01
Information We Collect
We collect information you provide directly, information collected automatically through your use of the Service, and information obtained from third parties, in each case as described below.
A. Information you provide directly
- Account registration data: full name, email address, and password when you create an account.
- Payment and billing information: credit or debit card details, billing address, and transaction history — processed and stored by Stripe, Inc. on our behalf. Patchly does not store raw payment card data.
- Communications: messages, support requests, feedback, and survey responses you submit to us.
- User-generated content: addresses, neighborhood searches, and any annotations or notes you create within the Service.
B. Information collected automatically
- Log data: IP address, browser type and version, operating system, referring URLs, pages viewed, and timestamps.
- Device identifiers: hardware model, unique device identifiers, and mobile network information where applicable.
- Usage data: features accessed, reports generated, search queries (addresses), session duration, and click-path analytics.
- Cookies and similar technologies: session cookies (required for authentication), preference cookies, and analytics cookies as described in Section 7.
C. Information from third parties
- Authentication providers (e.g., Google OAuth): if you choose to authenticate via a third-party identity provider, we receive your name, email address, and profile photo as permitted by your settings with that provider.
- Stripe, Inc.: subscription status, payment method type (e.g., Visa ending in 4242), and billing cycle information.
- OpenStreetMap / Nominatim: geographic coordinates and address metadata returned in response to user-initiated searches. We do not transmit personally identifiable information to these services beyond the address string you enter.
- Analytics providers: aggregate and pseudonymized behavioral data as described in Section 7.
02
How We Use Your Information
We use the personal information we collect for the following purposes, each of which is grounded in a lawful basis under applicable data protection law:
- Service delivery: to create and maintain your account, process your subscription, generate neighborhood intelligence reports, and provide the features you access.
- Authentication and security: to verify your identity, prevent unauthorized access, detect and investigate fraud, and enforce our Terms of Service.
- Billing and payments: to process payments, issue invoices, handle refund requests, and maintain accurate financial records as required by law.
- Product improvement: to analyze usage patterns, diagnose technical issues, measure feature adoption, and prioritize development efforts. This analysis is performed on pseudonymized or aggregated data wherever feasible.
- Communications: to send transactional emails (e.g., account confirmation, password reset, subscription receipts), service notifications, and — where you have consented — marketing communications. You may opt out of marketing communications at any time.
- Legal compliance: to comply with applicable laws, regulations, legal process, or enforceable governmental requests, and to establish, exercise, or defend legal claims.
- Legitimate interests: to protect the safety of our users and third parties, prevent abuse, and ensure the integrity of the Service, where such interests are not overridden by your data protection rights.
03
How We Share Your Information
Patchly, Inc. does not sell, rent, or trade your personal information to third parties for their own marketing purposes. We disclose personal information only in the following circumstances:
- Service providers (processors): we engage third-party companies to perform functions on our behalf, including cloud hosting (Supabase / AWS), payment processing (Stripe), email delivery, and analytics. These providers access personal information only as necessary to perform their services and are contractually bound to protect it.
- Business transfers: in connection with a merger, acquisition, reorganization, asset sale, or similar transaction, your information may be transferred as part of the business assets. We will notify you via email and/or prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.
- Legal obligations: we may disclose information when required by law, subpoena, court order, or other governmental authority, or when we believe in good faith that disclosure is necessary to protect rights, property, or safety.
- With your consent: we may share information for any other purpose with your explicit prior consent.
- Aggregated / de-identified data: we may share anonymized, aggregated, or de-identified information that cannot reasonably be used to identify you, without restriction.
04
Data Retention
We retain personal information for as long as your account is active or as needed to provide you the Service. Specifically:
- Account data is retained for the duration of your subscription and for up to 90 days following account deletion, after which it is permanently purged from production systems.
- Report data (neighborhood analyses you have generated) is retained for 24 months from the date of generation, or until you delete your account, whichever comes first.
- Billing records are retained for 7 years as required by applicable tax and accounting regulations, even after account closure.
- Server logs are retained for 30 days for security and diagnostic purposes, then deleted automatically.
- Backup systems may retain data for an additional 30-day window beyond the periods described above. Backups are encrypted and access is strictly controlled.
You may request deletion of your account and associated personal data at any time by contacting us at privacy@patchly.com. We will process deletion requests within 30 days, subject to legal retention obligations described above.
05
Data Security
We implement and maintain administrative, technical, and physical security measures designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. These measures include:
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted using AES-256.
- Authentication tokens and session credentials are managed via Supabase Auth with Row Level Security (RLS) policies enforced at the database layer.
- Payment card data is handled exclusively by Stripe, which is PCI DSS Level 1 certified.
- Access to production systems is restricted to authorized personnel and protected by multi-factor authentication.
- We conduct periodic reviews of our security practices and update them as threats evolve.
No method of transmission over the Internet or electronic storage is 100% secure. While we take the protection of your data seriously and use industry-standard measures, we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.
06
Your Rights and Choices
Depending on your jurisdiction, you may have the following rights with respect to your personal information:
- Access: the right to request a copy of the personal information we hold about you.
- Rectification: the right to request correction of inaccurate or incomplete personal information.
- Erasure ('right to be forgotten'): the right to request deletion of your personal information, subject to legal retention obligations.
- Restriction: the right to request that we restrict processing of your personal information in certain circumstances.
- Portability: the right to receive your personal information in a structured, commonly used, machine-readable format.
- Objection: the right to object to processing of your personal information based on our legitimate interests.
- Withdrawal of consent: where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Non-discrimination: we will not discriminate against you for exercising any of these rights.
To exercise any of these rights, contact us at privacy@patchly.com. We will respond within 30 days (or the period required by applicable law). We may require verification of your identity before processing your request.
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.
07
Cookies and Tracking Technologies
We use the following categories of cookies and similar technologies:
- Strictly necessary cookies: required for the Service to function. These include session authentication tokens managed by Supabase. You cannot opt out of these without losing access to the Service.
- Preference cookies: remember settings such as language or display preferences. You may disable these in your browser settings, though some features may be affected.
- Analytics cookies: used to understand how users interact with the Service (e.g., pages visited, features used). We use pseudonymized identifiers and do not link this data to your name or email address unless you are logged in.
You may control cookies through your browser settings. Most browsers allow you to refuse new cookies, delete existing cookies, or be notified when a cookie is set. Note that disabling strictly necessary cookies will impair your ability to use the Service.
08
Third-Party Links and Services
The Service may contain links to third-party websites, including data sources referenced in neighborhood reports (e.g., FEMA flood maps, Census Bureau). These links are provided for informational purposes only. Patchly, Inc. is not responsible for the privacy practices or content of third-party websites. We encourage you to review the privacy policy of any third-party site you visit.
09
Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we may have any information from or about a child under 18, please contact us immediately at privacy@patchly.com.
10
International Data Transfers
Patchly, Inc. is based in the United States. If you access the Service from outside the United States, your personal information will be transferred to, stored in, and processed in the United States and potentially other countries where our service providers operate. These countries may have data protection laws that differ from those in your country.
Where required by applicable law, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses or equivalent safeguards) to ensure that transfers of personal information to countries without adequate protections are lawfully made.
11
Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time. If we make material changes, we will notify you by updating the effective date at the top of this page and, where required by law, by sending you an email notification or displaying a prominent notice within the Service at least 30 days before the changes take effect.
Your continued use of the Service after the effective date of any modification constitutes your acceptance of the updated Privacy Policy. If you do not agree to the modified policy, you must stop using the Service and may request deletion of your account.
12
Contact Us
If you have questions, concerns, or requests relating to this Privacy Policy or our privacy practices, please contact us:
Patchly, Inc.
Privacy inquiries:
privacy@patchly.com
We respond to all privacy-related requests within 30 days.
This document constitutes the complete and exclusive Privacy Policy of Patchly, Inc. with respect to the Service. It supersedes all prior versions. In the event of any conflict between a translated version and the English version, the English version shall prevail. Effective: April 14, 2025.