BuyReady.ai

Privacy Policy

Last updated: April 25, 2026

1. Introduction

BuyReady.ai ("Service") is operated by Klyon Labs LLC ("Company," "we," "us," or "our"). This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Service. We are committed to protecting your privacy and handling your data transparently.

2. Information We Collect

2.1 Account Information

  • Email address
  • Full name (optional)
  • Password (hashed by Supabase Auth; we never see or store your plain-text password)

2.2 Financial Profile (Voluntarily Provided)

To generate personalized reports, you may choose to provide the following financial information. All financial fields are optional — you can use the Service without providing them, though personalized sections will be limited.

  • Annual household income
  • Monthly debt obligations
  • Monthly expenses
  • Credit score range (e.g., "Good: 700-749"). We never ask for or store your exact credit score or Social Security Number.
  • Down payment savings
  • Household size

2.3 Property Searches, Roadmaps & Onboarding

  • Property addresses you search or generate reports for
  • Report content and scores
  • A snapshot of your financial profile at the time each report is generated
  • Your target home price, estimated Home Date, and the AI-generated roadmap built from your profile
  • Onboarding responses (first-time buyer status, veteran status, essential-worker status) used for grant matching

2.4 Personal Guidance Submissions (Standard/Pro only)

If you submit a Personal Guidance request, we store the category tags you select, the free-text description you write, and timestamps for when we review and respond. Our admin team sees the submission alongside your account email and current financial profile so we can respond in context without asking you to re-explain. Do not include Social Security Numbers, bank account numbers, or other highly sensitive identifiers — the submission form warns you of this.

2.5 Payment Information

Payment processing is handled entirely by Stripe. We never see, receive, or store your credit card number, CVV, or bank account details. We store only your Stripe customer ID, subscription status, and payment history (amounts and dates).

2.6 Usage Data

  • UTM parameters and referral sources (for marketing analytics)
  • Pages visited and features used
  • Error logs (sanitized — never containing financial data)

3. How We Use Your Information

  • Generate personalized reports: Your financial profile is combined with property and neighborhood data to produce AI-generated analysis tailored to your situation.
  • Process payments: Your Stripe customer ID is used to manage subscriptions and credit purchases.
  • Improve the Service: Aggregated, anonymized usage patterns help us improve report quality and features.
  • Communicate with you: Account-related notifications, report completion alerts, credit-expiration warnings, reminder emails when you have been inactive for 30+ days or when mortgage rates change materially, and important service updates.

4. AI Processing and Anthropic

Your financial profile data is sent to Anthropic's Claude API to generate personalized report content. This is essential to the core function of the Service. Specifically:

  • Your income, debt, expenses, credit score range, down payment, and household size are embedded in prompts sent to Claude for AI analysis.
  • Anthropic processes this data according to their own Privacy Policy. Under Anthropic's commercial API terms, prompts and outputs are not used to train their models.
  • Property addresses are also sent to Claude as part of the analysis prompts.

AI-generated content is inherently variable. Due to the probabilistic nature of large language models, the same inputs may produce different analysis text, scores, and recommendations if a report is regenerated. This is a fundamental characteristic of the technology, not a defect.

5. Third-Party Data Sources

We retrieve property and neighborhood data from the following sources. None of these services receive your financial profile data. They receive only property addresses or geographic coordinates.

  • RentCast — property details, valuations, comparable sales
  • FBI Crime Data Explorer — state-level crime statistics
  • SchoolDigger — school ratings and rankings
  • U.S. Census Bureau — demographic and economic data
  • Walk Score — walkability, transit, and bike scores
  • FEMA — flood zone and disaster risk data
  • Freddie Mac PMMS — current mortgage rate benchmarks

6. Data Storage and Security

6.1 Where Data is Stored

Your data is stored in a Supabase-hosted PostgreSQL database. Supabase provides infrastructure-level encryption at rest and all data in transit is encrypted via HTTPS/TLS.

6.2 Security Measures

  • Row-Level Security (RLS): Database policies ensure that each user can only access their own data. No user can view, modify, or delete another user's profile, reports, or payment history.
  • Authentication: Managed by Supabase Auth with industry-standard session management and password hashing.
  • Payment security: All payment processing is handled by Stripe (PCI DSS Level 1 compliant). We never handle raw credit card data.
  • API security: All API endpoints require authentication. Stripe webhooks are verified via cryptographic signatures. Rate limiting prevents abuse (5 reports/hour, 20 reports/day per user).
  • Error handling: Financial data is explicitly excluded from all error logs, client-side error messages, and diagnostic output.

6.3 Encryption Disclosure

Financial profile data (income, debt, expenses, credit score range, down payment) is stored in our database with the following protections:

  • In transit: All data between your browser and our servers is encrypted via HTTPS/TLS.
  • At rest: Supabase provides infrastructure-level encryption for the entire database (AES-256).
  • Column-level encryption: Financial fields are not individually encrypted at the database column level. They are protected by row-level security policies and infrastructure encryption.
  • Credit score: We store only a range category (e.g., "Good: 700-749"), never an exact numerical score.

7. Data Retention

  • Profile data: Retained as long as your account is active. You can update or delete your financial profile at any time.
  • Reports: Reports are marked with a 30-day expiration for freshness purposes. Report content and associated financial snapshots are retained in the database beyond the expiration date for your reference.
  • Roadmaps and onboarding responses: Retained as long as your account is active so your roadmap can be recalculated when you update your profile.
  • Credit ledger: Per-credit purchase, consumption, and expiration records are retained for accounting, refund handling, and dispute resolution.
  • Personal Guidance requests: Retained along with our admin notes and response timestamps so we can reference prior context on follow-up requests.
  • Payment records: Retained for accounting and legal compliance purposes.
  • Account deletion: When you request account deletion, we will delete your profile, financial data, reports, roadmap, onboarding responses, and guidance submissions. Some data may be retained in anonymized form for analytics, and payment records and credit-ledger entries may be retained as required by law.

8. Data Sharing

We do not sell your personal information. We share data only with:

  • Anthropic (Claude API): Financial profile and property address for AI-generated analysis. See Section 4.
  • Stripe: Email address and payment details for billing. Stripe does not receive your financial profile.
  • Supabase: Database hosting provider. All data is stored in Supabase infrastructure.
  • Resend: Transactional email delivery. We share your email address and the content of service emails (account confirmations, password resets, receipts, report-ready notifications, credit-expiration warnings) with Resend so they can be delivered to your inbox. Resend does not receive your financial profile. See Resend's Privacy Policy.
  • Sentry: Error monitoring. When an unhandled error occurs, a sanitized error report is sent to Sentry for triage. Financial profile fields are explicitly stripped before sending, and before-error session replays are captured with all rendered text masked and all media blocked so no financial content leaves your browser. See Sentry's Privacy Policy.
  • Cloudflare: We route traffic through Cloudflare for DDoS protection and use Cloudflare Turnstile as a bot-protection challenge on sign-in, sign-up, and password-reset forms. Turnstile may inspect browser characteristics to distinguish real users from automated traffic. See Cloudflare's Privacy Policy.
  • Law enforcement: We may disclose information if required by law, court order, or government request.

9. Your Rights

9.1 All Users

  • Access: View your financial profile and reports at any time through the Service.
  • Correction: Update your financial profile at any time via the Profile page.
  • Deletion: Request deletion of your account and all associated data by contacting [email protected].
  • Portability: Request an export of your data by contacting support.

9.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You may request that we delete the personal information we have collected from you, subject to certain exceptions (legal obligations, fraud prevention, completing transactions).
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale: We do not sell personal information. If this practice changes, we will provide a "Do Not Sell My Personal Information" link.
  • Right to Limit Use of Sensitive Personal Information: Financial information (income, debt, credit score range) is considered sensitive personal information under CPRA. You may request that we limit the use of this data to what is necessary to provide the Service. Currently, we use sensitive data only for generating personalized reports — its sole intended purpose.
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise your California privacy rights, contact us at [email protected] with the subject line "California Privacy Rights Request." We will verify your identity and respond within 45 days.

9.3 California Financial Information Privacy Act (SB-1)

BuyReady.ai is not a financial institution as defined under the California Financial Information Privacy Act (SB-1 / California Financial Privacy Act). We do not offer financial products, credit, loans, or insurance. The financial information you provide is used solely for generating informational property analysis reports, not for making credit, lending, or insurance decisions about you.

10. Cookies and Tracking

  • Essential cookies: We use session cookies managed by Supabase Auth for authentication, and a short-lived cookie during password reset to pin the recovery session to the reset page. These are necessary for the Service to function.
  • Bot protection: Cloudflare Turnstile sets a short-lived token cookie on sign-in, sign-up, and password-reset pages to verify that you are a real user. Turnstile does not track you across other sites.
  • No advertising cookies: We do not use third-party advertising trackers or sell cookie data.
  • Error monitoring (Sentry): We use Sentry to capture unhandled application errors so we can fix them. Our error logger explicitly strips financial profile fields before anything is sent. Session replays are recorded only around errors, with all rendered text masked and all media blocked, so no financial content leaves your browser. Sentry does not track browsing behavior across other websites.

11. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will promptly delete it.

12. International Users

The Service is designed for U.S. properties and residents. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact Us

For privacy-related questions, requests, or complaints, contact us at:

[email protected]
Klyon Labs LLC
New York, United States

For California privacy rights requests, include "California Privacy Rights Request" in the subject line.