Privacy Policy

Last Updated: April 17, 2026

1. Introduction

Quovio LLC (“Quovio,” “we,” “us,” “our”) operates the Quovio property management platform. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Service.

We are committed to responsible data practices, including full compliance with:

  • Washington State Privacy Act (WMYPA)
  • California Consumer Privacy Act (CCPA) / CPRA
  • California AB 325 (rental pricing data isolation)
  • Federal Fair Housing Act (data use in AI decision-making)
  • HUD 2024 Guidance on AI in residential housing

2. Data We Collect

2.1 Property Managers

  • Account information: name, email, phone, business name, professional credentials
  • Portfolio data: property addresses, unit details, lease terms, rent amounts, maintenance history
  • Payment information: billing details (processed by Stripe; we store only last 4 digits and card type)
  • KYC/identity verification data: government ID (processed by third-party KYC provider; not stored by us beyond verification status)
  • Usage data: feature usage, session logs, API calls

2.2 Landlords

  • Account information: name, email, phone
  • Financial information: bank account details for ACH rent collection (processed via Stripe Connect; we store only account metadata)
  • Property and portfolio data accessible through PM-managed relationship

2.3 Tenants

  • Contact information: phone number (required for SMS triage), email (optional)
  • Maintenance request data: description, photos, location within property
  • Communication history: all SMS and portal interactions with AI triage bot
  • SMS consent record: timestamp and method of consent (required by TCPA)
  • Application data (if applying for tenancy): income, employment, rental history (used only for the specific application; not shared across landlords)

2.4 Contractors

  • Account information: name, email, phone, business name
  • License and insurance information
  • Job history and performance data
  • Payment information for dispatch fee processing

2.5 Automatically Collected Data

  • Log data: IP addresses, browser type, pages visited, timestamps
  • Device information: device type, operating system, app version
  • Location data: GPS coordinates for contractor GPS verification (“On-Site” confirmation) — only collected when explicitly enabled by the contractor in the mobile app

2.6 Data We Do NOT Collect

  • Social Security Numbers (we do not store SSNs; KYC is handled by a certified third-party processor)
  • Full credit card numbers (Stripe tokenizes all payment data)
  • Biometric data beyond device-native authentication (FaceID/BiometricPrompt authenticate locally on-device)

3. How We Use Your Data

Purpose | Legal Basis | Data Used
Provide and operate the Service | Contract performance | All account and operational data
AI triage and work order routing | Contract performance | Tenant maintenance requests, property data
Compliance engine | Contract performance | Property jurisdiction, lease terms, rent history
Payment processing | Contract performance | Billing and banking data
Audit trail (immutable) | Legal obligation + contract | All AI actions, user actions
Fraud detection and security | Legitimate interest | Usage patterns, login data
Product improvement | Legitimate interest (anonymized only) | Aggregated, de-identified usage data
Legal compliance | Legal obligation | As required by applicable law

We do not use your data for advertising, sell it to data brokers, or share it with third-party marketers.

4. CA AB 325 — Data Isolation Commitment

California AB 325 (effective January 1, 2026) prohibits the use of algorithms that aggregate rental pricing data across multiple landlords to influence pricing or tenancy decisions.

Our commitment and technical implementation:

  • Every property record is scoped to a specific landlord. No query in our system aggregates pricing, maintenance cost, or tenancy data across different landlords’ portfolios.
  • Our AI pricing and cost prediction features use only per-property historical data and publicly available market data (HUD Fair Market Rents, Zillow Research API).
  • This isolation is enforced throughout our application layer with landlord-scoped data access controls on every request.
  • We will not build, and contractually prohibit third parties from building, cross-landlord aggregation features using our data.

5. Sharing Your Data

5.1 Service Providers (Processors)

We use vetted processors who are contractually bound to handle data only as directed:

  • Stripe — payment processing
  • Twilio — SMS delivery
  • Google Cloud Platform — infrastructure, hosting, database
  • DocuSign — e-signature processing
  • Brevo — transactional email
  • Sentry — error monitoring (anonymized crash data only)
  • KYC Provider — identity verification (PM and Contractor onboarding only)

5.2 Within the Platform

  • PMs can see all data for properties in their managed portfolio.
  • Landlords can see data for their own properties only — not other landlords’ data.
  • Tenants can see only their own requests and communications.
  • Contractors can see only jobs dispatched to them.

5.3 Legal Requirements

We may disclose data if required by law, court order, or to protect the rights, property, or safety of Quovio, our users, or the public.

5.4 Business Transfers

In connection with a merger, acquisition, or sale of assets, data may be transferred. We will notify affected users before their data is transferred and becomes subject to a different privacy policy.

5.5 We Do Not Sell Your Data

We do not sell, rent, or trade personal information to third parties for their own marketing or commercial purposes.

6. Data Retention

Data Type | Retention Period | Reason
Audit logs | 7 years minimum | Legal / regulatory compliance
Tenant communications | Duration of tenancy + 3 years | Landlord-tenant law requirements
Payment records | 7 years | Tax and financial regulations
Active account data | Duration of subscription + 90 days | Service continuity
KYC verification status | Duration of account | Compliance
Raw KYC documents | Not retained (processed by third party) | Privacy minimization
Application data (rejected) | 2 years | FCRA compliance
Location data (contractor GPS) | 90 days | Dispute resolution
SMS consent records | 7 years after opt-out or account deletion | TCPA compliance / litigation defense
SMS message logs | Duration of tenancy + 3 years | Landlord-tenant law / audit trail

You may request deletion of your data subject to legal retention requirements (see Section 9).

7. Security

We implement industry-standard security measures:

  • Encryption in transit: TLS 1.2+ for all data transmission
  • Encryption at rest: AES-256 for all data stored in Google Cloud SQL
  • Access control: Role-based access control (RBAC) with least-privilege principles
  • Authentication: JWT tokens stored in browser LocalStorage (web) and AsyncStorage (mobile) with configurable expiry; biometric authentication available in mobile app
  • Secrets management: All credentials and API keys stored in Google Cloud Secret Manager
  • Audit logging: Immutable audit trail of all AI actions and sensitive user actions stored in a tamper-evident append-only log
  • Vulnerability management: Dependency scanning via GitHub Dependabot; security patches applied promptly

We do not guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you as required by applicable law (within 72 hours to regulators where required; within a reasonable period to affected users).

8. Cookies and Tracking

Web Applications

We use:

  • Browser LocalStorage (authentication): Your JWT authentication token is stored in your browser's LocalStorage so you remain logged in across page refreshes. This data stays on your device and is never shared with third parties. Clearing your browser storage will log you out.
  • Browser LocalStorage (preferences): UI preferences (sidebar state, cookie consent choice) are stored locally on your device.
  • Error monitoring: Anonymized crash and error data is collected via Sentry only if you have consented to error tracking. No personally identifiable information is included in error reports.
  • Analytics: We do not use third-party advertising cookies or tracking pixels. Server-side logging only.

We do not use session cookies for authentication, and we do not use Google Analytics, Meta Pixel, or similar third-party tracking technologies.

Mobile Application

The mobile app stores your authentication token and preferences in device-local AsyncStorage. No advertising SDKs are used. Anonymized crash reporting is provided via Sentry, enabled only after you consent to error tracking in the app settings.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

All Users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Portability: Request your data in a structured, machine-readable format (within 30 days of account termination).
  • Withdraw consent: Where processing is based on consent (e.g., SMS marketing), withdraw at any time.

California Residents (CCPA/CPRA)

  • Right to know what personal information is collected and how it is used
  • Right to delete personal information (subject to retention obligations)
  • Right to opt out of sale of personal information (we do not sell data)
  • Right to non-discrimination for exercising privacy rights
  • Right to correct inaccurate personal information
  • Right to limit use and disclosure of sensitive personal information

Washington State Residents (WMYPA)

  • Right to access, correct, delete, and port personal data
  • Right to opt out of profiling that produces legal or similarly significant effects
  • Right to appeal our decisions regarding your privacy rights request

To exercise any of these rights, contact us at privacy@quovio.ai or through your account settings. We will respond within 45 days (extendable by 45 days with notice).

Identity verification: We may require verification of your identity before processing rights requests to protect against fraudulent requests.

10. Children's Privacy

The Service is not directed to individuals under 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected data from a minor, contact us immediately at privacy@quovio.ai and we will delete it promptly.

11. AI and Automated Decision-Making

11.1 What AI Does

Our AI system assists with: maintenance request categorization, work order priority scoring, compliance alerts, contractor matching, and maintenance cost prediction.

11.2 What AI Cannot Do

Per our system architecture and HUD 2024 guidance:

  • The AI cannot deny a rental application.
  • The AI cannot initiate eviction proceedings.
  • The AI cannot terminate a lease.
  • Any output that could constitute an adverse action under the Fair Housing Act requires human review by the Property Manager of Record before any communication to tenants.

11.3 Bias Testing

We are committed to bias testing our AI models against protected class proxies in compliance with the Fair Housing Act and HUD 2024 guidance prior to general availability. We will make bias testing a standard part of our model evaluation process before expanding to new markets or user segments.

11.4 Opt-Out of AI Triage

Tenants may opt out of AI-assisted communication and request direct human contact by replying HUMAN to any SMS from the platform, or by contacting their property manager directly.

12. SMS Communications and TCPA Compliance

Tenants receive recurring automated SMS messages related to:

  • Maintenance request confirmations and status updates
  • Work order assignment and completion notifications
  • Appointment and scheduling confirmations
  • Emergency property alerts
  • AI-assisted triage responses

Data collected: When you participate in our SMS program, we collect your mobile phone number, SMS consent record (timestamp, IP address, and method of consent), and the content of messages you send and receive through the program.

How SMS data is used: Your phone number and message data are used solely to deliver property management notifications, process maintenance requests, and provide service updates as described in this program. SMS data is not used for advertising or any purpose unrelated to the property management services you receive.

No mobile information collected as part of the Quovio SMS program will be shared with third parties or affiliates for marketing or promotional purposes. Mobile opt-in data, consent records, and phone numbers will not be shared with or sold to third parties for any purpose.

Consent: SMS communications require prior express written consent, recorded at the time of onboarding via the Tenant Portal consent flow, text-in opt-in, or as part of a lease agreement that includes SMS communication consent. Consent is not a condition of any purchase, service, or tenancy.

Opt-Out: Reply STOP, CANCEL, QUIT, UNSUBSCRIBE, or END at any time to stop all SMS messages. You will receive a one-time confirmation. Text START to re-subscribe. Reply HELP for assistance or contact support@quovio.ai / (989) 886-9966. Message and data rates may apply.

SMS data deletion: You may request deletion of your SMS consent records and message history by contacting privacy@quovio.ai. Upon processing your request, we will delete your SMS consent data and message content, except where retention is required for legal compliance (see Section 6). Deletion of SMS consent records will be treated as an opt-out from future SMS communications.

Program: Quovio — Property Management Notifications. Message frequency varies (typically 2–10 per month). For full SMS terms, see our SMS Messaging Terms of Service.

13. International Data Transfers

Our Service is operated from the United States. If you are located outside the US, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer. We ensure appropriate safeguards are in place for any international transfers.

14. Changes to This Policy

We will notify you of material changes via email or in-app notification at least 30 days before changes take effect. The “Last Updated” date at the top reflects the most recent revision. Your continued use after the effective date constitutes acceptance.

15. Contact Us

For privacy inquiries, rights requests, or concerns:

  • Email: privacy@quovio.ai
  • Legal inquiries: legal@quovio.ai
  • Security vulnerabilities: security@quovio.ai

Quovio LLC — 522 W Riverside Ave #6202, Spokane, WA 99201 — https://quovio.ai

For unresolved complaints, Washington residents may contact the Washington State Attorney General's Office. California residents may contact the California Privacy Protection Agency (CPPA).