Privacy Policy
Last Updated: December 5, 2025
Effective Date: December 5, 2025
ResourcefulAI LLC ("Company," "we," "us," or "our") operates the AI Damage Report Generator service at https://app.resourcefulai.org (the "Service"). This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with these practices, do not use the Service.
1. Information We Collect
1.1 Information You Provide Directly
We collect the following categories of information that you provide:
- Account Information: Name, email address, phone number, company name, business address — used for account creation, authentication, and communications
- Billing Information: Payment card details (processed by Stripe), billing address, transaction history — used for payment processing, invoicing, and subscription management
- Property Data: Property addresses, claim numbers, dates of loss, policy numbers, client names — used for report generation and record keeping
- Uploaded Content: Photographs, images, documents related to property damage — used for AI analysis and report generation
- Communications: Support requests, emails, feedback, survey responses — used for customer support and service improvement
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, click patterns, session duration, report generation activity
- Device Information: Browser type and version, operating system, device type, screen resolution
- Network Information: IP address, approximate location (city/region level), internet service provider
- Log Data: Access times, error logs, referral URLs, API calls
1.3 Cookies and Similar Technologies
We use the following types of cookies:
- Essential Cookies: Authentication, session management, security (duration: session or up to 30 days)
- Preference Cookies: Remember your settings and preferences (duration: up to 1 year)
- Analytics Cookies: Understand how users interact with the Service (duration: up to 2 years)
We do NOT use: Third-party advertising cookies, cross-site tracking cookies, or social media tracking pixels.
You can disable cookies in your browser settings. Disabling essential cookies may prevent you from using the Service.
1.4 Information We Do NOT Collect
- Social Security numbers
- Driver's license numbers
- Biometric identifiers (we do not extract or store biometric data from photos)
- Protected health information (PHI) as defined by HIPAA
- Financial account numbers (payment data is processed directly by Stripe)
Important Note on Photos: While uploaded photos may incidentally contain images of people, we do not use facial recognition technology, extract biometric identifiers, or process photos for any purpose other than property damage assessment.
2. How We Use Your Information
2.1 Primary Uses
- Provide, maintain, and improve the Service
- Process uploaded photos through AI analysis
- Generate property damage reports
- Process payments and manage subscriptions
- Send transactional communications (receipts, account updates)
- Respond to support requests
- Detect, prevent, and address fraud and security issues
- Comply with legal obligations
2.2 What We Do NOT Do
- Sell your personal information to third parties
- Use your photos for AI training without explicit consent
- Share your data with advertisers
- Create consumer profiles for marketing purposes
- Make automated decisions that produce legal effects without human review
3. How We Share Your Information
3.1 Third-Party Service Providers
We share information with service providers who assist in operating the Service:
- Anthropic (Claude AI): Uploaded photos (temporarily during processing) for AI-powered damage analysis. See: Anthropic Privacy Policy
- Amazon Web Services (AWS): Photos, reports, account data for cloud storage and hosting (S3, EC2). See: AWS Privacy Policy
- Stripe: Payment information, billing address, email for payment processing. See: Stripe Privacy Policy
- MongoDB: Account data, reports, usage data for database services. See: MongoDB Privacy Policy
All service providers are bound by data processing agreements that require them to process data only as instructed by us, implement appropriate security measures, delete data upon termination of services, and not use data for their own purposes.
3.2 Legal Disclosures
We may disclose your information if required by law or in response to:
- Valid legal process (subpoenas, court orders, warrants)
- Government requests with proper legal authority
- Enforcement of our Terms of Service
- Protection of our rights, property, or safety
- Protection of users or the public from harm
We will notify you of legal requests for your data unless prohibited by law or court order.
3.3 Business Transfers
If ResourcefulAI LLC is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Service before your information becomes subject to a different privacy policy.
4. Data Retention
- Account Information: Duration of account + 30 days after deletion
- Uploaded Photos: 2 years from upload date, or until you delete them
- Generated Reports: 2 years from generation date, or until you delete them
- Payment Records: 7 years (tax and legal compliance)
- Usage Logs: 90 days
- Support Communications: 3 years
Upon account deletion:
- Active data is deleted within 30 days
- Backups containing your data are purged within 90 days
- Anonymized, aggregated data may be retained indefinitely
5. Data Security
5.1 Technical Measures
- Encryption in Transit: TLS 1.3 for all connections
- Encryption at Rest: AES-256 for stored data
- Password Security: Bcrypt hashing with salt
- Access Controls: Role-based access, principle of least privilege
- Infrastructure Security: AWS security groups, VPC isolation
- Monitoring: Automated threat detection, audit logging
5.2 Security Limitations
No system is 100% secure. While we implement industry-standard protections, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.
5.3 Data Breach Notification
In the event of a data breach affecting your personal information, we will:
- Notify affected users within 72 hours of discovery (where feasible)
- Notify relevant supervisory authorities as required by law
- Provide information about the breach and steps to protect yourself
- Document the breach and remediation measures
6. Your Privacy Rights
6.1 Rights for All Users
- Access: Request a copy of your personal data
- Correction: Update inaccurate or incomplete information
- Deletion: Request deletion of your data
- Portability: Download your data in a machine-readable format
- Opt-Out: Unsubscribe from marketing communications
How to Exercise: Settings → Export Data or Delete Account, or email privacy@resourcefulai.org
Response Time: We will respond to verifiable requests within 30 days. Complex requests may take up to 45 days with notice.
6.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights:
- Right to Know: Categories and specific pieces of personal information collected, sources, purposes, and third parties with whom we share
- Right to Delete: Request deletion of your personal information, subject to certain exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell personal information or share it for cross-context behavioral advertising. No opt-out is necessary.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those permitted by the CPRA
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
Verification: We will verify your identity before fulfilling requests by confirming account ownership via email.
Authorized Agents: You may designate an authorized agent to make requests on your behalf with proper verification.
6.3 European Economic Area, UK, and Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, you have the following additional rights:
Legal Bases for Processing:
- Contract: Processing necessary to provide the Service you requested
- Legitimate Interests: Processing for our legitimate business interests (e.g., security, improvement)
- Consent: Where you have given explicit consent
- Legal Obligation: Where processing is required by law
Your GDPR Rights:
- Access: Obtain confirmation of processing and a copy of your data
- Rectification: Correct inaccurate or incomplete data
- Erasure ("Right to be Forgotten"): Delete your data in certain circumstances
- Restriction: Restrict processing in certain circumstances
- Portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time (without affecting prior processing)
- Lodge Complaint: File a complaint with your local supervisory authority
Data Protection Contact: For GDPR-related inquiries, contact privacy@resourcefulai.org
Response Time: We will respond to GDPR requests within 30 days, extendable by 60 days for complex requests with notice.
6.4 Other Jurisdictions
- Brazil (LGPD): Brazilian users have similar rights to those under GDPR, including access, correction, deletion, portability, and information about sharing.
- Canada (PIPEDA): Canadian users may access and correct their personal information and withdraw consent to processing.
- Nevada: Nevada residents may opt out of the sale of personal information. We do not sell personal information.
- Virginia, Colorado, Connecticut: Residents of these states have rights similar to those under the CCPA. We do not engage in targeted advertising or sale of data.
7. International Data Transfers
Your data may be transferred to and processed in the United States, where our servers are located.
Transfer Mechanisms: For transfers from the EEA, UK, or Switzerland to the United States, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) for UK transfers
- Supplementary measures as needed based on transfer impact assessments
We currently store all data in AWS us-east-1 (N. Virginia). Contact us if you require information about data localization options.
8. Data Processing Agreement
Business customers who require a Data Processing Agreement (DPA) for compliance purposes may request one by contacting legal@resourcefulai.org. Our DPA includes Standard Contractual Clauses, technical and organizational security measures, sub-processor list, and data breach notification procedures.
9. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.
If we discover that we have collected personal information from a child under 18, we will delete that information immediately. If you believe we have collected information from a child, please contact us at privacy@resourcefulai.org.
10. Do Not Track Signals
Some browsers have a "Do Not Track" (DNT) feature. Our Service does not currently respond to DNT signals because there is no industry standard for DNT. We do not track users across third-party websites.
11. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be effective when posted.
For material changes, we will:
- Update the "Last Updated" date at the top
- Notify you by email at least 30 days before changes take effect
- Display a prominent notice in the Service
Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you must stop using the Service and delete your account.
13. AI and Automated Processing
Our Service uses artificial intelligence (Claude by Anthropic) to analyze uploaded photos and generate reports. This automated processing:
- Does not make decisions that produce legal effects on you
- Does not result in profiling for marketing purposes
- Is subject to human oversight and review by you (the user)
You have the right to request human review of any AI-generated output.
Photo Processing Disclosure
When you upload photos:
- Photos are uploaded to AWS S3 (encrypted storage)
- Photos are sent to Anthropic's Claude API for analysis
- Claude processes photos and returns analysis text
- Analysis is stored in our database
- You can delete photos at any time
Anthropic's data handling: Per Anthropic's API terms, uploaded photos are not used to train AI models and are deleted after processing.
14. Contact Information
For privacy-related questions, requests, or complaints:
- Email: privacy@resourcefulai.org
- Company: ResourcefulAI LLC
Response Time: We aim to respond to all inquiries within 5 business days.
attorney for legal advice specific to your situation.
© 2025 ResourcefulAI LLC. All rights reserved.