EnvironmentalHQ
LEGAL

Privacy Policy

EFFECTIVE APRIL 19, 2026

Plain-language pre-launch draft. A final, attorney-reviewed version will replace it before paid plans launch.

Summary

We collect the minimum we need to run the product: your email if you sign up, the addresses you search, basic product-usage telemetry, and payment metadata through Stripe. We do not sell your personal information. We do not use your searches to train models.

What we collect

  • Email address — when you sign up, join the waitlist, or contact support.
  • Searches — the addresses you look up and the scores returned, so you can revisit them and so we can measure product usage.
  • Saved addresses & notes — if you use the Consumer or Agent feature.
  • Billing data — processed by Stripe. We receive plan, country, last 4 digits of your card, and renewal state; we never see the full number.
  • Product telemetry — pages visited, features used, approximate location derived from IP, and device/browser metadata.
  • Cookies — a session cookie for login; a small number of analytics cookies described below.

What we never do

  • Sell or rent your personal information.
  • Share your individual searches with data brokers, real-estate platforms, or insurers.
  • Use your searches or saved addresses to train AI models.
  • Publish any individual user's search history. Aggregate anonymous trends (“most-searched ZIPs this week”) may be used in marketing.

Why we collect it

To run the product, honor search quotas, send service emails and weekly alerts you subscribe to, support debugging, prevent fraud, and measure whether the product is useful. Legal basis under GDPR is contractual necessity for account and billing data, and legitimate interest for product analytics (with opt-out).

Who we share it with

Service providers acting on our instructions only: Supabase (database + auth), Vercel (hosting), Stripe (payments), Buttondown (email list), Mapbox (geocoding — we send only the address you search), Anthropic (score-explanation generation — we send the score numbers and facility metadata, not your account identity), Sentry (error monitoring), and PostHog (product analytics). We share information with law enforcement only when compelled by a valid legal process.

How long we keep it

Account data for as long as your account is active, plus 90 days after deletion so we can handle billing disputes and comply with tax-record requirements. Anonymous product analytics are retained for up to 24 months. Geocoding and explanation request logs are retained for 30 days for debugging.

Your rights

If you're in the EU, UK, California, or other jurisdictions with data-protection laws, you can access, export, correct, or delete your personal information, and object to processing based on legitimate interest. Email privacy@environmentalhq.io. We'll respond within 30 days.

Children

EnvironmentalHQ is not directed at children under 13 (or 16 in the EU). We do not knowingly collect information from them. If you believe we have, email us and we will delete it.

Security

Data in transit is encrypted with TLS. Data at rest in Supabase is encrypted with AES-256. Secrets live in Vercel environment variables. We review access logs. No system is perfectly secure; we will notify affected users of a material breach without undue delay.

Changes

We'll post material changes at least 14 days before they take effect and email account holders.

Contact

Privacy questions: privacy@environmentalhq.io.