Privacy Policy

Last updated: March 24, 2026

Summary: eCartar collects the minimum data necessary to provide the service. We do not sell your personal information. Your investment data belongs to you. We use third-party services (Supabase, Stripe, Google, Anthropic, Vercel) to operate the platform, and we disclose exactly how below.

1. Who we are

eCartar ("we," "us," "our") is a real estate investment analysis platform operated from the United States. We are in the process of formal incorporation; this policy will be updated with the legal entity name and registered address once incorporation is complete.

For privacy-related questions, contact us at: privacy@ecartar.com

2. Information we collect

2.1 Account information

When you create an account, we collect:

  • Email address
  • Password (stored as a cryptographic hash — we never store or see your plaintext password)
  • Display name (if provided)
  • Google account information (if you sign up via Google OAuth): name, email, and profile picture URL

2.2 Investment and financial data

When you use eCartar to analyze investments, you provide property details, financial inputs, and assumptions. This data is stored to provide the service and is accessible only to you (and our systems as needed to operate the platform). We do not access, review, or use your investment data for any purpose other than providing and improving the service.

2.3 Payment information

If you subscribe to a paid plan (Pro or Max), payment is processed by Stripe. We do not store your credit card number, CVV, or full card details on our servers. Stripe provides us with a truncated card identifier (last 4 digits), expiration date, and billing address for record-keeping purposes. See Stripe's Privacy Policy.

2.4 Usage data

We automatically collect certain technical information when you use eCartar:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used within the application
  • Timestamps of activity
  • Referral source (how you found eCartar)

This data is used for security, debugging, and improving the product. It is not used for advertising or sold to third parties.

2.5 AI-processed data (Max plan only)

If you use AI-powered features (investment analysis, portfolio summary, document scanner), your investment data is sent to Anthropic's API for processing. Anthropic processes this data solely to generate the analysis response and does not use it to train models. See Anthropic's Privacy Policy.

2.6 Uploaded documents (Max plan only)

If you use the document scanner feature, uploaded PDFs (offering memorandums, rent rolls, T12 statements, etc.) are processed to extract data into your analysis. Uploaded documents are stored temporarily for processing and deleted within 30 days unless you choose to retain them.

3. How we use your information

We use the information we collect to:

  • Provide, maintain, and improve eCartar's services
  • Process your subscription and manage billing
  • Authenticate your identity and secure your account
  • Generate AI-powered analyses when you request them (Max plan)
  • Send transactional emails (account confirmation, password reset, billing receipts)
  • Respond to support tickets and inquiries
  • Monitor for security threats and prevent abuse
  • Analyze aggregate, anonymized usage patterns to improve the product

We do not use your information to serve advertisements, build advertising profiles, or sell your data to any third party.

4. Third-party services

eCartar relies on the following third-party service providers to operate. Each has access only to the data necessary for their function:

Provider | Purpose | Data shared
Supabase | Database, authentication, file storage | Account data, investment data, uploaded documents
Stripe | Payment processing | Billing information, email, subscription status
Google | OAuth authentication (optional) | Name, email, profile picture (only if you choose Google sign-in)
Anthropic | AI analysis features (Max plan) | Investment metrics submitted for analysis (not stored by Anthropic for training)
Vercel | Application hosting and deployment | IP address, request metadata (standard web hosting logs)

We may add additional service providers as the platform grows. This policy will be updated accordingly, and material changes will be communicated to you via email or in-app notification.

5. Data storage and security

Your data is stored on servers operated by Supabase (built on AWS infrastructure) located in the United States. We implement the following security measures:

  • All data is encrypted in transit using TLS 1.2+
  • Database-level encryption at rest
  • Passwords are hashed using bcrypt with salting
  • Row-level security policies ensuring users can only access their own data
  • Access to production systems is restricted and logged

No system is perfectly secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security. If we become aware of a data breach affecting your personal information, we will notify you and applicable authorities as required by law.

6. Data retention

  • Account data: Retained for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g., billing records for tax purposes).
  • Investment data: Retained for as long as your account is active. Deleted upon account deletion.
  • Payment records: Retained for 7 years as required for tax and accounting compliance.
  • Usage logs: Retained for up to 12 months, then anonymized or deleted.
  • Uploaded documents: Deleted within 30 days of processing unless you explicitly choose to retain them.

7. Your rights

Depending on your location, you may have the following rights regarding your personal data:

7.1 All users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate personal data.
  • Deletion: Request deletion of your personal data and account.
  • Data portability: Request an export of your investment data in a standard format.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

7.2 California residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • The right to know what personal information we collect and how we use it
  • The right to delete your personal information
  • The right to opt out of the sale of personal information — we do not sell personal information
  • The right to non-discrimination for exercising your privacy rights

7.3 European Economic Area residents (GDPR)

If you are in the EEA, our legal bases for processing are:

  • Contract performance: Processing necessary to provide the service you signed up for
  • Legitimate interest: Security monitoring, fraud prevention, product improvement
  • Consent: AI-powered analysis features, marketing communications (if any)

You have the right to lodge a complaint with your local data protection authority.

7.4 Exercising your rights

To exercise any of these rights, contact us at privacy@ecartar.com. We will respond within 30 days. We may verify your identity before processing the request.

8. Cookies and tracking

eCartar uses essential cookies required for the platform to function (authentication session, preferences). We do not use advertising cookies or third-party tracking cookies for marketing purposes.

If we add analytics tools in the future, this section will be updated and you will be given the option to opt out.

9. Children's privacy

eCartar is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If we learn that we have collected data from a child under 18, we will delete it promptly.

10. International data transfers

eCartar is operated from the United States. If you access the service from outside the US, your data will be transferred to and processed in the United States. By using eCartar, you consent to this transfer. We rely on standard contractual clauses and service provider agreements to safeguard international transfers where applicable.

11. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or a prominent notice within the application at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact us

If you have questions about this Privacy Policy or our data practices, contact us at:

Email: privacy@ecartar.com

We aim to respond to all inquiries within 5 business days.

© 2026 eCartar. All rights reserved.