Privacy Policy

HOAfy, Inc. ("HOAfy," "we," "us," "our") is committed to protecting your privacy and providing transparent information about how we collect, use, and safeguard your personal information. This Privacy Policy describes our practices in connection with the HOAfy website at https://www.hoafy.com and the HOAfy platform and services (collectively, the "Services").

By accessing or using our Services, you consent to the collection and handling practices described in this policy. If you do not agree with this Privacy Policy, please do not use the Services.

1. Our Role — Processor vs. Controller

HOAfy primarily collects and processes personal information as a data processor (service provider) on behalf of homeowners associations and property management companies (collectively, "Clients"). Our Clients are the data controllers who determine the purpose and means of collecting and using personal information.

When you interact with the HOAfy website (e.g., requesting a demo, subscribing to our newsletter, or contacting us), HOAfy acts as the data controller for the information you provide directly to us.

2. Information We Collect

Information You Provide

Account information: Name, email address, phone number, mailing address, and role within your association.
Payment information: Credit card or bank account details processed securely through our payment processor (Stripe). HOAfy does not store full payment card numbers on its servers.
Community data: Association name, addresses, unit information, governing documents, financial records, meeting minutes, and other association-related content uploaded by Clients or their Authorized Users.
Communications: Messages, emails, comments, and other content you send through the Services or to our support team.

Information Collected Automatically

Usage data: Pages visited, features used, click patterns, session duration, and referring URLs.
Device information: IP address, browser type and version, operating system, device type, and screen resolution.
Cookies and similar technologies: We use cookies, web beacons, and similar technologies to operate the Services, analyze usage, and personalize your experience. See Section 9 for more details.

Information from Third Parties

We may receive information about you from third parties, including your HOA or property management company, payment processors, and analytics services.

3. How We Use Your Information

We use the information we collect to:

Provide, operate, maintain, and improve the Services;
Process payments and manage billing;
Send transactional communications (account confirmations, invoices, security alerts, support messages);
Send marketing communications with your consent (you can opt out at any time);
Respond to your inquiries and support requests;
Analyze usage patterns to improve the Services and develop new features;
Detect, prevent, and address fraud, security issues, and technical problems;
Comply with legal obligations and enforce our Terms of Service.

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following limited circumstances:

Service providers: We share information with trusted third-party vendors who help us operate the Services (e.g., payment processing, cloud hosting, email delivery, analytics). These providers are contractually obligated to protect your data and use it only for the services they provide to us.
Your HOA or property manager: If you are a homeowner or resident, the information you provide may be accessible to your association's board members or property manager through the Services.
Legal requirements: We may disclose information to comply with applicable law, legal process, or government request, or to protect the rights, property, or safety of HOAfy, our users, or the public.
Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change.
Aggregated data: We may share anonymized, aggregated data that cannot be used to identify you for analytics, research, and benchmarking purposes.

5. Bank Account Connections via Plaid

HOAfy uses Plaid Inc. ("Plaid") to enable homeowners associations and property managers to securely connect an association's bank account to the Services so that HOAfy can retrieve transaction and balance information for accounting, reconciliation, and financial reporting. Plaid is used for read-only access to association banking data; HOAfy does not use Plaid to initiate payments or transfers. By using the Services to link a financial account, you authorize HOAfy to transmit your information to Plaid and authorize Plaid to access and transmit information about the account to and from your financial institution.

Payments to and from HOAfy (such as HOA dues, special assessments, and refunds) are processed separately by our payment processor, Stripe. See Section 5A below for information about Stripe.

Information Plaid Collects and Shares

When you connect a bank or financial account, Plaid collects and shares with HOAfy information necessary to provide the connection and related services, which may include:

Account credentials and authentication tokens provided to or generated by Plaid to authorize access to your financial institution. HOAfy does not see or store your online banking username or password — these are entered directly into Plaid's secure interface.
Account and routing numbers for the account you choose to link.
Account balances, including current and available balances.
Transaction history (date, amount, description, category, and counterparty information).
Account holder identity information, such as name, address, email, and phone number associated with the financial account.
Account metadata, such as account type (checking, savings), institution name, and account nickname.

How HOAfy Uses Information Received from Plaid

We use information obtained through Plaid solely for the purposes of providing and improving the Services, including:

Importing and reconciling association bank transactions and balances against the HOAfy ledger and accounting records;
Producing financial reports, budgets, and audit trails for board members and property managers;
Verifying account ownership and detecting potential fraud, duplicate entries, or unauthorized activity in the linked account;
Displaying account information you have chosen to share within your HOAfy account;
Complying with applicable financial, anti-fraud, and anti-money-laundering obligations.

We do not use information received from Plaid for advertising purposes, and we do not sell this information.

Plaid's Role and Privacy Policy

Plaid acts as an independent data controller with respect to its own collection and use of your information. Plaid's collection, use, storage, and disclosure of your information is governed by the Plaid End User Privacy Policy. By using the Services to link a financial account, you acknowledge and agree to Plaid's End User Privacy Policy.

Your Choices and Controls

Connection is optional. Linking a financial account through Plaid is voluntary. You can use many features of the Services without connecting a bank account, although some payment features will not be available.
Disconnect at any time. You may disconnect a linked account from within the HOAfy application. Disconnecting instructs HOAfy to stop accessing the account through Plaid.
Manage your data with Plaid. You may also manage connections, view connected applications, and request deletion of data Plaid holds about you through Plaid Portal.
Questions about Plaid's practices. For questions specifically regarding Plaid's handling of your information, contact Plaid at privacy@plaid.com or review the Plaid End User Privacy Policy linked above.

5A. Payment Processing via Stripe

HOAfy uses Stripe, Inc. ("Stripe") as its payment processor for collecting HOA dues, special assessments, and other association charges, and for issuing refunds. When you make or receive a payment through the Services, your payment information is transmitted to and processed by Stripe.

Information Stripe Collects

Depending on the payment method you choose, Stripe may collect and process:

Card details (card number, expiration date, CVC) for credit and debit card payments;
Bank account and routing numbers for ACH payments;
Billing information such as name, billing address, email, and phone number;
Transaction details such as amount, currency, date, and the association the payment relates to;
Device and risk signals Stripe uses to detect and prevent fraud.

Card numbers and full bank account credentials are entered directly into Stripe-hosted payment fields and are not stored on HOAfy servers. HOAfy receives only a tokenized reference and limited metadata (e.g., last four digits, card brand, payment status) needed to display and reconcile the payment.

How HOAfy Uses Information from Stripe

Processing payments and refunds and recording them in the HOAfy ledger;
Generating receipts, invoices, and payment history for residents, board members, and property managers;
Detecting and preventing payment fraud, chargebacks, and duplicate transactions;
Complying with financial record-keeping, tax, and anti-money-laundering obligations.

Stripe's Role and Privacy Policy

Stripe acts as an independent data controller with respect to its own collection and use of your payment information. Stripe is a PCI DSS Level 1 service provider; HOAfy operates under PCI DSS SAQ A scope, meaning HOAfy never receives or stores full card numbers. Stripe's collection, use, and disclosure of your information is governed by the Stripe Privacy Policy. By making or receiving a payment through the Services, you acknowledge and agree to Stripe's Privacy Policy.

6. Data Retention

We retain your personal information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. When a Subscriber cancels their account, User Data is preserved for 30 days, after which it may be permanently deleted.

Website visitor data (such as analytics and cookie data) is typically retained for up to 26 months.

7. Data Security

We implement industry-standard security measures to protect your information, including:

Encryption of data in transit (TLS/SSL) and at rest (AES-256);
Access controls and role-based permissions;
Regular security assessments and vulnerability testing;
Secure cloud infrastructure hosted on Amazon Web Services (AWS);
Incident response procedures for data breaches.

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. If we become aware of a security breach that affects your personal information, we will notify you and the appropriate authorities as required by law.

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

Access: Request a copy of the personal information we hold about you.
Correction: Request correction of inaccurate or incomplete information.
Deletion: Request deletion of your personal information, subject to legal and contractual obligations.
Portability: Request a copy of your data in a portable, machine-readable format.
Opt out: Opt out of marketing communications at any time by clicking the "unsubscribe" link in any email or by contacting us.
Restrict processing: Request that we limit how we use your information in certain circumstances.

If your data is processed by HOAfy on behalf of your HOA or property manager (i.e., HOAfy is acting as a data processor), please direct your request to your HOA or property manager first. We will assist them in fulfilling your request.

To exercise any of these rights, contact us. We will respond to verified requests within 45 days.

9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

The right to know what personal information is collected, used, shared, or sold;
The right to delete personal information held by us;
The right to opt out of the sale of personal information — we do not sell personal information;
The right to non-discrimination for exercising your privacy rights.

To submit a CCPA request, contact us.

10. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

Essential cookies: Required for the Services to function properly (e.g., authentication, security).
Analytics cookies: Help us understand how visitors use the website and improve our Services.
Preference cookies: Remember your settings and preferences.

You can control cookies through your browser settings. Disabling cookies may affect the functionality of the Services.

We do not currently respond to "Do Not Track" signals, as there is no industry-standard method for honoring these requests.

11. Children's Privacy

The Services are not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately and we will take steps to delete such information.

12. Third-Party Links

The Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal information.

13. International Data Transfers

Your information may be stored and processed in the United States or other countries where our service providers operate. By using the Services, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective Date" at the top of this page and, where appropriate, notify you by email or through the Services. Your continued use of the Services after changes are posted constitutes your acceptance of the updated policy.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us: