Privacy Policy

1. Information We Collect

We collect the following categories of information:

Personal Information

• Name, email address, phone number, mailing address, and, where applicable, company name.
• Account credentials (password hash — we never store your password in plaintext).
• For tenants: tenancy details (unit, lease dates, rent amount) and emergency contact information.
• For property managers, landlords, and vendors: business information necessary for payment onboarding, including taxpayer identification (IRS Form W-9) and bank account details used to receive payouts.
• For rental applicants: application data (employment history, income, references, consent forms) required for screening.

Payment Information

Payment card and bank account data is collected and stored by Kadima Payments ("Kadima"), our PCI-DSS-compliant payment processor. DoorStax does not store full payment card numbers on its own systems; we retain only tokens and last-four-digit identifiers returned by Kadima.

Technical Information

• Device, browser, operating system, and IP address data for security, debugging, and analytics.
• Cookies and similar technologies — see our Cookie Policy.
• Audit-log records of sensitive actions taken within the Service.

2. How We Use Information

We use collected information to:

• Provide, operate, and improve the Service.
• Process rent payments, vendor payouts, and owner distributions through Kadima.
• Verify identity, conduct fraud prevention, and comply with anti-money-laundering and know-your-customer obligations.
• Facilitate tenant screening (with the applicant's explicit consent) through partner services.
• Communicate with you about your account, transactions, and platform updates, including transactional emails and, where permitted, marketing communications.
• Enforce our Terms of Service and Acceptable Use Policy.
• Comply with legal obligations (tax reporting, 1099 issuance, subpoenas, court orders).

3. How We Share Information

We share information only in the following circumstances:

• Payment partner (Kadima). Transaction, vault, and payout data is shared with Kadima to process payments.
• Service providers. Vendors supporting our infrastructure — hosting (Vercel), email delivery (Resend), blob storage, error monitoring — receive only the data necessary to perform their function and are contractually bound to confidentiality.
• Property manager access. Tenants' and vendors' data is visible to the property manager servicing their unit or work order. This is inherent to the platform.
• Legal compliance. We disclose information when required by law, subpoena, court order, or to protect ourselves or others from fraud, harm, or violation of our Terms.
• Business transfers. In the event of a merger, acquisition, or sale of assets, user information may transfer to the successor entity, subject to the terms of this policy.

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising.

4. Data Retention

We retain personal information for as long as necessary to provide the Service and meet our legal, tax, and compliance obligations:

• Payment and tax records (payment history, W-9s, 1099 data): retained for at least seven (7) years after the tax year in which the transaction occurred, as required by IRS recordkeeping rules.
• Account data (profile, messages, documents): retained for the life of the account plus a buffer period of up to thirty (30) days after account deletion.
• Audit logs (sensitive admin + financial actions): retained indefinitely for security and compliance investigation purposes.
• Marketing contacts (lead forms, newsletter signups): until you unsubscribe, at which point we retain suppression-list records so that we do not email you again.

5. Security

We implement industry-standard administrative, technical, and physical safeguards to protect your information. These include encryption in transit (TLS 1.2+) and at rest, access controls, audit logging, and regular security reviews. Payment card data is handled exclusively by Kadima Payments under their PCI DSS Level 1 attestation; DoorStax does not store full PANs on its own systems.

No system is 100% secure. If we become aware of a breach affecting your personal information, we will notify you and the appropriate authorities as required by applicable law.

6. Your Rights

You have the right to:

• Access the personal information we hold about you.
• Correct inaccurate information.
• Request deletion of your personal information, subject to legal retention requirements.
• Export your data in a portable format (available to property managers through the admin dashboard; tenants may request export by contacting support).
• Opt out of marketing communications at any time.

To exercise these rights, email privacy@doorstax.com. We will respond within the timeframes required by applicable law.

7. California Privacy Rights (CCPA / CPRA)

California residents have additional rights under the California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA"):

• Right to know what personal information we have collected, used, disclosed, and (if applicable) sold about you over the past 12 months.
• Right to delete personal information we have collected from you, subject to statutory exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of your personal information. DoorStax does not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of — but you still have the right to ask.
• Right to limit use of sensitive personal information (e.g. financial account data) to the purposes permitted by the CPRA.
• Right to non-discrimination when you exercise any of the above rights.

To exercise CCPA/CPRA rights, email privacy@doorstax.com with the subject line "California Privacy Request." You may designate an authorized agent to act on your behalf; we may require reasonable verification of both your identity and the agent's authorization.

8. Children's Privacy

The Service is not intended for anyone under the age of 18. DoorStax does not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA). If we become aware that we have inadvertently collected such information, we will delete it promptly.

9. International Users

DoorStax operates in the United States. If you access the Service from outside the U.S., you consent to the transfer and processing of your information in the United States under applicable U.S. law, which may differ from the privacy laws of your home jurisdiction.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the platform dashboard, and the "Last updated" date at the top of this page will be revised. Continued use of the Service after such notice constitutes acceptance of the updated policy.

11. Contact

Privacy questions, requests, or complaints:

Email: privacy@doorstax.com

Mailing address: DoorStax Privacy Team, c/o Kadima Payments, 26565 Agoura Road, Suite 200, Calabasas, CA 91302.