Privacy Policy

1. Introduction

ValiFit LLC ("ValiFit," "we," "our," or "us") operates the ValiFit platform at valifit.com. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data. By using our Service, you agree to the collection and use of information as described in this policy.

We are committed to protecting your privacy and handling your data responsibly. We do not sell your personal data. We do not use data for discriminatory purposes. Our scoring methodology measures infrastructure investment, not demographics, in full compliance with the Fair Housing Act (FHA).

2. Information We Collect

2.1 Information You Provide Directly

• Account information: Name and email address when you create an account or sign in.
• Property search queries: Addresses, cities, and ZIP codes you search for.
• Intake preferences: Budget range (minimum and maximum), desired bedrooms and bathrooms, property types, commute destinations and maximum commute time, community setting preference (urban/suburban/rural), timeline for purchase or rental, deal breakers (e.g., no flood zone, no HOA), and lifestyle priorities ranked by importance (affordability, commute, schools, safety, healthcare, livability, appreciation, environment).
• Financial readiness indicators:Pre-approval status (pre-approved, pre-qualified, cash buyer, or not yet), mortgage type preference (conventional, FHA, VA, USDA), and down payment percentage. These are collected as behavioral readiness signals to help agents understand where you are in the buying process. We label this "Buyer Preparedness" -- it measures process completion, not financial profile.
• Household information: Household type (solo, couple, family, roommates, multi-generational), household members (age and role), pets, and household income. Important: This data is collected for your own property reports only. It is firewalled from the lead matching engine and is never shared with agents, used in matching algorithms, or visible to any third party before you explicitly approve a connection.
• Payment information: Processed securely by Stripe. We do not store full credit card numbers.
• Agent profile information: For real estate professionals: license number and state, brokerage name and address, years of experience, specialties, service area declarations (municipalities and counties), bio, certifications, and profile photo.

2.2 Information Collected Automatically

• Device information (browser type, operating system, screen resolution)
• Usage data (pages visited, features used, search frequency)
• IP address and approximate geographic location
• Cookies and session identifiers (see Section 9)
• Intake completeness percentage (calculated from the number of preference fields you have filled out)
• Last activity date (used to determine if your profile is stale -- see Section 5.2)
• Error and performance data collected by Sentry for debugging purposes (stack traces, browser metadata -- no personally identifiable information)

2.3 Information We Do Not Collect

• We do not track your phone number, GPS location, or device location beyond the addresses and cities you voluntarily enter.
• We do not collect race, color, religion, sex, national origin, familial status, or disability status.
• We do not use advertising cookies, tracking pixels, or behavioral advertising networks.

3. How We Use Your Information

3.1 Property Intelligence Reports

We use your search queries and intake preferences to generate personalized property intelligence reports containing data from federal and state sources. Your Fit Score (0-100) is calculated based on how well a property or town matches the priorities you ranked in your intake across five composites: Budget, Commute, Safety ROI, Health ROI, and Education ROI.

3.2 Two-Sided Lead Matching

ValiFit operates a two-sided matching system. Buyers provide their preferences through our intake process. Real estate agents list their properties and declare their service markets. Our algorithm scores every buyer-listing combination based on objective, preference-weighted criteria (budget alignment, bedroom/bathroom match, property type, location, timeline, and buyer preparedness).

3.3 What Agents See Before You Approve

When an agent runs a match against their listing, they see an anonymized summary of your preferences:

• Budget range (rounded to nearest $50,000)
• Bedroom and bathroom requirements
• Timeline (e.g., "1-3 months")
• Buyer Preparedness status (e.g., "Pre-Approved")
• Top 3 ranked priorities (e.g., "Schools, Safety, Commute")
• Activity status (active, recent, or stale)
• Fit Score for the listing

Agents do NOT see: Your name, email, phone number, household composition, household income, credit score range, or any personally identifiable information until you explicitly approve a connection.

3.4 What Happens When You Approve a Connection

When an agent sends you an introduction and you approve it, the following occurs:

• The agent receives your name and email address.
• The agent receives your full (non-household) preference profile: budget, bedrooms, bathrooms, property types, commute details, deal breakers, top priorities, and setting preference.
• A connection is established. The agent has 4 hours to send their first message or the connection expires automatically.
• You may decline or block an agent at any time. Declinations are invisible to the agent -- they are never notified that you declined.

Household data (household type, members, income, pets) is never shared with agents, even after you approve a connection.

3.5 Credit Economy

Agents use a credit-based system to access buyer profiles. Credits are spent to reveal anonymized preferences and to send introductions. Credits buy access to your anonymized profile -- they do not buy priority placement. The order in which agents appear in your daily digest is determined solely by match score. No agent can pay to appear first.

3.6 Automated Decision-Making

ValiFit uses automated scoring to match buyers with listings and agents. Specifically:

• Match Score: Calculated from budget alignment, bedroom match, bathroom match, property type, location, timeline urgency, buyer preparedness, and recency. All factors are derived from your self-reported intake preferences.
• Hot Lead designation: Based on behavioral signals only -- ASAP timeline, pre-approved or cash status, active within 7 days, and intake at least 80% complete. Budget size, income, and credit score are never used in the hot lead calculation.
• Buyer Responsiveness Score: Measures your binary response rate (did you respond to introductions within 24 hours, yes or no). Used to ensure agents are matched with engaged buyers.
• Agent Quality Score:Measures agent responsiveness, buyer acceptance rate, follow-through, listing activity, tenure, and buyer feedback. Scores are relative to each agent's market cohort, not global.
• Intake Completeness Gate: Buyers must complete at least 80% of intake fields to enter the matching pool. Partial profiles are not shared with agents.

You may request a human review of any automated decision that significantly affects your access to agents or listings by contacting us at [email protected].

3.7 Distribution Caps and Buyer Protection

• A maximum of 3 agents may connect with any one buyer per calendar month.
• A maximum of 2 agents from the same brokerage may connect with any one buyer per calendar month.
• Connections that fail (agent does not respond within SLA windows) do not count against your monthly cap.
• You may pause matching at any time (hidden for 30 days) or permanently close your profile.
• You may block any agent permanently.

3.8 Email Notifications

We send the following email notifications via Resend:

• Daily digest (buyers): Sent containing pending agent introductions. Maximum 5 per week (configurable).
• Connection alerts (agents): Sent when a buyer approves an introduction.
• Re-engagement emails: Sent at 75 days if your intake has not been updated, asking if you are still looking.
• Transactional emails: Account creation, subscription confirmation, payment receipts.

All marketing and digest emails include a functioning unsubscribe link in compliance with the CAN-SPAM Act. We honor all unsubscribe requests within 10 business days. We do not send SMS notifications without your prior express written consent. Our physical mailing address is included in every marketing email as required by CAN-SPAM.

3.9 Other Uses

• Process payments and manage subscriptions
• Improve our scoring methodology and platform features
• Ensure platform security and prevent fraud
• Detect and prevent template-based spam outreach by agents
• Enforce SLA (service level agreement) clocks on agent-buyer connections

4. Information Sharing and Third-Party Services

4.1 Sharing with Agents

Your data is shared with real estate agents only after you explicitly approve an introduction. Before approval, agents see anonymized preference summaries with no personally identifiable information. After approval, agents receive your name, email, and non-household preference data. Household composition, income, and credit score range are never shared with agents.

4.2 Agent Codes and Attribution

If you visit ValiFit through an agent's referral code (e.g., VF-XXXX), we record which agent referred you for analytics purposes only. The referring agent does not receive any economic benefit in the matching pipeline (no free reveals, no priority distribution). Agent codes are used strictly for attribution tracking.

4.3 Third-Party Service Providers

• Stripe: Payment processing. Stripe receives your payment information directly and is governed by their own Privacy Policy.
• Authentication: We use secure, signed session cookies (HMAC-SHA256) to manage your login state. No third-party authentication provider has access to your credentials.
• Resend: Email delivery. Receives your email address to deliver transactional and marketing emails on our behalf.
• Sentry: Error monitoring and performance tracking. Sentry collects anonymized error data (stack traces, browser type, URL) to help us fix bugs. No personally identifiable information is intentionally transmitted to Sentry.
• Vercel: Hosting, analytics, and infrastructure. Vercel Analytics collects anonymized page view data. Vercel Speed Insights collects anonymized Core Web Vitals performance metrics.
• Google Cloud Platform: Database hosting. Your data is stored in a PostgreSQL database hosted on Google Cloud SQL in the United States.
• Cloudflare: CDN and DDoS protection. Cloudflare may process your IP address for security purposes.

4.4 Government Data Sources

Our reports aggregate publicly available data from federal and state agencies including the U.S. Census Bureau (ACS), NCES, FBI UCR, FEMA, EPA, HUD, HRSA, CMS, Redfin, and county assessor records. No personal data is shared with these agencies.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

5. Data Retention

5.1 Retention Periods

• Account data: Retained for the duration of your account plus 30 days after deletion.
• Property search history: Retained for 24 months from the date of search.
• Intake preferences: Retained for 24 months or until you request deletion.
• Payment records: Retained for 7 years as required by tax and financial regulations.
• Connection records: Agent-buyer connection history retained for 24 months.
• Usage analytics: Aggregated and anonymized after 12 months.

5.2 Stale Intake Decay

If your intake has not been updated or confirmed in 90 days, your profile is automatically hidden from the matching pool. You will receive a "still looking?" email at 75 days. If you do not respond within 14 days, your profile becomes dormant. Dormant profiles reactivate immediately upon login and confirmation. Your data is not deleted -- only your visibility in the matching pool is suspended.

6. Your Rights

Regardless of where you live, we extend the following rights to all ValiFit users:

• Right to access: Request a copy of the personal data we hold about you.
• Right to correction: Request correction of inaccurate or incomplete data.
• Right to deletion: Request deletion of your personal data, subject to legal retention requirements.
• Right to opt-out of matching:Set your matching visibility to "hidden" at any time from your settings. You may also permanently close your profile.
• Right to block agents: Permanently block any agent from contacting you.
• Right to opt-out of emails: Unsubscribe from marketing and digest emails at any time via the link in any email.
• Right to data portability: Request your data in a structured, machine-readable format.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
• Right to human review: Request human review of any automated decision affecting your access to agents or listings.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (45 days for complex requests, with notice).

7. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to know: You may request details about the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources of that information, the business purposes for collection, and the categories of third parties with whom we share it.
• Right to delete: You may request deletion of your personal information, with certain exceptions (e.g., legal compliance, completing transactions).
• Right to correct: You may request correction of inaccurate personal information.
• Right to opt-out of sale/sharing:We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link.
• Right to limit use of sensitive personal information: To the extent we process sensitive personal information (financial information), we use it only for the purposes disclosed in this policy.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
• Automated decision-making:You have the right to opt out of automated decision-making technology. Our matching algorithm determines which agents can see your anonymized profile. You may opt out by setting your visibility to "hidden."

To make a CCPA/CPRA request, email [email protected] with the subject line "CCPA Request." We may verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

8. Additional State Privacy Rights

If you are a resident of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have additional privacy rights under your state's comprehensive privacy law. These generally include rights to access, correct, delete, and port your data, and to opt out of targeted advertising and profiling.

We apply California-level protections to all users nationwide. To exercise any state-specific privacy rights, contact us at [email protected].

9. Cookies, localStorage, and Tracking

9.1 Cookies We Set

• vf_session: Authentication session cookie. Essential for keeping you signed in. HMAC-signed for security. Expires after 30 days or when you log out.
• Session cookie (vf_session): Signed, httpOnly cookie that manages your login state. Contains no personal data.
• Stripe cookies: Set by Stripe during payment processing for fraud prevention.
• Cookie consent preference: Remembers whether you have accepted or dismissed the cookie notice.

9.2 localStorage

We use browser localStorage to store your intake preferences locally so they persist between sessions. This data stays on your device and is not transmitted to our servers until you submit your intake form. You can clear localStorage at any time through your browser settings.

9.3 Analytics

• Vercel Analytics: Collects anonymized, privacy-friendly page view data. No personally identifiable information is transmitted.
• Vercel Speed Insights: Collects anonymized Core Web Vitals performance data (page load times).
• Sentry: Collects error data (stack traces, URL, browser type) for debugging. No PII is intentionally collected.

We do not use third-party advertising cookies, tracking pixels, or behavioral advertising networks. We do not participate in cross-site tracking.

10. Data Security

• Encryption in transit (TLS/HTTPS) for all data transmission.
• Encryption at rest for stored personal data (Google Cloud SQL).
• Content Security Policy (CSP) headers with per-request nonces to prevent XSS attacks.
• HMAC-SHA256 signed session tokens to prevent cookie tampering.
• Rate limiting on API endpoints to prevent abuse.

No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you become aware of a security vulnerability, please contact us immediately at [email protected].

11. Fair Housing Act Compliance

ValiFit is designed in full compliance with the Fair Housing Act (FHA). Our data practices include:

• Scoring methodology: All composite scores (Education ROI, Safety ROI, Health ROI, Budget, Commute) measure publicly available infrastructure investment data, not demographic outcomes. School scores use per-pupil spending and student-teacher ratios from NCES, not test scores or school ratings that correlate with racial composition. Safety scores use police/fire/EMS staffing ratios and public safety outcome data (crime rates as a measure of government service effectiveness, not as a demographic proxy).
• Household data firewall:Household type, household members (age/role), household income, and pets are collected for the buyer's own property reports only. This data is never passed to the matching algorithm, never visible to agents before or after connection, and never used in scoring or lead distribution. Matching uses functional equivalents: bedroom count and bathroom count.
• No protected characteristics: Race, color, religion, sex (including gender identity and sexual orientation), national origin, familial status, and disability are never collected, inferred, proxied, or used anywhere in our matching, scoring, or distribution systems.
• Buyer Preparedness: We use pre-approval and pre-qualification status as a behavioral readiness signal (measuring process completion), not as a financial profile or proxy for protected characteristics.
• Neutral ordering: Agent introductions in buyer digests are ordered by match score. No agent can pay for priority placement. Credits buy access to profiles, never position.

12. Real Estate Settlement Procedures Act (RESPA)

ValiFit charges a flat monthly subscription fee for access to our lead matching platform. This fee is not conditioned on the volume of referrals, the number of closed transactions, or any transaction outcome. We do not collect referral fees, commission splits, or success-based fees.

Agent referral codes (VF-XXXX) are used for attribution tracking only and provide no economic benefit in the matching pipeline. Credits buy access to buyer profiles -- they do not buy priority placement or favorable ordering in buyer-facing communications.

13. International Users (GDPR)

ValiFit is based in the United States and primarily serves U.S. users. If you access our Service from outside the United States, your data will be transferred to and processed in the United States. We respect international privacy standards, including the principles of the GDPR. If you are located in the EU/EEA, you have the right to access, rectify, port, and erase your data, and to restrict and object to certain processing. Contact us at [email protected] to exercise these rights.

14. Children's Privacy

ValiFit is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at [email protected].

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days before taking effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes constitutes acceptance of the updated policy.