Privacy
RE-Invest is a small two-person operation. We try to collect only what we need to run the tool, and we don't sell, share, or monetize your data. This page describes exactly what we store, who sees it, and how to remove it.
What we store
- Account. Your email address, account creation and last-login timestamps, and (for email-password sign-ins) a bcrypt hash of your password — never the password itself. If you sign in with Google we also store the display name and avatar URL Google returns.
- Disclaimer acknowledgement. The date and version of the Terms & Disclaimer you accepted, so we know whether to ask you to re-acknowledge after a material update.
- Analyses you create. The property addresses, financial inputs, and outputs of any analysis you save, plus your per-user defaults (filing status, hold horizon, depreciation settings, etc.). These are your records — only you can see them.
- Rent-estimate usage. Each time you ask for a comp-based rent estimate we log a single timestamped row so we can enforce the per-quarter quota.
- Server logs. Standard request logs (timestamp, IP address, path, status code, user agent) retained by our hosting provider for operational and abuse-prevention purposes.
Who else sees it
- Google — only if you choose to sign in with Google. They handle the authentication itself and receive whatever their standard OAuth flow needs (your IP, browser, timestamp). See Google's privacy policy.
- Resend — our transactional email provider. Receives your email address when we send a verification link or password reset.
- RentCast — receives a property address (and nothing else) when you request a comp-based rent estimate.
- HUD User (U.S. Department of Housing and Urban Development) — receives the property ZIP code when we look up Fair Market Rent (FMR) data for the same rent estimate.
- Neon — our managed Postgres provider; stores the database described above on your behalf.
- Vercel — our hosting provider; routes requests and produces server logs.
We do not use third-party analytics, advertising cookies, session-replay tools, or marketing trackers.
Cookies
We use HTTP-only, encrypted cookies set by our authentication library for sign-in sessions and CSRF protection during OAuth flows. These are strictly necessary for the service to work and are transmitted only over TLS. No tracking, analytics, or marketing cookies are set.
Security
- All traffic is served over TLS.
- Passwords are hashed with bcrypt before storage; we cannot recover a forgotten password and will only issue a reset link.
- Database traffic is encrypted in transit (over HTTPS to our managed Postgres provider) and authenticated with a server-side credential never exposed to the browser.
Retention & deletion
We keep your data for as long as your account is active. To delete your account and all associated analyses, contact us at the address below — we will remove your row from the users table, which cascades to your saved analyses, profiles, and verification tokens. Server log retention is bounded by our hosting provider's own policy.
Your rights
You can request a copy of the data we hold for your account, or its deletion, at any time. If you are a resident of a jurisdiction with a statutory right of access, correction, portability, or erasure (e.g. GDPR, CCPA), we will honor those rights — please reach out.
Changes
Material updates to this page will be reflected by an updated version label on the Terms & Disclaimer and may require you to re-acknowledge before continuing to use the tool.
Contact
Questions, deletion requests, or data-access requests: support@re-invest.app.