Privacy Policy
This Privacy Policy explains how Building Status NYC ("we", "us") collects, uses, shares, and protects information when you use buildingstatusnyc.com.
Plain English. Short paragraphs. Skim the headings; read the sections that matter to you.
1. Who we are
Building Status NYC is an independent, US-based service operated out of New York. We are not affiliated with the City of New York or any NYC agency. See Data Sources for the public-records we surface.
Contact us any time:
- Privacy:
privacy@buildingstatusnyc.com - Security:
security@buildingstatusnyc.com - Accessibility:
accessibility@buildingstatusnyc.com
2. Data we collect
2.1 Account data
- Email address (required to create an account)
- Name, display name, role (landlord / filing rep / property manager / other)
- Phone number (optional — only if you opt in to SMS alerts or use phone for 2FA)
- Profile timezone
- Authentication state (sessions, verification timestamps) — stored via
better-auth
2.2 Payment data
We use Stripe to process payments. Your card number, expiration, and CVC go directly to Stripe over TLS. We never see, store, or log your full card number. We keep a Stripe customer ID, a subscription ID, a masked last-4, and invoice history to run your account.
2.3 Usage and analytics
- Pages you visit and features you use
- Search queries (building addresses, BINs, BBLs)
- Events such as "viewed violation detail", "saved a building", "exported a report"
- Performance telemetry (response times, error counts)
2.4 Device and network
- IP address
- User-agent, browser, OS, viewport (useful for debugging)
- Approximate location inferred from IP (country and US state)
2.5 User-contributed entries
Building Status NYC lets you add buildings, permits, licenses, and notes on top of city-sourced data. If you upload a document (for example, a permit PDF or license certificate), we store it in private object storage on Vercel Blob. See ADR 0005 for the product model.
2.6 Communications
If you email support, we keep the email thread so we can pick up where you left off. If you opt in to alerts or marketing, we keep opt-in timestamps, IP, and user-agent — these are required by the TCPA and CAN-SPAM Act for us to prove consent.
2.7 Cookies
See the Cookies Policy. Short version: essential cookies always on, analytics cookies gated on consent in the EU, UK, and California.
3. How we use your data
We use your data to:
- Provide the service you signed up for (contract basis — GDPR Article 6(1)(b))
- Keep the service secure and detect fraud or abuse (legitimate interest — GDPR Article 6(1)(f))
- Bill you, recover failed payments, and prevent chargeback fraud (contract + legitimate interest)
- Send you transactional email (account confirmations, billing receipts, security alerts) — required for the service
- Send you product updates and educational content (consent — you can opt out any time)
- Measure and improve product performance (legitimate interest; analytics in the EU/UK/CA gated on consent)
- Comply with law
We do not use your data to train general-purpose models. We do not sell your data.
4. Legal bases under GDPR
Even though Building Status NYC is a US-focused service, if you are in the EEA or the UK, our legal bases are:
- Contract (Art. 6(1)(b)) — to deliver the service and manage your account
- Consent (Art. 6(1)(a)) — marketing email, SMS, analytics cookies where required, and any optional features you turn on
- Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, defending claims, product analytics where consent is not required
- Legal obligation (Art. 6(1)(c)) — tax records, consent audit trails (TCPA), and responding to lawful process
You can withdraw consent at any time without affecting processing that already happened.
5. How we share your data
We share your data only with service providers who help us run the product, and only to the extent they need it. We do not sell your data.
5.1 Service providers
| Vendor | Purpose | Data categories |
|---|---|---|
| Neon (Postgres) | Primary database hosting | Account, billing, user-contributed entries |
| Vercel | Web hosting, edge network, object storage (Blob), product analytics (Vercel Analytics) | All request data; uploaded files |
| Stripe | Payment processing, subscription billing, tax calculation | Payment credentials, billing address, invoice history |
| Amazon Web Services (SES) | Transactional and marketing email delivery | Email address, email content |
| Twilio | SMS alert delivery and OTP for phone verification | Phone number, SMS body | | Sentry | Error monitoring | Error traces, IP (scrubbed of PII where possible), user ID | | PostHog | Product analytics | Anonymized event data, user ID (hashed), IP (truncated) | | Inngest | Background job orchestration (email sends, alert polling, DSAR processing) | Whatever the specific job needs | | Upstash (Redis) | Rate limiting and short-lived caching | IP, user ID, rate-limit counters | | Cloudflare (if applicable, via Vercel edge) | Bot detection, DDoS protection | Request metadata |
Each vendor has its own privacy and security practices. We enter into data-processing agreements with them and limit them to acting on our documented instructions.
5.2 NYC data sourced via LeadMatch
The NYC violation, permit, complaint, and building data we display is sourced from our ingestion partner, LeadMatch. LeadMatch fetches public records from NYC Open Data (and a small set of NYC agency web pages) and stores them in a Postgres database that we query read-only.
Tenant personal information — names, phone numbers, email addresses, and complaint narrative text that may contain personal information — is redacted at ingest, in LeadMatch, before it is ever visible to Building Status NYC. Our application never receives, stores, or displays that information.
LeadMatch is invisible infrastructure; you have no separate account or contract with LeadMatch. We are responsible to you for what Building Status NYC displays.
5.3 Legal process
We may share information when we are legally required to (subpoena, court order, regulatory request), or when we in good faith believe disclosure is needed to prevent fraud, protect someone's safety, or enforce the Terms. Where the law permits, we will tell you first.
5.4 Business transfers
If we are acquired, merged, or go through bankruptcy, your data may transfer with the business. Any successor will be bound by a privacy policy no less protective than this one, or we will give you notice and a chance to delete your data first.
5.5 No sale, no "share" for cross-context advertising
We do not sell your personal information for money or other consideration, and we do not share it for cross-context behavioral advertising, as those terms are defined in the CCPA / CPRA. See Section 10 for your California rights.
6. Cookies and tracking
See the full Cookies Policy. Our cookie banner asks for consent where required (EU, UK, California). Essential cookies (session, CSRF, theme) run without consent because the service cannot function without them.
7. Data retention
| Category | How long we keep it |
|---|---|
| Account data | Until you delete your account, plus 30 days (soft-delete grace period), then purged |
| User-contributed entries | Until you delete them or delete your account |
| Payment records, invoices | 7 years (tax and accounting requirements) |
| Consent audit trail (TCPA, CAN-SPAM) | 4 years after revocation, per TCPA limitations period |
| Server logs | 90 days, then deleted or aggregated |
| Analytics (event-level) | 12 months |
| Security and fraud investigation records | As long as reasonably needed to investigate or defend a claim |
8. Your rights
Depending on where you live, you have some or all of these rights:
- Access — ask what we have on you
- Correction — ask us to fix inaccurate info
- Deletion — ask us to erase your data (subject to legal holds)
- Portability — get a copy of your data in a machine-readable format
- Objection / restriction — tell us to stop or limit certain processing
- Opt out of "sale" or "share" (California / other US states with similar laws)
- Do Not Sell or Share My Personal Information — we already don't sell, but you can set the signal in your profile
- Withdraw consent — for marketing email, SMS, and non-essential cookies
8.1 How to exercise
- Self-serve:
/dashboard/settings→ Privacy → Export my data / Delete my account / Do Not Sell - Email:
privacy@buildingstatusnyc.comwith the subject "Privacy request"
We respond within 30 days (45 days with notice in complex cases). We may need to verify your identity before we act; for California requests we follow CCPA verification standards.
8.2 Appeals
If we deny your request and you live in a state that requires an appeals process (e.g., Colorado, Virginia), email privacy@buildingstatusnyc.com with "Privacy appeal" in the subject and we will review.
9. California-specific rights (CCPA / CPRA)
If you are a California resident:
- Right to know the categories and specific pieces of personal information we have collected in the past 12 months, the sources, the purposes, and the categories of third parties we shared it with
- Right to correct inaccurate personal information
- Right to delete your personal information, subject to legal exceptions
- Right to opt out of sale or sharing — we do not sell or share for cross-context ads; the setting is available anyway in
/dashboard/settings - Right to limit the use of sensitive personal information (we do not currently use sensitive PI for secondary purposes beyond providing the service)
- Right to non-discrimination for exercising any right
Financial incentives. We do not offer a price or service difference conditioned on your personal information, and we do not operate a loyalty or rewards program.
Sensitive personal information. We may collect your phone number (for 2FA and SMS alerts) and precise city/state from your IP. We use these only to provide the service, secure it, and bill you.
Authorized agents. You may designate an agent to make a request. We will verify the agent and you before acting.
10. NY SHIELD Act
We maintain reasonable administrative, technical, and physical safeguards for New York residents' private information under the NY SHIELD Act. See Section 13 for our security practices. If we have a qualifying breach, we will notify affected New York residents and the NY Attorney General as required by law.
11. GDPR baseline (EU / UK visitors)
The service is designed for US users. If you live in the EEA, UK, or Switzerland and use the service anyway, this policy applies to you, and you may contact us at privacy@buildingstatusnyc.com to exercise your GDPR rights (access, rectification, erasure, restriction, objection, portability, complaint to a supervisory authority).
Supervisory authority — EEA residents can lodge a complaint with the supervisory authority in their country. UK residents can contact the Information Commissioner's Office (ICO).
12. International transfers
We are based in the United States and use US-based service providers. When you use the service from outside the US, your data is transferred to and processed in the US. US law does not always offer the same protections as your home country's law. By using the service you consent to this transfer.
For EEA / UK users, we rely on the EU-US Data Privacy Framework (where our processors are certified) or Standard Contractual Clauses with appropriate supplementary measures. Contact privacy@buildingstatusnyc.com for details.
13. Security
We use industry-standard safeguards:
- TLS 1.2+ in transit, AES-256 at rest (Neon, Vercel Blob)
- Strict least-privilege access for employees and contractors
- Multi-factor authentication on all admin accounts
- Automated monitoring (Sentry, rate limits, bot detection)
- Regular dependency updates and security patches
- Incident response plan with defined notification timelines
No system is perfectly secure. If you discover a vulnerability, email security@buildingstatusnyc.com.
14. Children
Building Status NYC is not intended for anyone under 16. We do not knowingly collect personal information from children under 16. If you believe a child has created an account, email privacy@buildingstatusnyc.com and we will delete the account and associated data.
15. Automated decision-making
We do not make any decisions that produce legal or similarly significant effects about you through purely automated means. Violation-severity coloring is a display convenience, not a judgment about you.
16. Changes to this policy
We may update this policy. For material changes we will give you at least thirty (30) days' advance notice by email and a banner in-app. The version and effectiveDate at the top of this page are the source of truth. Prior versions are available on request.
17. Contact
- Privacy:
privacy@buildingstatusnyc.com - Mailing address (for legal notices): available on request at
legal@buildingstatusnyc.com - Data Protection Officer / Privacy Lead:
privacy@buildingstatusnyc.com