Privacy Policy

Last updated: April 24, 2026

Summary

We collect the minimum needed to run ClaimTally: your account info, the photos and audio you capture, the inventory you produce, and basic usage logs. We do not sell your data. We share it only with the service providers we use to operate the product (Supabase, Firebase, Google Vertex AI, Resend) and only to the extent needed.

1. What we collect

  • Account: email, display name, role (policyholder / agent), optional agency name and license number for agents.
  • Inventory content: photos, audio recordings, transcripts, item names, descriptions, categories, values, conditions, dates.
  • Usage: timestamps for captures and edits, which agent edited which field (audit log), device type from browser/app.
  • Technical: IP address (for rate-limiting and abuse prevention), error logs.

2. How we use it

Only to operate the service: authenticate you, run AI analysis on your photos and audio, compute valuations, organize the inventory, send transactional emails (invite links, verification notifications), and maintain the audit trail linking agents to the data they act on. No ads, no third-party marketing.

3. Who we share it with

  • Supabase — database, authentication, and file storage (hosted on AWS us-east-1).
  • Firebase Cloud Functions — the AI pipeline that transcribes audio and analyzes photos.
  • Google Vertex AI (Gemini) — vision and language model calls for item detection, transcription, and valuation grounding.
  • Resend — transactional email delivery.
  • Your agent— if you accept an agent’s invitation, that agent can read and write your inventory until you revoke the link from Settings.
We do not sell personal data and do not use it to train third-party AI models beyond the direct API calls needed to process your request.

4. Agent access and audit

When an agent acts on your behalf, every mutation is recorded in an activity log you can review at Settings → Recent activity or in the mobile app’s Activity screen. You can remove an agent at any time from Settings.

5. Retention and deletion

You can delete individual items, rooms, policies, or your entire account from Settings. Account deletion cascades through the database and removes your photos, audio, and transcripts. Backups may retain data for up to 30 days before being overwritten.

6. Security

All data is transmitted over TLS. Photos and audio are stored in private buckets with row-level access policies enforced by Supabase RLS. Admin operations are logged and scoped. No security is absolute — report vulnerabilities to security@waterspout.live.

7. Your rights

Depending on your jurisdiction (GDPR, CCPA), you may have the right to access, correct, export, or delete your data. Most of these actions are available self-service in Settings. For anything else, email us at hello@waterspout.live.

8. Changes

We will update this page and note the revised date at the top. Material changes will be announced via email.

9. Contact

Email hello@waterspout.live for any question about this policy.