Aftermath

Privacy Policy

Last updated: May 19, 2026

Your privacy matters to us. This policy explains what data Aftermath collects, how we use it, and the choices you have.

At a Glance

  • We never sell or share your personal data for advertising.
  • Your inventory, photos, and policy documents are yours, and you can delete them anytime.
  • AI features (Google Gemini) only run after you grant explicit in-app consent, and you can revoke it anytime from Profile → AI and Data Sharing.
  • We use only essential cookies for login and security. No advertising or cross-site trackers.
  • California, EEA, and UK users have additional rights described in Sections 12–13.
  • We notify affected users of any qualifying data breach within 72 hours of discovery.

This summary is for convenience only and does not replace the full Policy below.

1. Information We Collect

  • ACCOUNT INFORMATION: name, email address, password (hashed), home address, phone number, profile photo, and account preferences.
  • HOME INVENTORY CONTENT: item names, descriptions, purchase values, purchase dates, serial numbers, brands, conditions, room assignments, notes, and photographs you upload to your Vault.
  • INSURANCE POLICY DOCUMENTS: PDFs and images of insurance policies you upload for AI analysis, plus extracted coverage details (carrier, limits, deductibles, dates, perils covered).
  • CLAIM INFORMATION: incident details, dates, descriptions, photos, and report drafts you create.
  • PAYMENT INFORMATION: subscription status and limited billing metadata. Full card numbers are processed and stored by Stripe. We never see or store your full card details.
  • USAGE DATA: pages visited, features used, time spent in the app, and error/crash reports for diagnostics and product improvement.
  • DEVICE & TECHNICAL DATA: browser type, operating system, device type, language, time zone, IP address, and approximate location derived from IP for security and fraud prevention.
  • COMMUNICATIONS: messages you send to our support team and your responses to in-app prompts.

2. Categories of Personal Information (CCPA Disclosure)

In the past 12 months, we may have collected the following categories of personal information about California residents, as defined under the California Consumer Privacy Act ("CCPA") / California Privacy Rights Act ("CPRA"):

  • Identifiers (e.g., name, email, postal address, IP address, account ID).
  • Personal information categories listed in the California Customer Records statute (e.g., name, address, phone number, financial account info via Stripe).
  • Commercial information (e.g., subscription history, products purchased).
  • Internet or other electronic network activity (e.g., browsing within the Service, interactions with features).
  • Geolocation data (approximate, derived from IP address; we do not collect precise GPS location).
  • Sensory data (photographs of belongings and policy documents you upload).
  • Inferences drawn from the above (e.g., coverage gaps detected from your documented inventory).
  • Sensitive Personal Information may include precise account credentials and government-issued ID numbers if you choose to add them (e.g., serial numbers of items, policy numbers). We use sensitive PI only for the purposes described in this Policy and will not use or disclose it for purposes that require the right to limit under the CPRA.

3. Sources of Personal Information

  • DIRECTLY FROM YOU when you create an account, upload content, complete forms, contact support, or interact with features.
  • AUTOMATICALLY when you use the Service, through cookies, log files, and similar technologies (see Section 6).
  • FROM THIRD-PARTY SERVICE PROVIDERS, including Stripe for subscription and payment data; Supabase for authentication events; and any future identity providers (e.g., Sign in with Apple) you choose to use.

4. How We Use Your Information (Business & Commercial Purposes)

  • To provide, operate, and maintain the Service, including storing your inventory, processing policy documents, generating claim reports, and authenticating your account.
  • To analyze uploaded policy documents using third-party AI (currently Google Gemini) to extract coverage information for your reference.
  • To personalize your experience (e.g., showing your name and tailored coverage suggestions on your dashboard).
  • To send transactional and account-related communications, including confirmation emails, password resets, billing receipts, security alerts, and important policy or service updates.
  • To process subscription payments through Stripe.
  • To monitor for security incidents, prevent fraud, debug errors, and improve performance and reliability.
  • To improve the Service through aggregated and anonymized analytics that do not identify any individual.
  • To comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.
  • WE DO NOT SELL OR SHARE YOUR PERSONAL INFORMATION as those terms are defined under the CCPA/CPRA. We do not engage in cross-context behavioral advertising.

5. Legal Bases for Processing (GDPR / UK GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • PERFORMANCE OF A CONTRACT: to provide the Service you request and fulfill our obligations under our Terms of Service.
  • LEGITIMATE INTERESTS: to operate, secure, debug, and improve the Service, prevent fraud, and communicate about your account, where these interests are not overridden by your rights and freedoms.
  • CONSENT: for any optional processing where we ask for your consent (e.g., non-essential analytics, marketing emails). You may withdraw consent at any time.
  • LEGAL OBLIGATION: to comply with applicable laws, regulatory requirements, and lawful requests from authorities.

6. Cookies & Similar Technologies

  • We use cookies and local browser storage that are STRICTLY NECESSARY for the Service to function, including authentication cookies set by Supabase to keep you logged in, and security tokens to prevent CSRF attacks. These cannot be disabled without breaking core functionality.
  • We may also use first-party analytics (e.g., Vercel Analytics) to measure aggregate site performance, and Sentry to capture diagnostic data (including, for sessions that hit an error, a recorded session replay with sensitive fields masked). These do not use third-party advertising cookies and do not track you across other websites.
  • We do not currently use third-party advertising cookies, retargeting pixels, or social-media tracking pixels. If we add any non-essential tracking in the future, we will update this Policy and, where required by law, present a consent banner before such cookies load.
  • You can clear cookies in your browser settings; doing so will sign you out of the Service.

7. Third-Party Service Providers (Including Google Gemini AI)

We share personal information with carefully selected service providers that help us run the Service. Each is bound by contract to use the data only for the purposes we specify and to protect it appropriately:

  • SUPABASE (database, authentication, file storage): supabase.com/privacy
  • VERCEL (web hosting and infrastructure analytics): vercel.com/legal/privacy-policy
  • GOOGLE GEMINI / GOOGLE AI STUDIO (policy-document analysis, item identification, claim-statement drafting, claim review, and product link lookups using Google Search grounding): ai.google.dev/gemini-api/terms and policies.google.com/privacy. The data sent to Google is limited to the content you select for a specific AI action: a photo of an item, a photo or PDF of an insurance policy, item metadata (name, brand, model, serial number, value), and claim notes or statements you choose to analyze. We do not send your full vault, full claim history, account credentials, payment information, or location data. AI FEATURES ARE GATED BY EXPLICIT IN-APP CONSENT: no content is transmitted to Google until you have read the AI consent disclosure inside the app and tapped "Allow AI Features." You can revoke this consent at any time in Profile → AI and Data Sharing, which immediately disables all AI features. Per Google's published Gemini API terms, paid-tier inputs are not used to train or improve Google's general AI models. We do not retain copies with Google beyond what is required to complete the analysis request. AI outputs are informational only and are not insurance, legal, or financial advice. See our Terms of Service Section 9 for additional limitations.
  • AMAZON.COM (public product-page lookups): amazon.com/privacy. When you scan an item, our server may fetch the corresponding public Amazon product page to retrieve the current retail price and title. These requests are made server-to-server and do not transmit your name, email, IP address, or account identifier to Amazon.
  • STRIPE (subscription billing for web purchases): stripe.com/privacy. Stripe stores your full payment card details; we do not.
  • APPLE (subscription billing for purchases made inside the iOS app): apple.com/legal/privacy. When you subscribe through the iOS app, your purchase, billing, and renewal data are handled by Apple under your Apple ID. We receive only the receipt and subscription status needed to grant Pro access.
  • SENTRY (error monitoring, performance tracing, and session replay): sentry.io/privacy. Sentry receives error events, performance metrics, and, only for sessions that hit an error, a recorded replay of the affected session, with form inputs and sensitive fields masked by default. Your IP address and an internal user identifier are included so we can correlate errors to support tickets.
  • RESEND (transactional email delivery for in-app support tickets and account notifications): resend.com/legal/privacy-policy. When you submit a support ticket through the in-app form, your message and email address are transmitted to Resend so we can email our support team and reply to you.
  • We may add or change service providers as the product evolves. We will update this list when material changes occur.

8. International Data Transfers

  • Aftermath is operated from the United States. Our service providers (Supabase, Vercel, Google, Stripe) primarily process data on infrastructure located in the United States.
  • If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate. These countries may have data-protection laws that differ from those in your jurisdiction.
  • For users in the EEA, UK, or Switzerland, where we transfer personal data outside those regions we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) with our service providers, supplementary measures where required, and the EU-U.S. Data Privacy Framework where applicable.
  • By using the Service, you understand and agree to the transfer of your information to the United States and other countries where we and our service providers operate.

9. Data Storage & Security

  • Data is stored in encrypted databases and object storage provided by Supabase. Backups are encrypted at rest.
  • All data transmitted between your device and our servers is protected with industry-standard TLS encryption (HTTPS).
  • Access to your data is enforced at the database level using Row Level Security (RLS). Only your authenticated session can read or modify your records.
  • We require strong passwords, hash all passwords using industry-standard algorithms, and offer password reset via verified email.
  • Despite reasonable safeguards, no system is completely secure. You should use a strong, unique password and notify us immediately if you suspect unauthorized access to your account.

10. Data Breach Notification

  • If we discover a breach of personal information that creates a risk to affected users, we will notify those users without undue delay and, where feasible, within seventy-two (72) hours of discovery, by email or in-app notification.
  • Notifications will describe the nature of the breach, the categories of data affected, the steps we are taking, and recommended actions for affected users.
  • We will also notify supervisory authorities and other parties as required by applicable law (e.g., GDPR Article 33, U.S. state breach-notification statutes).

11. Data Retention

  • We retain personal data only as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.
  • If you delete your account, your active-system data, including profile, vault items, photos, and policy documents, is permanently deleted within thirty (30) days.
  • Encrypted backups may retain copies for up to ninety (90) days after deletion for disaster-recovery purposes, after which they are permanently purged.
  • We may retain limited records (e.g., billing receipts, abuse reports, anonymized usage logs) for longer where required by law (e.g., tax, accounting, fraud prevention).

12. Your Privacy Rights

Subject to applicable law, you have the following rights regarding your personal information, which you can generally exercise from Profile Settings or by contacting support@aftermathvault.com:

  • ACCESS: request a copy of the personal data we hold about you.
  • CORRECTION: update inaccurate or incomplete information.
  • DELETION: permanently delete your account and associated data.
  • PORTABILITY: request your data in a structured, machine-readable format.
  • OBJECT / RESTRICT: object to or restrict certain processing where we rely on legitimate interests (GDPR users).
  • WITHDRAW CONSENT: withdraw any consent you previously gave (this does not affect prior lawful processing).
  • COMPLAIN: lodge a complaint with your local data-protection authority (EEA/UK/Swiss users) or applicable regulator.
  • We will verify your identity before responding to a rights request and will respond within the timeframes required by applicable law (typically 30 days under GDPR, 45 days under CCPA, extendable as permitted).

13. California Residents (CCPA / CPRA Rights)

If you are a California resident, you have the following rights in addition to those in Section 12:

  • RIGHT TO KNOW the categories and specific pieces of personal information we have collected about you, the sources, the business or commercial purposes, and the third parties with whom we share it.
  • RIGHT TO DELETE personal information we have collected from you, subject to legal exceptions.
  • RIGHT TO CORRECT inaccurate personal information.
  • RIGHT TO OPT OUT OF SALE OR SHARING: we do not sell or share personal information for cross-context behavioral advertising. No opt-out is required because no such activity occurs.
  • RIGHT TO LIMIT USE OF SENSITIVE PERSONAL INFORMATION: we use sensitive PI only for the purposes described in this Policy and not for inferring characteristics about you.
  • RIGHT TO NON-DISCRIMINATION: we will not deny service, charge different prices, or provide a different level of service because you exercised any of these rights.
  • AUTHORIZED AGENTS: you may designate an authorized agent in writing to make a request on your behalf. We may require verification of the agent's authority and your identity.
  • To exercise any of these rights, email support@aftermathvault.com with the subject "California Privacy Request."

14. Children's Privacy

  • Aftermath is intended for users 18 years of age and older. The Service is not directed at children, and we do not knowingly collect personal information from anyone under 18.
  • If we learn that we have collected personal information from a person under 18 without verifiable parental consent, we will delete that information promptly.
  • If you are a parent or guardian and believe your child has provided personal information to Aftermath, please contact support@aftermathvault.com.

15. Marketing Communications

  • We may send you transactional emails (e.g., billing receipts, password resets, security alerts, important service updates). You cannot opt out of these while you maintain an account, as they are essential to the Service.
  • If we send any promotional or marketing emails, each will include an unsubscribe link, and you can opt out at any time without affecting your ability to use the Service. We do not send marketing emails by default.

16. Business Transfers

  • If Aftermath is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its assets, your information may be transferred to the successor entity as part of that transaction, subject to this Privacy Policy or a successor policy with comparable protections.
  • We will provide notice (by email or in-app notification) before your information becomes subject to a different privacy policy and, where required by law, give you the opportunity to delete your account before the transfer takes effect.

17. Changes to This Policy

  • We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent changes.
  • If we make material changes, we will provide reasonable advance notice (typically at least 14 days) by email or in-app notification before the changes take effect.
  • Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

18. Contact Us

  • For general privacy questions and rights requests: support@aftermathvault.com
  • For all other inquiries: support@aftermathvault.com
  • We aim to respond promptly to all inquiries.

Questions? Email us at support@aftermathvault.com