Cornice
Privacy Policy
Effective June 1, 2026 · Last updated June 1, 2026
This Privacy Policy explains how Cornice ("we," "us") collects, uses, shares, and protects information when you use cornicenyc.com and the Cornice service. It is incorporated into our Terms of Service.
1. Who this applies to
This Policy applies to visitors who look up public building data without an account, account holders on any tier (Free, Basic, Pro, Business, Enterprise), people who provide an email to receive building alerts (the email-only watch), and people who submit the Enterprise "Contact Sales" form.
It does not apply to the building owners, agents, or tenants whose information appears in public datasets we display — that information is published by government agencies under their own data-disclosure rules, and we are not the source of it.
2. Information we collect
What you give us: account email + optional name; subscription tier and billing metadata (last-4, brand, expiration — handled by Stripe; we do not store full card numbers); the BINs you save to a portfolio; files you upload to the Document Vault; email + BINs you elect to monitor; Enterprise inquiry data; support messages.
What we collect automatically: pages viewed, features used, approximate location derived from IP, device/browser, referrer, timestamps; an authentication cookie from Supabase; standard server logs (IP, request timing, error traces) retained for operational and security purposes.
Public data we display: reference data from NYC Open Data feeds (DOB, ECB/OATH, HPD, FDNY, DEP, DSNY, DOT, DOHMH, DCWP, LPC) and NY State data (SLA). We re-publish that data unmodified except for plain-English summaries.
3. How we use information
To operate the Service (look up buildings, save portfolios, send alerts, generate reports), provide customer support, process payments via Stripe, send transactional and service-related emails, prevent abuse and fraud, comply with legal obligations, and (with notice) communicate product updates.
We do not sell personal information. We do not use your data to train third-party AI models.
4. Who we share with
Service providers we contract with: Supabase (hosted Postgres + auth + storage), Vercel (web hosting), Stripe (payments), Resend (transactional email). Each is bound by its own data processing terms and processes information only on our instructions.
We may disclose information in response to a valid legal process, to protect our rights or the safety of users, or in connection with a corporate transaction (acquisition, financing) with notice.
5. Retention
Account data is kept while your account is active and for up to 30 days after deletion to allow recovery from accidental deletes. Document Vault files are deleted when you delete them or close your account. Server logs are retained 90 days. Email-only watcher records are retained until you unsubscribe; unsubscribed records are retained 12 months for audit, then deleted.
6. Your rights
You can request access to, correction of, or deletion of your personal data by emailing hello@cornicenyc.com from the address on your account. We respond within 30 days as required by NY GBL §899-aa. California residents have additional rights under the CCPA (right to know, delete, correct, opt out of sale — we do not sell). EU/UK residents have GDPR rights (access, rectification, erasure, portability, restriction, objection).
7. Security
All traffic is encrypted in transit (HTTPS/TLS). Database storage is encrypted at rest. The service role key and webhook secrets are stored only in server environment variables. Document Vault files are scoped per-user via Supabase Storage Row-Level-Security policies. We do not guarantee absolute security but follow industry-standard practices.
8. Children
Cornice is not directed at children under 16 and we do not knowingly collect personal information from them.
9. International users
Cornice is operated from the United States. By using the Service from outside the US you consent to the transfer and processing of your information in the US.
10. Cookies
We use a strictly-necessary authentication cookie (Supabase session) on signed-in pages. If we enable analytics (Plausible or PostHog) we will note it here; analytics scripts will respect Do-Not-Track signals where supported.
11. Changes to this policy
If we make material changes we will post the updated policy here and (for account holders) email a notice at least 14 days before changes take effect.
12. Contact
Privacy questions: hello@cornicenyc.com.