Privacy Policy

Effective date: April 10, 2026

1. Overview

curbkarma ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address. We use this for authentication (via magic link or password) and to send you inquiry notifications.

2.2 Home and Project Data

You may provide the following information voluntarily:

  • Home details: name, address, year built, square footage
  • Project details: title, category, status, dates, costs, contractor information, material details, warranty information, permit status, and notes
  • Timeline notes associated with projects

2.3 Photos and Documents

You may upload photos and documents (receipts, invoices) to the Service. Photos are stored in a private storage bucket accessible only to you. Uploaded images are resized to a maximum of 2048 pixels and compressed to JPEG format. HEIC images are automatically converted to JPEG.

2.4 Inquiry Data (from third parties)

When someone submits an inquiry about your shared report, we collect their name, email address, professional role, and message. This data is stored and forwarded to you.

2.5 Automatically Collected Data

We do not use third-party analytics, tracking pixels, or advertising cookies. We do collect limited operational data:

  • Shared report view counts and last viewed timestamps
  • Failed passcode attempt counts (for brute-force protection)
  • AI parsing request counts (for rate limiting)

3. How We Use Your Information

  • To provide, operate, and maintain the Service
  • To authenticate your identity and secure your account
  • To process AI-powered receipt parsing when you opt in
  • To generate shareable reports at your request
  • To deliver inquiry messages and email notifications
  • To enforce rate limits and prevent abuse
  • To respond to support requests

We do not sell, rent, or trade your personal information.

4. Third-Party Services

We use the following third-party services to operate curbkarma. Each processes data only as necessary to provide its function:

Supabase (database, authentication, storage)

Stores your account data, home/project records, and photos. Handles authentication via email magic links and passwords. Data is stored in a PostgreSQL database with row-level security enforced.

Cerebras (AI receipt parsing)

When you use the receipt parsing feature, your uploaded document is sent to Cerebras for text extraction. The document is processed in real time and is not retained by Cerebras after the request completes.

Resend (email delivery)

Sends inquiry notification emails to homeowners. Emails contain the sender's name, email, role, and message content.

Cloudflare (hosting, DNS, bot protection)

Serves the web application, manages DNS for curbkarma.com, and provides bot protection via Turnstile on the inquiry form. Cloudflare may process IP addresses and browser metadata for security purposes per their own privacy policy.

5. Data Sharing

Your data is shared only in these circumstances:

  • Shared reports: When you create a shared report, the included home details, project data, and photos are accessible to anyone with the link (and passcode, if set). You control what is shared.
  • Third-party services: As described in Section 4, limited data is processed by our service providers to operate the platform.
  • Legal requirements: We may disclose your information if required by law, court order, or governmental request.

6. Data Storage and Security

Your data is stored in Supabase-managed infrastructure. All database tables are protected by row-level security policies, ensuring users can only access their own data. Photos are stored in a private bucket and accessed via time-limited signed URLs (1-hour expiry for in-app use, 7-day expiry for shared reports).

Authentication sessions use JWTs with 1-hour expiry and automatic token rotation. Passcode-protected reports lock after 3 failed attempts.

While we implement reasonable security measures, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and shared report links.

7. Data Retention

Your data is retained for as long as your account is active. Upon account deletion:

  • Permanently deleted: authentication data, shared reports, inquiry messages, timeline entries, photos, and AI parsing logs
  • Anonymized: home and project records have all personal identifiers removed (names, titles, addresses, contractor details, notes, photo references) and may be retained for aggregate analytics

8. Your Rights

You have the right to:

  • Access your data: Export all your data as JSON from the Settings page at any time
  • Correct your data: Edit your home and project information directly in the app
  • Delete your data: Delete your account from the Settings page, which triggers permanent deletion and anonymization as described in Section 7
  • Revoke shared access: Delete shared reports at any time to revoke public access

9. Cookies and Local Storage

curbkarma does not use advertising or analytics cookies. We use browser local storage solely to maintain your authentication session (managed by Supabase). Cloudflare may set security cookies as part of its bot protection service.

10. Children's Privacy

The Service is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date at the top of this page. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at support@curbkarma.com.