Privacy Policy
Last updated: April 20, 2026
Version: 2026-04-20.1
1. Notice at Collection
Recover My Deposit (“we,” “us”) is operated by Byron Hood as a sole proprietorship. This Notice at Collection is provided in accordance with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). It summarizes what we collect and why. Full detail is in the sections below.
- Categories of personal information we collect: identifiers (name, email, phone, date of birth, IP address, account ID); customer records (mailing/billing address); commercial information (payment records, service history); internet or network activity (pages viewed, device/browser metadata); coarse geolocation (derived from IP); audio/visual (photos and documents you upload); professional information (landlord and lease details you provide); and inferences drawn from the foregoing (case analysis and draft letters prepared with AI assistance).
- Sources: directly from you (forms, uploads, messages); automatically from your device (cookies, IP address, browser headers); from our payment processor (transaction metadata, card last-four, zip); from our subprocessors as described in section 7.
- Business and commercial purposes: to operate the service, analyze your case, generate demand letters, prepare court document packages, process payments, deliver notifications, connect you with an attorney at your request, respond to support, prevent fraud, comply with law, and improve the service.
- Third-party disclosure: we disclose personal information only to subprocessors listed in section 7 and, at your explicit request, to a licensed attorney you choose to connect with. We do not sell or share your personal informationas those terms are defined under CCPA/CPRA, and we do not use or disclose sensitive personal information for purposes that would trigger a right to limit under Cal. Civ. Code § 1798.121.
- Retention: see the retention schedule in section 5.
2. Categories of Personal Information
The table below maps the CCPA statutory categories to what we actually collect.
| CCPA category | What we collect |
|---|---|
| Identifiers | Name, email address, phone number, date of birth, IP address, account ID. |
| Customer records (Cal. Civ. Code § 1798.80(e)) | Mailing address, billing address. |
| Protected classifications | None. We do not collect race, religion, national origin, disability, marital status, or similar protected attributes. |
| Commercial information | Payment records, products/services purchased, service history. Card numbers are handled by Stripe and never stored on our servers. |
| Biometric information | None. |
| Internet or network activity | Pages viewed, actions taken in the service, device/browser metadata, timestamps. |
| Geolocation | Coarse location only, inferred from IP address. We do not collect precise GPS coordinates. |
| Audio, electronic, visual | Photos and documents you upload (e.g., lease agreements, move-in/move-out photos, correspondence). |
| Professional or employment information | Landlord name and contact details, property manager information, lease terms — as you provide them. |
| Education information | None. |
| Inferences | Case analysis, draft demand letters, and recommendations prepared with AI assistance from your case details. |
| Sensitive personal information | We do not collect government IDs (SSN, driver's license, passport), precise geolocation, racial or ethnic origin, religious beliefs, union membership, genetic or biometric data, health information, or information about sex life or sexual orientation. |
3. Files You Upload
Important:the documents and photos you upload — leases, receipts, emails, text screenshots, move-in/move-out photos, and similar — may contain information we do not list individually in this policy. That can include your home address, prior addresses, co-signer or roommate names, other people's contact details, financial account numbers, images of third parties, or other sensitive content.
We do not ask you to redact uploads, and we do not inspect them before they are processed. You are responsible for reviewing each file before you upload it and for removing anything you do not want processed.
By uploading a file, you consent to our processing of everything the file contains — including any sensitive or third-party information — for any and all purposes listed in this Privacy Policy, including storage on our infrastructure, transmission to the subprocessors listed in section 7 (including AI analysis by Anthropic), use in generating demand letters and court packages, and, at your request, disclosure to an attorney you choose to connect with.
We still do not sell or share the contents of your uploads, and our retention schedule in section 5 still applies.
4. How We Use Your Information
We use the information we collect to:
- Create and manage your account
- Analyze your case details and generate demand letters
- Prepare and organize documents for your court date
- Process payments for our services
- Send notifications about your case status by email or SMS
- Forward your case information to a licensed attorney, at your request
- Respond to your support requests
- Detect and prevent fraud and violations of our Terms of Service
- Monitor and improve the performance, security, and reliability of the service
- Comply with legal obligations and respond to lawful requests
5. Data Retention
We retain each category of personal information only for as long as necessary to serve the purpose for which it was collected, per the schedule below.
| Data category | Retention period |
|---|---|
| Account information (name, email, phone) | For the life of the account. Erased within 30 days of a verified deletion request, subject to legal holds. |
| Documents you upload (lease, photos, correspondence) | Erased within 30 days of a verified deletion request. Otherwise, 7 years after the case reaches resolved or closed. |
| Documents RMD generated about your case (demand letters, attorney packages) | Retained up to the applicable statute of limitations (typically 4 years) under Cal. Civ. Code § 1798.105(d), so we can respond to chargebacks, tax audits, and legal challenges to work we performed for you. |
| Redacted case record (status, dates, case ID) | Retained after deletion, with landlord name, property address, deposit amount, and AI analysis erased. Ties a retained generated document to the case it was written about. |
| Payment records (Stripe metadata, receipts) | 7 years, to comply with tax and financial-records obligations. |
| Email and SMS logs (delivery status, bounces) | 2 years, for deliverability and compliance audit. |
| Server and application logs | 90 days. |
| Deletion-request records | 2 years, as required under 11 CCR § 7101(a) to document our handling of consumer requests. |
| Backups | 35 days rolling; data purged from live stores is purged from backups within this window. |
When you submit a deletion request, we apply a 30-day grace window during which we can reverse the deletion if it is made in error. After that window we erase the documents you uploaded (lease, photos, correspondence) and their cloud copies. We retain a redacted case record and the documents RMD generated about your case (demand letters, attorney packages) for up to the applicable statute of limitations (typically 4 years), so we can respond to chargebacks, tax audits, and legal challenges to work we performed for you. The backup and legal-hold exceptions above still apply.
6. Attorney Connection
If you choose to connect with a licensed attorney through our platform, we will share your case information with that attorney for the purpose of evaluating and potentially representing you. This sharing only occurs at your request. Once shared, the attorney's handling of your information is governed by their own privacy practices and engagement agreement with you.
7. Subprocessors
We share personal information with the following subprocessors to deliver the service. Each subprocessor is bound by a Data Processing Addendum (DPA) that restricts their processing of your personal information to the purposes we direct. The DPA column links to each vendor's public agreement.
| Subprocessor | Service | Data categories shared | Location | DPA |
|---|---|---|---|---|
| Amazon Web Services | Cloud hosting (database, compute, object storage, CDN, identity); transactional email (SES); SMS delivery (AWS End User Messaging). | All categories listed in section 2 — AWS is our primary processor and the same master DPA covers SES and AWS End User Messaging. | United States (us-east-1). | AWS DPA |
| Stripe | Payment processing; card tokenization. Card data is handled directly by Stripe. | Identifiers (name, email, billing address, IP), commercial information (payment records, card last-four, zip), internet activity (Stripe.js device metadata). | United States. | Stripe DPA |
| Anthropic | AI analysis of case details and demand-letter drafting (Claude API). Under Anthropic's commercial terms, your data is not used to train foundation models. | Audio/visual uploads (text extracted from documents and photos at request time), professional information (landlord and lease details), inferences (analysis prepared with AI assistance). | United States. | Anthropic DPA |
We review this registry annually. To request the executed DPA on file for any vendor above, use our contact form.
We never sell, rent, or share your personal information with any third party outside of these subprocessors without your explicit permission. We will not disclose your information to any party not involved in providing the service unless required by law or with your consent.
8. Data Storage and Security
Your data is stored on secure servers provided by Amazon Web Services in the United States. We use industry-standard security measures, including encryption in transit (TLS 1.2+) and at rest, least-privilege IAM, private VPC subnets for our database, and regular security monitoring.
9. Your Rights
Most of the rights listed below are granted by the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and apply only to California residents.If you reside in another U.S. state you may have analogous rights under that state's privacy law; we will review and honor any such request consistent with applicable law. Certain rights — for example the right to close your account and the right to opt out of marketing communications — are available to all users regardless of residence.
Subject to applicable law, you have the right to:
- Know and access the categories and specific pieces of personal information we have collected about you in the last 12 months (CA residents — CCPA)
- Delete personal information we hold about you (CA residents — CCPA; other states as applicable)
- Correct inaccurate personal information (CA residents — CPRA)
- Port/export your personal information in a portable, machine-readable format (CA residents — CCPA)
- Opt out of the sale or sharing of your personal information (CA residents — CCPA/CPRA) — note that we do not sell or share personal information as those terms are defined under CCPA/CPRA
- Limit use of sensitive personal information (CA residents — CPRA) — we do not use sensitive PI for purposes that would trigger this right
- Non-discrimination for exercising a privacy right (CA residents — CCPA; extended to all users as a matter of policy)
- Appeal a denial of any of the above requests
- Close your account and opt out of non-essential communications (all users)
To submit a request, use our contact form with the subject line “Privacy Request” and a short description of what you want us to do. Authorized agents may submit requests on your behalf with written proof of authorization. A self-serve export tool is planned at /account/export; until it ships, the contact form is the intake path.
We will confirm receipt within 10 business days and respond substantively within 45 days. We may extend that window by an additional 45 days where reasonably necessary, and will notify you if we do. To protect your data, we verify the identity of the requester before acting; we may ask you to confirm the email address associated with your account or provide other information reasonably necessary to match the request to a person in our records.
You may also visit your profile page to update basic account information or close your account.
10. California Rights (CCPA/CPRA)
If you are a California resident, you have the rights described in section 9 above under the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100–1798.199.100) and the California Privacy Rights Act.
Do Not Sell or Share My Personal Information.We do not sell personal information and do not share it for cross-context behavioral advertising. We therefore do not offer a separate “Do Not Sell or Share” link. If that changes, we will add a link at this anchor and update this policy.
Shine the Light (Cal. Civ. Code § 1798.83). We do not share personal information with third parties for their direct-marketing purposes.
Notice of Financial Incentive. We do not offer financial incentives or price/service differences in exchange for personal information.
Metrics.We publish annual metrics on consumer requests received, complied with, and denied when the threshold in 11 CCR § 7102 is met.
Authorized agents and appeals. Authorized agents may submit requests on your behalf per section 9. If we deny a request, you may appeal by replying to our response email within 30 days; we will respond to the appeal within 45 days.
11. Children's Privacy
The service is restricted to individuals 18 or older, and this is enforced at sign-up. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from a person under 18, we will delete it promptly. To report such a collection, use our contact form.
12. SMS Notifications
We use phone numbers you provide to send case-milestone notifications and one-time verification codes at sign-in, under the program name Recover My Deposit SMS. Message frequency is up to a few messages per case milestone, plus verification codes on sign-in. Message and data rates may apply. Reply STOP to any message to unsubscribe, or HELP for assistance; for customer care, use our contact form.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date and version number at the top of this page and, where appropriate, notify you by email. Prior versions are preserved in our public git history. Your continued use of the service after any changes constitutes your acceptance of the revised policy.
14. Contact
For privacy requests or questions about this policy, use our contact form.