Section 01
Introduction
This Privacy Policy explains how PermitMap (the "Service"), operated at permitmap.co, collects, uses, and protects information about you when you use our website, sign up for an account, subscribe to a paid plan, or contact us.
We've tried to keep this policy plain-English. Where it has to use legal terminology, we explain what we mean. By using the Service, you agree to the practices described here. If you don't agree, please don't use the Service.
Section 02
Information We Collect
We collect three categories of information.
Information you provide: your name, email address, password (stored only as a one-way bcrypt hash, never in plaintext), and any preferences you save such as alert criteria.
Billing information: processed by Stripe at checkout — PermitMap never receives or stores raw card numbers. We retain only Stripe-issued identifiers and the high-level subscription status.
Automatically collected information: standard server-side technical data such as IP address, user-agent string, request timestamps, and the pages you visit on the Service.
We do not collect special categories of personal data (such as health, biometric, or precise location data) and we do not knowingly collect personal information from children under 13 (see Section 14).
Section 03
How We Collect Information
We collect information directly from you when you sign up, configure alerts, complete a payment, or contact us through the website or by email. We collect information automatically when your browser interacts with the Service — through standard server logs, our own application telemetry, and a small set of cookies (see Section 4).
In limited cases we receive information from third parties on your behalf — for example, Stripe sends us the result of a payment attempt and webhook events about your subscription. We do not buy contact lists or otherwise enrich your account from outside sources.
Section 05
How We Use Information
We use the information we collect to provide and operate the Service: authenticating you, processing your subscription, sending the transactional and alert email you've requested, responding to your support requests, and keeping the Service secure and reliable.
We also use information for limited operational purposes: detecting and preventing abuse, enforcing our Terms of Service, complying with applicable law, and improving the product. We do not use your information for advertising or to build profiles for sale.
Section 06
Legal Bases for Processing
Where the EU or UK GDPR applies to our processing of your information, we rely on the following legal bases: performance of a contract (operating the Service for you, processing payments, delivering alerts you configured); legitimate interest (security, fraud prevention, product improvement, abuse detection); consent where required (for example, for non-essential cookies in jurisdictions that require it); and legal obligation (tax, accounting, lawful requests).
Where consent is the legal basis, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
Section 08
Third-Party Service Providers
To run the Service we rely on the following providers, who process information only on our instructions and under contract: Stripe for payment processing, subscription management, and tax handling; Resend for transactional and alert email delivery; our cloud hosting and content-delivery providers; mapping and address-autocomplete providers (such as Photon and OpenStreetMap-based services), which receive only the address fragments you type, never your account identifiers; and an application-monitoring provider that receives server-side telemetry such as request paths, error context, and IP addresses.
Each of these providers has its own privacy policy governing data we share with them. We may add or change providers from time to time and will keep this section accurate.
Section 09
Data Retention
We keep account information for as long as your account is active and for a reasonable period afterward to satisfy our legal, tax, and accounting obligations and to defend against potential disputes. Server logs and similar operational data are typically retained on a rolling 90-day window. Billing records are retained for the period required by applicable tax-record retention rules.
Permit data displayed on the Service is sourced from the New York City Department of Buildings via NYC Open Data; it is part of the public record and is not deleted on user request. See Section 7 of our Terms of Service for the full data-retention statement on government records.
Section 10
Data Security
We protect your information using industry-standard practices: TLS encryption for data in transit, encryption at rest where applicable, one-way password hashing (bcrypt), restricted administrative access on a least-privilege basis, and routine application updates. We tokenize payment information through Stripe so that raw card data never reaches our servers.
No system is perfectly secure. If we ever experience a breach that affects your information, we will notify you and any applicable regulators in accordance with applicable law.
Section 11
International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the U.S., you understand that your information will be transferred to, processed in, and stored in the United States, where data-protection laws may differ from those of your country.
Where required, we use appropriate safeguards for international transfers, including standard contractual clauses with our subprocessors. By using the Service from outside the U.S., you consent to this transfer.
Section 12
Your Privacy Rights
Depending on your jurisdiction, you may have the right to access the personal information we hold about you, to correct or update it, to delete it, to receive a portable export of it, to object to or restrict certain processing, and to withdraw consent where consent is the legal basis for processing.
You can update most account details from your dashboard. For deletion, export, or any other rights request, email legal@permitmap.io. We aim to respond to verified requests within 30 days. We will not discriminate against you for exercising these rights.
Section 13
California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act and the California Privacy Rights Act give you specific rights. In the past 12 months we have collected the categories of personal information described in Section 2 (identifiers, commercial information related to your subscription, and internet/network activity) and disclosed those categories only to the service providers listed in Section 8, for the operational purposes described in Section 5. We do not sell or share personal information for cross-context behavioral advertising.
You have the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing (which we do not engage in), and the right to non-discrimination. You may submit a request through legal@permitmap.io; an authorized agent may submit on your behalf with proof of authorization. We will verify your identity using the information already associated with your account.
Section 14
Children's Privacy
The Service is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13.
If you are a parent or guardian and you believe your child has provided personal information to the Service, please contact us at legal@permitmap.io. We will delete the information and close the associated account.
Section 15
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, where the change is material, give you reasonable notice — typically by email or by a prominent in-product notice — before the change takes effect.
Continuing to use the Service after a change takes effect means you accept the updated Policy. If you do not agree, you may stop using the Service and request deletion of your account.
Section 16
Contact
If you have questions, requests, or complaints about this Privacy Policy or our handling of your information, contact us at legal@permitmap.io.
If you are not satisfied with our response, you may have the right to lodge a complaint with the data-protection authority in your country or state of residence.