Privacy Policy

We use the information we collect to:

• Generate the lease document you asked us to build.
• Deliver signing invitation emails and audit trail records to the parties on a signing session.
• Secure your account and detect/prevent fraud or abuse.
• Process subscription payments (handled by Stripe — see §5).
• Provide customer support when you contact us.
• Analyze aggregate, pseudonymous product usage via PostHog to improve our templates, UX, and underlying legal research.
• Comply with our legal obligations (subpoenas, audits, tax).
• Monitor application errors and performance via Sentry to maintain service reliability.

We do not sell your information to advertisers or data brokers, ever. We do not use your document content or tenant information for advertising targeting, model training, or profiling for purposes unrelated to operating the Service.

We share information only when necessary to run the product or when required by law:

• Service providers (subprocessors) — hosting, authentication, storage, email delivery, payments, analytics, and error monitoring. See §6 for the full list. Each vendor is contractually limited to using your data only to provide the service.
• Other parties on your signing session— when you invite a tenant to sign, the tenant sees your name, email, and the lease document. The tenant’s signed copy and audit trail are also delivered to you as the landlord. That’s the point of the invite, but it’s worth saying out loud.
• Legal requirements — if served with a valid subpoena, court order, or other lawful request, we will disclose the minimum information required to comply, after challenging overbroad requests. Where permitted by law, we will notify the affected user before disclosing.
• Successor entities — if LawLease is acquired or merges with another company, your data transfers under the same obligations described in this policy.

Depending on where you live, you may have the right to access, correct, delete, port, or restrict the processing of your personal information. This includes rights under the EU GDPR, UK GDPR, California CCPA/CPRA, Texas TDPSA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, and similar laws. To exercise these rights, email privacy@lawlease.org. We’ll respond within 45 days (with one 45-day extension if reasonably necessary). We never charge to honor a rights request, and we won’t retaliate against you for making one. For detailed opt-out and state-specific rights, see Your Privacy Choices.

All subscription billing is handled by Stripe, Inc. LawLease never sees or stores your full credit card number. We receive only the last 4 digits, the card brand, and a Stripe customer/subscription ID, which we use to show your billing history and reconcile subscription status.

We use the following service providers (“subprocessors”) to operate LawLease. Each is bound by a written Data Processing Agreement that limits them to processing your information only on our instructions and only for the purposes listed.

• Supabase, Inc.— account data, lease drafts, signed documents, and audit-trail records (database and object storage). United States.
• Stripe, Inc.— payment processing, subscription management, and tax records. United States.
• Resend (Resend.com Inc.)— transactional email delivery, including signing invitations and account notifications. United States.
• Vercel, Inc.— web application hosting, edge networking, and request/error logs. United States and EU edge regions.
• PostHog, Inc.— product analytics and feature flags. Data is proxied through our own infrastructure before being forwarded; United States.
• Functional Software, Inc. (Sentry)— application error monitoring and performance tracing. May receive user IDs and request metadata associated with errors. United States.
• Google LLC— sign-in via Google Identity Services (OAuth 2.0). We receive your name and email from Google only when you choose to sign in with Google. United States.

We will update this list before adding any new subprocessor that will access personal data. If you object to a new subprocessor, you may close your account before the change takes effect.

We use TLS in transit, encrypted-at-rest storage, role-scoped database access (Supabase Row Level Security), and short-lived signed URLs for any document download. Signing tokens are hashed before they’re stored — only the recipient’s email contains the raw token. Signature audit trails include the signer email, timestamp, IP address, user agent, and a hash of the signed document for tamper-evidence.

We run security reviews of every release. If we ever detect a breach involving personal data, we will notify affected users within 72 hours to the extent required by applicable law, and will notify relevant supervisory authorities as required.

LawLease is built for adult landlords and tenants signing residential leases. We do not knowingly collect information from anyone under 16. If you believe a child has used LawLease, email privacy@lawlease.org and we will delete the account.

We keep your account and lease drafts as long as your account is active. After account deletion, we retain executed leases and associated audit trails for 7 years to comply with US contract and tax retention norms, after which they are deleted. Payment records are retained as required by Stripe and applicable tax law. Draft documents and render files are deleted within 30 days of account deletion. Tenant signing data (email, IP, signature image, audit trail) is retained as part of the executed lease record for the same 7-year period, since it constitutes evidence of the legally executed agreement.

LawLease does not alter its data collection practices in response to browser Do Not Track (DNT) signals, as there is no uniform industry standard for how to interpret such signals. However, we do not sell your personal information regardless of DNT status. For opt-out options, visit Your Privacy Choices.

In addition to the rights in §4, California residents have the following rights under the CCPA/CPRA:

• Right to know the categories of personal information collected, the purposes for collection, and the categories of third parties with whom we share it.
• Right to opt out of sale or sharing for cross-context behavioral advertising. LawLease does not sell or share personal information in this way, so there is nothing to opt out of. See Your Privacy Choices.
• Right to limit use of sensitive personal information. We do not use sensitive PI (which for us includes lease-related financial terms, government ID data if collected, and signature images) for purposes beyond those necessary to provide the Service.
• No financial incentive. We do not offer any financial incentive tied to the collection or retention of your personal information.

Categories of personal information we collect: identifiers (name, email, IP address); commercial information (subscription plan, payment records); internet activity (pages visited, features used); professional information (property address, rental terms); and inferences drawn from usage data to improve the Service.

To exercise your rights, email privacy@lawlease.org from the address associated with your account.

Residents of Texas (Texas Data Privacy and Security Act, effective July 2024), Virginia (CDPA), Colorado (CPA), and Connecticut (CTDPA) have rights similar to those in §4, including the right to access, correct, delete, and port personal data, and to opt out of the sale of personal data and targeted advertising. As noted above, LawLease does not sell personal data or conduct targeted advertising. To exercise your rights, email privacy@lawlease.org. You may also appeal a denial of your rights request to your state attorney general.

LawLease is operated in the United States. If you access the Service from outside the US, your information will be transferred to, processed in, and stored in the United States. If you are located in the European Economic Area, United Kingdom, or Switzerland, the legal basis for processing your personal data is performance of a contract (operating the Service you have requested) and, where applicable, legitimate interests (product analytics and security monitoring). We use Standard Contractual Clauses (SCCs) where required for transfers to our non-EEA subprocessors.

LawLease is primarily designed for use by US landlords and tenants under US state law. If you are outside the US, please consult local counsel before using our templates.

We’ll post the updated policy here and update the “Last updated” date above. For material changes (anything that expands what we collect or how we share it), we’ll email registered users at least 14 days before the change takes effect.

Questions about this policy or your data? Email privacy@lawlease.org or use our support page. For everything else, email hello@lawlease.org.