Effective April 29, 2026

Privacy policy.

We collect what we need to run a useful product and nothing more. This policy explains what we collect, how we use it, who we work with, and the rights you have. We don't sell personal information, and we don't share it for cross-context behavioral advertising.

§ 01

Scope of this policy

This Privacy Policy describes how HavenScore (“we,” “us,” or “our”) collects, uses, shares, and protects information when you use havenscore.app and related services (the “Service”). It applies to visitors, registered users, newsletter subscribers, and paying customers.

Reading this alongside our Terms of Service will give you the full picture.

§ 02

Information we collect

We collect information in three buckets:

Information you provide

  • Account info: email address and password (passwords are hashed by our auth provider; we never see them).
  • Profile and preferences: persona, saved ZIPs, MyScore weights, saved searches, and notification preferences.
  • Newsletter and alert opt-ins, including email addresses for users who subscribe without an account.
  • Customer-support correspondence and any feedback you send us.

Information collected automatically

  • Device and connection data: IP address, user-agent, approximate location derived from IP, referring URL, and the pages you visit on the Service.
  • Product telemetry: which features you used, anonymous usage events, web-vital performance metrics, and long-task reports used to diagnose UI performance issues.
  • Cookies and similar identifiers — see the cookies section.

Information collected from third parties

  • Payment metadata from Stripe — last-four card digits, card brand, billing country, subscription status, and Stripe customer/price IDs. We do not receive or store full card numbers.
  • Email-delivery events from Resend (sent, bounced, complained).

We do not knowingly collect biometric data, government identifiers, or precise GPS location.

§ 03

How we use information

We use the information we collect to:

  • Provide, operate, and improve the Service.
  • Authenticate users, secure accounts, prevent fraud and abuse, and enforce rate limits.
  • Process payments, manage subscriptions, and send billing receipts and renewal notices.
  • Send transactional emails — password resets, security notifications, account changes, and saved-search alerts.
  • Send our weekly newsletter and other marketing email to people who have opted in. You can unsubscribe at any time.
  • Measure product usage and performance, diagnose bugs, and decide what to build next.
  • Comply with legal obligations and respond to lawful requests from authorities.

We do not sell your personal information, and we do not share it with third parties for cross-context behavioral advertising.

§ 05

Cookies and similar technologies

We use cookies and similar technologies to keep you signed in, measure how the Service is used, throttle anonymous traffic, and remember small UI preferences. The most common categories are:

  • Authentication (e.g., sb-*-auth-token): session cookies set by Supabase Auth so you can stay signed in.
  • Anonymous usage meter (hs_meter): a short-lived cookie that counts ZIP views for visitors without an account so we can apply a fair-use limit.
  • Banner and preference cookies: small cookies used to remember dismissed banners and other non-essential UI choices.
  • Payments: Stripe sets cookies needed for fraud prevention and the Stripe Checkout / customer portal flows. See Stripe's cookie policy.
  • Analytics: Vercel Analytics measures aggregate page views and Core Web Vitals. Matomo measures privacy-respecting usage in our hosted instance. Both are configured to limit personally identifying collection.

You can clear or block cookies in your browser. Blocking authentication cookies will prevent you from signing in; blocking payment cookies will prevent purchases.

§ 06

Analytics and performance telemetry

We use a small set of privacy-respecting analytics tools to understand how the Service is used and to keep it fast:

  • Vercel Analytics measures aggregate page views and timing.
  • Matomo collects pseudonymous usage events (pages visited, basic interactions) without selling data to advertisers.
  • Web Vitals and long-task reporting send anonymous performance measurements (Largest Contentful Paint, Interaction to Next Paint, long-running script reports) so we can diagnose slowness.

§ 07

Third-party processors

We use the following providers to operate the Service. Each is bound by a data-processing agreement and uses your information only as needed to provide their part of the Service.

  • Supabase — authentication, database, and session storage. Privacy policy.
  • Stripe — payment processing and subscription management. Privacy policy.
  • Vercel — application hosting, serverless compute, content delivery, and Vercel Analytics. Privacy policy.
  • Resend — transactional and newsletter email delivery. Privacy policy.
  • Matomo — privacy-respecting product analytics. Privacy policy.

§ 08

Email and your choices

We send three categories of email:

  • Transactional — account confirmations, password resets, billing receipts, subscription change notices. You cannot opt out of these while you have an active account.
  • Saved-search alerts — sent when criteria you saved are met. Each alert email includes a one-click HMAC-signed unsubscribe link.
  • Newsletter and marketing — a weekly market digest you can opt into or out of from your account, or by clicking the unsubscribe link at the bottom of any newsletter.

To opt out of all non-essential email, click the unsubscribe link in any newsletter or alert, change your preferences in account settings, or write to privacy@havenscore.app.

§ 09

Data retention

We keep account data for as long as your account is active. After you delete your account, we remove your profile, saved searches, and MyScore preferences within thirty (30) days, subject to backups that age out on a routine cycle.

We retain transactional records (billing history, security logs) for the period required by law, typically up to seven years. Aggregate analytics and de-identified product telemetry may be retained indefinitely because they cannot reasonably be linked back to you.

§ 10

Security

We protect information using a combination of technical and organizational measures. Traffic is encrypted in transit with HTTPS (the .app top-level domain enforces it). Passwords are hashed and managed by Supabase Auth — we never see plaintext passwords. Sensitive operations require re-authentication. Database access is restricted, audited, and protected by row-level security where applicable.

No system is perfectly secure. If you become aware of a security issue, please report it to security@havenscore.app.

§ 11

Children's privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us at privacy@havenscore.app and we will delete it.

§ 12

Your privacy rights

Depending on where you live, you may have the right to:

  • Know what personal information we hold about you.
  • Receive a copy of that information in a portable format.
  • Correct inaccurate information.
  • Delete your information.
  • Opt out of the “sale” or “sharing” of personal information for cross-context behavioral advertising. We do not sell or share personal information for this purpose.
  • Limit the use of sensitive personal information.

California residents have these rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Residents of other US states with comparable laws (including but not limited to Colorado, Connecticut, Virginia, and Utah) have similar rights. To exercise your rights, email privacy@havenscore.app. We will verify your request and respond within the time frame required by law. You may also designate an authorized agent to act on your behalf.

§ 13

International users

The Service is operated from the United States and is intended for users in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to, processed, and stored in the United States, where data-protection laws may differ from those of your jurisdiction.

§ 14

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the “Effective” date at the top of this page and, for material changes, give notice through the Service or by email. Your continued use of the Service after changes take effect means you accept the updated policy.

§ 15

Contact

Questions about this policy or about your information?

Last updated April 29, 2026. Related: Terms · Disclaimers · Methodology
