Privacy Policy

1. Information we collect

Account information

When you create an account, we collect your email address and name (if provided). Authentication is handled by Clerk; please review Clerk’s Privacy Policy for how they process credentials.

Billing information

Payment is processed by Stripe. We do not store your card number, CVV, or full bank details. We retain a Stripe customer ID linking your account to your Stripe billing record, plus billing-state metadata (current balance, free reports remaining, transaction history). See Stripe’s Privacy Policy for what they collect.

API keys and usage logs

We store SHA-256 hashes of your API keys (never the plaintext) and metadata such as label, environment (live/test), creation date, and last-used timestamp. For each API request we log the endpoint, HTTP status, latency, billable units, originating IP address, and User-Agent string. We use these logs for billing, abuse detection, and performance monitoring.

Property data you submit

When you call the API or run a report from the dashboard, you provide property addresses and optional fields (acreage, listing price, county, lat/lng, ZIP, metadata). We store these inputs alongside the generated report so you can fetch it later.

Property addresses are not personally identifiable information about you, but they may identify the parcel’s owner via public records. You are responsible for ensuring you have the right to query addresses you submit.

Webhook URLs

If you configure a webhook URL we store it (as configured) and use it to deliver event payloads. We deliver only to public HTTPS URLs and validate that target hostnames do not resolve to private/loopback IPs.

Cookies and similar technologies

AcreLens uses session cookies (set by Clerk) to maintain your authenticated state in the dashboard. We use first-party analytics cookies (Vercel Analytics) for aggregate traffic measurement. We do not use third-party advertising cookies, cross-site tracking, or marketing pixels.

2. How we use information

We use the information we collect to:

• Provide, maintain, and improve the Services.
• Generate and deliver reports in response to your API and dashboard requests.
• Bill your account for usage and process top-ups.
• Detect and prevent abuse, fraud, and security incidents (including unauthorized API key usage).
• Send transactional notifications (e.g. failed payments, security alerts).
• Comply with legal obligations.

We do not sell personal information. We do not use your inputs or outputs to train AI models marketed to other customers.

3. Subprocessors and third-party recipients

AcreLens uses the following subprocessors to deliver the Services. Each receives only the information necessary for its function.

• Clerk — account authentication and session management. Receives email, name, and authentication events.
• Stripe — payment processing. Receives billing identifiers and amounts; AcreLens does not transmit card data.
• Anthropic — AI analysis (Claude models). Receives the property metadata + intermediate research findings required to generate the report narrative. Anthropic does not retain customer prompts for model training when accessed through the standard API.
• OpenAI — fallback AI provider. Same data flow as Anthropic; used only when Anthropic is unavailable.
• Perplexity — real-time web research for county and access analysis. Receives the county/state context plus the question being researched.
• Geocodio — address geocoding. Receives the property address.
• Vercel — application hosting and edge delivery. Receives all HTTP traffic to acrelens.com.
• Inngest — background job processing. Holds report-generation event metadata while jobs execute.
• Sentry — error monitoring. Receives error stack traces and request context (with PII headers like authorization scrubbed before transmission).
• Public data APIs (NREL PVWatts, USGS Water Services / OGC API, FEMA NFHL) — one-way reads. AcreLens sends a coordinate or bounding box; these services do not receive your identity.

We may share information with law enforcement or regulators where required by valid legal process, or to investigate fraud or security incidents. Where possible, we will notify the affected user.

4. Data retention

• Account records: kept while your account is active and for a reasonable period after closure for billing and audit purposes.
• Reports: kept indefinitely so you can retrieve them, unless you request deletion.
• API request logs: retained for up to 12 months for security and billing investigation, then aggregated and de-identified.
• Webhook delivery records: retained for 90 days after the final attempt.
• Idempotency cache: 24 hours.

On account closure or upon a verified deletion request, we delete or de-identify your personal information except where retention is required by law (e.g. tax records).

5. Your rights

Access, correction, deletion

You may access and update most account information through the dashboard. To request a copy of your data or to delete your account, email support@acrelens.com from the email on file. We will respond within 30 days.

Residents of the EU/EEA, UK, and Switzerland (GDPR)

If you are in a region governed by GDPR or equivalent law, you have rights to access, rectify, erase, restrict processing, port your data, and object to processing. You may also lodge a complaint with your local data-protection authority. Our legal basis for processing is contract performance (delivering the Services you requested) and legitimate interest (security and fraud prevention).

Residents of California (CCPA/CPRA)

If you are a California resident, you have rights to know, delete, correct, and opt-out of the sale or sharing of personal information. AcreLens does not sell or share personal information for cross-context behavioral advertising. To exercise your rights, email support@acrelens.com.

6. International data transfers

AcreLens is operated from the United States. If you are located outside the US, your data will be transferred to and processed in the US and other countries where our subprocessors operate. By using the Services, you consent to these transfers. Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms with our subprocessors.

7. Children’s privacy

AcreLens is not directed to individuals under 18 and we do not knowingly collect personal information from children. If you believe a minor has created an account, contact us at support@acrelens.com and we will delete the account.

8. Security

We use industry-standard practices to protect your information, including TLS in transit, encryption at rest for sensitive fields, SHA-256 hashing of API keys, HMAC-SHA256-signed webhook deliveries, SSRF protection on outbound webhook calls, and access controls on our production systems. No system is perfectly secure; if you suspect your account has been compromised, contact us immediately.

9. Changes to this Policy

We may update this Policy. Material changes will be announced via email to your account’s primary address and posted to this page with an updated “Last updated” date. Your continued use of the Services after the effective date of a change constitutes acceptance.

10. Contact

Questions, requests, or complaints about this Policy? Email support@acrelens.com.