Privacy Policy
Last Updated: March 9, 2026
Table of Contents
- Introduction
- Definitions
- Information We Collect
- How We Use Your Information
- How We Share Your Information
- What We Do Not Do
- Cookies & Tracking Technologies
- Data Retention
- Your California Privacy Rights (CCPA/CPRA)
- Data Security
- Children's Privacy
- International Users
- Changes to This Privacy Policy
- Contact Us
1. Introduction
Welcome to Overassessed (operated by Spaghetti Labs, LLC, a California limited liability company). This Privacy Policy explains how we collect, use, disclose, and protect your information when you visit our website at overassessed.co (the "Website") and use our services (collectively, the "Service").
Throughout this Privacy Policy, "Overassessed," "we," "us," and "our" refer to Spaghetti Labs, LLC and the Overassessed service. "You" and "your" refer to the individual accessing or using the Service.
We believe in being transparent about how we handle your information. This policy is written in plain language so you can understand exactly what data we collect, why we collect it, and what we do with it. If anything is unclear, please contact us at [PLACEHOLDER: support email address].
2. Definitions
- "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under the California Consumer Privacy Act (CCPA).
- "Property Data" means assessed values, property characteristics, comparable sales information, and related real estate data derived from public records and third-party data providers. Under the CCPA, publicly available information from government records — including public real estate and property records — is generally excluded from the definition of Personal Information.
- "Generated Content" means any analysis, reports, narratives, comparable sales evidence, market value estimates, filing guides, PDF documents, or other materials produced by the Service for a user.
- "Service" means the Overassessed website, tools, features, and all related functionality.
3. Information We Collect
3.1. Information You Provide Directly
Property Address
- What: The street address you enter to look up a property.
- Why: To query property data from our data providers and generate your analysis.
- Retention: Cached for up to 90 days to reduce redundant data provider queries and improve response times for repeat lookups.
Email Address
- What: Your email address, provided when you join the county waitlist, make a purchase, or request delivery of a filing guide.
- Why: To send you transactional emails (purchase confirmations, filing guide delivery), waitlist notifications when your county becomes supported, and service-related communications.
- Retention: Retained until you unsubscribe or request deletion, except for purchase-related email records which are retained for 7 years for legal and tax record-keeping purposes (see Section 8).
Payment Information
- What: Credit card number, billing address, and other payment method details.
- How it's handled: Payment information is collected and processed entirely by Stripe, Inc., our payment processor. We do not receive, process, or store your credit card number or full payment method details. We receive only transaction confirmation data from Stripe, including the amount charged, date, product purchased, and a transaction identifier.
- Retention: Transaction confirmation data is retained for 7 years for legal and tax record-keeping requirements.
3.2. Information We Collect Automatically
When you visit the Website, we automatically collect certain information about your device and how you interact with the Service:
IP Address
- What: Your Internet Protocol address.
- Why: Used for rate limiting (preventing abuse of the free property lookup), approximate geolocation (to confirm you are accessing the Service from a supported area), and security monitoring.
- Retention: Retained in server logs for up to 90 days.
Device and Browser Information
- What: Browser type and version, operating system, device type, screen resolution, and language preferences.
- Why: To ensure the Website displays and functions correctly across different devices, and for aggregated analytics.
Usage Data
- What: Pages visited, features used, time spent on pages, click patterns, and navigation paths within the Service.
- Why: To understand how users interact with the Service, identify issues, and improve the product experience.
Cookies and Similar Technologies
- See Section 7 for detailed information about cookies and tracking technologies.
3.3. Information from Third-Party Sources
Property Data from Data Providers
- When you enter a property address, we query our data providers (including BatchData) to retrieve property records, assessed values, property characteristics, and comparable sales data.
- This data is derived from public records — county assessor records, recorded deeds, and other government data sources.
- We query this data on your behalf in response to your specific request. We do not purchase bulk consumer data or maintain a database of personal profiles.
Address Verification from Google
- When you type an address, we use Google Places API to provide address autocomplete suggestions and verify the address and county.
3.4. AI-Generated Content
When you purchase a Data Package or Filing Guide:
- Your property data (address, assessed value, property characteristics, and comparable sales data) is sent to Anthropic's Claude API to generate the AI-powered analysis, market value estimate, and narrative content.
- Per Anthropic's API terms, data sent via the API is not used to train Anthropic's AI models.
- The Generated Content (your analysis, narrative, and filing guide) is stored so you can re-access and re-download your purchase (see Section 8 for retention periods).
4. How We Use Your Information
We use the information we collect for the following purposes:
4.1. Providing the Service — to perform property lookups, generate analysis and filing guides, and deliver purchased products.
4.2. Processing Payments — to facilitate transactions through Stripe and maintain purchase records.
4.3. Delivering Products — to send you your Data Package, Filing Guide, and PDF evidence package via the Website and email.
4.4. Transactional Communications — to send purchase confirmations, delivery notifications, and other communications directly related to your use of the Service.
4.5. Waitlist Management — to notify you when your county becomes supported by the Service.
4.6. Service Improvement — to analyze usage patterns, identify bugs or issues, and improve the Service's features and user experience.
4.7. Security and Fraud Prevention — to implement rate limiting, detect abuse, protect against fraudulent transactions, and maintain the security of the Service.
4.8. Legal Compliance — to comply with applicable laws, regulations, and legal obligations, including tax record-keeping requirements.
4.9. Marketing and Advertising — to run digital marketing campaigns and measure their effectiveness. We may use aggregated, non-personally-identifiable data to understand the effectiveness of marketing efforts. See Section 7 for details on marketing cookies and how to opt out.
5. How We Share Your Information
We disclose Personal Information to service providers and contractors who process information on our behalf for business purposes, pursuant to written agreements that restrict their use of the data. These disclosures are not "sales" or "sharing" as defined under the CCPA/CPRA.
We share your information only with the third-party service providers necessary to operate the Service. We are transparent about each one:
5.1. Stripe (Payment Processing)
- What we share: Stripe collects your payment method details directly. We share your email address and transaction details with Stripe to process payments.
- Why: To securely process your purchases.
- Their policies: Subject to Stripe's Privacy Policy and Stripe's Terms of Service. Stripe is PCI-DSS compliant.
5.2. BatchData (Property Data Provider)
- What we share: The property address you enter.
- Why: To retrieve property records, assessed values, property characteristics, and comparable sales data from public records.
- Note: BatchData processes public record data. The property address you enter is used solely to query the relevant property records.
5.3. Anthropic (AI Analysis — Claude API)
- What we share: Property data, including address, assessed value, property characteristics, and comparable sales data.
- Why: To generate the AI-powered comparable sales analysis, market value estimate, and narrative content included in Data Packages and Filing Guides.
- Data handling: Per Anthropic's API terms, data sent via the API is not used to train their AI models.
5.4. Google (Address Autocomplete and Maps)
- What we share: Address input text (for autocomplete) and property/comparable sale coordinates (for map imagery).
- Why: To provide address autocomplete and generate map images included in the PDF evidence package.
- Their policies: Subject to Google's Privacy Policy.
5.5. Resend (Email Delivery)
- What we share: Your email address and transactional email content.
- Why: To deliver purchase confirmations, filing guides, and waitlist notifications.
5.6. Vercel (Hosting)
- What they collect: Server logs containing IP addresses, request data, and standard web server information.
- Why: The Service is hosted on Vercel's infrastructure. Server logs are maintained per Vercel's data retention policies.
5.7. Analytics Providers
- What they collect: Usage data, device information, and cookies as described in Section 7.
- Why: To understand how users interact with the Service and improve the product.
- Current provider: Vercel Analytics — privacy-focused analytics that collects aggregated, anonymous usage data including page views, referrers, and device/browser types. Subject to Vercel's Privacy Policy.
- We may add additional analytics providers in the future to support marketing measurement and product optimization. Any additions will be reflected in updates to this Privacy Policy.
5.8. Categories of Personal Information Disclosed for Business Purposes
The following table summarizes the categories of Personal Information we disclose to service providers for business purposes:
| Category (CCPA) | Disclosed To | Business Purpose |
|---|---|---|
| Identifiers (email address) | Stripe, Resend | Payment processing, email delivery |
| Identifiers (IP address) | Vercel | Hosting, security, rate limiting |
| Customer records (payment transaction data) | Stripe | Payment processing |
| Property address | BatchData, Anthropic | Property data retrieval, AI analysis |
| Internet/network activity (usage data) | Vercel Analytics | Aggregated product analytics |
5.9. Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request, or if we believe in good faith that disclosure is necessary to:
- Comply with applicable law or legal process
- Protect the rights, property, or safety of Spaghetti Labs, LLC, our users, or the public
- Detect, prevent, or address fraud, security, or technical issues
6. What We Do Not Do
To be clear about our practices:
6.1. We do not sell your Personal Information as defined under the CCPA/CPRA. We have not sold Personal Information in the preceding 12 months and do not intend to sell Personal Information.
6.2. We do not share your Personal Information for cross-context behavioral advertising as defined under the CPRA. Your information is never provided to third parties for their own marketing or cross-context behavioral advertising purposes.
6.3. We do NOT use your Personal Information for automated decision-making that produces legal effects. The AI analysis we provide is informational — you decide whether and how to use it. The AI does not make decisions about your property taxes or legal rights.
6.4. We do NOT build personal profiles for purposes unrelated to the Service. We do not aggregate your data with other sources to create consumer profiles.
6.5. We do not collect or process Sensitive Personal Information as defined under the CPRA, and we do not use Personal Information for purposes that would require a right to limit under the CPRA.
6.6. We follow data minimization principles and collect only the Personal Information reasonably necessary to provide the Service — specifically, your property address, email address, and payment transaction data processed by Stripe.
7. Cookies & Tracking Technologies
7.1. What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They help the website recognize your device and remember certain information about your visit.
7.2. Types of Cookies We Use
Essential Cookies
- Required for the Service to function properly
- Include session management, security tokens, and user preference cookies
- Cannot be disabled without impairing the Service
Analytics Cookies
- Help us understand how users interact with the Service
- Measure page views, feature usage, and site performance
- Used to identify issues and improve the user experience
- Current provider: Vercel Analytics
Marketing and Advertising Cookies
- May be used to measure the effectiveness of digital marketing campaigns
- May enable retargeting — showing you relevant ads on other platforms based on your visit to our Website
- These cookies may be placed by third-party advertising platforms
- As of the "Last Updated" date above, the Service does not use marketing or advertising cookies. When we introduce marketing cookies, we will update this Privacy Policy, disclose the specific providers used, and implement a cookie consent mechanism before activating them
7.3. How to Manage Cookies
You can control cookies through your browser settings. Most browsers allow you to:
- View what cookies are set
- Delete individual or all cookies
- Block cookies from specific or all websites
- Block third-party cookies
Please note that disabling essential cookies may prevent the Service from functioning properly.
7.4. Global Privacy Control (GPC)
We respect Global Privacy Control (GPC) signals sent by your browser. If your browser sends a GPC signal, we will treat it as a request to opt out of the sale or sharing of Personal Information, as required by California law. Because we do not currently sell or share Personal Information (see Section 6), and our analytics provider (Vercel Analytics) does not use cookies or collect personal data, a GPC signal does not change how the Service operates for you today. If our practices change in the future, GPC signals will be honored to restrict any sale or sharing of Personal Information.
7.5. Do Not Track
At this time, there is no universally accepted standard for how to respond to "Do Not Track" browser signals. We honor GPC signals as described above.
8. Data Retention
We retain your information only as long as necessary for the purposes described in this Privacy Policy, or as required by law. Here is a summary:
| Data Type | Retention Period | Reason |
|---|---|---|
| Property address (lookup cache) | 90 days | Reduce API costs for repeat lookups |
| Generated Content (Data Packages, Filing Guides) | 1 year | Allow users to re-access and re-download purchases |
| Email address (waitlist) | Until unsubscribe or deletion request | Waitlist notifications |
| Email address (associated with purchase) | 7 years | Transaction records and legal/tax compliance |
| Payment transaction data (from Stripe) | 7 years | Legal and tax record-keeping requirements |
| Server logs (IP address, user agent) | 90 days | Security, rate limiting, and debugging |
| Analytics data | Per analytics provider's policy | Product improvement |
When the retention period expires, we delete or anonymize the data. If deletion is not immediately possible (for example, data stored in backups), we will securely isolate it and delete it when the backup cycle completes.
9. Your California Privacy Rights (CCPA/CPRA)
Although Spaghetti Labs, LLC may not yet meet all CCPA/CPRA applicability thresholds, we are committed to respecting your privacy rights as a California consumer. We voluntarily provide the following rights:
9.1. Right to Know
You have the right to request that we disclose:
- The categories of Personal Information we have collected about you
- The specific pieces of Personal Information we have collected about you
- The categories of sources from which we collected your Personal Information
- Our business purpose for collecting your Personal Information
- The categories of third parties with whom we share your Personal Information
9.2. Right to Delete
You have the right to request that we delete your Personal Information. Upon receiving a verified request, we will delete your Personal Information from our records, except where retention is required or permitted by law, including:
- Completing the transaction for which the information was collected
- Complying with legal obligations (e.g., tax record-keeping)
- Detecting security incidents or protecting against fraud
- Exercising or defending legal claims
9.3. Right to Correct
You have the right to request that we correct inaccurate Personal Information we maintain about you.
9.4. Right to Opt-Out of Sale or Sharing
We do not sell Personal Information, and we do not share Personal Information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. If our practices change in the future, we will update this policy and provide a clear opt-out mechanism, including a "Do Not Sell or Share My Personal Information" link on the Website.
9.5. Right to Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. We will not:
- Deny you the Service
- Charge you different prices
- Provide a different level or quality of service
- Suggest that you will receive different treatment
9.6. How to Submit a Request
To exercise any of the rights described above:
- Email: Send your request to [PLACEHOLDER: support email address]
- Verification: We will verify your identity before processing your request. We may ask you to confirm information associated with your account or purchase, such as the email address or property address used.
- Response Time: We will respond to verified requests within 45 days of receipt. If we need additional time (up to an additional 45 days), we will notify you of the extension and the reason.
- Authorized Agents: You may designate an authorized agent to make a request on your behalf, subject to identity verification of both you and the agent.
9.7. Categories of Personal Information Collected
For transparency, the categories of Personal Information we have collected in the preceding 12 months include:
| Category (CCPA) | Examples | Collected? |
|---|---|---|
| Identifiers | Email address, IP address | Yes |
| Customer records | Name, address, payment records | Yes (via Stripe) |
| Internet or network activity | Browsing history, interactions with the Service | Yes |
| Geolocation data | Approximate location from IP address | Yes |
| Professional or employment information | N/A | No |
| Education information | N/A | No |
| Biometric information | N/A | No |
| Sensory data (audio, visual) | N/A | No |
| Sensitive Personal Information | N/A | No |
10. Data Security
We take reasonable measures to protect your information from unauthorized access, alteration, disclosure, or destruction. These measures include:
10.1. Encryption in Transit. All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
10.2. Secure Payment Processing. All payment data is handled by Stripe, which is PCI-DSS Level 1 compliant — the highest level of payment security certification.
10.3. Access Controls. Access to user data and production systems is restricted to authorized personnel and protected by authentication.
10.4. API Key Management. Third-party API keys and secrets are stored securely in environment variables and are never exposed in client-side code or committed to source control.
10.5. Rate Limiting. We implement rate limiting on public-facing endpoints to prevent abuse.
No system is perfectly secure. While we strive to protect your information, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. If we become aware of a security breach that affects your Personal Information, we will notify you in accordance with applicable law.
11. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect Personal Information from children under 18. If you are under 18, please do not use the Service or provide any information to us.
If we learn that we have collected Personal Information from a child under the age of 13, we will take steps to delete that information as quickly as possible. If you believe we have inadvertently collected information from a child under 13, please contact us at [PLACEHOLDER: support email address].
12. International Users
The Service is designed for California property owners and is operated from the United States. All data is processed and stored in the United States.
If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your jurisdiction.
By using the Service from outside the United States, you consent to the transfer of your information to the United States and acknowledge that you do so at your own discretion and are responsible for compliance with any applicable local laws.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law.
- Material changes: We will notify you by posting a prominent notice on the Website and, where we have your email address, sending you an email notification before the changes take effect.
- Non-material changes: Minor updates (e.g., formatting or clarifications) take effect when posted.
- Last Updated date: The date at the top of this Privacy Policy will always reflect the most recent revision.
- Your options: If you disagree with changes to this Privacy Policy, you may stop using the Service and request deletion of your Personal Information. Continued use after the effective date of changes constitutes acceptance of the updated Privacy Policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Spaghetti Labs, LLC Oakland, CA
Email: [PLACEHOLDER: support email address]
For privacy-related requests (right to know, delete, correct, or opt-out), please email [PLACEHOLDER: support email address] with the subject line "Privacy Request."
This Privacy Policy is a draft prepared for attorney review and has not been reviewed by legal counsel. Do not publish without professional legal review.