Privacy Policy

Last updated: April 29, 2026

1. Introduction

OneStopReal LLC ("we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform.

2. Information We Collect

We collect the following categories of information:

Account information: your name, email address, and password (stored in hashed form).
Project data: the financial models, inputs, calculations, scenarios, capital stack structures, waterfall configurations, lease rollover assumptions, BRRRR chain data, and any other project content you create, import, or generate within the platform. This includes data extracted from files you upload for AI-assisted import.
Usage data: pages visited, features used, and timestamps for analytics and service improvement.
Payment data: handled entirely by Paddle, our Merchant of Record. We never see, process, or store your credit card numbers or payment details.

2a. Aggregated and Anonymized Analytics

We may aggregate and anonymize usage data, platform interaction data, and other non-identifying information to produce internal analytics, product improvement insights, and service benchmarks. All such aggregated data will be fully anonymized so that no individual, company, project, or specific property can be identified.

We will never publish, sell, distribute, or otherwise use your identifiable project data - including your financial models, deal assumptions, or calculation results - without your explicit written consent. All aggregated analytics are derived exclusively from anonymized platform usage data, not from the content of your projects.

3. How We Use Your Information

We use the information we collect to:

Provide, maintain, and improve the OneStopReal platform.
Process subscription billing through Paddle.
Send transactional emails such as proforma Excel exports (via Resend).
Analyze usage patterns to improve the platform experience.
We do NOT sell, rent, or share your personal data with third parties for marketing purposes.
We do NOT use your project data for any purpose other than providing the service directly to you.

4. Third-Party Services

We use the following trusted third-party services to operate our platform:

Supabase - database and authentication (hosted on AWS).
Paddle - payment processing and subscription management (Merchant of Record).
Resend - transactional email delivery.
Cloudflare Turnstile - anti-spam protection on signup and login.
Netlify - website hosting and deployment.
PostHog (EU-hosted) - product analytics to understand how visitors interact with our platform. Uses a single first-party cookie. No data is shared with third parties. You can opt out via our cookie banner.
OpenAI - powers our AI assistant and document import features. When you use these features, relevant project context and prompts are sent to OpenAI's API for processing. OpenAI does not use API data to train its models. No data is sent to OpenAI unless you actively use the AI assistant or document import features.
Anthropic - also powers certain AI assistant features within the platform. When you use these features, relevant project context and prompts are sent to Anthropic's API for processing. Anthropic does not use API data to train its models. No data is sent to Anthropic unless you actively use the AI assistant features.
AI Interaction Data. When you use AI-assisted features, we may collect and temporarily retain prompts, responses, project context snippets, and related metadata (such as timestamps and usage metrics) for the purposes of providing the feature, enforcing safety controls, troubleshooting issues, and improving service quality. We do not use your identifiable project data to train AI models, and we do not share AI interaction data with third parties beyond the API providers listed above. For full details on how AI features work and what they may and may not be used for, see our AI Use Policy.

5. Cookies

We use essential cookies for session authentication and storing your cookie consent preference. If you accept analytics cookies, we use PostHog (hosted in the EU) which places a single first-party cookie to understand how visitors use our platform. PostHog does not use third-party cookies and no data is shared with external parties. You can opt out of analytics cookies at any time via our cookie banner.

6. Data Storage & Security

Your data is stored in Supabase hosted on Amazon Web Services (AWS) in the US East (North Virginia) region. Row Level Security (RLS) is enforced at the database level. All connections are encrypted via TLS/SSL. Access to data is restricted to authenticated users viewing only their own workspace data. We follow industry best practices for data protection.

6a. Data Breach Notification

In the event of a data breach that affects your personal information, OneStopReal LLC will notify affected users without undue delay and, where required by applicable law, within 72 hours of becoming aware of the breach. Notifications will be sent to the email address associated with your account and will include: a description of the nature of the breach, the categories of data affected, the likely consequences of the breach, and the measures we have taken or propose to take to address it.

If you believe your account has been compromised, please contact us immediately at info@onestopreal.com.

7. Project Sharing & Collaboration

OneStopReal allows you to share projects with other users by granting them viewer or editor access. When you share a project, the recipient can view (and, if granted editor access, modify) the financial data within that project. You are responsible for managing who has access to your shared projects. We recommend sharing only with trusted parties such as lenders, investors, or team members.

8. Data Retention

Your data is retained for as long as your account is active. Upon account deletion, all associated project data is permanently removed from our systems within 30 days.

9. Your Rights (GDPR)

Under applicable data protection laws, you have the following rights:

Right to access - request a copy of the personal data we hold about you.
Right to rectification - request correction of inaccurate or incomplete data.
Right to erasure - request deletion of your account and all associated data.
Right to data portability - export your data via our Excel export feature.
Right to object - object to certain processing of your personal data.

To exercise any of these rights, contact us at info@onestopreal.com.

9a. Additional Rights for California Residents (CCPA/CPRA)

If you are a resident of California, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: You may request information about the categories and specific pieces of personal data we have collected about you, the sources from which it was collected, and the purposes for which it is used.
Right to Delete: You may request deletion of your personal data, subject to certain exceptions permitted by law.
Right to Correct: You may request correction of inaccurate personal data we hold about you.
Right to Opt Out of Sale or Sharing: We do not sell, rent, or share your personal data with third parties for their marketing purposes. There is nothing to opt out of, but we include this statement for your assurance.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, contact us at info@onestopreal.com. We will respond to verifiable requests within 45 days as required by law.

10. Children

OneStopReal is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. We encourage you to review this page periodically.

12. Contact

If you have any questions about this Privacy Policy, please contact us at info@onestopreal.com.