This describes the data Leasr collects, why, and how we share it. It's a placeholder — replace with attorney-reviewed copy that also addresses CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), and other applicable state privacy laws before launch.
1. Data we collect
Account data from Clerk (name, email, phone). Search profile and guardrail data you provide. Inventory and offer data from MarketCheck and dealers. Email, SMS, and call transcripts produced during your negotiations. Usage events generated by the AI agent and the app.
2. Why we collect it
To run negotiations on your behalf, audit AI behavior, comply with TCPA and CAN-SPAM, debug and improve the service, and provide customer support. We do not sell or rent your personal data.
3. Subprocessors
Vercel (hosting), Supabase (Postgres), Clerk (authentication), Resend (email delivery + inbound), Twilio (SMS + voice), Anthropic (Claude API), OpenAI (Realtime voice), Inngest (background jobs), Sentry (error monitoring), Axiom (logs). Replace this list with the DPA-signed list at your launch date.
4. Retention
Active negotiation data is retained while the negotiation is open and for 90 days after closing. Call recordings live in Twilio for 30 days and then are deleted automatically. You can request earlier deletion of any negotiation by emailing privacy@leasr.xyz.
5. Your rights
Subject to applicable law, you may request access to, correction of, or deletion of personal data we hold about you. For California residents, this includes the right to know, the right to delete, the right to correct, and the right to opt out of sale or sharing (Leasr does not sell or share your data).
6. Children
Leasr is intended for users 18 or older. We don't knowingly collect data from minors.
7. Security
Data is encrypted in transit and at rest. Access is limited to Leasr engineers under least-privilege controls. Report suspected incidents to security@leasr.xyz.
8. Contact
privacy@leasr.xyz — we'll route requests to the right team within five business days.