Privacy Policy

We collect the minimum information needed to run a property management service: who you are, what organization you belong to, the property records you enter, and what you do in the app so we can keep it working. We do not sell your data. We do not run third-party advertising trackers. Payment card numbers are handled by Stripe and never touch our servers.

Account information. Your name, email, organization name, and role. Created when you sign up or are invited.

Authentication credentials. A bcrypt hash of your password. We never store passwords in plain text and we cannot recover them; resets generate a new hash.

Payment information. When you subscribe, your billing details (card number, expiration, billing address) are submitted directly to Stripe and stored on their systems. We receive a Stripe customer ID, the subscription status, the last four digits of the card, and invoice metadata. We never see or store full card numbers.

Property and financial data. The records you create in the app: properties, parcel IDs, bills, vendors, contracts, tenants, leases, assessments, protests, documents, and so on. This is your business data; we hold it on your behalf.

Uploaded documents. Files you attach to records (appraisal notices, contracts, photos, COIs) are stored in encrypted object storage and scoped to your organization.

Usage and diagnostic data. Server logs (request paths, response codes, timestamps, IP addresses) for security and debugging. Error reports captured by Sentry when something breaks, including stack traces and the user or organization context at the time of the error. We do not run third-party advertising or behavioral analytics.

Cookies. A session cookie to keep you signed in (essential) and a theme-preference cookie so the app loads in your chosen light or dark mode (essential). No third-party tracking cookies, no advertising pixels.

We use the information we collect to:

• Provide, operate, and maintain the service.
• Bill subscriptions and process payments through Stripe.
• Send transactional email (account confirmations, billing receipts, alerts you have configured in the app).
• Detect, investigate, and prevent security incidents, fraud, and abuse.
• Diagnose errors and improve the product. Diagnostic data may be aggregated and anonymized for product analytics.
• Comply with legal obligations.

We do not sell personal information, and we do not share it with third parties for their own marketing.

To run the service we rely on a small set of vendors. Each one processes a defined slice of data on our behalf under a data processing agreement.

We will update this list as the subprocessor set changes. We may also disclose information when required by law, court order, or to protect the rights, safety, or property of Miskari, our users, or the public.

Each organization's records are isolated at the database row level using PostgreSQL row-level security (RLS), with the organization identifier enforced on every read and write. Files in object storage are namespaced by organization ID and access is authorized per request.

Connections to the application are served over TLS. Database storage is encrypted at rest by the database provider. Passwords are stored as bcrypt hashes. We rate-limit sensitive endpoints (login, signup, uploads) to deter abuse.

We keep your data while your subscription is active. If you cancel, we retain it for 90 days afterward so that you can reactivate or export it. After that window, we delete it from our active systems.

Backups may retain copies for a further 30 days as part of normal disaster-recovery rotation, after which those backups are overwritten. We may retain limited records longer if required by law (for example, tax and invoicing records).

You can:

• Access the personal information we hold about you by viewing your account in the app.
• Correct inaccurate information through your account settings or by contacting us.
• Export your data using the in-app export features (Excel, PDF, ICS, and JSON exports are available for most modules).
• Delete your account and request deletion of the associated data, subject to records we are required to retain.
• Object or restrict processing in some circumstances, and lodge a complaint with your local data protection authority.

To exercise any of these rights, email privacy@miskari.com. We will respond within 30 days and may ask for verification before acting on requests that affect account data.

If you are a California resident, you have the rights described above plus the right to know the categories of personal information we collect, the right to request deletion, and the right not to be discriminated against for exercising these rights. We do not sell or "share" (as those terms are defined under California law) personal information.

If you are in the EEA, the UK, or Switzerland, our legal bases for processing are: performance of the contract (delivering the subscribed service), legitimate interests (security, fraud prevention, product improvement), consent (where required, for example for non-essential cookies - which we do not currently set), and legal obligation.

For the rights described above, you may contact privacy@miskari.com. You can also lodge a complaint with your national supervisory authority. For data transfers outside the EEA we rely on Standard Contractual Clauses or equivalent safeguards with subprocessors.

We work hard to protect your data, including:

• TLS encryption for all traffic.
• Encryption at rest for the database and object storage, provided by our infrastructure vendors.
• Row-level security policies in PostgreSQL that enforce multi-tenant isolation at the database engine.
• bcrypt password hashing with a high work factor.
• Rate limiting on authentication and other sensitive endpoints.
• Regular automated backups with disaster-recovery procedures.
• Audit logging of sensitive mutations.
• Same-origin request checks and modern HTTP security headers.

No system is perfectly secure. If we become aware of a personal data breach that is likely to affect you, we will notify you and the relevant authorities without undue delay, and in any event within 72 hours of confirmation where required by law.

The service is intended for business use and is not directed to children. We do not knowingly collect personal information from anyone under 13 years of age. If you believe a child has provided information to us, contact privacy@miskari.com and we will delete it.

We may update this policy from time to time. For material changes we will notify you by email or by an in-app notice before the changes take effect. The "Last updated" date at the top of this page always reflects the current version.

For any privacy question, request, or concern, write to privacy@miskari.com.