Privacy Policy
This policy explains what data PermitFocus collects, how we use it, and the choices you have. We aim to be plain about it.
What we collect
- Account info: email, password (hashed with scrypt), organization name, your trade focus, and which states you subscribe to.
- Usage data: pages you load, searches you run, watchlist additions, CRM notes you write, and analyses you save. We use this to make the product work and to improve it.
- Logs: IP address, user agent, and session metadata for security and debugging. Logs auto-expire within 90 days.
- Billing data: if you subscribe, our payment processor (Stripe, when wired) holds your card details. We never see or store full card numbers.
- Public records: the building-permit, contractor-license, and demographic data on the platform comes from US Census, county permit portals, state license registries, and other public sources. None of this is collected from you.
What we don't collect
- We don't run third-party analytics or ad trackers in the customer app.
- We don't sell, rent, or share your usage data with anyone.
- We don't track you across the web.
How we use it
- To run the Service: authenticate you, render your dashboard, save your watchlists and notes.
- To send you transactional email (account verification, password reset, weekly watchlist digest).
- To support and bill you.
- Aggregated, anonymized usage stats may inform product decisions (e.g. "average trial user adds X watchlist items"). We never publish identifiable data.
Sharing
We share data only with subprocessors that help us run the Service:
- Hosting infrastructure (the server running this app).
- Email delivery (Gmail SMTP today; Postmark or similar in production).
- Payment processing (Stripe, when subscriptions go live).
We do not sell or share your account data or usage with marketers, data brokers, or any other third party.
Your rights
You can:
- Export all of your account data (watchlists, notes, settings) at any time from your settings page or by emailing us.
- Delete your account at any time. Deletion is permanent and removes your data within 30 days, except where law requires retention (e.g. tax records).
- Correct any inaccurate account info from settings.
If you're in California, the EU, or another jurisdiction with specific privacy rights (CCPA, GDPR, etc.), you have the additional rights granted by those laws. Email us to exercise any of them.
Cookies
We use one cookie: a session cookie (HttpOnly, Secure, SameSite=Lax) that keeps you signed in. We don't set tracking cookies. We don't use third-party advertising cookies. You can sign out at any time to clear the session.
Security
Passwords are hashed with scrypt. Sessions are random 32-byte tokens. Traffic is HTTPS-only. Data at rest is encrypted at the disk level. No system is perfectly secure, but we treat your data with the seriousness it deserves.
Children
The Service is for business users 18 and older. We don't knowingly collect data from anyone under 18.
Changes
We'll post material changes here and email active subscribers 30 days before they take effect.
Contact
Have a question, want to exercise your rights, or are just curious? Email cameronelsea517@gmail.com.