1. Who We Are
SheltrIQ ("we," "us," or "our") is a product of Avion LLC, doing business as Avion Technologies,, a California limited liability company (Filing Number B20250439205). SheltrIQ provides AI-powered rental property tax intelligence and property management software at sheltriq.com and app.sheltriq.com (the "Service").
For privacy questions, contact us at: [email protected]
2. Information We Collect
2.1 Account Information
- Name and email address (required for registration)
- Password (stored as a bcrypt hash — we never store plaintext passwords)
- Tax filing status and W-2 income information (optional, for tax calculations)
- Language and display preferences
2.2 Property & Financial Data
- Rental property details (addresses, purchase prices, valuations, units)
- Financial transactions imported via OFX/CSV upload or SimpleFIN bank sync
- Expense classifications and Schedule E categorizations
- Depreciation schedules, mileage logs, and tax form data
- Rent payment records and collection data
- Insurance policy information
- Property photos and document uploads
2.3 Sensitive Financial Data
- Taxpayer Identification Numbers (TINs/SSNs/EINs) — Collected only for 1099 generation purposes. Encrypted at rest using AES-256-GCM encryption with a dedicated encryption key. TINs are never stored in plaintext, never logged, and never transmitted to third parties except as required for tax filing.
- Bank account credentials — We do not store bank login credentials. Bank connections are made through SimpleFIN, a third-party aggregator that uses tokenized access. We only receive transaction data, not login credentials.
- Payment card data — We do not store credit card or bank account numbers. All payment processing is handled by Stripe, a PCI DSS Level 1 certified processor. Card data never touches our servers.
2.4 Tenant Information
If you use SheltrIQ to manage tenants, we store tenant data you provide:
- Tenant names, email addresses, phone numbers
- Lease terms and payment history
- Maintenance request details and communications
- Screening request metadata (actual screening is performed by TransUnion SmartMove — we do not receive or store credit reports, criminal records, or eviction history)
2.5 Automatically Collected Data
- IP address and approximate geolocation (for rate limiting and security)
- Browser type and device information
- Pages visited and feature usage patterns
- GPS location data (only when you explicitly enable GPS mileage tracking in the mobile app — never collected in the background)
3. How We Use Your Information
- Core service delivery: Expense classification, tax calculations, Schedule E reports, depreciation tracking, and all other product features
- AI-powered classification: Transaction descriptions and amounts are processed by our AI models (running on our own servers — see Section 5) to categorize expenses to IRS Schedule E lines and determine repair vs. capital improvement status
- Tax calculations: Your financial data is used to compute QBI deductions, quarterly estimates, tax health scores, audit risk assessments, and other tax intelligence features
- Email notifications: Lease renewal reminders, maintenance escalations, tax deadline alerts, monthly digests, and account communications
- Payment processing: Rent collection via Stripe Connect ACH transfers between your tenants and your connected bank account
- CPA collaboration: When you create a CPA share link, the designated CPA can view (read-only) your Schedule E data, properties, transactions, and depreciation schedules for the duration you specify
- Service improvement: Anonymized, aggregated usage patterns to improve classification accuracy and product features (we never sell individual user data)
4. How We Share Your Information
We do not sell, rent, or trade your personal or financial data to third parties.
We share data only in these limited circumstances:
| Recipient | Data Shared | Purpose |
|---|
| Stripe | Payment amounts, tenant email | Rent payment processing |
| SimpleFIN | Bank connection tokens | Transaction import |
| Resend | Email address, name | Transactional emails |
| TransUnion SmartMove | Applicant name, email | Tenant screening invitations |
| Your designated CPA | Financial reports (read-only) | Tax preparation collaboration |
| Backblaze B2 | Encrypted database backups | Offsite backup storage & disaster recovery |
| Law enforcement | As required by valid legal process | Legal compliance |
5. AI Processing & Data Handling
SheltrIQ uses artificial intelligence to classify expenses and analyze documents. Important details about our AI:
- Self-hosted models: All AI processing runs on our own servers using open-source models (Qwen3 for text analysis, LLaVA for image analysis). Your data is never sent to OpenAI, Google, Anthropic, or any third-party AI provider.
- No training on your data: We do not use your personal financial data to train or fine-tune AI models. Classification improvements come from rule updates, not your data.
- Human override always available: Every AI classification can be corrected by you. AI suggestions are advisory — you retain full control over all categorizations and tax decisions.
- Deterministic first: Our classification engine uses a rules-based approach first (keyword matching, user-learned patterns, IRS safe harbor rules). AI is only consulted for ambiguous transactions that rules cannot classify.
- Input sanitization: All user-provided text is sanitized before AI processing to prevent prompt injection attacks.
6. Data Security
- Encryption in transit: All connections use TLS 1.2+ (HTTPS) via Cloudflare and Caddy auto-SSL
- Encryption at rest: TINs/SSNs are encrypted using AES-256-GCM. Database is hosted on encrypted storage.
- Authentication: JWT tokens with httpOnly cookies, bcrypt password hashing, rate limiting on all endpoints
- Access control: Row-level security (RLS) policies ensure users can only access their own data. Multi-tenant isolation at the database level.
- Infrastructure: Hosted on Hetzner Cloud (Germany/EU-compliant datacenter), firewalled with UFW, fail2ban for brute-force protection, automated daily backups (encrypted, stored offsite on Backblaze B2) with 7-day retention
- Monitoring: Automated health checks, error tracking, and uptime monitoring
- Incident response: In the event of a data breach, we will notify affected users within 72 hours as required by applicable law
7. Data Retention
- Active accounts: We retain your data for as long as your account is active
- Account deletion: Upon account deletion request, we permanently delete all your personal data, property data, transactions, classifications, and documents within 30 days. Anonymized aggregate data may be retained.
- Tax records: We recommend you export and retain your tax data before deleting your account. The IRS recommends keeping tax records for at least 3-7 years.
- Backups: Deleted data may persist in encrypted backups for up to 7 days before being permanently purged
- Legal holds: We may retain data longer if required by law or legal proceedings
8. Your Rights
8.1 All Users
- Access: Request a copy of all data we hold about you
- Correction: Update or correct inaccurate personal information
- Deletion: Request permanent deletion of your account and all associated data
- Export: Download your data in standard formats (PDF reports, CSV exports)
- Opt-out of emails: Unsubscribe from digest emails via account settings (you will still receive critical security and account notifications)
8.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purpose, and the categories of third parties with whom we share it
- Right to Delete: You may request deletion of personal information we have collected from you
- Right to Correct: You may request correction of inaccurate personal information
- Right to Opt-Out of Sale: We do not sell personal information. There is nothing to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA right
- Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (TINs/SSNs) only for the disclosed purpose of 1099 tax form generation
To exercise these rights, email [email protected] with the subject "CCPA Request." We will verify your identity and respond within 45 days.
8.3 EU/EEA Residents (GDPR)
While SheltrIQ primarily serves US landlords, if you are an EU/EEA resident:
- Our legal basis for processing is performance of a contract (providing the Service) and legitimate interest (product improvement)
- You have rights to access, rectification, erasure, data portability, restriction of processing, and objection
- Data is stored on servers in Germany (Hetzner, Falkenstein datacenter)
- Contact [email protected] for GDPR requests
9. Cookies & Tracking
- Authentication cookie: We use a single httpOnly, secure, SameSite cookie containing your encrypted session token. This is essential for the Service to function.
- No advertising cookies or browser trackers: We do not run advertising cookies, retargeting pixels, or third-party analytics cookies in your browser — no Google Analytics, and no Meta/Facebook browser pixel.
- Privacy-friendly analytics: We measure aggregate, anonymous site usage with Plausible Community Edition, self-hosted on our own infrastructure. It sets no cookies, collects no personal information, and does not track you across websites.
- Ad conversion measurement (server-side only): If you subscribe after clicking one of our ads, we report that single conversion to Meta from our server (the Meta Conversions API) so we can measure our advertising. This uses a hashed, irreversible version of your email — no browser pixel and no tracking cookie is involved, and we never share your financial data. This applies only to paid subscriptions, not to browsing or free use.
- Local storage: We store your theme preference (dark/light mode) and language selection in browser localStorage. This data never leaves your device.
10. Children's Privacy
SheltrIQ is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or a prominent notice on the Service at least 30 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
12. Contact Us
For privacy-related questions, data requests, or concerns:
- Email: [email protected]
- Company: Avion LLC, doing business as Avion Technologies
- State: California, USA