Privacy Policy

1. Introduction

Welcome to Well Kept. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our home management application.

2. Information We Collect

We collect the following types of information:

• Account Information: Email address, username, and securely hashed password for authentication.
• Home Data: Information about your home items, maintenance schedules, expenses, contractors, and renovation projects.
• Calendar Data: Appointments, maintenance schedules, and reminders you create within the app.
• Financial Information: Expense records, receipts, monthly bills, and Venmo usernames for payment facilitation. We do not store or process bank account numbers or credit card details directly.
• Third-Party Integration Data: Data from Google Calendar and other services you choose to connect.
• Usage Data: Internet Protocol (IP) address, browser type and version, device type, operating system, unique device identifiers, and device fingerprinting data for security verification.

3. How We Use Your Information

We use your information to:

• Provide and maintain the Well Kept application.
• Process and store your home management data securely.
• Send you notifications and reminders based on your preferences.
• Sync data with third-party services you authorize (Google Calendar, etc.).
• Generate AI-powered maintenance recommendations using Google Gemini.
• Process receipt uploads and expense tracking.
• Facilitate Venmo payment links for expense settlements.
• Send monthly reconciliation emails and expense summaries.
• Improve our services and develop new features.
• Ensure security and prevent fraud.

4. Data Storage and Security

We take data security seriously:

• Your data is stored securely using Supabase PostgreSQL database with enterprise-grade security.
• Passwords are encrypted using bcrypt hashing and never stored in plain text.
• Receipt images and documents are stored separately in Vercel Blob Storage with CDN delivery.
• All API communications use secure HTTPS protocols.
• Authentication uses industry-standard JWT tokens with automatic refresh.
• Row Level Security (RLS) ensures household data isolation.
• Regular automated database backups protect your data.

5. Third-Party Services

Well Kept integrates with the following third-party services. When you use these integrations, you are also subject to their respective privacy policies. We do not share more data than necessary with these services.

• Supabase (Database & Auth)Data Shared: All user account info, home data, and encrypted passwords.
  Reason: Primary database hosting and authentication handling.
  Retention: Data is retained until your account or specific records are deleted.
• Vercel (Hosting & Storage)Data Shared: Receipt images, documents, and application traffic logs.
  Reason: Storing uploaded files and hosting the web application.
  Retention: Files are retained until deleted by you; request logs are retained for up to 30 days.
• Resend (Email Service)Data Shared: Email address and content of notifications (e.g., "Bill Due").
  Retention: Logs and message content are retained for 30 days for delivery troubleshooting.
• Stripe (Payments)Data Shared: Payment amount, currency, and customer ID. Credit card details are entered directly into Stripe's secure element and never touch our servers.
  Retention: Transaction records are retained as required by financial regulations (typically 7 years).
• Venmo (Link generation)Data Shared: Only the Venmo username you provide is used to generate a deep link on your device.
  Retention: No transaction data is retained by our service; Venmo retains data per their policy.
• hCaptcha (Security)Data Shared: Mouse movements, scroll position, and browser interaction events during login/registration.
  Retention: Behavioral data is processed in real-time and not stored long-term; statistical data may be retained by hCaptcha.
• FingerprintJS (Device Security)Data Shared: Technical properties of your device (browser version, screen resolution, OS).
  Retention: Device identifiers are securely stored for security history; raw signal data is transient.
• Google Gemini (AI)Data Shared: Text descriptions of home items or maintenance tasks you submit for analysis.
  Retention: Data is retained by Google for 30 days to check for abuse and misuse, after which it is deleted. It is not used to train Google's AI models.
• Google Calendar & Outlook (Integrations)Data Shared: Event details (title, time, description) for items you explicitly choose to sync.
  Retention: Sync tokens are retained until you disconnect the integration; calendar events remain on your provider's servers.
• Sentry (Error Monitoring)Data Shared: Error reports, stack traces, performance traces, and anonymized user context (hashed user ID). Email addresses and other PII are explicitly scrubbed before transmission.
  Reason: Detecting and diagnosing application errors and performance issues.
  Retention: Event data is retained for 90 days.
• RevenueCat (iOS In-App Purchases)Data Shared: Purchase history, subscription status, and anonymized device identifiers used for purchase verification. Applies only to iOS app users.
  Reason: Managing and verifying in-app subscription purchases on iOS through the Apple App Store.
  Retention: Transaction records are retained per RevenueCat and Apple App Store policies.
• Apple Push Notification Service – APNs (iOS Notifications)Data Shared: Your device push token and notification content (title, body, and in-app action). Applies only to iOS app users who have granted notification permission.
  Reason: Delivering timely maintenance reminders and bill due alerts to your iOS device.
  Retention: Push tokens are stored until you revoke notification permission or uninstall the app; Apple does not retain notification content.

Google Limited Use Disclosure: Well Kept's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6. Data Sharing and Disclosure

We do not sell your personal data. We may share your information only in the following circumstances:

• With your explicit consent.
• With household members you invite to join your household.
• With third-party services you choose to integrate (e.g., Google Calendar) to fulfill specific features.
• To comply with legal obligations or respond to lawful requests.
• To protect our rights, privacy, safety, or property.
• In connection with a business transfer or merger.

California Residents: We do not sell or share your personal information for cross-context behavioral advertising purposes as defined under California law (CCPA/CPRA).

7. Your Rights and Choices

You have the following rights regarding your data:

• Access: View all your stored data at any time through the app.
• Update: Modify your information directly in the application.
• Delete: Remove your data by deleting items, expenses, or your entire account.
• Export: Download your data in JSON format for backup or migration (Pro feature).
• Disconnect: Revoke third-party integrations at any time through settings.
• Notification Preferences: Control email notifications and reminders for different event types.

8. Cookies and Tracking

Well Kept uses minimal cookies and local storage to:

• Maintain your secure login session with JWT tokens.
• Remember your preferences and settings.
• Cache data for better performance and offline functionality.
• Perform device fingerprinting for security verification.

We do not use third-party advertising cookies or tracking pixels. We do not sell your browsing data.

Do Not Track Signals: We do not support Do Not Track ("DNT"). Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked.

9. Data Retention

We retain your data for as long as your account is active or as needed to provide our services. You can delete your data at any time through the app. Activity logs may be retained for up to 90 days for security and operational purposes. Deleted receipt images are permanently removed from our blob storage.

10. International Transfer

Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to—and maintained on—computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer. Transfers are made under legally approved mechanisms, such as Standard Contractual Clauses, to ensure your data remains protected.

11. Children's Privacy

Well Kept is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately and we will take steps to remove that information. If a parent or guardian becomes aware that their child has provided us with personal information without their consent, they should contact us.

12. Changes to This Privacy Policy

We may update this privacy policy from time to time. We will notify you of any changes by posting the new privacy policy on this page and updating the "Last Updated" date at the top. For significant changes, we may send you an email notification. We encourage you to review this privacy policy periodically.

13. Contact Us

If you have any questions about this privacy policy or our data practices, please contact us:

• By Email: support@wellkeptapp.com