deletion.
  • Share links for reports expire after 7 days and are automatically cleaned up.
  • Team invitations expire after 7 days.
  • Audit logs are retained for compliance and security review purposes.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — Request a copy of the personal data we hold about you.
  • Correction — Request correction of inaccurate personal data.
  • Deletion — Request deletion of your personal data and account.
  • Opt-out of marketing — Unsubscribe from marketing emails at any time via the link in each email.
  • Withdraw cookie consent — Use the cookie banner's Customize option to change your preferences, or clear your browser's localStorage and revisit the site to reset.
  • Data portability — Request your data in a portable format.

California Residents (CCPA)

We do not sell your personal information to third parties as defined by the California Consumer Privacy Act (CCPA). Data sharing is limited to service providers (Supabase, Stripe, Resend, Google Gemini) under data processing agreements necessary to operate the service. California residents have the right to request disclosure of data collected and to request deletion of their personal information.

To exercise any of these rights, please contact us at team@repodeck.com. We will respond to your request within 30 days.

10. Children's Privacy

RepoDeck is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this policy periodically for any changes.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

  • Email: team@repodeck.com
  • Website: repodeck.com