Privacy policy. Plain English. No dark patterns.

RentCeiling is built for small landlords who don’t want their unit data, their tenants’ names, or their email address sitting in a marketing pipeline. We collect only what the calculator and the notice generator need to do their jobs, we store it on a single VPS we control, and we don’t share it with anyone. Below is the long version.

Effective 2026-04-25. Operator: RentCeiling, a project of the Startup Factory, San Francisco, California.

1 — What we collect

The shortest list of any rent-tech product you’ll evaluate.

Free calculator (anonymous). When you use the legal-max calculator on the home page or any jurisdiction landing page (e.g. /california, /oregon), the math runs in your browser. We do not record the rent, the building age, or the unit address you type in. Nothing is sent to our server for the cap math itself.

Waitlist email. If you submit the email form on the home page or a jurisdiction page, we store the email address, the submission timestamp, and the page you submitted from in a SQLite database on our VPS. That’s the entire row. No name, no IP, no cookie, no marketing-stack ID.

Pro account (when paid plans ship). If you create a Pro account, we store your email, a salted password hash (bcrypt, never the plaintext), and the unit records you create — jurisdiction, building year, current rent, last increase date, optional tenant name and unit address. This is the data the notice generator and compliance log need to do their jobs. We do not have access to your plaintext password.

Notice records (Pro). Each tenant notice you generate is stored as a row in your compliance log: the unit it applied to, the legal-max for that calc, the chosen new rent, the rule-set version hash for that day, and the rendered PDF. This is the audit trail the product is for.

Server access logs. Caddy, our web server, writes a standard access log: timestamp, IP address, requested URL, HTTP status, user-agent, and bytes served. We retain access logs for 90 days and use them to spot abuse, debug bugs, and read traffic shape (e.g. “is the /berkeley page finally indexed?”). We do not join the access log to your account.

Stripe (when payments ship). When you pay $9 for a notice or $19 for a Pro month, you are redirected to Stripe’s hosted Checkout. Stripe collects your card number; we never see it. Stripe sends back a payment intent ID, your billing email, and the amount; that’s the entire payment record on our side. Stripe’s own privacy policy applies to the data they collect: stripe.com/privacy.

2 — What we don’t collect

The list we’re proudest of.

  • No third-party analytics. No Google Analytics, no Mixpanel, no PostHog, no Segment, no Heap. The site has zero JavaScript trackers loaded from another domain.
  • No ad pixels. No Meta pixel, no Google Ads tag, no LinkedIn Insight, no TikTok pixel, no remarketing cookies of any flavor.
  • No session replay. No FullStory, no LogRocket, no Hotjar, no Microsoft Clarity. We don’t want to watch you, and we don’t want a vendor watching you on our behalf.
  • No CRM sync. Your waitlist email does not get pushed to HubSpot, Salesforce, Mailchimp, ConvertKit, or anything similar. It sits in the SQLite database until we send the next launch update from a single transactional sender, then it sits there again.
  • No tenant data sharing. If you enter a tenant’s name and unit address to generate a notice, that data is yours. We do not sell it, do not aggregate it for “market data,” do not share it with property-management software vendors, and do not look at it for product analytics.
  • No fingerprinting. We don’t use canvas fingerprinting, font enumeration, audio context, or any of the other browser-fingerprint tricks.

If a future feature requires us to add a vendor — for example, a transactional email provider so we can send you the launch announcement — we will list the vendor by name and link their privacy policy here, and we will email Pro subscribers 30 days before the change takes effect.

3 — Where it lives

One VPS, one SQLite file, one set of access logs.

All RentCeiling data — waitlist rows, Pro accounts, unit records, notice records, the compliance log, and Caddy access logs — lives on a single virtual server in a U.S. data center operated by Hetzner. There is no second region, no replicated database in a different country, and no “data lake” downstream. The SQLite file is backed up nightly to encrypted off-site storage operated by the Startup Factory; the backup retention is 30 days.

The product backend (Node.js for the API surface, Caddy as the web server) runs on the same machine. We do not use a managed database service, do not use Vercel, Netlify, Cloudflare, AWS, or any other cloud SaaS for the data path. The static front-end — everything you see at rentceiling.com — is plain HTML and CSS served from disk by Caddy.

The rule-set itself (the JSON files at /rules/california.json and siblings) is public. Nothing about your usage of those rule files is logged beyond the standard access log entry described above.

4 — Cookies

Right now: zero. Later: only the strictly necessary kind.

The current site sets no cookies at all. Open the browser DevTools, look at the Storage tab on rentceiling.com, and you’ll see an empty list.

When the Pro account flow ships, we will set a single first-party session cookie (rc_session, HTTP-only, SameSite=Lax, Secure) so that you stay logged in. That is the only cookie we plan to set. We will not set advertising cookies, analytics cookies, or A/B-test cookies. If that ever changes, this section is the place we’ll list each cookie’s name, purpose, and expiry.

5 — Your rights

Email us. We’ll do the thing.

RentCeiling honors the data-subject rights that the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100–1798.199.100), the California Delete Act (Cal. Civ. Code §§ 1798.99.80–1798.99.89), and the EU General Data Protection Regulation (Regulation 2016/679) recognize, regardless of where you live and regardless of whether any of these laws strictly applies to a small operator like us. That means:

  • Right of access. Email privacy@rentceiling.com from your account’s email address, and we will send you a JSON dump of every row of yours within 30 days — usually within 48 hours.
  • Right of correction. If a unit record, a tenant name, or your email is wrong, you can correct it from the Pro account UI when it ships, or email us in the meantime.
  • Right of deletion. Email the same address with “delete my data” in the subject. We will delete the waitlist row, the Pro account, the unit records, and the compliance log within 30 days. We retain billing records for seven years as required by U.S. tax law (26 U.S.C. § 6001 and 26 CFR § 1.6001-1) — that’s the only carve-out.
  • Right of portability. The compliance log already exports as a CSV + PDF bundle. The data is yours; the export is a product feature, not a privacy concession.
  • Right to opt out of sale. We don’t sell your data. There is nothing to opt out of, but for completeness: this is the section you’d invoke if that ever changed (it won’t).

If your jurisdiction recognizes other data-subject rights (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, etc.), email us. The answer is almost always “yes, we’ll do that.”

6 — Children

Not directed at users under 16.

RentCeiling’s ideal customer profile is U.S. small landlords (1–20 units). The product is not directed at children, we do not knowingly collect data from anyone under 16, and we do not believe a child has any reason to be on this site. If you are a parent and you believe your child has submitted an email to our waitlist, write to privacy@rentceiling.com and we will delete the row.

7 — Security

What we do, and what we’ll tell you if it ever fails.

The VPS runs only the services it needs to run (Caddy on 443, Node.js on a private socket, SQLite as a local file). SSH access is key-only with no password fallback. Caddy terminates TLS with a Let’s Encrypt certificate auto-renewed every 60 days. Every Pro account password is hashed with bcrypt at cost factor 12; we never store, log, or transmit plaintext passwords.

If RentCeiling experiences a security incident that exposes Pro-account email addresses, password hashes, unit records, or compliance-log data, we will notify affected users by email within 72 hours of confirming the incident, describe what was exposed, and tell you what to do about it (e.g. rotate your password). This commitment is shorter than what most state breach-notification statutes require, on purpose.

8 — Changes to this policy

30 days’ notice for anything material.

If we change a non-material part of this policy — rewording for clarity, fixing a typo, adding a section that doesn’t change what we collect or share — we update the “Effective” date at the top and the change is live. If we change a material part — adding a vendor that processes Pro-account data, changing a retention window, adding a cookie that is not strictly necessary — we email Pro subscribers 30 days before the change takes effect, and we link a redline of the previous version on this page.

9 — Contact

How to reach a person.

Privacy questions, data-subject requests, security disclosures, or anything else covered by this policy: privacy@rentceiling.com. We answer every message; turnaround is normally one business day.

For non-privacy product questions, the address is hi@rentceiling.com.

For our terms of service, see /terms.