Privacy Policy

Effective date: April 16, 2026

1. Who we are

Communities (“Communities,” “we,” “our,” or “us”) is an AI-native HOA management platform operated by Stellar Rentals LLC (doing business as “Communities”), a Delaware limited liability company. We operate the website and application at aiforhoa.com and any related subdomains (collectively, the “Service”).

This Privacy Policy explains what information we collect, how we use and share it, how long we keep it, and the choices you have. It applies to visitors to our public site, board members who create HOA workspaces, residents who register for a resident portal, and anyone who uses one of our free tools (the CC&R Health Check, Manager Comparison Calculator, Resident Handbook Generator, Manager Breakup Kit, or Instant Board Packet).

Questions about this policy or requests concerning your data can be sent to rentstellar@gmail.com.

2. Information we collect

We collect only what is necessary to provide the Service. The categories below describe every class of data we touch.

a. Information you provide

  • HOA governing documents. CC&Rs, bylaws, rules, architectural guidelines, meeting minutes, and any other PDFs you upload. We extract text, chunk it, and generate vector embeddings so the AI concierge can answer questions grounded in your documents.
  • Board workspace data. HOA name, address, home count, community code, optional referral slug, reserve-fund balance, and other metadata about your community.
  • Board member profile. Name, email address, role (owner, admin, member), invite history, and onboarding-wizard progress state.
  • Resident account. If you sign up through the resident portal, we store your name, email, and the community code you used to join. One authenticated user maps to exactly one community.
  • Violation reports. Property address, description of the alleged violation, optional photographs you upload, and (optional) your email address if you want updates. Anonymous reports are allowed. See Section 11 regarding photographs of people or private property.
  • Financial records. Budget lines, expenses, vendor names, receipts (uploaded images or PDFs), assessment definitions, and related metadata. We do not currently process credit-card numbers or bank account numbers; payment integration is not yet live.
  • Board packet inputs. Meeting month, prior action items, upcoming agenda items, and any notes you paste into the generator.
  • Free-tool inputs. Information you type into the Manager Comparison Calculator (current manager name, monthly fee, home count, state), the Manager Breakup Kit (HOA name, state, current manager, renewal date), or the CC&R Health Check and Resident Handbook Generator (the document you upload and the email address you use to unlock the result).
  • Lead and waitlist submissions. Name, email, HOA name, and any note you leave when you request a demo, pilot, or feature-upgrade waitlist spot.
  • Chat and Q&A content. Questions you ask the bylaw concierge and the answers we return. Chats are stored to power rate-limiting, shared session links, and product improvement.
  • Support communications. If you email us, we retain the correspondence and any attachments you include.

b. Information collected automatically

  • Device and log data. IP address, user agent, timestamps, referring URL, and request path. We use this data for security, rate limiting, debugging, and abuse prevention.
  • Analytics events. Page views, feature interactions, and high-signal product events (for example, sign_up_completed, violation_submitted, board_packet_generated). We collect these through PostHog in both the browser and server runtimes. Events are attached to a pseudonymous user id; we do not sell or cross-pollinate this data with ad networks.
  • Rate-limit counters. Upstash Redis stores short-lived counters keyed to IP addresses and document IDs. Records expire automatically (typically within 24 hours).
  • Error reports. If Sentry is enabled in production, unhandled errors from the browser and server runtimes — including the URL, the authenticated user id (if any), and a stack trace — are sent to Sentry for debugging.
  • Cookies and local storage. We use functional cookies for authentication (Supabase session cookies), and analytics cookies for PostHog. We do not use advertising or cross-site tracking cookies. See Section 13.

3. How we use your information

  • Operate the Service and answer your queries against your own documents.
  • Generate AI artifacts you request — violation notices, board packets, resident handbooks, CC&R health checks, Manager Breakup Kit letters, and Manager Comparison reports.
  • Authenticate users, enforce role-based access to HOA workspaces, and route resident signups to the correct community via community code.
  • Send transactional email: account confirmations, board invites, accepted-invite notifications, violation notices that a board approves for delivery to a resident, and (when enabled) a weekly activity digest to board members.
  • Secure the Service: rate limiting, abuse detection, application logging, and incident response.
  • Analyze aggregate product usage to improve features and prioritize the roadmap. This analysis uses PostHog event data in a de-identified form wherever possible.
  • Respond to support requests and comply with legal obligations.

We do not sell or rent your personal information. We do not share HOA governing documents or Q&A content with any third party other than the infrastructure sub-processors listed in Section 5. We do not authorize our AI providers to use your inputs or outputs to train their foundation models; see Section 6.

4. Legal bases for processing (EU/UK/EEA residents)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following bases under the GDPR / UK GDPR:

  • Performance of a contract — to provide the Service you signed up for.
  • Legitimate interests — to secure, improve, and analyze the Service.
  • Consent — for optional marketing emails or analytics cookies where required.
  • Legal obligation — to comply with applicable law.

Communities is based in the United States. By using the Service, you consent to your data being transferred to and processed in the United States. See Section 16.

5. Service providers and sub-processors

We rely on the following vendors to host, store, process, and transmit data on our behalf. Each is bound by its own privacy terms and, where applicable, a Data Processing Addendum.

  • Vercel Inc. — web hosting, serverless functions, edge CDN, and Vercel Blob storage (uploaded PDFs, violation photos, receipt images).
  • Supabase, Inc. — managed Postgres database, authentication, and row-level security enforcement.
  • OpenAI, L.L.C. — large-language-model inference (chat completions) and text embeddings for document retrieval. API usage is sent through OpenAI’s API tier; per OpenAI’s policies at time of writing, API inputs and outputs are not used to train OpenAI’s models and are retained for up to 30 days for abuse monitoring.
  • Anthropic, PBC — if enabled, Claude-family models for AI inference on the same terms as described above.
  • Resend, Inc. — transactional email delivery (invites, violation notices, lead notifications, weekly digests).
  • PostHog Inc. — product analytics, including page views and server events.
  • Upstash, Inc. — Redis used for short-lived rate-limit counters.
  • Functional Software, Inc. (Sentry) — error monitoring and performance tracing, when enabled.

We will update this list as we onboard or retire sub-processors. Material changes will be surfaced through the change notice described in Section 17.

6. AI processing

When you ask the bylaw concierge a question, we send your question along with the most relevant snippets of your own governing documents to our AI provider (OpenAI, and optionally Anthropic). The provider returns a generated answer, which we display to you and store in our database.

Under our current API agreements with these providers:

  • Your inputs and the model’s outputs are not used to train or fine-tune the providers’ foundation models.
  • Providers retain inputs and outputs for a limited time for abuse and safety monitoring only.
  • Providers act as data processors and are subject to contractual confidentiality obligations.

AI outputs may contain errors or hallucinations. We describe the limits of those outputs in our Terms of Service. Please review the Terms before relying on any AI-generated document or letter.

7. Data retention

Retention varies by data category. We hold data no longer than needed for the purpose for which it was collected or as required by law.

  • Anonymous demo uploads. Documents uploaded through the public bylaw concierge without an account are retained for up to 30 days and are purged thereafter.
  • Board workspace data. Retained for as long as your board account is active, plus a short archive window after deletion in case of accidental removal.
  • Resident portal data. Retained while your resident account is active. You can request deletion at any time.
  • Free-tool submissions. Inputs and outputs from the CC&R Health Check, Manager Comparison, Resident Handbook, Manager Breakup Kit, and Instant Board Packet are retained so your shareable URL continues to work. You may request deletion at any time.
  • Lead and waitlist entries. Retained until you ask us to delete them or until they are manually cleared after we determine we will not follow up.
  • Log and rate-limit data. Short-lived: typically purged within 24 hours (rate-limit counters) to 90 days (application logs).
  • Backups. Encrypted backups may retain deleted data for up to 30 days before they roll over.

When you delete your account or ask us to delete your data, we delete or irreversibly anonymize it within 30 days, except where law requires longer retention (e.g., tax, accounting, or law-enforcement holds).

8. Security

We implement administrative, technical, and organizational measures designed to protect your information. These include encryption in transit (TLS) and at rest (provider-managed), row-level security policies in our database, scoped service credentials, least-privilege access, and rate limiting on public endpoints. No system is perfectly secure; we cannot guarantee absolute security.

If we become aware of a security incident that materially affects your personal information, we will notify affected users and relevant regulators without undue delay and in accordance with applicable law.

9. Your rights

Depending on where you live, you may have one or more of the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate or incomplete data.
  • Deletion — ask us to delete your data, subject to legal retention obligations.
  • Portability — receive your data in a portable format.
  • Objection / restriction — ask us to stop or limit certain processing.
  • Withdraw consent — where processing is based on consent.
  • Complain — lodge a complaint with your local data-protection authority.

To exercise any of these rights, email rentstellar@gmail.com. We will respond within 30 days (or 45 days in certain California cases, with notice of the extension). We may ask you to verify your identity before acting on a request.

We will not discriminate against you — for example, by degrading your service level — for exercising any privacy right.

10. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you specific rights, including the rights listed in Section 9 and the right to limit the use and disclosure of your sensitive personal information.

We do not sell your personal information as that term is defined by the CCPA, and we do not share it for cross-context behavioral advertising. We therefore do not offer a “Do Not Sell or Share My Personal Information” toggle, but you may still contact us at any time to exercise your rights.

The categories of personal information we collect, the purposes for which we use them, and the categories of third-party recipients are described in Sections 2, 3, and 5 of this policy.

11. Photographs and third-party information in uploads

Residents and board members may upload photographs and documents that contain information about other people (neighbors, homeowners, vendors). You are responsible for ensuring that you have the right to upload such content. Do not upload photographs taken inside a private residence without the resident’s permission, and do not upload images whose primary subject is a person’s face unless you have a reasonable basis for doing so (for example, documenting an unsafe act).

If you are the subject of a photograph or description in a violation report and would like it removed, contact rentstellar@gmail.com. We will investigate and remove content that violates this policy or applicable law.

12. Children’s privacy

The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.

13. Cookies and similar technologies

We use two kinds of cookies and browser storage:

  • Functional — required for authentication, remembering your preferences, and keeping your session alive. Disabling these will break sign-in and the dashboard.
  • Analytics — PostHog cookies used to distinguish anonymous visitors for aggregate metrics. You can disable analytics cookies in your browser without breaking the Service.

We do not use advertising cookies, cross-site tracking cookies, or session-replay tools that record keystrokes.

14. Links to other sites

The Service may link to third-party websites, including state HOA statutes, vendor directories, and payment processors. We are not responsible for the privacy practices or content of those sites. Review their privacy policies before sharing information with them.

15. Marketing and transactional email

We send transactional email (invites, notices, digests) tied to actions you or your HOA take. These are essential to the Service. Where we send optional marketing email — product updates, onboarding tips, occasional newsletters — every message includes an unsubscribe link. Unsubscribing does not stop transactional email.

16. International data transfers

We store and process data in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. Where required, we rely on appropriate safeguards such as the Standard Contractual Clauses and supplementary technical measures.

17. Changes to this policy

We may update this policy as the product evolves. Material changes will be communicated through the Service or by email to registered users at least 14 days before they take effect (except where a shorter notice period is required by law). The effective date at the top of this page always reflects the most recent version.

18. Contact

For privacy questions, data-subject requests, or to report a suspected security incident:

Stellar Rentals LLC (d/b/a Communities)
Attn: Privacy
rentstellar@gmail.com