Cornice

Privacy Policy

Effective June 1, 2026 · Last updated June 1, 2026

This Privacy Policy explains how Cornice ("we," "us") collects, uses, shares, and protects information when you use cornicenyc.com and the Cornice service. It is incorporated into our Terms of Service.

1. Who this applies to

This Policy applies to visitors who look up public building data without an account, account holders on any tier (Free, Basic, Pro, Business, Enterprise), people who provide an email to receive building alerts (the email-only watch), and people who submit the Enterprise "Contact Sales" form.

It does not apply to the building owners, agents, or tenants whose information appears in public datasets we display — that information is published by government agencies under their own data-disclosure rules, and we are not the source of it.

2. Information we collect

What you give us: account email + optional name; subscription tier and billing metadata (last-4, brand, expiration — handled by Stripe; we do not store full card numbers); the BINs you save to a portfolio; files you upload to the Document Vault; email + BINs you elect to monitor; Enterprise inquiry data; support messages.

What we collect automatically: pages viewed, features used, approximate location derived from IP, device/browser, referrer, timestamps; an authentication cookie from Supabase; standard server logs (IP, request timing, error traces) retained for operational and security purposes.

Public data we display: reference data from NYC Open Data feeds (DOB, ECB/OATH, HPD, FDNY, DEP, DSNY, DOT, DOHMH, DCWP, LPC) and NY State data (SLA). We re-publish that data unmodified except for plain-English summaries.

3. How we use information

To operate the Service (look up buildings, save portfolios, send alerts, generate reports), provide customer support, process payments via Stripe, send transactional and service-related emails, prevent abuse and fraud, comply with legal obligations, and (with notice) communicate product updates.

We do not sell personal information. We do not use your data to train third-party AI models.

4. Who we share with

Service providers we contract with: Supabase (hosted Postgres + auth + storage), Vercel (web hosting), Stripe (payments), Resend (transactional email). Each is bound by its own data processing terms and processes information only on our instructions.

We may disclose information in response to a valid legal process, to protect our rights or the safety of users, or in connection with a corporate transaction (acquisition, financing) with notice.

5. Retention

Account data is kept while your account is active and for up to 30 days after deletion to allow recovery from accidental deletes. Document Vault files are deleted when you delete them or close your account. Server logs are retained 90 days. Email-only watcher records are retained until you unsubscribe; unsubscribed records are retained 12 months for audit, then deleted.

6. Your rights

You can request access to, correction of, or deletion of your personal data by emailing hello@cornicenyc.com from the address on your account. We respond within 30 days as required by NY GBL §899-aa. California residents have additional rights under the CCPA (right to know, delete, correct, opt out of sale — we do not sell). EU/UK residents have GDPR rights (access, rectification, erasure, portability, restriction, objection).

7. Security

All traffic is encrypted in transit (HTTPS/TLS). Database storage is encrypted at rest. The service role key and webhook secrets are stored only in server environment variables. Document Vault files are scoped per-user via Supabase Storage Row-Level-Security policies. We do not guarantee absolute security but follow industry-standard practices.

8. Children

Cornice is not directed at children under 16 and we do not knowingly collect personal information from them.

9. International users

Cornice is operated from the United States. By using the Service from outside the US you consent to the transfer and processing of your information in the US.

10. Cookies

We use a strictly-necessary authentication cookie (Supabase session) on signed-in pages. If we enable analytics (Plausible or PostHog) we will note it here; analytics scripts will respect Do-Not-Track signals where supported.

11. Changes to this policy

If we make material changes we will post the updated policy here and (for account holders) email a notice at least 14 days before changes take effect.

12. Contact

Privacy questions: hello@cornicenyc.com.