Privacy Policy

1. Introduction

HOAReview, LLC ("HOAReview," "Company," "we," "us," or "our") operates HOAReview.com, a platform that allows current and former HOA residents to submit, read, and respond to community reviews. This Privacy Policy ("Policy") applies to all personal information we collect through the website, mobile-optimized interfaces, APIs, and any related services (collectively, the "Service").

This Policy is incorporated into and made part of our Terms of Service. By using the Service, you agree to the collection and use of personal information as described in this Policy. If you do not agree, please do not use the Service.

HOAReview, LLC is the controller of personal information collected through the Service for purposes of U.S. state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (CDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Texas Data Privacy and Security Act (TDPSA), and other applicable state laws. We are a for-profit business. We do not meet the thresholds for GDPR applicability as a primary matter; however, we apply data minimization and purpose limitation principles consistent with internationally recognized privacy standards.

2. Information We Collect

We collect personal information through three channels: information you provide directly, information collected automatically when you use the Service, and information received from third parties.

2.1 Information You Provide Directly

When you register for an account, submit a review, claim an HOA profile, make a payment, or contact us, you provide personal information that may include:

• Identity data — full name, username or display name
• Contact data — email address; mailing address (used for residency verification only and not stored beyond verification unless you elect otherwise)
• Authentication data — password (stored as a one-way bcrypt hash; we cannot retrieve your plain-text password)
• Review content — all text, ratings, tags, and metadata you submit in connection with a review, including any pros, cons, title, and body text
• Residency declaration — your self-reported current or former HOA community, used to verify review eligibility and display a verified-resident badge
• HOA profile data — for board members and management company representatives claiming a profile: business name, board role, contact information, and supporting documentation
• Communications — the content of emails, support tickets, or legal inquiries you send to us
• Payment information — for paid subscriptions (HOA board dashboards), we collect billing name and address. Payment card numbers and bank account details are collected and processed directly by Stripe, Inc. and are never transmitted to or stored on HOAReview.com servers
• Marketing preferences — your opt-in or opt-out selection for promotional emails at registration and in account settings
• Consent records — timestamps, IP addresses, and the specific version of Terms and Privacy Policy you accepted at registration, retained for legal compliance

2.2 Information Collected Automatically

When you access or use the Service, our infrastructure and third-party analytics tools automatically collect certain technical and behavioral data, including:

• Device and browser data — IP address, browser type and version, operating system, device type (desktop, mobile, tablet), screen resolution, and device identifiers
• Log data — server access logs recording the date and time of each request, the URL requested, HTTP status code, bytes transferred, referrer URL, and user agent string. Log data is retained for up to 90 days for security and debugging purposes
• Usage data — pages viewed, HOA profiles browsed, search queries entered, reviews read, features used, time spent on pages, scroll depth, and click patterns
• Session data — session duration, entry and exit pages, and navigation paths through the Service
• Location data — country and approximate region inferred from your IP address. We do not collect precise GPS or device-level location data
• Cookie and local storage data — see our Cookie Policy for a complete description of cookies and local storage keys we use, their purpose, and how to manage them
• Performance data — page load times, API response times, and error reports used to identify and resolve technical issues

We collect this data using server logs, cookies, web beacons, and local storage. Our infrastructure is hosted on Microsoft Azure. Our web application is served through Vercel's edge network. Both platforms may process technical metadata as part of delivering the Service.

2.3 Information Received from Third Parties

We may receive personal information about you from the following third-party sources:

• OAuth providers — if you register or sign in using Google OAuth, we receive your name, primary email address, and profile photo from Google, subject to your privacy settings with Google. We do not receive your Google password
• Stripe — Stripe shares with us metadata about payment events, including payment status, billing postal code (for fraud detection), and subscription tier, but not full payment card numbers
• Public government records — we import HOA profile data (community name, address, unit count, county, and general location) from county assessor databases, state HOA registries, and other publicly available government records. This data relates to HOA entities and does not constitute personal information about individuals
• HUD and state housing agency data — publicly available HOA regulatory filings and enforcement records may be referenced in community profiles
• User referrals — if another user provides your email address to invite you to the platform, we use that email to send a single invitation and do not create an account without your consent

2.4 Newsletter Subscribers

If you subscribe to the HOAReview newsletter without creating an account, we collect only your email address, the source page where you subscribed, and a timestamp. We use a double opt-in process: after you submit your email address, we send you a confirmation email containing a unique link. Your address is only added to our mailing list after you click that link. We do not use your newsletter subscription to infer your identity, link your address to other platform activity, or build an advertising profile. You may unsubscribe at any time using the one-click unsubscribe link included in every newsletter email, or by visiting /subscribe/unsubscribe. We honor unsubscribe requests immediately and do not send any further marketing communications after processing your request. We retain a soft-deleted record of your email address and unsubscribe timestamp solely to honor future unsubscribe requests and to comply with CAN-SPAM and similar regulations; this record is not used for any other purpose and is not shared with third parties for marketing.

3. How We Use Your Information

We use the personal information we collect for the following purposes, each of which constitutes a legitimate business purpose under applicable privacy law. Where processing requires your consent, we obtain it separately.

• Account creation and authentication — to create, maintain, and secure your account; to authenticate your identity when you log in; and to enforce the one-account-per-user rule
• Service delivery — to publish, display, and distribute your reviews and ratings on HOA community profiles; to operate the search, discovery, and voting features of the platform; and to display verified-resident badges to eligible users
• Review eligibility verification — to verify that you meet the eligibility criteria for submitting a review, including cross-referencing your declared address with the HOA community you are reviewing
• Content moderation — to screen, analyze, and moderate user-generated content for compliance with our Review Guidelines, Terms of Service, and applicable law, including through automated AI-assisted tools and human review
• Transactional communications — to send you account verification emails, password reset emails, review status notifications (published, rejected, or flagged), and other service-related communications necessary to operate your account
• Marketing communications — to send you newsletters, product updates, and promotional offers about the Service, but only if you have opted in at registration or subsequently through account settings. You may opt out at any time using the unsubscribe link in any marketing email or through your account settings
• Payment processing and subscription management — to process your subscription payments through Stripe, manage your subscription tier, issue receipts, and handle billing disputes or refunds
• Analytics and product improvement — to analyze aggregate and anonymized usage data to understand how users interact with the Service, identify popular features, diagnose performance issues, and inform product development decisions
• Security, fraud prevention, and legal compliance — to detect, investigate, and prevent fraudulent activity, abuse, spam, coordinated review manipulation, and security incidents; to enforce our Terms of Service; to comply with applicable legal obligations; and to respond to lawful government requests, court orders, and legal process
• Dispute resolution — to investigate reports and flags submitted by users or HOA representatives; to process appeals of moderation decisions; and to respond to and defend against legal claims, including DMCA notices and counter-notices
• Aggregated research and data products — to create anonymized, aggregated statistical datasets about HOA communities, regional HOA trends, and fee benchmarks. These aggregated products do not identify individual users and may be published, licensed, or used commercially

We do not use your personal information to make automated decisions that produce legal or similarly significant effects about you without human review. AI moderation scores inform human moderator review but do not independently determine final content decisions.

4. How We Share Your Information

4.1 We Do Not Sell Personal Information

4.2 Service Providers

We share personal information with third-party vendors and service providers that process data on our behalf under written data processing agreements that prohibit them from using your information for their own independent purposes. Current service providers include:

• Microsoft Azure (United States) — cloud infrastructure, database hosting, and blob storage for uploaded files. Azure stores all primary application data in U.S. data centers. Azure processes data under its Data Protection Addendum and is certified under ISO 27001 and SOC 2 Type II
• Vercel, Inc. (United States) — edge network and Next.js application hosting. Vercel may cache page responses in global edge locations; no personal account data is stored at the edge
• Stripe, Inc. (United States) — payment processing for HOA board subscriptions. Stripe independently processes cardholder data as a PCI-DSS Level 1 certified service provider. Stripe's privacy policy governs Stripe's handling of payment card information
• SendGrid (Twilio Inc., United States) — transactional and marketing email delivery. We transmit your email address and email content to SendGrid solely for the purpose of delivering emails you have triggered or consented to receive
• Anthropic, PBC (United States) — AI-assisted content moderation. Review text may be submitted to Anthropic's Claude API for automated quality scoring and policy compliance assessment prior to publication. Review text submitted to Anthropic is not used by Anthropic to train its models under our enterprise agreement
• Google LLC (United States) — web analytics via Google Analytics 4. Analytics tracking is activated only after you grant analytics consent through our cookie banner. We use IP anonymization and Consent Mode v2; GA4 defaults to "denied" for all consent types until you explicitly accept. We do not enable advertising features. GA4 collects aggregated behavioral signals (pages visited, session duration, navigation patterns) to help us understand how users interact with the Service. We do not transmit personally identifiable information (name, email address) to Google Analytics

4.3 Legal Disclosures

We may disclose your personal information to third parties — including government agencies, courts, and law enforcement — when we believe in good faith that disclosure is required or permitted by applicable law, including:

• In response to a valid court order, subpoena, search warrant, or other legally compelled process
• To comply with a legal obligation under federal or state law
• To protect the rights, property, or safety of HOAReview, LLC, our users, or the public
• To detect, prevent, or address fraud, security incidents, or technical problems
• In response to a valid DMCA takedown notice or counter-notification (to the extent required by 17 U.S.C. § 512)

Where legally permitted, we will notify affected users before disclosing their information in response to legal process, particularly when we believe a request is overbroad, legally deficient, or relates to speech protected by the First Amendment or applicable anti-SLAPP statutes.

4.4 Business Transfers

If HOAReview, LLC is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, or sale of all or a material portion of its assets, your personal information may be transferred as part of that transaction. We will provide notice on the Service and, where feasible, by email at least 30 days before your personal information becomes subject to a materially different privacy policy as a result of such a transaction. Following notice, you may request deletion of your personal information pursuant to Section 8.

4.5 Publicly Displayed Review Content

Reviews you submit are displayed publicly on HOA community profile pages and may be indexed by search engines, accessed through our API, and distributed to third-party integration partners. If you post a review under your account name (non-anonymously), your display name will be associated with the review publicly. If you post anonymously, only a verified-resident badge (if applicable) and aggregate rating data will be visible; your name and account will not be disclosed. You may request deletion of your review at any time by contacting privacy@hoareview.com.

4.6 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data — such as regional HOA fee benchmarks, average governance scores by state, or review volume trends — with research partners, journalists, real estate platforms, and the public. This data does not identify individual users and is not subject to the data rights described in Section 8. De-identification is performed using reasonable technical safeguards, and we do not attempt to re-identify de-identified data or permit our partners to do so.

5. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.

• Active account data — retained for the life of your account and used as described in Section 3
• Review content — published reviews are retained indefinitely to preserve the integrity of the public HOA database. If you request deletion of your account, your reviews will be anonymized (name and account association removed) within 90 days of account closure, unless you simultaneously request review deletion under your applicable privacy rights
• Server and application logs — retained for up to 90 days for security monitoring and debugging, then automatically purged
• Consent and audit records — records of your consent to Terms of Service and this Privacy Policy (timestamp, IP, version accepted) are retained for seven (7) years to support legal compliance and dispute resolution
• Payment records — transaction records and billing metadata are retained for seven (7) years as required by tax and financial recordkeeping obligations. Stripe retains cardholder data independently per its own retention policies
• Legal hold data — when we receive a litigation hold notice, preservation request, or government inquiry relating to specific user data, we retain that data beyond our standard retention schedule for as long as legally required
• Backup data — encrypted backups are retained for up to 30 days on a rolling basis. Your data may persist in encrypted backups for up to 30 days after deletion from primary storage

If you delete your account and simultaneously request deletion of your review content, we will complete primary deletion within 90 days of receiving your request and will confirm deletion by email. Backup purge occurs on the backup rotation schedule described above.

6. Security

HOAReview, LLC implements reasonable and industry-standard technical, administrative, and physical safeguards designed to protect your personal information from unauthorized access, disclosure, alteration, and destruction.

• Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). Our Strict-Transport-Security header enforces HTTPS on all connections
• Encryption at rest — all personal information stored in Microsoft Azure databases and blob storage is encrypted at rest using AES-256 encryption managed by Azure's Key Vault service
• Password security — user passwords are never stored in plain text. We use bcrypt with a cost factor of 12 to hash passwords at rest
• Access controls — access to production systems and personal data is restricted to authorized personnel on a need-to-know basis. All administrative access requires multi-factor authentication
• Infrastructure security — the Service is hosted on Microsoft Azure, which maintains SOC 2 Type II, ISO 27001, and FedRAMP certifications. Network-level protections include firewalls, DDoS mitigation, and intrusion detection
• Vulnerability management — we conduct periodic security reviews and address critical vulnerabilities in a timely manner. We accept responsible disclosure reports at legal@hoareview.com

No method of transmission over the Internet or electronic storage is 100% secure. While we use commercially reasonable measures to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.

In the event of a security breach that affects your personal information, we will notify you and applicable regulatory authorities as required by applicable state data breach notification laws, including but not limited to California Civil Code § 1798.82, the Wyoming Data Breach Notification Act (W.S. § 40-12-501 et seq.), and analogous statutes. We will provide notice within the timeframe required by the applicable law of the affected individuals' states of residence, and in no event later than 72 hours after we confirm that a breach has occurred, for states with specific notification windows.

7. Children's Privacy

The Service is intended solely for individuals who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. By creating an account, you represent and warrant that you are at least 18 years old.

If we discover that we have inadvertently collected personal information from a person under 18, we will promptly delete that information and terminate the associated account. If you are a parent or guardian and believe that your child under 18 has provided personal information to us, please contact us immediately at privacy@hoareview.com with the subject line "Minor Account." We will take steps to investigate and remove the information within a reasonable timeframe.

The Service is not subject to the Children's Online Privacy Protection Act (COPPA) because it does not knowingly collect information from children under 13 and is not directed at that audience. Our minimum age requirement of 18 exceeds the COPPA threshold.

8. Your Privacy Rights

Depending on your state of residence, you have certain rights regarding your personal information. We do not discriminate against users who exercise their privacy rights. We will not deny you access to the Service, charge you different prices, or provide a lower quality of service because you exercised a right described in this section.

8.1 Rights Available to All Users

All users of the Service, regardless of state of residence, may exercise the following rights:

• Access — request a summary of the categories and specific pieces of personal information we hold about you
• Correction — request correction of inaccurate personal information we hold about you
• Deletion — request deletion of your account and personal information, subject to our legal retention obligations described in Section 5
• Portability — request a copy of your personal information in a structured, commonly used, machine-readable format (JSON or CSV)
• Opt-out of marketing — opt out of receiving promotional emails at any time using the unsubscribe link in any marketing email or through your account settings
• Withdrawal of consent — where our processing of your personal information is based on your consent (e.g., marketing communications), you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, submit a request through our Legal & Privacy contact form at /legal/contact (select "Privacy Rights Request") or email privacy@hoareview.com. We will verify your identity before processing your request by confirming access to the email address associated with your account. We will respond within 45 days of receiving your verifiable request; we may extend this period by an additional 45 days where reasonably necessary, with notice.

8.2 California Residents — CCPA/CPRA Rights

If you are a California resident, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (CCPA/CPRA) provides you with additional rights regarding your personal information. HOAReview, LLC qualifies as a "business" under CCPA/CPRA for purposes of users residing in California.

California residents have the following rights:

• Right to Know (Categories) — the right to request disclosure of the categories of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, the categories of third parties with whom we share it, and the categories of personal information we have sold or disclosed for a business purpose in the preceding 12 months. We have not sold any personal information in the preceding 12 months
• Right to Know (Specific Pieces) — the right to request the specific pieces of personal information we have collected about you in the preceding 12 months
• Right to Delete — the right to request deletion of personal information we have collected from you, subject to exceptions for information we are legally required to retain, information necessary to complete transactions you requested, information needed to detect fraud or security incidents, and other exceptions permitted by CCPA/CPRA
• Right to Correct — the right to request correction of inaccurate personal information we maintain about you
• Right to Opt-Out of Sale or Sharing — the right to opt out of the sale of your personal information or the sharing of your personal information with third parties for cross-context behavioral advertising. As stated in Section 4.1, we do not sell personal information and do not share personal information for cross-context behavioral advertising. Your opt-out right is already honored as a matter of our default practice
• Right to Limit Use of Sensitive Personal Information — to the extent we process any sensitive personal information as defined under CPRA (which may include precise geolocation or account login credentials), you have the right to limit our use of that information to the uses necessary to perform the Service
• Right to Non-Discrimination — we will not discriminate against you for exercising any CCPA/CPRA right, including by denying goods or services, charging different prices, or providing a different level of service quality
• Right to Data Portability — the right to receive your personal information in a portable, structured, commonly used, and machine-readable format
• Authorized Agent — you may designate an authorized agent to submit rights requests on your behalf by providing written permission or, for deletion and opt-out requests, by providing a power of attorney executed pursuant to California Probate Code Sections 4000–4465. We may verify your identity directly with you even when a request is submitted through an authorized agent

To submit a CCPA/CPRA rights request, email privacy@hoareview.com or use the form at /legal/contact. We will verify your identity and respond within 45 days (extendable by an additional 45 days with notice). You may submit up to two (2) free requests per 12-month period.

Categories of personal information we collect and their sources, as required by CCPA/CPRA for disclosure:

• Identifiers (name, email address, IP address, user ID) — collected directly from you and automatically
• Commercial information (subscription tier, transaction history) — collected directly from you and from Stripe
• Internet or other electronic network activity (pages viewed, features used, log data) — collected automatically
• Geolocation data (approximate region inferred from IP address) — collected automatically
• User-generated content (review text, ratings, votes) — collected directly from you
• Inferences drawn from the above to create a profile about service usage preferences — derived internally

8.3 Residents of Virginia, Colorado, Connecticut, Texas, and Other States

Residents of states that have enacted comprehensive consumer data protection laws — including Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with similar laws — have privacy rights that substantially overlap with those listed in Sections 8.1 and 8.2. Specifically, these residents have the right to:

• Access — confirm whether we are processing your personal data and access a copy of it
• Correct — correct inaccuracies in your personal data
• Delete — request deletion of personal data you have provided to us or that we have collected about you
• Data Portability — obtain a copy of your personal data in a portable format
• Opt-Out of Targeted Advertising — opt out of the processing of your personal data for the purpose of targeted advertising. HOAReview, LLC does not conduct targeted advertising and does not share data for this purpose
• Opt-Out of Sale — opt out of the sale of your personal data. HOAReview, LLC does not sell personal data
• Opt-Out of Profiling — opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in such profiling
• Appeal — if we deny your privacy rights request in whole or in part, you have the right to appeal our decision. Submit an appeal to privacy@hoareview.com with the subject line "Privacy Rights Appeal" within 30 days of receiving our response. We will respond to your appeal within 60 days (Virginia, Colorado) or 45 days (Connecticut, Texas) and will provide a written explanation if we uphold our denial. If your appeal is denied, you may contact your state attorney general's office to submit a complaint

Nevada residents may opt out of the sale of covered information under Nevada SB 220 by emailing privacy@hoareview.com with the subject line "Nevada Opt-Out." As stated in Section 4.1, we do not sell personal information, so this opt-out is honored as a matter of default practice.

We do not use your personal data in ways that require consent under applicable state privacy laws without first obtaining that consent. We do not process sensitive personal data (as defined by applicable state law) beyond what is necessary to provide the Service.

9. Changes to This Policy

We may update this Privacy Policy from time to time as our practices change, as we add new features to the Service, or as required by applicable law. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Post a conspicuous notice on the Service for at least 30 days
• Send an email notification to the address associated with your account at least 14 days before the changes take effect, where feasible and where the changes materially affect how we use your personal information

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with a material change to this Policy, you may request account deletion pursuant to Section 8 before the effective date.

For non-material changes — such as clarifications of existing practices, corrections of typographical errors, or changes that do not affect the substance of how we process personal information — the updated Policy will be effective immediately upon posting without individual notification.

10. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy team. We will respond to all privacy inquiries within 10 business days of receipt.

If you are not satisfied with our response to a privacy inquiry or rights request, you may contact your state attorney general's office, the California Privacy Protection Agency (cppa.ca.gov) for California residents, or the Colorado Attorney General's Office (coag.gov) for Colorado residents.