Alerra, Inc. ("Alerra", "we", "us", or "our") operates the Alerra property management platform (the "Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

1.1 Account Information

When you register for an account, we collect your name, email address, and organization name. Authentication is managed through a dedicated identity service and we do not store your password directly.

1.2 Property & Operational Data

You may upload or enter data about your properties, equipment, vehicles, contacts, documents, maintenance records, and other operational information. This data belongs to you and your organization.

1.3 Usage Data

We automatically collect information about how you interact with the Service, including pages visited, features used, browser type, device information, IP address, timestamps, and marketing attribution data such as referring page and UTM campaign parameters when you arrive via a tracked link. This helps us improve the Service, understand which acquisition channels perform best, and diagnose issues.

1.4 Payment Information

Payment processing is handled by a PCI DSS-compliant third-party payment processor. We do not store your credit card numbers. We receive only a payment confirmation identifier, plan type, and billing status from our payment processor. Their privacy policy governs how they handle your payment data.

1.5 Audio & AI Data

If you use voice dictation features, audio recordings are transmitted to our servers for transcription and then deleted. AI Chat messages are processed by third-party language model providers under data-processing agreements and are not used to train models. Transcripts may be retained for the duration of your chat session.

1.6 Telemetry & Observability Data

We collect technical telemetry to monitor the health, performance, and security of the Service. This includes:

Frontend Performance Telemetry: Browser-side metrics (Web Vitals such as LCP, FID, CLS, TTFB), JavaScript errors, page navigation events, HTTP request traces, and anonymous session identifiers — collected by an observability SDK embedded in the web application.
API Request Logs: Every API request is logged with your user identifier, tenant identifier, IP address, user-agent string, endpoint path, HTTP method, response status, response time, and bytes transferred.
Security Event Logs: Authentication attempts, permission denials, rate-limit events, and suspected abuse patterns — logged with one-way hashed (SHA-256) user identifiers.
Usage Quota Tracking: Daily counters of document uploads, downloads, bandwidth, and API calls per user, used to enforce subscription-tier limits.
Application Metrics: Aggregated, non-personally-identifiable performance metrics (request counts, error rates, latency histograms) collected via our metrics infrastructure.
Distributed Traces: W3C Trace Context headers link frontend and backend operations for performance diagnosis. Trace spans are stored temporarily in our tracing infrastructure.

When you are logged in, telemetry is associated with your email and user identifier. After logout, telemetry is anonymous.

1.7 AI Observability Data

When AI Features are used in deployed environments, prompts, completions, token counts, and associated costs may be logged by a third-party AI observability platform for quality monitoring and cost management. This data includes your tenant and user identifiers but does not include your Content beyond what you submit to AI Features. Our AI observability provider operates under a data-processing agreement with us.

2. How We Use Your Information

Provide, operate, and maintain the Service
Process transactions and manage your subscription
Respond to support requests and communicate with you
Enforce our terms, conditions, and policies
Monitor usage to enforce quota limits and prevent abuse
Detect, investigate, and respond to security incidents and unauthorized access
Diagnose performance issues and optimize application reliability
Generate aggregated, anonymized analytics to improve the Service
Comply with legal obligations

3. Data Sharing & Third Parties

We do not sell your personal data. We share information only with:

Cloud Infrastructure Provider: Cloud hosting, authentication, database, storage, compute, and infrastructure monitoring — SOC 2, ISO 27001 certified.
Payment Processor: Payment processing — PCI DSS compliant. We do not store your card details.
AI Model Providers: Process AI Chat content — under data-processing agreements that prohibit training on your data.
AI Observability Provider: Quality monitoring — processes prompt/completion metadata under a data-processing agreement. AI observability data is sent to this third-party provider's cloud platform.
Google Tag Manager / Google Analytics: Optional website analytics and conversion measurement, loaded only after consent on the marketing site or when otherwise permitted by law.
Performance & Infrastructure Monitoring: We run self-hosted observability tools on our own infrastructure for application metrics, logging, and distributed tracing. This performance telemetry is not sent to any external cloud service.
Legal Obligations: If required by law, regulation, or valid legal process.
Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to you.

4. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Retention periods vary by data type and may be adjusted from time to time based on operational, legal, and cost considerations. In general:

Performance metrics, logs, and distributed traces: Retained on a short rolling window sufficient for operational monitoring and troubleshooting.
API request logs and usage data: Retained while your account is active; deleted within a reasonable period following a fulfilled deletion request.
Audit logs and EULA acceptance receipts: Retained as required by applicable law. EULA receipts are stored in immutable, tamper-proof storage.
Security event logs: Retained as required for incident investigation and legal compliance.
AI observability data: Retained for quality monitoring purposes; deletion can be requested through our compliance endpoints.
Operational data: Deleted within a reasonable period following a fulfilled deletion request.
Aggregated, anonymized analytics: May be retained indefinitely.

5. Multi-Tenant Data Isolation

Alerra employs a multi-tenant architecture where your organization's data is strictly isolated from other organizations at the database level. No organization can access another organization's data. Telemetry data is similarly partitioned by tenant identifier.

6. Security

We protect your data with:

Encryption in transit (TLS 1.2+) and at rest (AES-256)
Cloud infrastructure with SOC 2 and ISO 27001 certifications
Role-based access controls and multi-tenant data isolation
Web Application Firewall (WAF) and rate limiting
Automated security monitoring, IP-based threat blocking, and user-agent filtering
Security event logging with PII stored in encrypted, secure storage
Regular security monitoring and audit logging
Immutable, tamper-proof storage for EULA acceptance receipts (non-repudiation)

7. Your Rights

Depending on your jurisdiction, you may have the right to:

Access: Request a copy of the personal data we hold about you.
Rectification: Correct inaccurate personal data.
Erasure: Request deletion of your personal data (subject to legal retention requirements).
Data Portability: Receive your data in a structured, machine-readable format.

To exercise these rights, contact us at privacy@alerra.io.

7.1 Do Not Track

We respect the Do Not Track (DNT) signal. When your browser sends DNT, optional analytics tracking is automatically disabled.

8. Cookies & Local Storage

The Service uses essential browser storage (localStorage, sessionStorage) for authentication session management, user preferences, and remembering cookie consent choices. On the marketing site, we also offer optional analytics cookies and similar technologies through Google Tag Manager / Google Analytics to measure visits and conversions. Those optional analytics tools are disabled unless you accept analytics cookies or another lawful basis applies.

9. Geographic Availability

The Service is currently available only to users located in the United States. The Service is hosted on cloud infrastructure located in the United States. By using the Service, you confirm that you are located in the United States and consent to having your data processed within the United States.

10. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date. Your continued use of the Service after changes constitutes acceptance.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Alerra, Inc.
Email: privacy@alerra.io
Support: support@alerra.io