Privacy Policy
Last updated May 19, 2026.
The short version: we collect your email so we can send you the digest, your payment info via Stripe so we can bill you, and a small amount of technical data so we don't get scraped or attacked. We don't sell any of it. To delete everything, email [email protected] and we'll get it done.
1. What we collect
| Data | Why | Where it lives |
|---|---|---|
| Email address | Account identity, digest delivery, magic-link login | Our database |
| Filter preferences (counties, trades, value range) | Choosing which permits to send you | Our database |
| Payment information (card details, billing address) | Charging your subscription | Stripe — we never see or store your card number directly |
| IP address & user agent | Rate limiting, abuse prevention, troubleshooting | Server logs, retained 30 days |
| Email engagement (opens, link clicks) | Detecting deliverability issues and removing inactive recipients | Our email-sending provider |
| Support correspondence | Replying to you | Our email inbox |
We do not collect: your location beyond IP-level granularity, contacts from your address book, anything from third-party data brokers, browsing activity outside our site, or device identifiers.
2. How we use it
- To deliver the digest to your inbox Tuesday through Saturday at 7 AM ET.
- To authenticate you when you log in via magic link.
- To charge you on the cadence you agreed to at signup.
- To respond when you email us, or send infrequent service notices (e.g. a price change, an extended outage).
- To protect the service — rate-limiting suspicious traffic, blocking abuse, debugging issues.
We do not use your data to train AI models. We do not use your data for advertising. We do not maintain a tracking pixel network or share data with ad platforms.
3. What we share
We share data only with the service providers we need to run the product:
- Stripe — payment processing.
- Our transactional email provider (a reputable mainstream sender, e.g. Postmark or Resend) — sending the digest and magic-link emails.
- Our hosting and database provider — running the application.
Each of these processes data on our behalf, under contract, and only as needed to provide their service. They are not allowed to use your data for any other purpose.
We do not sell your data. We will only disclose data to law enforcement under a valid legal request — and where we are not legally prohibited from doing so, we will notify you first.
4. Cookies
We use a small number of strictly necessary cookies for login session state. We do not use third-party analytics cookies, advertising cookies, or cross-site tracking. We do not display a cookie banner because we don't operate the kind of tracking that requires one.
5. Retention
- Account data (email, filters): retained while your account is active and for 60 days after cancellation, then deleted, unless we need to keep records longer to comply with tax or legal obligations.
- Billing records: retained as long as required by U.S. tax and accounting law (typically 7 years).
- Server logs: 30 days.
- Support emails: retained until manually archived or deleted.
6. Your rights
Regardless of where you live, you can:
- See the data we have on you — ask and we'll send it.
- Correct anything wrong — most of it you can update from your dashboard; for the rest, email us.
- Delete your account and associated personal data — we'll process the deletion within 30 days, retaining only what we're legally required to keep.
- Export your filter history and digest preferences in a machine-readable format on request.
If you're in a jurisdiction with specific data rights (California, EU, UK, Virginia, etc.), those rights apply, and the contact below is your route to exercise them.
7. Permit applicants and addresses
Our digest contains data about commercial permit applicants and project addresses, sourced from public county portals. We are not the original collector of that data, and the data is already publicly available. If you are a permit applicant and want your information handled differently, your route is the county that issued the permit, not us.
We expect subscribers to use that information for legitimate B2B outreach only, in compliance with applicable law. See section 6 of our Terms of Service.
8. Security
We use industry-standard practices: TLS in transit, encryption at rest where the platform supports it, hashed login tokens, no password storage, principle-of-least-privilege access by maintainers. We are a small operation and won't pretend to be SOC 2 certified — we're not. If you need that level of assurance, this product likely isn't the right fit yet.
9. Children
The service is for businesses. It is not directed to children under 13, and we do not knowingly collect data from anyone under 13. If you believe we have, email us and we'll delete it.
10. Changes
If we materially change this policy, we'll email active subscribers at least 30 days before the change takes effect.
11. Contact
For any privacy question, request, or complaint: [email protected]. A real human reads that inbox.