Privacy Policy

Last updated: April 25, 2026

This policy describes what we collect, why, who we share it with, and your rights. It applies to burbia.ai and any subdomain operated by Burbia ("Burbia," "we," "us").

1. Information we collect

Information you provide directly:

  • Email address when you join the waitlist or create an account.
  • Account credentials handled by our authentication provider, Clerk.
  • Preferences you express in the chat experience (budget, commute, priorities, towns of interest). We automatically extract structured preference signals from your messages - such as budget range and priority categories - and store them in your account profile to assess lead quality and improve recommendations.
  • Messages you type in the chat and content we return to you.

Information collected automatically:

  • Pages viewed, clicks, and funnel events through our analytics tools (see § 4).
  • Approximate location derived from IP address, used only to route you to the nearest supported metro. Your raw IP is not stored beyond short-lived request logs.
  • Device and browser metadata (user-agent, screen size, OS) used for rendering and error triage.
  • Error events and masked session replays when something breaks (see § 4).

What we do not collect: we do not collect Social Security numbers, financial account numbers, biometric identifiers, or precise geolocation. We do not knowingly collect information from children under 13.

1b. Public shortlists

When you choose to create a public shortlist on Burbia (a page at /u/<your-handle>/shortlist), the following information is published on a public, search-engine-indexable page:

  • A display name you choose. By default, your first name only; you can opt in to first name + last initial, or a family name.
  • The metro you are searching (NYC, Boston, Chicago, Miami, or Dallas).
  • The 2-6 towns you shortlisted.
  • The criteria you said matter to you (for example, "great schools, walkable downtown, train under 45 min").
  • Your stated budget range (for example, "$800K-$1.2M").
  • (Optional) any one-line notes you wrote about the shortlist or about specific towns.

You can edit your shortlist, change your privacy level, or delete the shortlist at any time from your account. We do not publish your email, your account identity, your chat history, your IP address, or any town you considered but did not include in the shortlist.

2. How we use information

  • To operate the Services: route chat prompts to the language model, compute town scores, render maps, send waitlist confirmations.
  • To improve the Services: measure which prompts work, which towns users engage with, where users drop off in the funnel.
  • To communicate with you: respond to support requests; send waitlist and launch emails (you can unsubscribe at any time).
  • To keep the Services secure: rate-limit abuse, detect fraud, investigate errors.
  • To comply with legal obligations, including fair-housing and consumer-protection laws.

We do not use your conversation content to train third-party AI models. Our language-model provider (Groq) processes your messages to generate a response and does not retain them for model training under its service terms.

3. How the AI experience works

The chat experience on burbia.ai is powered by a large language model (currently Meta's Llama 3.3 70B) hosted by Groq. When you type, your message is sent to Groq along with a system prompt describing the town dataset. Groq returns a response which we display to you.

The AI does not make automated decisions with legal or similarly significant effects about you. It does not determine creditworthiness, insurance eligibility, employment, housing applications, or government benefits. It provides discovery guidance only. All real-world decisions (which towns to visit, which homes to tour, which offers to make) remain yours.

AI output can be wrong. Verify anything material (school boundaries, tax rates, crime data, commute times, prices) with an authoritative source before acting on it.

4. Service providers and sub-processors

We share information with the following service providers, each subject to that provider's terms of service and data-handling commitments:

  • Clerk - authentication, account management.
  • Groq - language-model inference for chat.
  • Resend - transactional and waitlist email.
  • Vercel - hosting, CDN, and deployment.
  • Supabase - database hosting for chat session records, extracted preference signals, and (when you create one) your public shortlist. Data is stored in the US (us-east-1). Chat messages are retained for product improvement and lead-quality assessment, subject to the retention schedule in § 6.
  • Vercel Blob - storage for waitlist records and analytics event files.
  • Vercel Analytics + Speed Insights - privacy-preserving page-view and Core Web Vitals measurement. Cookieless by default.
  • Sentry - error tracking and session replay (when active). Session replay captures a masked reconstruction of the page only when an error occurs. Text, inputs, and media are masked by default; we do not send your email, chat content, IP, or user agent to Sentry.
  • PostHog - product analytics and optional session replay. When active, we forward explicit analytics events (page views, chat steps, waitlist signup) after you consent. We never pass your email or name; user profiles are keyed by an opaque account identifier only after sign-in. Session replay is masked by default.

We do not sell personal information for money. We do not share personal information for cross-context behavioral advertising.

5. Cookies and analytics consent

We use cookies and similar technologies for core functionality (keeping you signed in) and for analytics (measuring usage). Analytics, error tracking, and session replay only activate after you consent through the on-site banner. You can withdraw consent at any time through the banner; we will stop those tools on your next page load.

5a. Demo mode

Certain visitors (investors, press, partners under a preview link) access the Services through a gated demo URL. A short-lived session cookie named burbia_demo identifies that session so we can (a) block write actions like waitlist signup and partner handoff, (b) tag internal analytics events with demo: true so the traffic stays out of our default conversion funnels, and (c) apply a noindex header. No account is created. No personal information is collected beyond what this policy already describes. Exit demo at any time using the "Exit →" link in the on-page demo strip; that link clears the cookie.

6. Data retention

  • Waitlist emails: retained until you ask us to delete them or for 24 months after the last account activity, whichever is sooner.
  • Account data (Clerk): retained while your account is active, plus 90 days after deletion for fraud prevention.
  • Chat messages: your conversation messages are sent to our language-model provider (Groq) to generate a response. Groq does not retain your messages for model training. We store your messages and our responses in a database hosted by Supabase (see § 4) to improve the product, assess lead quality, and support your account. Chat session records are retained for 24 months after the last session activity, then deleted. We also extract structured preference signals (budget range, priority categories, session activity) from your messages and store them in your account profile (see § 2).
  • Analytics events: retained for 13 months; aggregated metrics retained indefinitely.
  • Error events and replays: retained for 30 days, then purged.
  • Server request logs: retained for 30 days.

Longer retention applies where required by law or to resolve a live dispute.

7. Your rights

Depending on where you live, you may have rights to:

  • Know what personal information we have collected about you.
  • Access a copy of it in a portable format.
  • Correct inaccurate information.
  • Delete personal information we hold about you.
  • Opt out of sale or sharing of personal information (we do neither, but the right is still available).
  • Limit our use of sensitive personal information (we do not use sensitive PI).
  • Non-discrimination for exercising any of these rights.
  • Appeal a denial of a request.

California residents have these rights under the CCPA/CPRA. Residents of other US states with analogous laws (including Virginia, Colorado, Connecticut, Utah) have substantially similar rights. New York residents receive breach-notification protections under the NY SHIELD Act. Massachusetts residents are entitled to safeguards under 201 CMR 17.00; we maintain security measures described in § 9 of this policy.

To exercise a right, email privacy@burbia.ai. We will verify your identity using information we already hold, respond within 45 days, and may extend by another 45 days if reasonably necessary.

8. Children

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact privacy@burbia.ai and we will delete it.

9. Security

We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS), encrypted storage, access controls keyed to named individuals, rate limiting, and logging. No system is perfectly secure; we will notify affected users and regulators of a security breach as required by applicable law.

10. Cross-border transfers

We operate from the United States. If you access the Services from outside the US, your information will be processed in the US. Our service providers operate in the United States and are subject to US data-protection law. If we begin processing data in jurisdictions that require additional safeguards, we will implement appropriate transfer mechanisms and update this section.

11. Changes to this policy

We will post material changes here and update the "Last updated" date. For significant changes, we will also notify you by email or an in-product notice.

12. Contact

Privacy requests and questions: privacy@burbia.ai.

General inquiries: hello@burbia.ai.