Cribfolio Privacy Policy

Effective Date: May 27, 2026 Last Updated: May 27, 2026 Version: 1.4

Summary of v1.4 update: Privacy requests now route to a dedicated monitored address — privacy@cribfolio.com — separate from product support. This makes CCPA / CPRA / state-privacy-law requests easier to process within statutory deadlines.

Summary of v1.3 update: Added Section 4.8 — explicit non-collection of sensitive personal information under CPRA and similar state laws. Added Section 9.5 — explicit third-party AI service disclosure (Apple Guideline 5.1.2(i)) documenting what is sent to Anthropic Claude, what is never sent, and the one-time in-app consent flow.

1. Introduction

This Privacy Policy ("Policy") explains how Cribfolio ("we," "our," or "us") collects, uses, shares, retains, and protects personal information when you access or use our mobile applications, websites, application programming interfaces, and related services (collectively, the "Services").

By creating an account, signing in, or otherwise using the Services, you acknowledge that you have read and understood this Policy. If you do not agree with our practices as described here, please do not use the Services.

We have written this Policy in plain language wherever possible. If any section is unclear to you, please contact us before you rely on the Services — your understanding matters to us.

2. Who We Are

Cribfolio is a personal property-intelligence application that helps owners of residential real estate track properties, estimate rental pricing, organize maintenance and financial information, and plan upgrades. We operate primarily as a consumer mobile application available through the Apple App Store and as a set of supporting cloud services.

Contact information for all privacy matters is listed in the Contact Us section at the end of this Policy.

3. Scope of This Policy

This Policy applies to personal information we collect through the Services. It does not apply to information collected by third parties, such as partner businesses, service vendors, or other landlords or property owners you may interact with through our referral features. When we link to or integrate with third-party services, those services operate under their own privacy policies and we encourage you to review them separately.

4. Information We Collect

We collect only the information we genuinely need to provide and improve the Services. We have grouped the categories below to align with the personal information classifications recognized under the CCPA/CPRA so that you can match each category to the rights you hold under applicable law.

4.1 Identifiers

• Name (the display name you choose — we do not require legal name)
• Email address (used for account authentication and required service communications)
• Device identifiers, push notification tokens, and session tokens issued by our authentication provider
• IP address (processed automatically for security, fraud prevention, and abuse mitigation; not displayed in your profile)

4.2 Customer records

• Password (stored only as a one-way hash by our authentication provider; we never have access to your plaintext password)
• Subscription tier and billing status (we receive status confirmations from the in-app purchase provider; we do not process your payment card)

4.3 Property-related information you enter or import

• Property street address, city, state, zip code, county
• Property characteristics you enter (bedrooms, bathrooms, square footage, year built, property type, amenities, rental configuration, photos you choose to attach)
• Room-level and item-level condition ratings you enter
• Utility costs, mortgage information, rental rates, and other financial figures you choose to input
• Project, maintenance, and contractor notes you create
• Time entries you log for material participation recordkeeping

You control what property information you enter. If you do not enter a figure, we do not have it. If you do enter it, we store it so we can display it back to you across sessions and devices.

4.4 Usage information

• App screens and features you view and interact with
• Approximate time spent on features, click and tap events, feature adoption signals
• Error logs and performance diagnostics generated when the app encounters a problem
• Device type, operating system version, app version, locale, time zone

4.5 AI-interaction information

• Text prompts you submit to the in-app AI assistant
• Responses generated by the AI assistant
• Images and text you submit to the AI scanner feature (such as appliance serial plates, utility bills, or paint can labels)

4.6 Pricing feedback information (data moat)

If you consent via the data-sharing toggle in your signup flow or in Settings, we collect paired snapshots of the pricing recommendations we display to you alongside the actual rental rates you ultimately set. These snapshots include property characteristics, comp source, amenity configuration, and algorithm version at the time of recommendation. This information trains our pricing model to make more accurate recommendations for every user over time. It is linked to your account identifier so that we can honor deletion requests. You may withdraw this consent at any time from Settings, after which no further snapshots are collected.

4.7 Information we do NOT collect

To be explicit about what we avoid:

• We do not collect precise or coarse device-sensed location. We do not request GPS permission. The property address you type into the app is user-entered content, not device location.
• We do not collect government identification numbers.
• We do not collect financial account numbers, bank routing numbers, or payment card numbers (those are handled by the in-app purchase provider).
• We do not access your device contacts, calendar, health data, or microphone audio.
• We do not access your camera roll as a whole; only the specific photo you select when uploading an attachment.
• We do not collect children's data (see Children's Privacy section below).

4.8 Sensitive personal information (CPRA-defined categories)

Under the California Privacy Rights Act (CPRA) and similar state laws, "sensitive personal information" includes categories such as government identifiers, account log-in credentials in combination with passwords, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail / email / text messages where Cribfolio is not the intended recipient, genetic data, biometric identifiers processed for identification purposes, health information, and information about sex life or sexual orientation.

Cribfolio does not knowingly collect or process any category of sensitive personal information as defined above, with two narrow operational exceptions: (a) account passwords, which are processed only via our authentication provider's one-way hashing as described in Section 4.2 and are never visible to us in plaintext; and (b) any sensitive information you voluntarily type into the AI assistant or display on a photo you choose to scan, which is processed solely to fulfill your request and is governed by Sections 9.5 and 4.5 of this Policy. We do not use sensitive personal information for purposes beyond providing the Services you requested, and we do not sell or share it.

5. How We Use Your Information

We use the information we collect for the following purposes:

• To create and maintain your account and authenticate you at sign-in
• To display your property data, rental rate recommendations, and financial analysis back to you across devices and sessions
• To process your subscription status and confirm your tier entitlements
• To generate on-demand outputs such as the Owner Hours export, property comp analyses, and AI assistant responses
• To diagnose errors, improve reliability, and prevent abuse or fraud
• To communicate with you about your account, including required service notifications, security alerts, receipts, and material changes to terms
• To improve the Services, including (with your consent) training our pricing model on paired pricing-recommendation-and-outcome data
• To comply with legal obligations and enforce our agreements

We do not sell your personal information for monetary consideration. We do not display third-party advertising inside the Services.

6. How We Share Your Information

We share personal information only in the limited circumstances described below.

6.1 Service providers (processors)

We contract with the following vendors to provide parts of the Services. Each is bound by a written agreement requiring them to process your information only on our instructions and to maintain security controls appropriate to the data.

• Supabase — our primary database, authentication, and server infrastructure provider
• Apple App Store and RevenueCat — subscription management and in-app purchase processing
• Anthropic — the underlying language and vision model provider (Claude) for our AI assistant and photo-scanning features; text prompts and photos you submit to these features may be transmitted to Anthropic for processing under Anthropic's API terms. Anthropic does not train its commercial models on data submitted via its API.
• PostHog — product analytics and optional session event logging (subject to your data-sharing preference)
• Sentry — crash reporting and error telemetry (once enabled)
• Apple Push Notification Service — delivery of push notifications you have opted into

6.2 Data sources we read from (not recipients of your data)

The following third-party services provide data we use to produce comp analyses and location signals. We send only non-identifying queries such as zip codes, beds/baths counts, or listing URLs. We do not transmit your name, email, or account identifier to these sources.

• RentCast — rental comp data by location
• AirROI — short-term rental market data
• Walk Score and related location-signal providers — walkability, transit, and school rating data

6.3 Compelled or legal disclosures

We may disclose your information if we believe in good faith that disclosure is required to comply with a subpoena, court order, or other legal obligation; to protect the safety of any person; to enforce our Terms of Service; to investigate fraud, security, or technical issues; or in connection with a merger, acquisition, or asset sale provided that any successor is bound by terms at least as protective of your information.

6.4 Anonymous aggregate data

We may publish or share statistical reports that do not identify any individual user — for example, median rental rates by market, common upgrade patterns, or subscription conversion rates. These reports do not contain your personal information.

6.5 What we do not do

We do not sell your personal information for monetary consideration. We do not display targeted advertising inside the Services. We do not rent your email address to marketing partners. We do not share your property address with referral partners (referrals are triggered by non-identifying signals such as zip code + property type).

7. Third-Party Links and Referral Partners

The Services may display referral cards or links to third-party home services, insurance providers, contractors, and retailers. When you tap one of these links, you leave the Cribfolio Services and the third party's own privacy policy applies. We may receive a commission if you make a purchase from a referred partner. Our receipt of a commission does not influence the safety or objectivity of recommendations; we surface partners based on the actual condition and characteristics of your property.

8. Legal Bases for Processing

For users located in jurisdictions that require us to state a legal basis for processing personal information (such as the United Kingdom or European Economic Area, if we accept users from those regions), our legal bases are:

• Performance of a contract — to provide the Services you have requested
• Legitimate interests — to secure the Services, prevent abuse, and improve the product, provided our interests do not override your rights
• Consent — where we specifically request it, such as for data-sharing toward model training, marketing communications, or optional features
• Legal obligation — where we are required to process data to comply with law

9. AI and Automated Decision-Making

Parts of the Services use automated systems to produce estimates, recommendations, and other outputs. We want you to know when this is happening and how to respond.

• AI assistant — generates conversational answers about your property. Responses may contain errors or outdated information. Always verify important information before relying on it.
• Rental pricing recommendations — produced by a combination of third-party comp data, amenity premiums, and our own algorithms. These are estimates, not guarantees of income.
• Property valuation estimates — based on comparable sales data and user-entered characteristics. Not a formal appraisal and not intended to replace one.
• Photo scanner — uses a vision-language model to extract text and identifiers from photos. Accuracy varies by image quality and content.

No automated system used by the Services produces decisions that have legal or similarly significant effects on you without human review. You retain full control over every decision you make based on our outputs.

If you prefer not to receive AI-generated outputs, you can avoid those features. Disabling AI features does not limit your ability to use the non-AI parts of the Services.

9.5 Third-Party AI Service Disclosure

Some AI features in Cribfolio are powered by Anthropic's Claude, a third-party AI service. This section explains exactly what is sent, what is never sent, and how to control it.

Before any data is sent to Anthropic, Cribfolio displays an in-app consent screen the first time you attempt to use an AI feature. The consent screen identifies the third party (Anthropic), summarizes what data will be transmitted, and requires you to tap "I Agree" before any AI call is made. Tapping "Not Now" blocks AI features until you turn them on later from Settings → AI & Privacy. You are asked only once — after you grant consent, AI features work normally without any further prompts. This consent flow is governed by Apple App Store Guideline 5.1.2(i) and is in addition to this Policy.

What is sent to Anthropic when you use an AI feature:

• Photos you choose to submit for room grading or document scanning (room photos, receipts, paint labels, utility bills, appliance serial plates)
• The text of any question you type into the AI assistant
• Non-identifying property characteristics relevant to your question — for example, your home's square footage, value range, rental type (STR / LTR / Personal), city or metro area, current mortgage rate (if you have entered one)

What is never sent to Anthropic — your personal information stays private:

• Your name (neither your display name nor any name you entered)
• Your Cribfolio account email address
• Your password (we never have it in plaintext — see Section 4.2)
• Payment information, billing details, or subscription tokens
• Your home's street address (we strip this from every AI request — only the city / state level is sent for broad-area context, never the specific street)
• Your property's nickname or label (the name you chose for the property is also stripped before any AI request)
• Your phone number, device contacts, calendar, health data, or device location
• Any data unrelated to the specific AI request you initiated

The only nuance: if you choose to scan a document or photo that visibly contains a name, address, or other identifier (for example, scanning a utility bill that has the billing address printed on it), that image content reaches Anthropic's vision model because that is the content you submitted. We do not separately add or augment identifiers — what you see in the photo is what is sent.

Anthropic's treatment of submitted data:

• Anthropic processes data submitted via its API under Anthropic's Commercial Terms of Service and its Privacy Policy (anthropic.com/legal).
• Anthropic does not train its commercial AI models on data submitted via its API. This is contractually committed by Anthropic and applies to all data Cribfolio sends.
• Anthropic stores submitted data only as long as necessary to provide the API response and operate Anthropic's services, subject to applicable retention windows described in Anthropic's documentation.
• Anthropic applies security and privacy controls that are at least equivalent to the controls Cribfolio applies to your data within our own systems (see Section 12, Data Security).

Your controls:

• Grant consent — tap "I Agree, Enable AI" on the first-run consent modal that appears the first time you press an AI button (such as the photo-grade button, AI question box, or scan button).
• Revoke consent at any time — Settings → AI & Privacy → toggle AI off. Once revoked, no further data is sent to Anthropic from any feature, and you will be prompted again the next time you try an AI feature.
• Skip AI entirely — every AI feature in Cribfolio has a non-AI alternative (manual room ratings, no-AI text fields, manual entry of items). You can use Cribfolio fully without ever enabling AI features.

If we add additional AI vendors or change what categories of data we send, we will require you to grant fresh consent through a new in-app prompt before the change takes effect for your account.

10. Your Privacy Rights

Depending on where you live, you may have the following rights with respect to personal information we hold about you. Regardless of your jurisdiction, we offer the core rights of access, correction, and deletion to all users.

10.1 Rights we offer all users

• Right to access — request a copy of the personal information we hold about you
• Right to correct — ask us to fix inaccurate or incomplete information
• Right to delete — ask us to delete your account and associated information
• Right to withdraw consent — for any processing that relies on your consent (such as data-sharing for model training), you can withdraw consent at any time
• Right to opt out of non-essential communications — unsubscribe from any marketing email via the link in the email itself

10.2 California residents (CCPA/CPRA)

In addition to the rights above, California residents have:

• Right to know the categories of personal information we collect, the purposes, the categories of recipients, and the specific pieces of personal information we hold
• Right to limit use and disclosure of sensitive personal information (we do not use sensitive personal information beyond what is strictly necessary to provide the Services, so this right has limited practical application)
• Right to opt out of the sale or sharing of personal information (we do not sell or share your personal information within the meaning of the CCPA; no action is needed to opt out)
• Right to non-discrimination for exercising privacy rights
• Right to designate an authorized agent to make requests on your behalf

10.3 Colorado, Connecticut, Virginia, Utah, Texas, Florida residents

You have rights similar to those described for California residents, including the right to access, correct, delete, and obtain a portable copy of your personal information. You also have the right to opt out of targeted advertising, though we do not engage in targeted advertising within the Services. Where applicable, you have the right to appeal a refusal of a privacy request.

10.4 How to exercise your rights

To exercise any of the rights above, contact us using the information in Section 18 (Contact Us). We will respond within the timeframes required by the applicable law (generally 45 days in the United States; 30 days for some EU/UK requests), with one extension period available for complex requests.

We will verify your identity before responding to a request. For sensitive requests such as deletion, we may require you to sign in to the Services or confirm via an email link to prevent unauthorized requests.

Account deletion is also available to you directly within the Services from the Settings menu. In-app deletion triggers the same deletion workflow as a written request and is usually faster.

11. Children's Privacy

The Services are intended only for users aged eighteen (18) and older. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected personal information from a minor, we will promptly delete it. If you believe a minor has provided us with personal information, please contact us using the information in Section 18 and we will take prompt action.

12. Data Security

We use technical and organizational measures designed to protect your information against unauthorized access, loss, misuse, or alteration. These include:

• Encryption in transit (TLS 1.2 or higher) for all communications between the app and our servers
• Encryption at rest for database and backup storage
• Row-level security in our database that restricts each user's data to their own account
• Strict access controls within our team, with privileged access limited to the minimum necessary personnel
• Regular review of our security posture, including dependency vulnerability scans

No security system is perfect. In the event of a data incident affecting your personal information, we will notify you and applicable authorities as required by law.

13. Data Retention

We retain personal information only for as long as necessary to provide the Services and to fulfill the purposes described in this Policy.

• Account information — retained for the life of your account plus up to 30 days after deletion to allow recovery in case of accidental deletion
• Property and financial information you enter — retained while your account is active; deleted along with your account
• Pricing feedback data (if you consented) — retained indefinitely in aggregated form for model improvement; individual-level records are deleted when you delete your account
• Usage and diagnostic logs — retained up to thirteen (13) months
• Financial records required by law — retained as long as applicable tax or accounting law requires
• Backups — routine backups are retained up to thirty-five (35) days after creation; we do not restore from backup in ways that would resurrect deleted accounts

14. International Data Transfers

We store and process personal information in the United States. If you are accessing the Services from outside the United States, please be aware that your information may be transferred to, stored in, and processed in the United States, where data-protection laws may differ from those in your country. By using the Services, you consent to such transfer. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses.

15. Cookies, Tracking Technologies, and Do Not Track

Our mobile application does not use web cookies in the traditional sense but does use similar local storage mechanisms (such as persistent tokens for keeping you signed in and cached property data for offline-first rendering). These are strictly necessary for the app to function.

Our supporting websites, if any, may use essential cookies and, where you have given consent, optional analytics cookies.

We honor the Global Privacy Control (GPC) signal as a valid opt-out for purposes under applicable law. We do not respond to traditional Do Not Track headers because no consistent industry standard has emerged.

16. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will notify you by an in-app notice, by email to the address on file, or by posting the updated Policy with a new "Last Updated" date and a summary of the most significant changes. Where required by law, we will seek your renewed consent before applying a material change to your data.

Minor, non-material changes (such as formatting, typo fixes, or expansion of a list of examples) may be made without notice. We encourage you to review this Policy periodically.

17. No Rights to Third Parties

This Policy does not create any rights for any person other than you as a user of the Services. No other individual or entity may enforce any term of this Policy.

18. Contact Us

For questions about this Policy, to exercise any privacy right, or to report a concern:

• Privacy requests: privacy@cribfolio.com
• Legal notices: legal@cribfolio.com
• Product support: support@cribfolio.com
• General inquiries: info@cribfolio.com
• In-app: Settings → Contact Support
• Mail: Cribfolio, 1321 Sartori Ave, Suite A, Torrance, CA 90501, USA

We aim to respond to every privacy inquiry within five (5) business days and to resolve every request within the timeframes required by applicable law.

End of Privacy Policy — v1.4 — 2026-05-27