Privacy Policy
PrecordAI LLC (precord.ai)
Effective Date: April 5, 2026
Contact: hello@precord.ai
1. Introduction and Scope
PrecordAI LLC ("Company," "we," "us," "our") operates precord.ai, an artificial intelligence-powered home inventory documentation and analysis service ("Service"). This Privacy Policy applies to all data processing activities related to the Service, regardless of jurisdiction of use.
Service Overview: Users submit photographs of residential rooms and inventory items. Our AI technology analyzes these images and generates comprehensive home inventory reports. Reports may be exported in PDF format and retained for documentation purposes.
Jurisdictional Coverage: This policy complies with applicable privacy laws in all US states, the European Union (GDPR), the United Kingdom (UK GDPR), Canada (PIPEDA), and other jurisdictions where the Service operates.
2. Data Controller and Processors
Data Controller: PrecordAI LLC is the data controller responsible for determining the purposes and means of processing your personal data. Contact: hello@precord.ai
Data Processors and Subprocessors: We engage third-party data processors to deliver the Service. All processors are bound by contractual Data Processing Agreements (DPAs) that impose equivalent privacy protections.
| Processor Name | Data Categories | Privacy Policy |
|---|---|---|
| Anthropic Claude AI | Photographs, metadata (EXIF, timestamps) | anthropic.com/privacy |
| Stripe | Name, email, billing address, payment method (tokenized) | stripe.com/privacy |
| Tally | Name, email, photos, inventory descriptions | tally.so/privacy |
| Resend | Email address, name, account information | resend.com/privacy |
| Google Sheets | Customer ID, name, email, service tier, transaction data | policies.google.com/privacy |
| n8n Cloud | Workflow orchestration and secure automation of report-generation steps; no independent data use by the processor | n8n.io/privacy |
| Hostinger | Visitor IP address, browser information, device type | hostinger.com/privacy |
| Twilio | Phone number, name, SMS content for message delivery | twilio.com/legal/privacy |
3. Types of Data Collected
3.1 Personal Data
- Identity Data: Full name, email address, phone number
- Contact Data: Email address, phone number, mailing address
- Payment Data: Billing name, billing address, payment method details (processed securely via Stripe; we do not store full card numbers)
- Technical Data: IP address, browser type and version, operating system, device type, pages visited, time and date of access
- Transaction Data: Customer ID, service tier purchased, subscription renewal dates, transaction history
- Service Usage Data: Reports generated, features utilized, customer support interactions
3.2 Photographic Data
Image Metadata and Content: When you submit photographs to the Service, we collect and process: (1) raw photograph files including all embedded metadata (EXIF data, location data, timestamps). Location metadata contained in photographs is used only for report generation context and is not used for tracking, monitoring, or behavioral analysis; (2) textual descriptions you provide about the items depicted; (3) AI-extracted inventory information derived from image analysis.
Important Notice—Biometric and Health Data: Photographs of residential rooms may incidentally capture individuals' faces or bodies, as well as household medications, medical equipment, or health-related items. We treat all such incidental captures as sensitive data (biometric data under GDPR and California law; health data under applicable state laws). Photographs are deleted within 30 days of report delivery; retained image descriptions and inventory reports may contain health-related inferences.
3.3 Data Collection Methods
- Direct submission via web forms (Tally)
- Automatic capture via server logs (IP address, user agent)
- Cookies and similar tracking technologies (essential cookies only)
- Payment processor webhooks (Stripe)
4. Legal Basis for Processing (GDPR/UK GDPR)
Where GDPR or UK GDPR applies, we process personal data under the following legal bases:
| Processing Purpose | Legal Basis (GDPR Article 6) |
|---|---|
| Service Delivery | Contract (Article 6(1)(b)) |
| Payment Processing | Contract (Article 6(1)(b)) |
| Account Management & Support | Contract (Article 6(1)(b)) |
| Fraud Prevention, Service Improvement, Security Monitoring | Legitimate Interests (Article 6(1)(f)) |
| Tax Compliance, Legal Requests | Legal Obligation (Article 6(1)(c)) |
| Marketing Communications | Consent (Article 6(1)(a)) |
| SMS Notifications | Contract or Consent |
5. Purposes of Data Processing
- Service Delivery: To analyze photographs, generate inventory reports, and deliver the Service
- Payment Processing: To process subscription payments via Stripe
- Account Management: To authenticate users, maintain account records, and provide customer support
- Transactional Communications: To send invoice notifications, order confirmations, and service-related alerts via email (Resend) and SMS (Twilio)
- Legal Compliance: To comply with law enforcement requests, court orders, and tax reporting obligations
- Service Improvement: To analyze usage patterns, fix bugs, and enhance features (based on aggregated, anonymized data)
- Fraud Prevention: To detect unauthorized access and prevent payment fraud
6. Data Retention Schedule
| Data Category | Retention Period | Reason |
|---|---|---|
| Photographs | 30 days | Deleted after AI analysis and report generation |
| PDF Reports | Up to 7 years | Retained for account record-keeping and proof of service, unless earlier deleted at the user's request where legally permitted; deleted upon user request or account termination |
| Account Information (Name, Email, Address) | Duration of account + 3 years | Required to maintain account and meet tax/legal obligations; deleted upon request subject to legal holds |
| Payment Information | Duration of account + 7 years | Tax reporting requirements; tokenized card data retained for subscription renewal only |
| Transaction Records | Up to 7 years | Tax reporting, fraud prevention, chargeback defense |
| Server Logs (IP, User Agent) | 30 days | Security monitoring and debugging; auto-purged after 30 days |
| Customer Support Records | 3 years | Dispute resolution and quality assurance |
| SMS Records | 30 days | Compliance with SMS regulations; deleted per Twilio's retention policy |
| Email Communications | Duration of account + 3 years | Customer support history and proof of consent/opt-out requests |
| AI-Extracted Inferences (Health, Property, Lifestyle Data) | Up to 7 years (in PDF report only) | Part of inventory report; not separately disclosed to third parties |
7. Data Sharing and Processors
No Selling of Personal Data: We do NOT sell, share for cross-context behavioral advertising, or disclose personal data to third parties for their independent use.
Contextual Recommendations and Partner Integrations: PrecordAI may provide contextual product recommendations, replacement suggestions, or integrations with service providers related to documented inventory items. These recommendations are based solely on report contents and do not involve cross-context behavioral advertising. Any future partner marketing beyond contextual recommendations will require separate user consent. Reports may be shared by users with insurance professionals, attorneys, or advisors at their discretion. PrecordAI does not independently disclose reports to such professionals unless directed by the user.
Processor Sharing Only: Data is shared exclusively with data processors who perform services on our behalf under contractual confidentiality obligations. See Section 2 for the complete processor list and privacy policy links.
7.1 International Data Transfers
Some processors are located outside the European Union. We rely on the following mechanisms to ensure adequate safeguards:
- Standard Contractual Clauses (SCCs): All DPAs include EU Commission-approved SCCs for transfers from the EU/UK to third countries.
- Adequacy Decisions: Where applicable (e.g., United Kingdom data transferred to the EU), we rely on EU adequacy decisions.
- Binding Corporate Rules: Where available, group-company transfers are authorized via BCRs.
8. Automated Decision-Making and AI Processing
AI Processing Disclosure (GDPR Article 22): The PrecordAI Service relies on automated decision-making: photographs are analyzed by Anthropic's Claude AI model to extract inventory information and generate reports without human review of individual images before delivery.
No Solely Automated Legal or Financial Decisions: We do NOT use automated processing alone to make decisions that produce legal or similarly significant effects (e.g., credit decisions, eligibility determinations). Inventory analysis is for informational purposes only.
Right to Explanation: If you dispute the accuracy or completeness of an AI-generated inventory report, you may request a manual review by contacting hello@precord.ai. We will provide an explanation of the AI analysis within 30 days.
9. Cookies and Tracking Technologies
Essential Cookies Only: We use only essential cookies necessary for authentication, account security, and session management. We do NOT use analytics cookies, advertising pixels, or cross-site tracking technologies.
Cookie Consent: No prior consent is required for essential cookies under GDPR and the ePrivacy Directive. By accessing the Service, you implicitly consent to essential cookies for functionality.
Do Not Track (DNT) Signals: If your browser sends a DNT signal, we honor it by not enabling any optional tracking features (though essential functionality is not affected).
10. Security Measures
- Encryption in transit (HTTPS/TLS 1.2+)
- Secure payment processing via PCI-DSS compliant Stripe
- Role-based access controls and authentication
- Regular security assessments and vulnerability testing
- Secure data deletion procedures
11. Data Minimization Principles
We adhere to data minimization: we collect only data necessary to provide the Service and fulfill legal obligations. Specifically:
- Photographs are deleted within 30 days of report delivery
- Payment card data is not stored; only tokenized references are retained
- Server logs are automatically purged after 30 days
- Inferences and health data extracted from images are retained only as part of the PDF report
12. Your Privacy Rights
12.1 General Rights (EU/UK GDPR, California CCPA/CPRA, and other jurisdictions)
- Right to Access: Request a copy of personal data we hold about you in a portable format
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure ('Right to Be Forgotten'): Request deletion of personal data, subject to legal obligations and exceptions
- Right to Restrict Processing: Request limitation of how we use your data
- Right to Data Portability: Request your data in a structured, commonly used, machine-readable format
- Right to Object: Object to processing for legitimate interests or direct marketing
- Right to Appeal: If we deny a data request, you may appeal the decision within 30 days
- Right Not to Be Subject to Solely Automated Decisions: Request human review of automated AI-generated inventory reports
12.2 Authorized Agent
You may authorize an agent (family member, attorney, or representative) to submit requests on your behalf. Authorized agents must provide proof of authority and your written consent.
12.3 State-Specific Rights
California (CCPA/CPRA)
- Right to Know what personal information is collected, used, shared, or sold
- Right to Delete personal information collected from you
- Right to Correct inaccurate personal information
- Right to Opt-Out of sale or sharing of personal information for cross-context behavioral advertising (we do not sell or share; this right is not applicable)
- Right to Limit Use and Disclosure of Sensitive Personal Information
- Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights
Virginia (VCDPA), Connecticut (CTDPA), Colorado (CPA), Texas (TDPSA), Oregon (OCPA)
- Right to Know and access personal data
- Right to Delete personal data
- Right to Correct inaccuracies
- Right to Opt-Out of targeted advertising, sale of personal data, and profiling
- Right to Appeal denial of rights requests
Nevada (NRS 603A)
- Right to Opt-Out of the sale of covered information (non-publicly available personal information). We do not sell your data; this right is not applicable.
12.4 How to Exercise Your Rights
Submission Method: To exercise any privacy right, submit a request to hello@precord.ai
Include:
- Description of the right you are exercising
- Your full name
- Email address
- Any account information you have
- Proof of authority if requesting on behalf of another
Response Timeline: We will respond to verified requests within 45 calendar days (California CCPA standard; GDPR allows 30 days, and we will honor the shorter timeframe for EU residents). If we require additional information to verify your identity, the response period may be extended by up to 30 additional days. Complex requests may require additional time; we will notify you of any delays.
Verification: We will verify your identity by requesting information that matches our records before fulfilling requests. We do not charge fees for requests unless they are frivolous, repetitive, or manifestly unfounded; we will notify you of any applicable fees before processing.
13. SMS and Text Notifications (TCPA Compliance)
SMS Notifications via Twilio: When you provide a phone number, we may send transactional SMS notifications (order confirmations, report delivery alerts, account status updates) via Twilio, our SMS delivery processor.
TCPA Compliance: SMS messages are sent only for transactional purposes in compliance with the Telephone Consumer Protection Act (TCPA). We do NOT send promotional or marketing SMS without your explicit opt-in consent.
Opt-In and Opt-Out: You may opt out of SMS notifications at any time by replying 'STOP' to any SMS message, or by contacting hello@precord.ai with your request. Opt-out requests are processed within 24 hours. Transactional SMS may still be sent if required by law.
Twilio Privacy: Twilio's privacy practices apply to SMS data. See Twilio's Privacy Policy.
14. Health Data and Sensitive Information
14.1 Health Data (Washington My Health My Data Act)
If you reside in Washington State or your data is subject to the Washington My Health My Data Act (WMHMDA), the following applies: Photographs may incidentally capture prescription medications, medical devices, health monitors, or related health information. Such health data will not be sold, licensed, shared, or used for targeted advertising without your explicit opt-in consent (separate from Service consent).
Health Data Opt-In: To opt in to use of health data, contact hello@precord.ai with your explicit written request. Without opt-in, health data inferences are not shared with third parties.
14.2 Biometric Data
Photographs may incidentally capture individuals' faces, which constitute biometric data under GDPR and California privacy laws. Biometric data is treated as sensitive and is subject to heightened protection. Biometric data is deleted along with photographs within 30 days of report delivery.
14.3 Inferred Data
We process inferred data from photographs (e.g., household composition, property value estimates, lifestyle inferences). Under CPRA, inferences are treated as personal information. Inferred data derived from AI analysis is retained only in the final PDF report (up to 7 years) and is not disclosed to third parties.
15. Children's Privacy
Age Restrictions: The Service is not intended for children under the age of 18 (or 16 in jurisdictions governed by GDPR). We do not knowingly collect personal data from children under these ages.
COPPA Compliance (USA): If you are a parent or guardian and believe we have collected data from a child under 13, please contact hello@precord.ai immediately. We will delete such data within 30 days.
GDPR Compliance (EU): Users under 16 in the EU require parental consent. If you are a parent authorizing use by a minor, you agree to be responsible for the minor's use and to receive all communications on the minor's behalf.
16. Data Breach Notification
Breach Definition: A breach is an unauthorized or unlawful access, disclosure, or loss of personal data that compromises the security or confidentiality of your information.
Notification Timeline (Jurisdiction-Specific):
| Jurisdiction | Timeline | Notify |
|---|---|---|
| EU/UK (GDPR) | 72 hours after discovery | Data Protection Authority (if high risk); affected individuals |
| California (CCPA) | Without unreasonable delay (typically 30-60 days) | Affected residents; California Attorney General (if 500+ residents affected) |
| Virginia (VCDPA) | Without unreasonable delay | Affected residents; Virginia Attorney General |
| Colorado (CPA) | As expeditiously as possible | Affected residents; Colorado Attorney General |
| Connecticut (CTDPA) | Without unreasonable delay | Affected residents; Connecticut Attorney General |
| Texas (TDPSA) | Without unreasonable delay | Affected residents; Texas Attorney General |
| Oregon (OCPA) | Without unreasonable delay | Affected residents; Oregon Attorney General |
| Nevada (NRS 603A) | Without unreasonable delay | Affected residents; Nevada Attorney General (if unsecured data) |
Notification Content: Breach notices will include the nature of the breach, data affected, likely consequences, and remedial measures taken.
17. Third-Party Links and Services
The Service may contain links to third-party websites and services. This Privacy Policy does not apply to external sites. We are not responsible for third-party privacy practices. We encourage you to review the privacy policies of any third-party service before providing personal information.
18. Financial Incentive Disclosure
Under California CCPA and similar state laws, we must disclose: We do NOT offer any financial incentives (discounts, rebates, or benefits) in exchange for personal data collection or deletion. If we introduce such a program in the future, we will disclose it here and obtain your explicit written consent.
19. Data Processing Agreements (DPA)
All third-party data processors are bound by Data Processing Agreements (DPAs) that include: (1) scope and purpose of processing, (2) data categories and individuals affected, (3) duration of processing, (4) processor obligations including confidentiality and security, (5) sub-processor authorization and notification, (6) EU Standard Contractual Clauses (SCCs) for transfers outside the EEA, (7) data subject rights mechanisms, (8) audit and compliance provisions, (9) data deletion or return obligations. Copies of DPAs are available upon request to hello@precord.ai.
20. Policy Changes
We may update this Privacy Policy to reflect legal changes, technology updates, or operational improvements. We will notify you of any material changes via email at least 30 days before they take effect. Continued use of the Service after changes indicates your acceptance of the updated policy.
The "Effective Date" at the top of this policy indicates the last update. Version history is available upon request.
21. Contact and Grievance Procedures
Data Controller Contact:
PrecordAI LLC
Email: hello@precord.ai
Website: precord.ai
Data Protection Authority (EU/UK): If you are in the EU or UK and believe we have violated your privacy rights, you have the right to lodge a complaint with your national data protection authority. Contact details are available at https://edpb.ec.europa.eu/.
Last Updated: April 5, 2026
Authorized by: Mike, Owner, PrecordAI LLC