Privacy Policy
Effective April 14, 2026
This Privacy Policy describes how BoroBeacon ("we", "us", "our") collects, uses, and shares personal information about you when you visit our website or use our compliance monitoring service (together, the "Service"). It applies to account holders, their team members, and visitors to our public site.
Who we are
BoroBeacon is a product operated by a New York, NY–based team. For the purposes of data-protection law, BoroBeacon acts as a data controller with respect to account and marketing data and as a data processor with respect to building and compliance data you upload on behalf of your organization.
Information we collect
We collect the following categories of information:
- Account information. Name, email, role, hashed password, and authentication tokens managed by our identity provider. You control what you enter here.
- Portfolio information. Building addresses, BINs, block/lot identifiers, portfolio tags, and alert email recipients you configure.
- Compliance data. Publicly available violations, complaints, hearings, permits, and inspection results retrieved from NYC Open Data on your behalf. We associate this data with buildings in your portfolio.
- Communications. Emails you forward to the Service for parsing; your replies to our support team; delivery metadata from our email provider.
- Usage data. Pages you visit, features you use, error logs, IP address, user agent, and approximate geolocation derived from IP. Used for security, debugging, and product analytics.
- Billing information. Billing contact, last four digits of your card, and billing country. The full card number is handled by our PCI-compliant payment processor (Stripe) and never touches BoroBeacon servers.
How we use information
- Provide and operate the Service you signed up for.
- Send compliance alerts, reminders, and digests you requested.
- Process payments and send receipts.
- Respond to support, security, and privacy inquiries.
- Detect, investigate, and prevent abuse, fraud, and security incidents.
- Improve the product (aggregated, anonymized usage analytics only).
- Comply with legal obligations and enforce our Terms.
We do not sell or rent personal information. We do not use your data to train AI models. We do not allow third-party advertising cookies on the Service.
Legal bases (EU/UK/EEA residents)
If you are located in the European Union, United Kingdom, or European Economic Area, we rely on the following legal bases under the GDPR:
- Contract. To provide the Service, bill you, and respond to your requests.
- Legitimate interests. To secure the Service, prevent abuse, and run aggregated analytics, balanced against your rights and expectations.
- Consent. For any optional marketing emails or non-essential cookies, where required.
- Legal obligation. To comply with applicable tax, fraud, and record-keeping laws.
Data retention
We keep personal information only as long as we need it:
- Account data: for the life of your account, plus 30 days after closure unless you request immediate deletion.
- Portfolio & compliance data: for the life of your account. You can export or delete at any time.
- Support messages: up to 3 years for training and quality review.
- Billing records: up to 7 years as required by tax law.
- Server logs: 14–30 days.
Security
We protect personal information using TLS 1.2+ in transit, AES-256 at rest, row-level security on every database table, scoped access controls, and regular dependency and secret audits. See our Security & Trust page for full detail and our incident-response process.
Your rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your personal information (subject to legal exceptions).
- Export your personal information in a portable format.
- Object to or restrict certain processing.
- Withdraw consent at any time where we rely on consent.
- Lodge a complaint with your local data-protection authority.
To exercise these rights, email privacy@borobeacon.com. We will verify your identity and respond within 30 days.
International transfers
BoroBeacon is operated from the United States and our service providers are all located in the United States. If you access the Service from outside the US, your information will be transferred to, stored in, and processed in the US. We rely on Standard Contractual Clauses (SCCs) where required for transfers from the EU/UK/EEA.
Children
The Service is not directed to children under the age of 18 and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, email privacy@borobeacon.com and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify account holders by email at least 30 days before the changes take effect. The "Effective" date at the top of this page always reflects the most recent version.
Contact us
Questions about this policy or your data? Email privacy@borobeacon.com. For general product questions, see our contact page.