Permitify, Inc. Privacy Policy

1) What Permitify is

Permitify is a B2B web platform that aggregates and analyzes zoning, ordinance, parcel, and regulatory data to help developers, architects, and engineers identify buildable land and ensure projects comply with local regulations. It combines interactive maps, AI-assisted code interpretation, and feasibility reporting in one tool.

2) Who this policy covers

This policy applies to users at land-development firms, architects, engineers, consultants, and (occasionally) municipal staff who use Permitify. We do not target or knowingly collect data from children or minors.

3) Personal data we collect

Account & contact data: name, work email, hashed password, role/title, company, phone, mailing address.

Usage/technical data: IP address, device/browser type, pages viewed, feature interactions, timestamps, diagnostic logs (via PostHog and our systems).

Approximate location: derived from IP address for security/abuse-prevention and analytics.

Project content: uploaded documents/plan sets, notes, parcel selections, addresses/coordinates, other files you choose to store.

Support data: messages you send to us (email/chat) and attachments.

Marketing data: newsletter preferences, campaign/UTM data, and engagement with our emails.

Payments: handled by Stripe; we receive limited billing metadata (e.g., payment status, last four digits) but not full card numbers.

We also process public-source data (e.g., municipal ordinances, zoning maps, parcels, census). Public data isn't "personal data" unless it identifies a person.

4) Where we get data

• Directly from you (account creation, uploads, support).
• Automatically via cookies/SDKs/logs (analytics, security, diagnostics).
• From integrated third parties you connect or we use (e.g., Stripe for billing).
• From public/government sources (ordinances, maps, parcels, demographics).

5) How we use data (purposes)

• Provide and secure the Service: authentication, hosting, storage, core features, fraud/abuse prevention, debugging, and incident response.
• Improve the Service: analytics (e.g., PostHog), A/B testing, product performance.
• AI-assisted features: analyze uploaded docs and public codes to produce summaries, classifications, feasibility checks, and related outputs.
• Customer support & operations: respond to inquiries, manage accounts, billing, and recordkeeping.
• Marketing (B2B): send newsletters or product updates (opt-out anytime).
• Legal compliance: tax, accounting, regulatory obligations.

6) AI and model use

We may send user content to Google Cloud Platform (e.g., Vertex AI) for AI processing. We configure vendors so prompts/outputs are not used to train their models.

We use customer data to improve and train models that power Permitify. Where feasible, we de-identify and/or aggregate data prior to training and apply technical/organizational safeguards. If your contract or law requires additional restrictions, contact us at founders@permitify.com.

AI outputs are informational only and are not legal, engineering, or planning advice; you must independently verify all outputs before relying on them.

7) Cookies and tracking

We use strictly necessary cookies (security, session) and analytics cookies/SDKs (PostHog).

We currently do not display a cookie banner.

Do Not Track / GPC: We honor recognized browser-level opt-out signals (e.g., Global Privacy Control) where required.

8) Marketing & advertising

We send B2B marketing emails; every message includes a one-click unsubscribe.

We may run retargeting/look-alike campaigns. Under certain state laws (e.g., CPRA), this can be considered "sharing" for cross-context behavioral advertising. You can opt out by enabling a recognized browser signal (e.g., GPC) and/or emailing founders@permitify.com with the subject "Do Not Share My Personal Information."

9) Service providers (subprocessors)

We use vetted service providers under data-processing terms:

• Amazon Web Services (AWS), US: hosting/infrastructure.
• Google Cloud Platform (GCP), US: AI and cloud compute.
• PostHog, US: product analytics.
• HighLevel, US: marketing automation/CRM.
• Stripe, US: payments processing.

We may update vendors as our stack evolves; material updates will be reflected in our subprocessors page or available on request.

10) How we share data

We share personal data only with:

• Service providers acting on our behalf (see above).
• Legal authorities when required by law, subpoena, or court order.
• Business transfers (e.g., merger, acquisition, financing) subject to this policy's protections.

We do not sell personal information. We may "share" limited data for cross-context behavioral advertising as noted in §8, with opt-out rights.

11) Data retention

We retain data only as long as needed for the purposes above, then delete or de-identify it.

• Account & profile: while your account is active + 24 months.
• Project content: while your subscription is active + 6 months (or sooner at your request), then deletion or archival in backups until standard rotation.
• Analytics & logs: 12–18 months (security logs may be kept up to 24 months).
• Support records: 24 months after closure.
• Billing records: as required by law (typically 7 years).

You can ask us to delete data sooner where legally permissible.

12) Security

We employ commercially reasonable technical and organizational measures, including:

• Encryption in transit (TLS) and at rest; key management.
• Access controls/least privilege; MFA/SSO for admin tools.
• Network security, vulnerability management, and regular backups.
• Subprocessor due diligence and data-processing agreements.
• Incident response and breach notification consistent with applicable law.

13) International data transfers

We're US-based. If you're in the EEA/UK, your data may be transferred to the US and other countries that may not provide the same level of protection. Where required, we rely on Standard Contractual Clauses/UK Addendum and additional safeguards.

14) Your privacy rights

Subject to your location and applicable law, you may have rights to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete your data.
• Portability (receive a copy in a portable format).
• Limit/opt out of certain processing (e.g., targeted advertising "sharing").
• Appeal a decision if we deny your request (where required).

How to exercise your rights: email founders@permitify.com or call (801) 701-3085.

We'll verify your identity and respond within the time required by law (usually 30–45 days). You may designate an authorized agent where permitted.

15) State-specific disclosures (US)

California (CCPA/CPRA): We do not "sell" personal information. We may "share" limited identifiers/usage data for cross-context behavioral advertising; you can opt out via GPC and/or by contacting us (see §8 & §14). We honor access, deletion, correction, and limit-use rights as applicable.

Colorado, Connecticut, Virginia, Utah: We support applicable rights to access, correction, deletion, portability, and opt-out of targeted advertising; submit requests per §14.

16) Children's privacy

Permitify is B2B and not intended for children. We do not knowingly collect personal information from individuals under 16. If you believe a child has provided data, contact us and we will delete it.

17) Third-party links

Our Service may link to third-party sites or services. Their privacy practices are governed by their own policies; please review them.

18) Changes to this policy

We may update this policy to reflect changes to our practices or applicable laws. We'll post updates here and, for material changes, notify account admins by email or in-app notice. The "Effective date" above shows when this policy last changed.

19) Contact us

Permitify, Inc.
Draper, Utah, USA
founders@permitify.com · (801) 701-3085