Privacy Policy
1. Overview
HOA Watch ("we", "us") is a service operated by HOA Watch, Inc., a Delaware corporation, that helps homeowners' association boards triage resident complaints and issues across multiple inbound channels. This policy describes what personal data we collect, how we use it, who we share it with, and the rights you have over it. It applies to everyone who interacts with the service — board members, residents, and anonymous portal submitters.
2. Information we collect
The data we collect depends on how you use HOA Watch.
- Board members — name, email address, your HOA affiliation and role, account activity in the app, and billing details (collected and stored by Stripe, our payment processor — we never see your full card number).
- Residents — name, email address, the HOA you belong to, address-verification information your board uses to approve your account, and the issues you submit.
- Anonymous portal submitters — the content of the issue you submit, an optional email address if you want a status update, and a one-time Cloudflare Turnstile token used only to confirm you are not a bot.
- Ingested content — when your HOA's board explicitly configures a source, we ingest posts, messages, and transcripts from that channel. Sources may include Facebook Group posts (via the official Facebook Pages API, with board OAuth consent — we do not scrape), SMS messages sent to the HOA's dedicated number, emails sent to the HOA's inbox, and voicemail transcripts. No source is enabled by default.
- Diagnostic data — server logs, request IDs, IP addresses, and error reports collected through Azure Monitor and Application Insights. We use these to keep the service running and to investigate abuse.
3. How we use it
- To provide the core service — receive issues, summarize them, route them to the right board members, and let your board triage them.
- To generate AI summaries and suggested actions via Azure OpenAI (model gpt-4o in centralus). Microsoft does not use your data to train the underlying models — this is contractual under our Azure OpenAI service terms.
- To bill board accounts and manage subscriptions (via Stripe).
- To send transactional notifications about activity in your HOA.
- To detect and prevent abuse, spam, and security incidents.
We do not sell personal data. We do not run advertising on HOA Watch and we do not share data with ad networks.
4. Who we share it with (sub-processors)
We use the following service providers to run HOA Watch. Each is bound by a written data-processing agreement.
- Microsoft Azure — hosting, database, queueing, storage, secrets, and serverless compute (US, centralus region).
- Microsoft Entra External ID — authentication for board members and residents.
- Azure OpenAI — AI classification and summarization (US, centralus).
- Stripe — billing and payment processing (board accounts only).
- Azure Communication Services — SMS ingest/delivery and transactional email.
- Cloudflare — Turnstile bot protection on the public portal, plus CDN.
- GitHub — source-code hosting and deployment automation. No customer data lives in GitHub.
See our Data Processing Addendum for the same list with the contractual context.
5. Data residency
All customer data is stored and processed in the United States (Microsoft Azure centralus region). If you are an EU or UK resident and sign up, your data will be transferred to the United States under Standard Contractual Clauses. We do not currently offer EU-region data residency.
6. Retention
While your HOA's subscription is active, issues, configurations, and audit logs are retained indefinitely so your board can pull historical records. When an HOA cancels, we enter a 30-day soft-delete grace period during which a board member can reactivate. After 30 days a background worker hard-deletes the HOA's data, including issues, attachments, and identities tied to that tenant. Stripe retains billing records under its own retention policy, which we cannot override.
7. Your rights
California residents (CCPA / CPRA). You have the right to know what we collect, to access and delete your data, to correct inaccuracies, and to opt out of any "sale" or "sharing" — which, for the record, we do not do. To exercise these rights, email legal@hoawatch.us.
Texas residents (TDPSA). The same rights are available to Texas residents under the Texas Data Privacy and Security Act.
EU / UK residents (GDPR / UK GDPR). You have the rights of access, rectification, erasure, restriction, portability, and objection. The lawful basis for processing is the contract between us, your consent (for optional channels like Facebook ingest), and our legitimate interest in running the service. Contact us at the email above to exercise any of these rights.
8. Cookies and Turnstile
The marketing site uses only essential first-party cookies. The application uses authentication cookies issued by Microsoft Entra External ID. The public portal loads Cloudflare Turnstile, which is designed to confirm you are human without tracking you across sites — Turnstile does not use behavioral fingerprinting in the way traditional CAPTCHAs do.
9. Children
HOA Watch is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has submitted information to us, please contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time. Material changes will be announced inside the application at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
Contact
Questions? Email legal@hoawatch.us.