Privacy Policy
Effective Date: March 10, 2026 — Last Updated: March 21, 2026
Rezzly LLC (“Company,” “we,” “us,” or “our”) is committed to protecting the privacy of individuals who use our HOA covenant violation documentation and management platform (the “Service”). This Privacy Policy explains how we collect, use, disclose, retain, and protect your information when you access or use the Service.
This Privacy Policy is incorporated into and forms part of our Terms of Service. By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
1. Scope and Applicability
This Privacy Policy applies to all Users of the Service, including HOA board members, property management company representatives, residents who submit potential violations, and homeowners who access the Service to view or pay violation-related fines. It covers information collected through the Service’s web application, APIs, email communications, and any other interactions with the Company related to the Service.
This Privacy Policy does not apply to third-party websites or services that may be linked from or integrated with the Service. We encourage you to review the privacy policies of any third-party services you access.
2. Information We Collect
2.1 Information You Provide Directly
| Category | Examples | When Collected |
|---|---|---|
| Account Information | Name, email address, phone number, mailing address, password, role within the HOA or management company | Account registration and profile updates |
| Organization Information | HOA name, community name, management company name, business address, tax identification number (for billing) | Organization account setup |
| Governing Documents | CC&Rs, bylaws, architectural guidelines, community rules, and other enforceable covenant documents | Document upload |
| Violation Reports | Photographs of alleged violations, written descriptions, property addresses, unit or lot numbers, dates and times of alleged violations, names of involved parties | Violation submission |
| Payment Information | Billing name, billing address, payment method details (processed and stored by our third-party payment processor; we do not store full credit card numbers) | Subscription purchase and violation fine payments |
| Communications | Messages, emails, support tickets, and other correspondence with us or through the Service | Customer support and in-app messaging |
2.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Device and Browser Information | IP address, browser type and version, operating system, device type, screen resolution, language preferences | Service optimization, security, and analytics |
| Usage Data | Pages viewed, features used, click patterns, time spent on pages, search queries within the Service, referring URLs | Service improvement and analytics |
| Log Data | Access times, error logs, API call records, server logs | Security monitoring and troubleshooting |
| Cookie and Tracking Data | Session cookies, persistent cookies, pixel tags, web beacons (see Section 7 for details) | Authentication, preferences, and analytics |
2.3 Photo Metadata (EXIF Data)
You may strip EXIF data from photographs before uploading them to the Service. Subscribing organizations may also configure whether geolocation data is extracted and retained through their organization settings. Removing or disabling geolocation data may reduce the evidentiary value of violation reports. We recommend consulting with your HOA’s legal counsel regarding photo evidence standards.
2.4 Information from Third Parties
We may receive information about you from third parties, including: identity verification services used to confirm account holder identity; payment processors providing transaction confirmations and fraud detection data; HOA board members or management companies who add you as a User; and publicly available property records used to verify property ownership or addresses.
3. How We Use Your Information
3.1 Providing and Operating the Service
- Creating and managing User accounts and organizational accounts
- Processing and displaying Governing Documents, violation reports, and related records
- Facilitating communication between HOA representatives, residents, and homeowners through the Service
- Processing subscription payments and violation fine payments
- Providing customer support
3.2 AI-Assisted Analysis
- Using uploaded Governing Documents, violation reports, photographs, and descriptions to provide AI-assisted categorization, flagging, and assessment of potential violations
- Collecting User feedback on AI-generated outputs (such as approval/disapproval ratings and written comments) to evaluate and improve the quality and accuracy of the Service’s AI-assisted features, including refining how results are presented and identifying areas for improvement. This feedback is used for product quality assurance and is not used to train or fine-tune machine learning models.
3.3 Voluntary AI Training Programs
From time to time, we may offer Users the opportunity to voluntarily participate in programs designed to improve our AI capabilities through model training. Participation in any such program is entirely optional and requires your explicit, informed consent before any of your data is used for training purposes. We will clearly describe what data would be used, how it would be processed, and how long it would be retained before requesting your consent. You may withdraw your consent at any time, and withdrawal will not affect your access to or use of the Service.
3.4 Service Improvement and Analytics
- Analyzing usage patterns to improve the Service’s features, performance, and user experience
- Conducting research and development on new features
- Generating aggregated, de-identified analytics and benchmarking reports
3.5 Security and Fraud Prevention
- Detecting, investigating, and preventing fraudulent, unauthorized, or illegal activity
- Monitoring for security threats and protecting the integrity of the Service
- Enforcing our Terms of Service
3.6 Legal Compliance and Communications
- Complying with applicable laws, regulations, and legal processes
- Sending transactional communications (account confirmations, billing notices, security alerts)
- Sending product updates and service announcements (you may opt out of non-essential communications)
4. How We Share Your Information
We do not sell your personal information. We share information only in the following circumstances:
4.1 Within Your Organization
Information you submit through the Service, including violation reports and associated photographs, is accessible to authorized Users within your HOA or management company account in accordance with role-based access controls. Board members and management company representatives can view all violation data for their community. Residents can view information related to their own submissions and, where the HOA permits, violation records pertaining to their property. Homeowners with payment accounts can view violation notices and payment records pertaining to their property.
4.2 Service Providers
We share information with third-party service providers who perform services on our behalf, including:
- Cloud hosting and infrastructure providers
- Payment processors
- Analytics providers
- Email and communication service providers
- Customer support tools
- AI and machine learning infrastructure providers
These providers are contractually obligated to use your information only as necessary to provide services to us and are bound by confidentiality obligations.
4.3 Legal Requirements
We may disclose your information if we believe in good faith that disclosure is necessary to: comply with applicable law, regulation, or legal process (such as a subpoena, court order, or government request); protect the rights, property, or safety of the Company, our Users, or the public; detect, prevent, or address fraud, security, or technical issues; or enforce our Terms of Service.
4.4 Business Transfers
If the Company is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.
4.5 With Your Consent
We may share your information for purposes not described in this Privacy Policy with your explicit consent.
4.6 Aggregated and De-Identified Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. This includes industry benchmarking data and aggregate violation trend reports.
5. Your Privacy Rights
Depending on your state of residence, you may have specific privacy rights under applicable law. We honor the following rights for all Users, regardless of location, to the extent technically feasible:
5.1 Right to Know and Access
You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for which it was collected, and the categories of third parties with whom it has been shared. You may access and download your personal data through your account settings or by contacting us.
5.2 Right to Correction
You have the right to request correction of inaccurate personal information we hold about you. You may update most account information directly through your account settings.
5.3 Right to Deletion
You have the right to request deletion of your personal information, subject to certain exceptions. We may retain information where necessary to: complete a transaction or provide the Service; comply with legal obligations; detect and prevent fraud or security incidents; exercise or defend legal claims; or fulfill the purposes described in this Privacy Policy where retention is reasonably necessary.
Please note that deletion of personal information within violation records may affect the integrity of your HOA’s enforcement documentation. We recommend consulting with your HOA before requesting deletion of violation-related data.
5.4 AI Training Consent
We do not use your data to train or fine-tune machine learning models unless you have explicitly opted in to a voluntary AI training program (see Section 3.3). If you have opted in, you may withdraw your consent at any time by contacting us at legal@rezzly.co or adjusting your preferences in your account settings. Withdrawal of consent will not affect your access to or use of the Service. Upon withdrawal, we will cease using your data for training purposes and will delete any training data derived from your content within thirty (30) days, except where such data has already been irreversibly incorporated into a trained model.
5.5 Right to Limit Use of Sensitive Personal Information
You have the right to direct us to limit our use and disclosure of your sensitive personal information (such as precise geolocation data extracted from photo EXIF metadata) to only what is necessary to provide the Service. To exercise this right, contact us at legal@rezzly.co or adjust your preferences in your account settings.
5.6 Right to Data Portability
You have the right to request that we transmit your personal information to another entity in a structured, commonly used, machine-readable format, to the extent technically feasible. You may also export your data directly through the Service’s data export feature (see Section 8.2).
5.7 Right to Opt Out of Sale or Sharing
We do not sell personal information as defined under the California Consumer Privacy Act (CCPA) or similar state laws. To the extent that sharing personal information with analytics providers constitutes a “sale” or “sharing” under applicable law, you may opt out by adjusting your cookie preferences (see Section 7) or by contacting us.
5.8 Right to Non-Discrimination
We will not discriminate against you for exercising your privacy rights. We will not deny you the Service, charge you different prices, or provide a different level or quality of Service as a result of your exercise of privacy rights.
5.9 Authorized Agents
You may designate an authorized agent to submit privacy requests on your behalf. We may require the agent to provide written authorization and verify your identity before processing the request.
5.10 How to Exercise Your Rights
To exercise any of these rights, contact us at legal@rezzly.co or submit a request through your account settings. We will respond to verifiable requests within forty-five (45) days. If we need additional time, we will notify you of the extension and the reason for it. We may request additional information to verify your identity before fulfilling your request.
5.11 Appeals
If we decline your privacy request, you have the right to appeal our decision by contacting us at legal@rezzly.co with the subject line “Privacy Request Appeal.” We will respond to appeals within sixty (60) days. If your appeal is denied, we will provide information on how to contact your state attorney general’s office, if applicable.
5.12 Rights of Non-User Data Subjects
The Service may process personal information about individuals who are not registered Users, including homeowners, residents, and other individuals who are the subject of violation reports submitted by subscribing organizations. If you are not a registered User but believe the Service contains personal information about you (such as photographs of your property, your address, or geolocation data associated with your property), you have the right to:
- Request confirmation of whether we hold personal information about you
- Request access to the specific personal information we hold about you
- Request correction of inaccurate personal information
- Request deletion of your personal information, subject to the exceptions described in Section 5.3
To exercise these rights, contact us at legal@rezzly.co with the subject line “Non-User Privacy Request” and include your name, property address, and a description of your request. We will coordinate with the subscribing organization as necessary to verify your identity and process your request. We will respond to verifiable requests within forty-five (45) days.
6. State-Specific Privacy Disclosures
6.1 California (CCPA / CPRA)
If you are a California resident, you have the rights described in Section 5, including the right to know, access, delete, and correct your personal information, the right to opt out of the sale or sharing of personal information, the right to limit use of sensitive personal information (Section 5.5), and the right to data portability (Section 5.6). In the preceding twelve (12) months, we have collected the categories of personal information described in Section 2. We do not sell personal information as defined by the CCPA. We collect and use sensitive personal information (including precise geolocation from photo EXIF data) only for the purposes of providing the Service and as described in this Privacy Policy. California residents may submit requests as described in Section 5.10.
6.2 Virginia (VCDPA)
Virginia residents have the right to access, correct, delete, and obtain a portable copy of their personal data, and the right to opt out of the processing of personal data for targeted advertising, sale, or profiling. To exercise these rights, contact us as described in Section 5.10.
6.3 Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Other States
Residents of Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have rights similar to those described above. We will comply with applicable state privacy laws and honor all verifiable consumer requests in accordance with those laws. We will update this section as additional state privacy laws take effect.
6.4 Illinois (BIPA)
We do not collect biometric identifiers or biometric information as defined under the Illinois Biometric Information Privacy Act (BIPA). Our AI analysis does not use facial recognition technology. Photo EXIF data (including GPS coordinates) is not considered biometric information under BIPA.
7. Cookies and Tracking Technologies
7.1 Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, session management, security (CSRF protection), load balancing. These cookies are essential for the Service to function and cannot be disabled. | Session or up to 30 days |
| Functional | Remembering your preferences (language, display settings, notification preferences) and providing enhanced functionality. | Up to 1 year |
| Analytics | Understanding how Users interact with the Service, measuring feature adoption, identifying performance issues. We use third-party analytics tools (such as Google Analytics) that may set their own cookies. | Up to 2 years |
7.2 Managing Cookies
You can manage your cookie preferences through the cookie settings banner displayed when you first visit the Service, or at any time by accessing “Cookie Preferences” in your account settings or in the footer of our website. You may also configure your browser to block or delete cookies, though this may affect the functionality of the Service.
7.3 Google Analytics
We use Google Analytics to collect and analyze usage data. Google Analytics uses cookies to collect information about your use of the Service, which is transmitted to and stored by Google. Google may use this data to contextualize and personalize ads within its own advertising network. You may opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-On. For more information on Google’s privacy practices, visit Google’s Privacy Policy.
7.4 Do Not Track and Global Privacy Control
Some browsers transmit “Do Not Track” (DNT) signals. There is no uniform standard for responding to DNT signals. Currently, the Service does not respond to DNT signals. However, you can manage tracking through your cookie preferences as described above.
The Service does recognize and honor Global Privacy Control (GPC) signals. When we detect a GPC signal from your browser, we will treat it as a valid request to opt out of the sale or sharing of your personal information as required by the California Consumer Privacy Act and other applicable state privacy laws.
8. Data Retention
8.1 Retention Periods
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account Information | Duration of account plus three (3) years after termination | Service provision and post-termination data export |
| Governing Documents | Duration of the subscribing organization’s Subscription plus three (3) years | Service provision and data export |
| Violation Reports and Photos | Duration of the subscribing organization’s Subscription plus three (3) years, or longer if required by applicable law or an active legal hold | HOA enforcement records, legal compliance |
| Photo GPS Coordinates | Same as associated violation report (stored separately from photographs with restricted access). Non-essential EXIF fields are discarded upon upload. | Property association and evidentiary integrity |
| Payment Records | Seven (7) years after the transaction | Tax and financial regulatory compliance |
| Usage and Analytics Data | Three (3) years from collection | Analytics and service improvement |
| Server Logs | Ninety (90) days | Security monitoring and troubleshooting |
| Product Feedback Data | Duration of account plus one (1) year after termination | Product quality assurance and service improvement |
8.2 Data Export
During your Subscription and for three (3) years following termination, you may export your data through the Service’s data export feature. Exported data will be provided in commonly used, machine-readable formats (such as CSV and JSON for structured data, and original file formats for uploaded documents and images).
8.3 Deletion After Retention Period
After the applicable retention period, we will securely delete or de-identify your personal information using industry-standard methods. Some information may persist in encrypted backups for a limited period; such backups are not actively used and are overwritten according to our standard backup rotation schedule.
9. Data Security
We implement administrative, technical, and physical safeguards designed to protect your information, including:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256 or equivalent
- Role-based access controls limiting employee and contractor access to personal data on a need-to-know basis
- Regular security assessments and penetration testing
- Multi-factor authentication available for all User accounts
- Automated monitoring for unauthorized access attempts
- Incident response procedures for data breaches
While we take reasonable measures to protect your information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security and are not responsible for the actions of unauthorized third parties who breach our security measures despite our efforts.
10. Data Processing Roles
10.1 Company as Service Provider / Data Processor
When the Service processes personal data of residents, homeowners, or other individuals on behalf of a subscribing HOA or management company, the subscribing organization acts as the business (or data controller) and the Company acts as the service provider (or data processor). The subscribing organization determines the purposes and means of processing personal data and is responsible for ensuring that its use of the Service complies with applicable privacy laws, including providing any required notices to consumers and data subjects before submitting their personal information to the Service.
The Company will cooperate with subscribing organizations in fulfilling their obligations to data subjects, including by facilitating responses to access, correction, and deletion requests submitted by non-User data subjects (see Section 5.12). Where the Company receives a privacy request directly from a non-User data subject, we will notify the relevant subscribing organization and coordinate with them to process the request.
10.2 Company as Business / Data Controller
The Company acts as the business (or data controller) for information collected directly from Users for account management, billing, analytics, and Service improvement purposes.
10.3 Data Processing Agreement
Subscribing organizations that require a formal Data Processing Agreement (DPA) may request one by contacting us at legal@rezzly.co. Our standard DPA addresses sub-processor disclosures, data transfer safeguards, breach notification obligations, and audit rights.
11. Geolocation Data
We extract precise geolocation data from EXIF metadata embedded in photographs uploaded to the Service solely for the purpose of associating violation reports with specific properties. Geolocation data is stored separately from the photograph with restricted access and is treated as sensitive personal information under applicable state privacy laws.
We do not collect real-time or continuous geolocation data from your device. We do not use geolocation data for advertising, profiling, or any purpose unrelated to violation documentation. Subscribing organizations may disable geolocation extraction through their organization settings. Users may also remove EXIF metadata from photographs before uploading by using their device’s privacy settings or a metadata removal tool.
12. Children’s Privacy
The Service is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we learn that we have inadvertently collected personal information from a child under 18, we will take steps to delete that information as promptly as possible. If you believe that a child under 18 has provided us with personal information, please contact us at legal@rezzly.co.
Photographs uploaded as part of violation reports may incidentally capture images of minors. Users must not upload photographs that prominently depict identifiable children. By using the Service, subscribing organizations agree to establish and enforce internal policies that prohibit the upload of photographs in which identifiable minors are a primary subject. If we become aware that a photograph prominently depicting an identifiable minor has been uploaded, we reserve the right to remove or require removal of the photograph. If you believe a photograph containing an image of your child has been uploaded to the Service, please contact us at legal@rezzly.co and we will promptly investigate and take appropriate action, including removal of the photograph if warranted.
13. Data Breach Notification
In the event of a data breach that compromises personal information, we will: notify affected Users and subscribing organizations without unreasonable delay, and in any event within the timeframes required by applicable state breach notification laws (which range from thirty to sixty days depending on the state); provide a description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken to address the breach; and cooperate with subscribing organizations in their own breach notification obligations to affected data subjects.
We maintain an incident response plan and conduct periodic tabletop exercises to ensure preparedness for security incidents.
14. International Data Transfers
The Service is operated from and data is stored in the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your jurisdiction. By using the Service, you consent to the transfer of your information to the United States.
15. Third-Party Links and Integrations
The Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third-party services. We are not responsible for the privacy practices of third parties and encourage you to review their privacy policies before providing them with any personal information.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Privacy Policy on the Service and updating the “Last Updated” date. For material changes that substantively affect how we collect, use, or share your personal information, we will provide at least thirty (30) days’ advance notice via email to the address associated with your account. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
17. Contact Us
If you have questions or concerns about this Privacy Policy, your personal information, or our data practices, please contact us at:
Rezzly LLC — Attn: Privacy — Email: legal@rezzly.co
For privacy-specific requests (access, deletion, correction, opt-out), please email legal@rezzly.co with the subject line “Privacy Request” and include your name, account email, and a description of your request.