Privacy Policy
Last updated: 23 March 2026
1. Who We Are
ReportRex AI (“we”, “us”, “our”) operates the property market report platform available at reportrexai.com and associated subdomains (collectively, the “Service”). ReportRex AI is incorporated in the State of Delaware, USA.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. The Service is intended for use by real estate professionals operating in the United States.
2. Information We Collect
2.1 Account Information
When you register, we collect:
- Full name and email address
- Phone number (optional, displayed on generated reports)
- Brokerage or agency name
- State and city
- Profile photo and brokerage logo (optional)
- Brand color preference
- Password (stored as a bcrypt hash via Supabase Auth — we never see your plain-text password)
2.2 Report and Usage Data
When you use the Service, we collect:
- Reports you generate, including suburb or location, timeframe, market data, and AI-generated content
- Homeowner names and street addresses you enter for cover letters (stored only within your report record)
- Email addresses of homeowners you send reports to
- Report email open events (tracked via a per-email pixel — no cross-site tracking profiles are created)
- Report generation counts and usage metrics
2.3 Billing Information
Subscription payments are processed by Paddle as Merchant of Record. We do not store your credit card or payment card details on our servers. Paddle provides us with subscription status, plan type, and billing dates only. Paddle’s privacy practices are governed by their own Privacy Policy.
2.4 Technical Data
- IP address and browser or device type (collected by Supabase Auth on login)
- Session cookies necessary for authentication
- Error logs and performance data (used internally for debugging and service improvement)
3. How We Use Your Information
We use your personal information to:
- Provide, operate, and improve the ReportRex AI platform
- Generate branded PDF reports and web report pages with your name, logo, and contact details
- Send transactional emails (account verification, report delivery, billing notifications) via Resend
- Send product-related emails during your trial period (onboarding tips, usage reminders) — you may opt out at any time
- Enforce plan limits and manage subscription access
- Detect and prevent fraud, abuse, and Terms of Service violations
- Comply with applicable US laws and regulations
We do not sell your personal data to third parties. We do not use your data to train AI models.
4. AI Processing
When generating market commentary and cover letters, suburb and market data is sent to the Google Gemini API for processing. We do not send your personal profile details (name, photo, etc.) to the Gemini API. Homeowner first names entered for cover letters are sent to Gemini solely to personalize the letter greeting. Google’s data processing for API customers is governed by the Google Cloud Data Processing Addendum.
5. Third-Party Service Providers
We share data with the following third-party processors only as necessary to provide the Service:
Each service provider is contractually required to handle data securely and only for the purposes we specify. We do not authorize them to use your data for their own purposes.
6. Data Retention
- Account data is retained while your subscription is active and for 90 days after cancellation or account closure
- Generated reports are retained indefinitely while your account is active
- Upon account deletion request, all personal data is permanently deleted within 30 days, except where retention is required by applicable law
- Email delivery logs are retained for 90 days for debugging purposes, then deleted
- Cached market data (Redis) contains no personal information and expires automatically after 24 hours
7. Cookies
We use only cookies that are strictly necessary for the operation of the Service:
- Authentication cookies — maintained by Supabase Auth to keep you logged in (session-based, cleared on logout or expiry)
- CSRF protection tokens — prevent cross-site request forgery
We do not use advertising cookies, third-party tracking pixels, or analytics cookies. The report open tracking pixel used in email delivery is associated only with a specific report email record and does not create tracking profiles across sites or sessions.
8. CAN-SPAM Compliance
All marketing and promotional emails we send comply with the CAN-SPAM Act. Each marketing email includes a clear and conspicuous unsubscribe mechanism. We will honor opt-out requests within 10 business days. Transactional emails (billing receipts, account security notices, report delivery) are not subject to opt-out under CAN-SPAM as they are necessary for the operation of your account.
9. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights regarding your personal information:
- Right to Know — you may request details about the categories and specific pieces of personal information we have collected about you
- Right to Delete — you may request deletion of your personal information, subject to certain exceptions
- Right to Opt-Out of Sale — we do not sell your personal information to third parties. No opt-out action is required.
- Right to Non-Discrimination — we will not discriminate against you for exercising any of your CCPA rights
To exercise your CCPA rights, email us at privacy@reportrexai.com. We will respond within 45 days as required by law.
10. Your Privacy Rights (All Users)
Regardless of location, all users of the Service may:
- Access — request a copy of personal data we hold about you
- Correction — update inaccurate or incomplete data (most data can be updated directly in your account settings)
- Deletion — request deletion of your account and associated personal data
- Portability — request an export of your report data in a structured format
- Opt-Out of Marketing — unsubscribe from marketing emails at any time using the link in any email or by contacting us
To exercise any of these rights, email privacy@reportrexai.com. We will respond within 30 days.
11. Children’s Privacy (COPPA)
The Service is intended for professional use by adults aged 18 and over. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete it promptly in accordance with the Children’s Online Privacy Protection Act (COPPA).
12. Security
We implement reasonable technical and organizational measures to protect your data, including:
- All data is transmitted over HTTPS with TLS encryption
- Row-level security (RLS) enforced at the database level — users can only access their own data
- Supabase Storage with private bucket access and signed URLs with short expiry
- API rate limiting on all endpoints
- No payment card data stored on our servers — handled entirely by Paddle
No method of electronic storage or transmission is 100% secure. If you believe your account has been compromised, contact us immediately at support@reportrexai.com.
13. Governing Law
This Privacy Policy is governed by the laws of the State of Delaware, USA, without regard to conflict of law principles. By using the Service, you consent to the collection and use of your information as described in this policy.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email and update the “Last updated” date above. Continued use of the Service after the updated policy takes effect constitutes your acceptance of the revised policy.
15. Contact
For privacy-related questions or requests:
ReportRex AI — Privacy
privacy@reportrexai.com
reportrexai.com