Privacy Policy
This policy explains what information Tenora-AI collects when you use our property management platform, how we use that information, who we share it with, and the choices you have.
1. Who we are
This Privacy Policy applies to the Tenora-AI service ("Service"), available at tenora-ai.com and app.tenora-ai.com. The Service is owned and operated by ConnectUP LLC ("Tenora-AI," "we," "us," or "our"). When we refer to "you," we mean any person who interacts with the Service — whether you are a landlord or property manager who subscribes to the Service ("Customer") or a tenant whose information is processed through the Service.
2. Information we collect
2.1 Information you provide directly
- Account and contact information. When you request access to the Service or create an account, we collect your name, email address, phone number, and the name of your business.
- Authentication credentials. We collect a password that we store only in hashed form. We never see or store your password in plain text.
- Tenant records. Customers upload information about their tenants, which may include the tenant's name, email address, phone number, mailing address, emergency contact details, date of birth, and — at the Customer's election — a Social Security Number for use in third-party tenant screening.
- Property and lease information. Customers add details about their properties (address, unit composition, photos) and leases (rent amount, start/end dates, terms, security deposits).
- Payment information. When a Customer subscribes to the Service, payment-card and bank-account details are collected directly by our payment processor, Stripe, on PCI-DSS-compliant payment forms; we do not see or store full card or bank-account numbers. We do receive limited metadata such as the last four digits, the card brand, transaction amounts, and Stripe-issued identifiers.
- Maintenance and message content. Tenants submit maintenance requests including descriptions and optionally photographs of the issue. Customers and tenants may exchange messages or comments through the Service.
- Communications with us. If you contact us by email or through a form, we retain the content of that communication and your contact details.
2.2 Information we collect automatically
- Log and device data. Our servers automatically log information such as your IP address, browser type and version, operating system, the pages you view, referring URLs, and timestamps. We use this information for security, fraud prevention, and to operate the Service.
- Authentication cookies. When you sign in to the application at app.tenora-ai.com, we set an HTTP-only, secure cookie containing a refresh token so you can stay signed in across visits. This is a first-party, strictly necessary cookie.
- Audit trail. We record certain actions you take in the Service — for example, recording a rent payment, marking a payment paid, refunding a charge, or changing organization settings — along with the IP address and browser user-agent of the request. We use these audit logs for security, dispute resolution, and to investigate suspected misuse.
2.3 Information from third parties
- From our payment processor. Stripe shares transaction status, dispute notifications, and (for our Customers who use Stripe Connect to receive rent payments) account-verification status with us. We do not receive raw card or bank-account numbers from Stripe.
- From our AI provider. When a tenant submits a maintenance request, we send the title and description of that request to Anthropic's Claude model to suggest a category and priority. Anthropic processes that text under its API terms and does not use it to train its models. The model's response (a category, a priority, and a short summary) is stored with the maintenance request.
3. How we use information
We use the information described above to:
- Provide, maintain, and operate the Service, including authentication, billing, sending invoices, processing rent payments, generating lease PDFs, and routing maintenance requests.
- Send transactional and account-related communications, including rent reminders, maintenance updates, account-security alerts, password resets, and invoices.
- Send SMS notifications to phone numbers that have opted in to receive them (see Section 9).
- Detect, investigate, and prevent fraud, security incidents, and other prohibited or illegal activity.
- Comply with legal obligations, including tax, accounting, and law-enforcement requests.
- Analyze how the Service is used so we can improve it.
We do not sell your personal information. We do not use your personal information for cross-context behavioral advertising. We do not allow third parties to track you on our Service for advertising.
4. How we share information
4.1 Between Customers and tenants
Tenora-AI is, by design, a tool that Customers use to manage their tenants. When a Customer uploads a tenant record into the Service, the information in that record is visible to the Customer's authorized team members (owners, managers, and maintenance staff). When a tenant accepts a portal invitation and signs in, the tenant can see their own lease, payments, maintenance history, and lease documents, but not records of other tenants.
4.2 Service providers
We share information with third-party service providers who help us operate the Service. Each provider receives only the information needed for its function and is contractually required to protect that information:
- Stripe, Inc. — payment processing for the Service subscription and, via Stripe Connect, rent payments routed directly from tenants to Customers.
- Twilio Inc. — delivery of SMS notifications.
- Resend, Inc. — delivery of transactional email.
- Anthropic, PBC — AI-assisted categorization and prioritization of maintenance requests. The model does not train on your data.
- Cloudflare, Inc. — object storage (R2) for documents you upload, such as lease PDFs and maintenance photos.
- Railway Corp. — cloud hosting for our API and background workers and managed database services.
- Netlify, Inc. — hosting for our website and the application's front-end.
When we choose service providers, we look for providers that handle data inside the United States. We do not currently transfer data outside the United States for routine processing.
4.3 For legal reasons
We may disclose information if we believe in good faith that disclosure is necessary to (i) comply with a law, regulation, subpoena, court order, or other legal process; (ii) protect the safety of any person; (iii) protect Tenora-AI's rights, property, or interests; or (iv) investigate or prevent fraud or security incidents.
4.4 In a corporate transaction
If Tenora-AI is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information we hold may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
4.5 With your consent or at your direction
We share information for purposes other than those described above when you tell us to.
5. Cookies and similar technologies
We use a small number of first-party cookies for essential Service functions, including authentication. The marketing site at tenora-ai.com uses no third-party analytics or advertising cookies. Because we do not use cookies for tracking or advertising, we do not present a cookie banner. We honor browser "Do Not Track" signals where they apply by not engaging in tracking in the first place.
6. Data retention
We retain account, tenant, lease, and payment information for as long as you maintain an account with us and for a reasonable period afterward to comply with our legal obligations (typically up to seven years for tax and accounting records). Audit logs are retained for a similar period. Authentication tokens, password-reset tokens, and one-time SMS opt-out records are retained only as long as necessary to perform their function (typically less than 30 days for transient tokens; indefinitely for opt-out elections).
When you close your account, you may request deletion of your personal information by emailing us at the address in Section 13. We will delete or de-identify your information within 30 days of receiving a verified deletion request, except where we are required by law to retain it (for example, tax records or audit logs related to financial transactions).
7. Data security
We use reasonable administrative, technical, and physical safeguards designed to protect your information:
- Data is transmitted to and from the Service over TLS (HTTPS).
- Passwords are stored using bcrypt with a per-password salt; we never see or store your password in plain text.
- Refresh tokens and password-reset tokens are single-use and rotated on every authentication.
- Sensitive uploads (such as lease PDFs and maintenance photos) are stored in private, signed-URL-only object storage.
- Production access is limited to a small number of authorized engineers and is logged.
- Payment card and bank-account data is collected directly by Stripe on PCI-DSS-compliant payment forms; this data does not pass through our servers.
No security program is perfect. If you have reason to believe your account has been compromised, please contact us immediately at the address in Section 13.
8. Your choices and rights
8.1 Access and correction
You can review and update the information in your account by signing in to the Service. If you cannot make a change through the application, contact us and we will help.
8.2 Deletion
You can request deletion of your personal information by emailing us at the address in Section 13. We will respond to verified deletion requests within 30 days. Note that certain information must be retained for legal or operational reasons even after a deletion request.
8.3 SMS opt-out
You can opt out of SMS notifications at any time by replying STOP to any text message you receive from us. Reply HELP for assistance. Opt-outs are processed within minutes and recorded against your phone number; once you opt out, we will not send you further SMS unless you reply START to opt back in.
8.4 Email opt-out
Most of our email is transactional (rent reminders, payment receipts, account alerts) and cannot be turned off without affecting the Service. We do not currently send marketing emails.
9. Industry-specific notices
9.1 Real estate and fair housing
Tenora-AI is a software platform that provides tools to landlords and property managers to operate their rental businesses. We do not directly select tenants, deny applications, or make leasing decisions; those decisions are made by our Customers. Our platform is designed to support our Customers' compliance with applicable fair-housing laws, including the federal Fair Housing Act (42 U.S.C. § 3601 et seq.) and the Connecticut Fair Housing Law (Conn. Gen. Stat. § 46a-64c), which prohibit discrimination on the basis of race, color, national origin, religion, sex, familial status, disability, age, marital status, lawful source of income, sexual orientation, gender identity, or status as a victim of domestic violence. Our Customers are solely responsible for ensuring their leasing practices comply with all applicable fair-housing laws.
9.2 SMS communications and the TCPA
When you opt in to receive text messages from Tenora-AI, you provide your express written consent to be contacted by SMS for account-related notifications. Message frequency varies based on your account activity. Standard message and data rates may apply. You may opt out at any time by replying STOP as described above. We maintain records of your consent and any opt-out elections in compliance with the Telephone Consumer Protection Act (47 U.S.C. § 227) and applicable FCC regulations.
9.3 Payment processing and PCI compliance
We use Stripe, Inc. as our third-party payment processor. We do not store, transmit, or otherwise handle full credit-card numbers, debit-card numbers, or bank-account routing numbers on our servers; all payment-card and bank-account data is collected directly by Stripe through their PCI-DSS-certified payment forms. We receive only limited payment metadata. Rent payments routed through Stripe Connect flow directly from the tenant to the Customer's connected Stripe account; Tenora-AI does not handle or hold tenant rent funds.
9.4 Tenant information and consumer reports
Our Customers may upload sensitive tenant identifiers, including Social Security Numbers, for use in third-party tenant screening. Where such identifiers are provided, we store them in encrypted form and restrict access to authorized personnel within the Customer's organization. Tenora-AI does not itself perform tenant background checks, credit checks, or consumer reports. If a Customer engages a third-party consumer reporting agency, that agency's collection and use of tenant information is governed by the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) and the consumer reporting agency's own disclosure and consent procedures.
10. Children's privacy
The Service is intended for use by adults. We do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where that is the applicable age). If you believe a child has provided us with personal information, please contact us and we will delete the information.
11. State and regional notices
11.1 California residents
If you are a California resident, you have rights under the California Consumer Privacy Act ("CCPA") to know, access, delete, correct, and limit the use of certain personal information, and to not be discriminated against for exercising those rights. We do not sell or share personal information for cross-context behavioral advertising as those terms are used in the CCPA. To exercise your CCPA rights, contact us using the information in Section 13.
11.2 Connecticut residents
If you are a Connecticut resident, you have rights under the Connecticut Data Privacy Act ("CTDPA") to access, correct, delete, and obtain a copy of certain personal information, and to opt out of certain processing. To exercise your CTDPA rights, contact us using the information in Section 13.
11.3 Other U.S. state residents
Residents of Virginia, Colorado, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, and New Hampshire may have similar rights under their respective state privacy laws. To exercise these rights, contact us using the information in Section 13.
11.4 International users
The Service is hosted in the United States and is intended for users in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States.
12. Changes to this Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. If we make material changes, we will notify Customers by email and post a prominent notice in the Service before the changes take effect. Your continued use of the Service after the changes take effect constitutes your acceptance of the updated Policy.
13. Contact us
If you have questions about this Privacy Policy or want to exercise any of your rights, contact us at:
Postal mail: ConnectUP LLC, 108 Main Street, Baltic, CT 06330