Value AddCalculator

Privacy Policy

Last updated: April 19, 2026

1. Overview

This Privacy Policy explains what information Value Add Calculator ("VAC", "we", "us") collects, how we use it, who we share it with, how long we keep it, and your rights over it. It applies to the VAC web application, the public API, transactional emails, and the contractor portal. By using VAC you agree to this Policy. If you do not agree, do not use VAC.

2. Information We Collect

2.1 Account information. Email address, display name, hashed password, organization name, plan tier, role (owner, member), and any avatar image you upload.

2.2 Deal & business data you enter. Property addresses, purchase and ARV figures, rehab budgets, rent rolls, loan terms, calculator inputs and outputs, scope-of-work line items, task lists, milestones, expense records, draw requests, contractor contact info, notes, tags, and any files or photos you upload. This is Your Content under our Terms of Service.

2.3 Contractor information. If you invite a contractor to a deal, we collect and store the name, email, and phone number you provide, plus any files, comments, or draw requests the contractor submits through their limited portal access.

2.4 Billing information. If you subscribe to a paid plan, we receive a Stripe customer ID, subscription status (trialing, active, past due, canceled), plan tier, billing cycle, invoice history, and the last four digits and card brand of your payment method. We do not see or store full card numbers, CVC, or bank credentials. Full payment data is collected and stored by Stripe.

2.5 Usage & diagnostic data. We log application events needed to operate and secure the Service: page paths visited, feature interactions (e.g., "created deal", "exported PDF", "generated SOW"), API request metadata (endpoint, timestamp, status code, API key identifier), rate-limit counters, approximate IP-derived region, browser type, and device type. We record error and performance telemetry via Sentry.

2.6 Communications. When you contact support, email us, or use the in-app live chat, we keep the content of the messages and any metadata needed to respond. Transactional emails we send (verification, receipts, invitations, password resets) are delivered through Resend, which records basic delivery metadata (sent, delivered, bounced, complained).

2.7 Cookies & local storage. We use a small number of strictly necessary cookies and localStorage entries to keep you signed in, to protect against CSRF attacks, to remember your UI preferences (e.g., sidebar state), and to measure aggregate product usage with PostHog. We do not use advertising cookies or share data with ad networks.

3. How We Use Information

  • Provide the Service — authenticate you, save and sync deal data, generate reports, deliver emails, run calculators and AI features you trigger.
  • Billing — create and manage your subscription through Stripe, send receipts, enforce seat limits and quotas.
  • Security & abuse prevention — rate-limit requests, detect unauthorized access, maintain audit logs of sensitive actions.
  • Support — respond to your questions, diagnose issues, recover data from backups when appropriate.
  • Improve the product — analyze aggregate usage, crash reports, and feature-adoption funnels to prioritize improvements. Where feasible, this analysis uses de-identified or aggregated data.
  • Legal & compliance — comply with applicable laws, respond to lawful requests from authorities, enforce our Terms, and protect our rights and the rights of users.

We do not sell your personal information, and we do not share it with third parties for their own advertising or marketing.

4. AI Features & Third-Party Processing

When you use AI-assisted features such as scope-of-work generation, the inputs you submit (including photos you upload, property details, and any notes) are transmitted to our AI provider (currently Anthropic) to generate the output. Inputs and outputs may be transiently logged by the provider for abuse detection and reliability, subject to the provider's own policies. We do not use your data to train general-purpose AI models.

Do not submit to AI features any content you are not authorized to share with a third-party AI provider, and do not submit sensitive personal information, protected health information, or regulated data.

5. Third-Party Services (Subprocessors)

We use the following service providers to operate VAC. Each has access only to the data needed for the function described and is contractually required to protect it:

  • Supabase — database, authentication, and file storage. Privacy
  • Vercel — application hosting, edge network, and deploy infrastructure. Privacy
  • Stripe — payment processing, subscription management, billing portal. Privacy
  • Resend — transactional email delivery. Privacy
  • Anthropic — AI model provider for scope-of-work generation. Privacy
  • Rentcast — property and comparable-sales data lookups (address-based queries only). Privacy
  • Sentry — error and performance monitoring. Stack traces and request metadata may include user IDs and URLs. Privacy
  • PostHog — product analytics and feature-funnel measurement. Privacy
  • Better Stack — uptime monitoring and status page. Privacy
  • Crisp — in-app live chat for customer support. Privacy
  • Upstash — rate-limit and webhook-idempotency storage. Privacy

6. Sharing of Information

We share personal information only as follows:

  • Within your organization. Deal data and related files are visible to the teammates and contractors you explicitly add to the organization or deal.
  • Service providers. As listed in Section 5, for the functions described.
  • Legal process. When we believe in good faith that disclosure is required by law, subpoena, or court order, or is necessary to protect rights, safety, or the integrity of the Service.
  • Business transfer. If we are involved in a merger, acquisition, reorganization, financing due diligence, or sale of assets, personal information may be transferred to the counterparty subject to confidentiality obligations and this Policy.

7. Data Retention & Deletion

Active accounts. We retain your data for as long as your account is active or as needed to provide the Service.

Account deletion. When you delete your account from settings, we immediately (a) cancel your Stripe subscription, (b) revoke all API keys, (c) delete your deals, contractor portals, notifications, financial records, and third-party integration tokens, (d) remove you from all organizations, and (e) delete your profile and authentication record. Aggregate, de-identified analytics records that cannot reasonably be linked back to you may be retained.

Backups. Encrypted database backups are retained by our infrastructure providers for up to 30 days before being overwritten. Deleted content may persist in those rolling backups until the window rolls over.

Email & billing records. We retain invoice and billing records for the period required by applicable tax and accounting law (typically up to 7 years).

Inactive accounts. We may delete accounts that have been inactive for an extended period (24+ months) after reasonable notice to the account email.

8. Data Security

We use industry-standard safeguards to protect your data, including:

  • HTTPS/TLS for all data in transit.
  • Encrypted storage at rest for database, file uploads, and integration tokens (for example, Google Calendar OAuth tokens are encrypted with a dedicated application key).
  • Password hashing via Supabase Auth (bcrypt).
  • Row-level security policies so users can only read and write their own data.
  • CSRF protection, rate limiting, and webhook signature verification on sensitive endpoints.
  • Audit logging of destructive actions.

No system is 100% secure. You share responsibility for security by using a strong password, enabling any available multi-factor authentication, rotating API keys if exposed, and not sharing your credentials.

9. Your Rights & Choices

Regardless of where you live, you may:

  • Access the personal information we hold about you.
  • Correct inaccurate information through your account settings or by emailing us.
  • Export your deal data in a machine-readable format (for example, CSV or PDF).
  • Delete your account from account settings, which triggers the deletion described in Section 7.
  • Object to or restrict certain processing, subject to applicable law.
  • Withdraw consent where processing relies on consent.
  • Opt out of marketing emails via the unsubscribe link in any marketing message. Transactional messages needed to operate the Service (receipts, security alerts, password resets) will continue.

To exercise rights that are not self-service, email us at the address below. We may need to verify your identity before acting. We will respond within the timeframe required by applicable law.

10. California Residents (CCPA / CPRA)

If you are a California resident, you have the right to know the categories of personal information we collect, the sources, the business purpose, and the categories of third parties with whom we share it — all of which are described in this Policy. You also have the right to request access, deletion, correction, and portability, and to opt out of "sales" and "sharing" of personal information as defined by California law. We do not sell or share personal information as those terms are defined under the CCPA/CPRA. To exercise your rights, contact us at the email address below. We will not discriminate against you for exercising your rights.

11. International Users & Data Transfers

VAC is operated from the United States and our primary infrastructure is located in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States, which may have data-protection laws different from those in your jurisdiction. Where required by law, we rely on appropriate safeguards (such as standard contractual clauses) for international transfers.

12. Children's Privacy

VAC is not directed to individuals under 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact us and we will take reasonable steps to delete it.

13. Changes to This Policy

We may update this Policy from time to time. For material changes we will give reasonable notice by email or in-app notice before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

14. Contact

Questions about this Policy, or requests to exercise your rights, should be sent to:

Email: cameron@creativehomespro.com

Terms of ServiceSign InCreate Account