PRIVACY POLICY

GovernUp Solutions, LLC ("GovernUp," "we," "us") provides the Covenant community management platform. This Privacy Policy describes how we collect, use, disclose, and protect personal information in compliance with the Maryland Online Data Privacy Act (MODPA), California Consumer Privacy Act (CCPA), and General Data Protection Regulation (GDPR).

1. Information We Collect

We collect only the data reasonably necessary to provide and improve the Services. Categories include:

Account & Identity Data

• Name, email address, phone number, mailing address
• Password (stored as a bcrypt hash — we never store plaintext passwords)
• User role and board position within your community
• Emergency contact name and phone number

Household & Community Data

• Household member names and type (Adult, Senior, Child, Infant)
• Vehicle information: make, model, color, license plate number
• Pet information: name, type, breed
• Unit address, occupancy status, and unit role (owner, tenant, co-owner, spouse, roommate)
• Guest pass details you submit (guest name, phone, email, vehicle info, visit date)
• Move-in/move-out requests, including forwarding address and moving company details

Financial Data

• Payment card and billing details (processed securely via Stripe — we do not store full card numbers)
• Payment history, ledger entries, assessment balances, and payment method type
• Stripe customer and subscription identifiers linked to your account

Communications Data

• SMS messages sent to and received from the platform (content, phone number, timestamps)
• In-app messages and notification history
• Social feed posts, comments, likes, and forum contributions
• Announcement and event interaction data

Technical & Security Data

• IP address, browser type, device information, and user-agent string
• Session data: login timestamps, last-activity time, and session duration
• Security event logs: failed login attempts, account lockouts, and suspicious activity flags
• Audit trail: actions performed within the platform (e.g., document uploads, setting changes)

Location Data

• Community address data (city, state, ZIP) used for weather and geocoding services
• Browser geolocation coordinates, if you grant permission, for local weather display only — this data is not stored

2. AI Processing and Data Use

Covenant uses artificial intelligence powered by OpenAI (GPT-4o and GPT-4o-mini) to provide features including:

• Resident Advisor (community Q&A based on your governing documents)
• Document drafting, meeting minute summaries, and policy lookups
• CEO and board portfolio briefings with AI-generated commentary
• Suggested message replies for management teams

When you use AI features, your messages and relevant community documents (bylaws, CC&Rs, policies) are sent to OpenAI for processing. OpenAI's API does not use your data to train its models, per their data processing agreement.

All AI interactions are logged (your message, the AI response, model used, and confidence score) for quality assurance and safety. Low-confidence responses may be flagged for human review by your community manager. Communities may disable AI features at any time.

3. SMS and Email Communications

SMS (Text Messages): By providing your phone number and opting in to SMS notifications, you consent to receive text messages from the Covenant platform via Twilio. Messages may include community announcements, emergency alerts, maintenance updates, violation notices, and replies from management.

• Message frequency varies based on community activity.
• Message and data rates may apply depending on your carrier and plan.
• You may opt out at any time by replying STOP to any message or by updating your notification preferences in your account settings.
• Reply HELP for assistance.
• Inbound text messages you send to the platform number are recorded and visible to your community's management team.

Email: We send transactional emails for account activation, password resets, announcement notifications, emergency alerts, and community updates. You may manage email preferences in your notification settings.

Emergency Alerts: Messages classified as "emergency" priority are delivered across all channels (SMS, email, and in-app) regardless of your notification preferences, to ensure critical safety information reaches all residents.

4. Cookies and Session Management

We use a single essential cookie (covenant_token) to maintain your authenticated session. This cookie contains an encrypted JSON Web Token (JWT) with your user ID, role, and community context. It expires when your session ends or after 4 hours of inactivity.

We do not use third-party advertising cookies, tracking pixels, or analytics cookies. We do not participate in cross-site tracking.

5. How We Share Information

We do not sell your personal information. We share data only with:

• Service Providers:
  • Stripe — payment processing
  • Twilio — SMS messaging
  • OpenAI — AI-powered features
  • SendGrid / SMTP provider — email delivery
  • AWS S3 — document and file storage
  • Railway — application and database hosting
  • Vercel — frontend hosting
  • Open-Meteo — weather data and geocoding (receives community city/state/ZIP only)
• Community Leadership: Your HOA board, management company, and authorized community administrators have access to resident data, household information, financial records, and communications for governance and operational purposes. The scope of access depends on each user's role.
• Legal Requirements: When required by law, subpoena, or to protect our legal rights.

6. Data Access by Role

Covenant uses role-based access controls. The data visible to each user depends on their role:

• Residents see their own unit data, balances, documents, and community announcements.
• Board Members see community-wide metrics, financial summaries, and resident overviews for governance.
• Managers have full operational access to all community data, resident records, communications, and audit logs. Managers may oversee multiple communities.
• Platform Administrators have cross-community access for technical support, security audits, and platform maintenance. Administrative access is logged and follows the principle of least privilege.

7. Your Rights and Choices

Depending on your location (including Maryland and California), you have the right to:

• Access and Portability: Request a copy of your personal data in a machine-readable format.
• Correction: Request that we fix inaccurate or incomplete data.
• Deletion: Request removal of your personal data, subject to legal retention requirements and community governance obligations.
• Opt-Out of SMS: Reply STOP to any text message or adjust your notification preferences.
• Opt-Out of Non-Essential Emails: Manage email preferences in your account settings (transactional emails required for account security cannot be disabled).
• Do Not Sell: We do not sell personal information. No opt-out is necessary, but you may contact us to confirm.
• Sensitive Data Consent: We require affirmative, explicit consent before processing sensitive data.

To exercise any right, email support@governupsolutions.com. We will respond within 30 days.

8. Data Retention

• Account data: Retained while your account is active. Upon account deletion or community termination, personal data is removed within 30 days, except backups retained for up to 90 days.
• Financial records: Retained for 7 years as required by tax and accounting regulations.
• Communications (SMS, email, in-app): Message content is retained for the duration of your community membership. SMS records are retained for up to 3 years for compliance purposes.
• AI interaction logs: Retained for 2 years for quality assurance and safety review.
• Audit and security logs: Retained for 2 years.
• Documents: Retained until deleted by an authorized community administrator.

9. Children's Privacy

Covenant is not directed at children under 13. While household member profiles may include minors (for community directory purposes), we do not knowingly collect personal information directly from children under 13. Household member data for minors is submitted by their parent or guardian. If you believe a child has provided us personal data directly, contact us and we will delete it promptly.

10. Security

We protect your data using:

• TLS/HTTPS encryption for all data in transit
• AES-256 encryption for data at rest
• Bcrypt password hashing with salting
• Role-based access controls and least-privilege administrative access
• Automated brute-force detection and account lockout
• Security headers (HSTS, Content-Security-Policy, X-Frame-Options)
• Comprehensive audit logging of all administrative actions

We will notify you and applicable authorities of a confirmed data breach within 48 hours.

11. Third-Party Data (Guests)

When you submit a guest pass, you provide personal information about a third party (your guest). By submitting this data, you represent that you have the guest's consent to share their name, contact information, and vehicle details with the community for access control purposes. Guest data is retained only for the duration relevant to the visit.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via email or through the platform. Your continued use of the Services after an update constitutes acceptance of the revised policy.