What we collect, why we collect it, how we protect it, and your rights over it — explained clearly.
We collect information that you provide directly, information generated by your use of the Platform, and information from third-party services you connect to your account. Below is a complete inventory of the categories of data we collect.
For users who register as Buyers or apply for Buyer tier verification, we additionally collect:
When you use the Platform's skip-trace integration, we log: the property address queried, the data fields returned (phone numbers, forwarding addresses), the timestamp of the query, and how many credits were consumed. We do not store the personal data of property owners obtained through skip tracing beyond what is necessary to provide the skip-trace result to you within the Platform session. Users are responsible for their own storage and use of skip-trace results.
We do not collect: full payment card numbers (handled entirely by Stripe); Social Security Numbers, EINs, or government ID numbers except as submitted on W-9 forms by competition winners (see Section 5); real-time location data or GPS coordinates; biometric identifiers.
We use the data we collect only for the purposes described below. We do not use your data for any purpose inconsistent with what you would reasonably expect given the nature of our Platform.
Your subscription status and billing information are used to authenticate your active subscription and process recurring payments via Stripe. We use your payment history internally for billing dispute resolution and fraud detection.
Usage data and device data are used to understand how users interact with the Platform, identify features that are underperforming, improve the Smart Matching algorithm's accuracy, and prioritize product development. Analytics are performed at an aggregated and pseudonymized level wherever possible.
Deal submission counts, activity scores, and competition entry data are used to calculate leaderboard rankings, determine competition winners, verify eligibility, and fulfill prize obligations including required tax reporting. Competition winners' names may be published on the Platform's leaderboard and in promotional materials unless you opt out in writing.
Affiliate click data and referral codes are used to attribute subscriptions and conversions to the correct affiliate partner for commission calculation purposes. We share only click-level attribution data with affiliate partners — not your name, contact information, or any personal data beyond the fact that a conversion occurred.
We analyze usage patterns, deal submission characteristics, account behavior, and device data to detect and prevent fraud, including fabricated property leads, fake buyer profiles, multi-accounting, and attempts to manipulate the matching algorithm or leaderboard.
We process data as required to comply with applicable law, respond to valid legal process, enforce our Terms of Service, and resolve disputes. We retain data for the periods described in Section 5 to meet our legal obligations.
We use your email address to send: (a) transactional messages required to operate your account (billing receipts, deal alerts, match notifications, competition results); (b) product updates about material Platform changes; and (c) optional marketing emails about new features, promotions, or educational content, only if you have opted in. You can manage your communication preferences in Account Settings at any time.
| Other Platform Users |
When a Smart Match is identified, we share a limited profile with the matched counterparty. For Sellers: buyer's tier badge, stated investment criteria, general deal volume range (not specific deals). For Buyers: property address, asking price, deal photos, and submitter's username. Full contact information is exchanged only after both parties initiate contact within the Platform. |
| Hosting / Platform Infrastructure |
AbandonedAssetsOS operates on cloud hosting infrastructure. Our hosting provider has access to Platform data as a service provider for purposes of hosting, security, and infrastructure operations. They are contractually bound to use this data only to provide services to us. |
| Stripe (Payments) |
Your billing information is shared with Stripe, Inc. for payment processing. Stripe is a PCI-DSS Level 1 certified processor. We share your name, email, billing address, and payment method details required to process your subscription. We do not share property data or deal history with Stripe. |
| Affiliate Partners |
We share click-level attribution data with affiliate partners to calculate commissions. This means we confirm that a click from their link resulted in a subscription — we do not share your name, email, contact information, or any personal data with affiliate partners. |
| Law Enforcement / Legal Process |
We will disclose data to law enforcement, government agencies, or courts when required by valid legal process (subpoena, court order, warrant) or when we reasonably believe disclosure is necessary to prevent imminent harm, fraud, or to protect our legal rights. We will notify you of such requests where legally permitted to do so. |
| Business Transfers |
In the event of a merger, acquisition, sale of substantially all assets, or bankruptcy, your data may be transferred to the acquiring entity as part of the transaction. We will notify you by email and provide a 30-day window to request data deletion before the transfer completes, where practicable. |
| Data Brokers / Ad Networks |
We do not share your data with data brokers, ad networks, social media platforms, or any party for the purpose of targeting you with advertising on other platforms. |
| Property Owners (Skip-Trace Subjects) |
We do not proactively disclose to property owners that their contact information was located through our Platform's skip-trace tool, unless required by applicable law. |
We implement technical and organizational measures designed to protect your data against unauthorized access, disclosure, alteration, and destruction. Our security posture is built around the following controls:
At Rest: All user data stored in our databases is encrypted using AES-256 encryption. This includes account data, property records, deal history, communications, and buyer verification documents. Encryption keys are managed using a dedicated key management system with access restricted to infrastructure personnel on a need-to-know basis.
In Transit: All data transmitted between your browser and our servers is protected using TLS 1.3, the current industry standard for transport security. We enforce HTTPS across all Platform endpoints and do not accept unencrypted HTTP connections.
The Contract Vault, which stores sensitive documents including proof of funds submissions and deal contracts, maintains an additional layer of access control beyond standard database encryption. Documents stored in the Contract Vault are encrypted with per-document keys, and access is logged at the individual document level. Only the account holder and explicitly authorized parties (e.g., a matched buyer for a specific deal) can access Contract Vault contents.
Access to user data by AbandonedAssetsOS personnel is governed by a role-based access control system. The principle of least privilege is applied — staff members access only the data necessary to perform their specific job functions. Access to production user data requires multi-factor authentication and is logged in our audit trail system. We conduct periodic access reviews to remove unnecessary access rights.
No security system is impenetrable. While we work to maintain robust security practices, we cannot guarantee that unauthorized parties will never circumvent our security measures. If we become aware of a security incident affecting your data, we will notify you as described in Section 7.
While your account is active, we retain all data associated with your account to provide the Platform's full functionality. This includes your profile data, deal history, match history, communications, and Platform activity.
After you close your account or your subscription is terminated, we retain your data according to the following schedule:
Documents submitted to the Contract Vault — particularly executed contracts, assignment agreements, and proof of funds associated with completed transactions — are permanently retained in our encrypted archive for legal compliance and post-closing dispute resolution purposes. This retention is necessary given that real estate transaction disputes can arise years after closing. If you wish to be excluded from this permanent retention policy, you may opt to store your documents outside the Contract Vault, in which case we will not retain copies beyond the standard 90-day deletion window.
Competition entry records, leaderboard history, and prize distribution records are retained historically as part of our program administration and tax reporting obligations. Aggregate competition statistics may be published indefinitely. Individual winner identities may be retained for up to 7 years for IRS 1099 compliance purposes. After 7 years, winner records are anonymized rather than deleted to preserve historical program integrity records.
Database backups may retain your data for up to 30 additional days after the applicable deletion date above, as a result of our backup rotation schedule. Data in backup is encrypted and is not accessible for standard processing; it exists solely for disaster recovery purposes.
You have meaningful rights over your data. We provide tools in Account Settings to exercise most of these rights directly. For requests that require manual processing, contact us at privacy@abandonedassets.live and we will respond within 30 days.
| Your Right | What It Means |
|---|---|
|
Data Portability Request Your Data Export |
You can request a complete export of all personal data we hold about you, delivered as a structured, machine-readable file in CSV and/or JSON format. This includes your account data, property submissions, deal history, match history, and communication records. Exports are prepared within 30 days and delivered securely to your registered email address. This right is available to all users regardless of your state of residence. |
|
Right to Delete Request Account Deletion |
You can request deletion of your personal data. We will delete all data subject to the legal retention obligations in Section 5. We will confirm what data has been deleted and what data must be retained for legal reasons and why. Deletion requests are processed within 30 days. Note: deleting your account also cancels your subscription with no refund for the remaining billing period. |
|
Marketing Opt-Out Unsubscribe from Marketing |
You can opt out of marketing and promotional emails at any time by clicking the unsubscribe link in any marketing email or by updating your preferences in Account Settings. Opting out of marketing does not affect transactional emails required to operate your account (billing receipts, security alerts, deal match notifications). |
|
Right to Access View All Stored Data |
You can request a summary of all categories of personal data we hold about you, including the purposes for which each category is processed, the retention period applicable to each category, and any third parties with whom data in that category has been shared. This request can be made via email to privacy@abandonedassets.live. |
|
Right to Correct Fix Inaccurate Data |
If you believe we hold inaccurate or incomplete personal data about you, you can correct most account data directly in Account Settings. For data that cannot be self-corrected (such as match history or deal records that were already shared with other users), contact privacy@abandonedassets.live with the specific correction requested and supporting evidence. We will review and respond within 30 days. |
In the event of a data security incident that results in the unauthorized access to, disclosure of, or loss of your personal data, AbandonedAssetsOS commits to notifying all affected users within 72 hours of our discovery of the incident. This commitment exceeds the notification timelines required by all 50 U.S. states, most of which require notification within 30–90 days.
Our 72-hour notification policy reflects our belief that you deserve to know about potential compromises to your data as quickly as possible so you can take protective action — not at the pace of the slowest regulatory requirement.
What constitutes a reportable incident: Unauthorized access to encrypted databases; unintended exposure of personal data to unauthorized third parties; loss or theft of devices containing unencrypted personal data; or any other event that reasonably creates a risk of harm to affected users.
What does not require notification: Attempted unauthorized access that was blocked by our security systems without any data being accessed; incidents affecting only de-identified or aggregated data that cannot be traced to specific individuals.
For security incidents that do not meet the threshold for personal data breach notification (e.g., blocked intrusion attempts, infrastructure anomalies with no confirmed data exposure), we maintain an internal security log and conduct post-incident reviews to improve our security posture. We do not publicly disclose these incidents unless required by law or unless disclosure would serve the security interests of our users.
We use the following categories of cookies and similar tracking technologies:
On your first visit to the Platform, we display a consent banner allowing you to accept or decline non-essential cookies (analytics and preference cookies). Affiliate tracking cookies are placed only when you arrive via an affiliate link. You can change your cookie preferences at any time in Account Settings or by clearing your browser's cookies. Declining analytics cookies does not affect your ability to use the Platform.
You can opt out of analytics cookies at any time by: (a) updating your preferences in Account Settings; (b) using your browser's built-in cookie controls to block or delete cookies from our domain; or (c) enabling the "Do Not Track" browser setting (we honor DNT signals for non-essential cookies). Opting out of analytics cookies does not delete historical analytics data collected prior to opt-out.
We do not place or allow any third-party advertising cookies on the Platform. We do not participate in cross-site tracking or behavioral advertising networks. The cookie inventory above is the complete list of cookies we place.
If you are under 18, you are not permitted to create an account or use this Platform. The nature of our services — real estate deal facilitation, subscription services, and competition prizes — requires legal adulthood to participate.
If we become aware that we have collected personal data from an individual under 18, we will take immediate steps to delete that data and close the associated account. If you are a parent or guardian and believe your child has created an account on our Platform, please contact us immediately at privacy@abandonedassets.live with the subject line "MINOR ACCOUNT REPORT." We will investigate and respond within 48 hours.
Our Platform does not appeal to children and does not contain content, games, or features designed to attract minor users. Age verification is requested during account registration, and accounts are subject to termination if we discover the registered user is under 18.
If you are a California resident, you have additional privacy rights under the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"). This section describes those rights and how to exercise them. These rights apply in addition to the rights described in Section 6.
You have the right to know: (a) the categories of personal information we have collected about you in the last 12 months; (b) the categories of sources from which that information was collected; (c) our business or commercial purpose for collecting that information; (d) the categories of third parties with whom we share your information; and (e) the specific pieces of personal information we have collected about you. You can exercise this right by submitting a request to privacy@abandonedassets.live.
You have the right to request deletion of personal information we have collected about you, subject to certain exceptions permitted by law (including our legal retention obligations described in Section 5). We will confirm deletions in writing.
You have the right to opt out of the "sale" of your personal information. As stated in Section 3, we do not sell personal information. Therefore, there is no opt-out mechanism needed for this right — we already do not engage in the activity the right is designed to prevent.
We will not discriminate against you for exercising any of your CCPA rights. Exercising your rights will not result in: denial of services, different prices or rates for services, a different level of quality of services, or suggestions that you will receive a lower level of service. The exception is that we may offer financial incentives for data sharing where permitted by law — any such program will be fully disclosed before your participation.
Under CPRA, you have the right to request correction of inaccurate personal information that we maintain about you. We will use commercially reasonable efforts to correct the information within 45 days of a verified request, with one permissible 45-day extension if reasonably necessary.
Under CPRA, you have the right to limit our use of sensitive personal information to only what is necessary to perform the services you have requested. The sensitive personal information we collect (if any) is limited to: (a) financial account information (last 4 digits of payment card) — used only for billing; and (b) precise location data — we do not collect precise location data. You may request limitation of sensitive data use by contacting privacy@abandonedassets.live.
To exercise any of your California rights, submit a verifiable consumer request to privacy@abandonedassets.live with the subject line "CALIFORNIA PRIVACY REQUEST." Only you, or a person you have designated in writing as your authorized agent, may make a request related to your personal information. We will respond within 45 days, with one permissible 45-day extension for complex requests. We will provide responses free of charge unless requests are manifestly unfounded, excessive, or repetitive.
For all privacy-related questions, data rights requests, breach reports, or concerns about our data practices, please contact our Privacy team:
We commit to acknowledging all privacy inquiries within 5 business days and providing a substantive response within 30 days. California residents are entitled to a response within 45 days as specified by CCPA. We will not charge you for submitting a privacy rights request, except in cases of manifestly unfounded or excessive requests.
This Privacy Policy was last updated in March 2026. We will notify you of material changes to this Policy in accordance with the modification provisions in the Terms of Service. The most current version of this Privacy Policy is always available at /privacy.