Privacy Policy

Your record stays where you put it.

This Privacy Policy describes how HandoffHQ (“HandoffHQ,” “we,” “us,” or “our”) collects, uses, discloses, and protects information in connection with the HandoffHQ platform, websites, mobile applications, and related services (collectively, the “Service”). It is incorporated by reference into our Terms of Service.

Effective
May 21, 2026
Last updated
May 21, 2026
Controller
HandoffHQ · Miami, FL
Three commitments
  • We do not sell your data. Not to vendors, not to insurers, not to data brokers. Ever.
  • We do not train AI on your data. Customer Content is never used to train third-party AI or machine-learning models.
  • Your record is yours. You can export it at any time, and we hold it for ten years aligned with Florida's statute of repose.
01

Scope and Roles

This Policy applies to all visitors and users of the Service. When HandoffHQ provides the Service to a developer, property manager, vendor, or other organization (the “Customer”), the Customer is the controller of personal data submitted through its account, and HandoffHQ acts as a processor on its behalf. For our own marketing site, demonstration previews, and account administration, HandoffHQ acts as the controller.

02

Information We Collect

Account information. When you sign in or create an account, we collect your name, email address, role, organization, and authentication metadata.

Customer Content.The Service stores the building's record: punch items, photographs, inspections, drawings, certificates of insurance, messages, signatures, statutory deliveries, and warranty-window activity submitted by Customers and their Authorized Users. This content may include personal data of residents, contractors, and other individuals.

Device and usage data. We collect technical information necessary to operate the Service securely: IP address, device type, operating system, browser, app version, timestamps, and error/diagnostic logs. We do not run third-party advertising trackers and we do not build behavioral profiles of Customer users for marketing.

Communications. If you contact us, we retain the communication and any attached information for the purpose of responding and maintaining a record of the request.

03

How We Use Information

We process information to:

  • operate, maintain, secure, and improve the Service;
  • authenticate users and prevent unauthorized access;
  • respond to support requests and communicate about the Service;
  • fulfill legal obligations and respond to lawful process;
  • produce de-identified, aggregated statistics that do not identify any Customer, individual, building, or unit; and
  • protect against, investigate, and deter fraudulent, unauthorized, or illegal activity.

We rely on the following lawful bases where applicable: (a) performance of a contract, (b) our legitimate interests in operating a secure and effective Service, (c) compliance with legal obligations, and (d) your consent where required.

04

No Sale of Personal Information

HandoffHQ does not sell personal information. We do not share personal information with third parties for their independent marketing or advertising purposes. We do not engage in “cross-context behavioral advertising” as defined under California law.

05

No AI Training on Customer Content

We do not use Customer Content to train, fine-tune, or otherwise develop third-party artificial intelligence or machine-learning models. If you use a Service feature powered by AI (for example, a concierge query or a voice-to-punch capture), the request is processed transiently and is not retained by the AI provider outside the Service without the Customer's prior written approval.

06

How We Share Information

We disclose information only as follows: (a) with subprocessors who perform services on our behalf under written confidentiality and data-protection obligations (hosting, authentication, storage, email delivery, error monitoring); (b) to comply with law, legal process, or enforceable governmental request; (c) to defend the rights, property, or safety of HandoffHQ, our Customers, or the public; (d) with the Customer's consent or at its direction; and (e) in connection with a merger, acquisition, or sale of assets, subject to confidentiality obligations and continued protection of personal data.

A current list of HandoffHQ subprocessors is available on request. Paying Customers may execute a Data Processing Agreement (DPA) by writing to privacy@handoffhq.com.

07

Security

We use commercially reasonable administrative, technical, and physical safeguards designed to protect the Service against unauthorized access, disclosure, alteration, and destruction. These include encryption in transit and at rest, role-based access controls, row-level security at the database boundary, audit logging, least-privilege production access, and incident-response procedures.

No security program is impenetrable. You are responsible for safeguarding your credentials and promptly notifying us of any suspected unauthorized access at security@handoffhq.com.

08

Retention

We retain Customer Content for ten (10) years following substantial completion of the building, aligned with the Florida statute of repose for improvements to real property (Fla. Stat. § 95.11). After that period, records are archived to the Customer's designation or securely destroyed.

Account and authentication data are retained for the duration of the account and for a reasonable period thereafter for legal, accounting, and security purposes. De-identified, aggregated data may be retained indefinitely.

09

Your Rights and Choices

Subject to applicable law, you may have the right to (a) access the personal data we hold about you, (b) correct inaccurate data, (c) request deletion, (d) request a portable copy, (e) object to or restrict certain processing, and (f) withdraw consent where processing is based on consent. To exercise these rights, write to privacy@handoffhq.com from the email address associated with your account.

Where you are an Authorized User of a Customer, your request may be routed to the Customer for fulfillment because the Customer controls the data. We will assist the Customer in responding.

10

California Residents (CCPA / CPRA)

California residents have the rights described in Section 9 above, plus the right to (a) know the categories of personal information we collect, the purposes for which it is used, and the categories of third parties with whom it is shared, and (b) not be discriminated against for exercising privacy rights. We do not sell or share personal information for cross-context behavioral advertising, so there is no opt-out to provide. You may designate an authorized agent to make a request on your behalf, subject to verification.

11

Florida Residents

Florida residents may exercise rights of access, correction, deletion, and portability under the Florida Digital Bill of Rights, as applicable. HandoffHQ does not engage in targeted advertising, the sale of personal data, or profiling for decisions that produce legal or similarly significant effects.

12

EU / UK / Swiss Residents

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the GDPR, UK GDPR, and FADP respectively, including the rights described in Section 9. You may lodge a complaint with your supervisory authority. Where we transfer personal data outside your region, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

13

Children

The Service is not directed to children under sixteen (16) years of age. We do not knowingly collect personal information from children. If you believe a child has provided personal information, please contact us so we can delete it.

14

Cookies and Similar Technologies

We use a minimal set of strictly-necessary cookies and local storage entries to maintain authentication state and remember user preferences. We do not use third-party advertising cookies or build cross-site behavioral profiles. Browser-level “Do Not Track” signals are honored where technically feasible.

15

International Transfers

The Service is operated from the United States. By using the Service, you understand that information may be transferred to, stored in, and processed in the United States and other countries where we or our subprocessors operate. These jurisdictions may have different data protection laws than your jurisdiction of residence.

16

Changes to this Policy

We may update this Policy from time to time. We will post the updated Policy with a revised “Last updated” date and, for material changes affecting Customers, provide email or in-product notice. Continued use of the Service after the effective date constitutes acceptance.

17

Contact

Privacy inquiries, rights requests, and DPA requests should be directed to privacy@handoffhq.com. Security reports may be sent to security@handoffhq.com. General contact is hello@handoffhq.com.

HandoffHQ — Miami, Florida

A Data Processing Agreement (DPA), subprocessor list, and security architecture overview are available to paying tenants upon written request.