Legal
Privacy Policy
Last updated: April 2026
1. Introduction
Provelo (“we,” “our,” “us”) operates the commercial lease intelligence platform at provelo.app. This Privacy Policy describes how we collect, use, store, and protect your information when you use our platform and services. By using Provelo, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
Account Information
Name, email address, company name, and profile information provided during registration or through third-party authentication (Google OAuth).
Lease Documents and Data
Lease agreements, amendments, commencement letters, CAM reconciliation statements, rent rolls, and other commercial real estate documents you upload for AI-powered analysis. This data belongs to you.
AI Interaction Data
Questions you ask through the lease chat, AI-generated responses, risk scores, CAM audit findings, dispute letter content, and lease summaries. These are generated from your documents and belong to you.
Payment Information
Payment details are processed and stored by Stripe, our payment processor. We do not store credit card numbers or bank account details on our servers. We receive only confirmation of payment status and basic billing information (email, subscription tier, payment dates).
Usage Data
We collect information about how you interact with the platform, including pages visited, features used, documents uploaded, AI queries made, and session duration, to improve our services.
Device and Technical Data
IP address, browser type and version, operating system, device type, referring URLs, and access timestamps.
3. How We Use Your Information
We use your information to:
- Provide and maintain the Provelo platform and your account
- Process uploaded documents using AI (Anthropic’s Claude) to extract lease data, generate risk scores, identify billing errors, and answer lease-related questions
- Generate CAM audit reports, dispute letters, and lease comparisons you request
- Process subscription payments through Stripe
- Send transactional emails (account verification, password resets, critical date reminders)
- Improve platform functionality, accuracy of AI outputs, and user experience
- Monitor for security threats and prevent unauthorized access
- Comply with legal obligations
We do NOT use your information to:
- Sell or rent your personal information or lease data to third parties
- Use your uploaded documents or lease data to train AI models
- Share your lease data with landlords, property managers, or any third party
- Send marketing communications without your consent
- Profile you for advertising purposes
- Make automated decisions that produce legal or similarly significant effects without human review
4. AI Processing and Document Analysis
Provelo uses Anthropic’s Claude AI to analyze uploaded lease documents. When you upload a document and use AI features:
- The document content is sent to Anthropic’s API for processing
- Anthropic does NOT use API data to train its AI models (per Anthropic’s commercial API terms and their Usage Policy)
- Anthropic retains API inputs and outputs for up to 30 days for trust and safety monitoring, after which they are automatically deleted
- AI-generated outputs (lease summaries, risk scores, CAM findings, chat responses, dispute letters) are provided for informational purposes only and must be independently verified by qualified professionals
- All AI outputs include a disclaimer: “AI-Generated Analysis — Not Legal Advice — Review with Qualified Professional Before Use”
IMPORTANT: AI-generated lease analysis, risk scores, and dispute letters may contain errors or inaccuracies. You must verify all AI outputs with qualified legal and financial professionals before relying on them for any business decision, negotiation, or legal proceeding.
5. Data Storage and Security
- All data is stored in Supabase’s cloud infrastructure (hosted on AWS) with encryption at rest (AES-256) and in transit (TLS 1.2+)
- Database access is protected by Row Level Security (RLS) policies ensuring users can only access their own data
- Authentication is handled through Supabase Auth with industry-standard protocols (OAuth 2.0, bcrypt password hashing)
- Password changes require email verification — passwords cannot be changed from within the app
- File uploads (lease PDFs) are stored in isolated, access-controlled Supabase Storage buckets
- We implement rate limiting on AI endpoints to prevent abuse
- Document uploads are validated for file type, size, and content to prevent malicious uploads
- We conduct regular security reviews of our codebase and infrastructure
6. Data Sharing and Sub-Processors
We share data with the following service providers who assist in delivering our platform:
| Sub-Processor | Purpose | Data Processed |
|---|---|---|
| Supabase | Database, authentication, file storage | All platform data |
| Anthropic (Claude API) | AI document analysis, chat, risk scoring | Uploaded document content, user queries |
| Stripe | Payment processing | Payment and billing information |
| OAuth authentication | Name, email, profile photo | |
| Vercel | Application hosting | Usage data, session data |
All sub-processors are located in the United States. We do not sell, rent, trade, or otherwise share your personal information or lease data with third parties for their own marketing or commercial purposes.
We may disclose your information if required by law, subpoena, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others. We will notify you of such requests unless legally prohibited from doing so.
7. Data Retention
- Account data: Retained for the duration of your account. Upon account deletion, your data enters a 30-day retention window and is then permanently purged
- Lease documents and analysis: Retained until you delete them individually or close your account
- Uploaded documents: Retained until you delete them or close your account. Files are removed from storage when documents are deleted
- Payment records: Payment data is stored by Stripe. Transaction records are retained by Stripe for 7 years per tax and financial regulations
- Usage and technical data: Retained for 24 months, then automatically purged
- AI processing logs (at Anthropic): Retained by Anthropic for a maximum of 30 days per their commercial API terms, after which they are automatically deleted. Provelo does not retain copies of AI processing logs
Upon account deletion, ALL of your data — including uploaded documents, AI-generated analyses, chat history, risk scores, and personal information — is permanently and irrecoverably deleted within 30 days. During that window recovery is possible by contacting support; after 30 days deletion is final.
8. Your Rights
All Users
- Access your personal data — view your profile, leases, and activity in the platform
- Export your data — download all your data including uploaded documents, AI-generated analyses, lease summaries, risk scores, and account information (self-service data export available in Settings)
- Correct inaccurate data — edit your profile and lease information directly in the platform
- Delete your account and all associated data — available in Settings
- Delete uploaded documents — delete individual documents or all documents at once
- Opt out of AI processing — you may choose not to use AI features; however, core platform functionality relies on AI analysis
European Economic Area (GDPR)
- Right to data portability — receive your data in a structured, commonly used, machine-readable format
- Right to restrict processing
- Right to object to processing
- Right to lodge a complaint with a supervisory authority
- Right to be informed about automated decision-making
- Legal basis for processing: contract performance (providing the service), legitimate interest (security, improvement), consent (marketing communications)
California (CCPA/CPRA)
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your rights
- Right to correct inaccurate personal information
- Right to limit use and disclosure of sensitive personal information
Other U.S. States
Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, Rhode Island, and Kentucky may have additional rights under their respective state privacy laws. We honor all applicable state privacy rights. Contact privacy@provelo.app for assistance.
For any requests that cannot be handled through the platform’s self-service tools, contact us at privacy@provelo.app. We will respond within 30 days (or sooner if required by applicable law).
9. International Data Transfers
Provelo is based in the United States. If you access our platform from outside the United States, your information will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework to ensure adequate protection for international data transfers.
10. Cookies and Tracking
We use essential cookies for authentication and session management. We do not use third-party advertising cookies, tracking pixels, or retargeting technologies. We do not participate in cross-site tracking or ad networks. Analytics, if used, are anonymized and used solely to improve platform functionality.
11. Data Breach Notification
In the event of a data breach affecting your personal information, we will:
- Investigate and contain the breach promptly
- Notify affected users within 30 days of discovery (or sooner if required by applicable state law)
- Notify applicable state attorneys general as required by law
- Provide information about the nature of the breach, the data affected, and steps you can take to protect yourself
- Take reasonable steps to prevent future breaches
12. Children’s Privacy
Provelo is designed for business professionals and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected personal information from a child under 18, we will delete it promptly.
13. Do Not Track / Global Privacy Control
We honor Global Privacy Control (GPC) signals. When we detect a GPC signal from your browser, we treat it as a valid opt-out request under applicable state laws. We do not sell personal information and do not engage in cross-context behavioral advertising, so GPC signals do not change our default behavior.
14. Account Cancellation and Data Export
If your subscription is canceled or expires:
- Your account enters a 30-day grace period during which you retain read-only access to your data
- During this period you can view leases, download documents, and export your data
- You may resubscribe at any time during the grace period to restore full access
- After the grace period expires, your account is scheduled for deletion following the standard 30-day retention window described in Section 7
15. Business Transfers
If Provelo is acquired, merged, or sells assets, your data may be transferred to the acquiring entity. We will notify you before your data becomes subject to a different privacy policy.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-Platform notification at least 30 days before taking effect. We will post the updated policy on this page and update the “Last Updated” date. Continued use of the platform after changes constitutes acceptance of the updated policy.
17. Contact Us
For privacy-related inquiries or to exercise your data rights:
Email: privacy@provelo.app
Website: provelo.app
For general questions:
Email: support@provelo.app