Privacy Policy

StreetWell is operated by StreetWell Holdings LLC (the technology and systems entity) on behalf of Rising Gold LLC (the real estate / asset management entity). Both are Maryland limited liability companies. The two organizations work together inside a small housing ecosystem that acquires, renovates, and rents urban properties, and the StreetWell platform is the internal system of record those teams use to run that work.

This policy explains what data you give us when you use the StreetWell web app, what we do with it, and how to ask us to delete or export it.

The platform stores only the information needed to run it:

• Account email and password. Passwords are never stored in plain text — we keep an Argon2 hash and salt only, and we never see your original password.
• IP address and user-agent on each session and on failed login attempts. We use these for rate limiting and to investigate suspicious access.
• Financial transactions you enter — ledger entries, invoices, leases, properties, budgets, and any notes or comments you attach to them.
• Photos and other files you upload — property photos, scanned receipts, supporting documents.
• An audit log recording who changed which record and when. We need this to satisfy our own bookkeeping and to give administrators a way to investigate mistakes.

We do not collect device fingerprints, browsing history outside the app, geolocation, or analytics events.

We use your data only to:

• Run the service — sign you in, render your records, save edits.
• Protect the service from abuse — detect brute-force logins, throttle suspicious traffic, and investigate incidents.
• Provide an audit trail so administrators can answer “who changed this and when?”
• Send transactional email — password resets, approval notifications, and the occasional service announcement. We do not send marketing email.

We do not sell, rent, or share your data with advertisers, data brokers, or analytics vendors.

• Audit log entries are retained for 90 days by default (this is the configured window for routine activity records). Entries tied to security investigations may be retained longer until the investigation closes.
• Financial records (ledger entries, invoices, tax-relevant transactions) are retained for seven years to comply with U.S. tax record keeping requirements.
• Comments you delete are soft-deleted — they remain in the database marked as removed, indefinitely, so an administrator can recover them if a record turns out to be contested.
• Files you upload stay until you (or an administrator) delete them. Deleting a file removes both the underlying blob and its database row.
• Account records are kept until you request deletion. After deletion we retain the minimum residual information needed to honor financial-record retention above.

StreetWell uses a small number of infrastructure providers. None of them have access to your account contents for any purpose other than hosting:

• Vercel — hosts the web frontend (this site).
• Hetzner — hosts the API server and the Postgres database that holds your records.

We do not use analytics tools (no Google Analytics, no Plausible, no Mixpanel), and we do not embed advertising networks or social tracking pixels.

The site uses three cookies:

• Session cookie (sw_session) — keeps you signed in between page loads. Without this you cannot use the authenticated parts of the app.
• CSRF cookie — a paired token used to prevent cross-site request forgery on form submissions.
• Language preference cookie — remembers which UI language you picked.

We do not use advertising, tracking, or analytics cookies. The cookie consent banner you see on first visit covers these functional cookies and our intent to keep the set small.

You can ask us to export the data we hold about you, correct something that’s wrong, or delete your account. The fastest way is to email dev.mhany@gmail.com from the address on your account. We typically reply within a few business days.

If you’re in a jurisdiction with formal data-protection rights (e.g. the EU/UK under GDPR, or California under CCPA), those rights apply to you here and we’ll honor them. The same email address is the right place to start.

Questions, complaints, or data requests: dev.mhany@gmail.com.