What this notice covers
This notice describes how Summit Estate Management, LLC ("Summit Estate Management", "we", "us") collects, uses, and shares personal information when you use our property management platform ("Service"). If you have questions, write to demo@oakwright.co.
What we collect
- Account information. Your name, email, role (admin, manager, crew, owner), display name, optional phone, and an encrypted password hash. For owner accounts, optional mailing address, assistant contact details, and preferred contact method.
- Property information. Address, household contacts, vendor preferences, appliance inventory, access codes (encrypted at rest), photos, documents, service history, scheduled tasks, stays, walkthrough records, invoices.
- Operational data. Tickets you open or are assigned to, notes attached to those tickets, time stamps on actions you take.
- Security telemetry. Login attempts (success and failure) including IP address, MFA enrollment status, audit log entries for material actions you take. We do NOT log passwords, MFA secrets, or recovery codes.
- Operational usage telemetry. First-party page-view logs: which authenticated users navigate to which application routes, the role of the user, and whether the request came from a mobile or desktop user-agent. No third-party vendors or trackers are involved. The route pattern (e.g. /admin/properties) is recorded; the raw URL containing your specific record UUIDs is not. If your browser sends the Sec-GPC: 1 header (Global Privacy Control), nothing is recorded.
- Browser metadata. User agent string and IP address on each session, used for rate limiting and lockout enforcement.
- Feedback you submit through the in-app widget. Your name, role, the page URL you submitted from, your message, and an optional star rating.
What we do NOT collect
- We do not process credit card or banking information through this Service. Payments happen outside the platform.
- We do not collect SSNs or other government IDs in v1.
- We do not run third-party analytics, advertising pixels, or cross-site tracking.
- We do not sell or share personal information for cross-context behavioral advertising.
How we use the information
- To operate the Service: schedule visits, route tickets, generate invoices, send notifications.
- To secure the Service: enforce authentication, rate-limit brute-force attempts, audit privileged actions, investigate incidents.
- To improve the Service: review feedback you submit, identify bugs from error reports.
- To meet legal obligations: respond to lawful requests, enforce our Terms.
How we share it
Within Summit Estate Management: information is visible only to users in roles that need it. Owners see only their own properties and the documents marked client-facing. Crew see only tickets assigned to them and walkthrough checklists. Managers see their own portfolio. Admin sees everything.
Outside Summit Estate Management: we use a small set of service providers (the DigitalOcean droplet that hosts the platform; Cloudflare for DNS; observability tools when wired). These providers do not receive personal information beyond what is necessary to run the Service. We do not sell personal information.
How long we keep it
- Active account data. For as long as your account is active.
- Audit log. Append-only and retained for the life of the deployment, per security policy.
- Backups. 14 rolling daily snapshots on the production host. Weekly off-host copies (planned).
- Deleted records. Soft-deletion where applicable. Hard-delete on consumer-rights request within 45 days.
Your rights under California (CCPA / CPRA) and other state privacy laws
You have the right to:
- Know what we have collected about you (request a JSON export at /account/data-export when signed in).
- Correct inaccuracies (submit a correction request at /account/correction-request).
- Delete your personal information (submit a deletion request at /account/deletion-request; we fulfill within 45 days unless we have a legal obligation to retain).
- Opt out of any sale or sharing for cross-context behavioral advertising. We do not engage in either; see /do-not-sell.
- Limit use of sensitive personal information. Same.
Request acknowledgment: within 10 days of receipt. Request fulfillment: within 45 days. You can exercise these rights without retaliation. We do not require a paid account to access free rights.
Global Privacy Control (GPC)
We honor the GPC signal. If your browser sends Sec-GPC: 1, we treat that as a valid opt-out request for any data sale or sharing for advertising. Since we do not do either, the practical effect is that we set no non-essential cookies for your session.
Cookies
We use one strictly-necessary session cookie for authentication. No advertising cookies, no analytics cookies, no third-party trackers.
Security
We use bcrypt password hashing, optional TOTP multi-factor authentication (required for admin and manager roles), per-request CSP, HSTS, append-only audit logging, field-level encryption for property access codes, progressive login lockout, and nightly database backups. Full disclosure policy at /security.
Children
The Service is for adult business use. We do not knowingly collect personal information from children under 13.
Changes to this notice
We will update this notice when our practices change. The version line at the top of the page reflects the current effective date.
Contact
Summit Estate Management, LLC
120 Crestline Drive, Beacon Hollow, MT 59001
demo@oakwright.co
(555) 010-2200