Skip to main content
HawkHOA

FishHawk Ranch Document Assistant

Privacy Policy · HawkHOA for FishHawk Ranch

Version 1.1, effective 2026-05-04

Privacy Policy v1.1, effective 2026-05-04. This policy is reviewed periodically with counsel. Privacy questions and corrections to privacy@hoastream.com.

Data controller

The data controller for HOAStream and any community-specific product offering operated under it is JeLe Ventures LLC, a Florida limited-liability company. Once the Florida fictitious-name registration is approved, the controller name will read JeLe Ventures LLC d/b/a HOAStream”.

Our privacy philosophy

We collect almost nothing. HawkHOA is designed around a minimal-data principle: the less we collect, the less there is to leak, mishandle, or misuse.

What we collect

  • Your questions. We log the question you ask and the answer HawkHOA gives for audit purposes (3-year retention).
  • A session identifier. An anonymous UUID in your browser so we can rate-limit abuse. Not tied to your identity.
  • A hashed IP address. For abuse detection, the rate-limit cache discards it after 24 hours. We do not retain raw IP addresses in our application database; sub-processors may process IP as described in the sub-processor list below.
  • Consent acknowledgment. When you accept the first-session disclaimer, we log that you accepted (with a timestamp) so we can prove the disclaimer was shown.
  • A residency check on your street address. To enter the member-only preview, HawkHOA sends your address to the public Hillsborough County property appraiser and confirms it is a real FishHawk Ranch parcel. Your address is not stored. Only an anonymous HMAC-signed residency cookie is kept in your browser (30-day expiry), so you don't have to re-verify on every visit.

What we do NOT collect

  • Your real name or address
  • Your HOA lot or unit number
  • Location data
  • Cross-site tracking (no Google Analytics, no Facebook pixel)
  • Payment information

Who processes your data

Your question is transmitted to:

  • Anthropic (Claude API), generates the AI response. Anthropic does not train on commercial API inputs per its commercial data policy.
  • Voyage AI, generates search embeddings. Does not train on commercial API inputs per its data policy.
  • Supabase, stores the audit log with Row-Level Security isolating FishHawk Ranch data from other tenants. Specific enforcement layers are described in the Security section below.
  • Vercel, hosts this web interface.
  • Upstash, rate limiting.
  • Postmark, sends transactional email (verification codes, board signup confirmations, drafts-ready notifications). Receives only the recipient email address, the message body, and standard delivery metadata (IP at send time, bounce status).
  • Stripe, processes payments. If you subscribe to a paid plan, Stripe receives your name, email, and payment-card metadata to bill the subscription. We do not store card numbers.

Your rights

Close the browser tab to delete your client-side chat history. Audit-log deletion requests will be handled through the operator contact channel published before public launch. Because your audit-log entries are tied only to an anonymous session UUID, not to your name, address, or unit, we cannot identify which entries belong to you unless you provide your session UUID at the time of the request.

Security

All data is encrypted in transit (TLS 1.3) and at rest. Tenant isolation is enforced today through (a) parameterized queries scoped to the authenticated tenant context, (b) automated tenant-isolation test suites that run on every deploy, and (c) a nightly database-level audit that alerts the operator to any unexpected cross-tenant exposure or grant drift. Postgres Row-Level Security is enabled schema-wide and all anonymous-role grants have been revoked. A dedicated application database role (NOBYPASSRLS) cut-over is staged and pending so that RLS becomes the database-layer enforcement in addition to the application-layer controls described above. The /trust page lists this milestone.

Breach notification

If we determine that a security incident has resulted in unauthorized access to or acquisition of customer data, we will notify affected customers in writing within 30 days of that determination, consistent with section 501.171, Florida Statutes, and applicable law.

Operator access logging

Operator actions that affect your account are logged with the operator identity, the action taken, a timestamp, and a reason. These access logs are retained for 7 years.

Privacy contact

Privacy requests and data-rights inquiries: privacy@hoastream.com (monitored by JeLe Ventures LLC, the operator of HOAStream and the HawkHOA community product). Accessibility-specific inquiries: accessibility@hoastream.com.

Note: CIRA / RealManage at FishRan@ciramail.com handles HOA-related questions but is not the data controller for HawkHOA for FishHawk Ranch.

Back to chat
Privacy Policy | HawkHOA for FishHawk Ranch