Skip to main content

Privacy Policy

Last updated: May 28, 2026

1. Information We Collect

CapVeri.com collects information you provide directly, including:

  • Account information (name, email, company name)
  • Property and financial data you upload for reconciliation, including lease PDFs and general-ledger entries
  • Communication preferences and support inquiries
  • Usage and analytics data, including automatically captured product-analytics events, session recordings (with inputs masked), and error logs

2. How We Use Your Information

We use collected information to:

  • Provide and improve our CRE FinOps services
  • Process your uploaded financial data for analysis
  • Send service updates and respond to inquiries
  • Ensure security and prevent fraud

3. Data Security

We implement security measures including:

  • Encryption in transit and at rest
  • Organization-scoped access controls
  • Append-only audit logging for all financial record changes

4. Data Retention

  • Financial records (ledger entries, reconciliations, invoices): retained for 10 years per IRS § 6001 and Rev. Proc. 98-25.
  • Operational records (tenant data, invitations, feedback): retained for 2-3 years for business and legal compliance.
  • Transient records (job logs, notifications, webhook events): automatically purged on a weekly schedule (48 hours to 365 days depending on type).
  • Upon account deletion, personal data is anonymized within 30 days; financial records are retained for the full statutory period.

5. Third-Party Services

We share data only with service providers that process it on our behalf. We do not sell your data.

  • Supabase - database, authentication, and file storage (US-hosted PostgreSQL)
  • Cloudflare - R2 document storage
  • OpenRouter - AI model gateway for document and general-ledger processing. We send lease PDFs and extracted document text for structured lease extraction, and aggregated general-ledger data for anomaly analysis, to downstream models (Google Gemini, Moonshot Kimi, OpenAI GPT, and Z.ai GLM) routed through OpenRouter under product data-handling controls. These AI processing practices are described in our AI Transparency Statement.
  • Stripe - payment processing (PCI-DSS compliant)
  • Resend - transactional email delivery
  • PostHog - product analytics, session replay, heatmaps, and error monitoring (US-hosted; recording inputs are masked)
  • Sentry - error tracking (when enabled)
  • Google Tag Manager / Google Analytics - tag management and web analytics (when enabled)

6. California Resident Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act gives you the following rights:

  • Right to Know - request the categories and specific pieces of personal information we have collected about you
  • Right to Delete - request deletion of your personal information (financial records subject to IRS § 6001 retention requirements cannot be deleted during the statutory window); submit requests to [email protected]
  • Right to Correct - request correction of inaccurate personal information
  • Right to Opt-Out of Sale or Sharing - we do not sell or share (including for cross-context behavioral advertising) personal information with third parties for their own commercial purposes
  • Right to Limit Use of Sensitive Information - we do not use sensitive personal information beyond providing the service
  • Non-Discrimination - we will not discriminate against you for exercising any of these rights; your pricing and service level remain the same
  • Authorized Agent - you may designate an authorized agent to submit requests on your behalf with written authorization

7. Your Rights

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request data deletion
  • Export your data in a portable format
  • Opt out of marketing communications

8. EU/UK Data-Subject Rights (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have the rights of access, rectification, erasure, restriction, data portability, and objection to processing, and the right to lodge a complaint with a supervisory authority. Where we transfer EU/UK personal data to the United States or to our sub-processors, we rely on appropriate safeguards such as Standard Contractual Clauses. Because some processing (such as product analytics and session replay) involves monitoring of behavior, EU/UK users may have additional consent rights. Submit requests to [email protected].

9. Contact Us

For privacy inquiries, contact us at [email protected].