Privacy Policy

The short version:

• We collect the information we need to verify your identity and report your rent payments to credit bureaus.
• We only share your data with the partners required to deliver this service (credit bureaus, payment processor, identity verification, SMS).
• We do not sell your personal information.
• We only report positive, on-time rent payments — never missed or late ones.
• You can ask us to delete your data at any time after you cancel.
• If you live in California, Virginia, Colorado, or other states with privacy laws, you have specific rights (see Your Privacy Rights).

This summary is for convenience. The full policy below is what governs our relationship.

We collect only the information needed to verify your identity, accept payment, and report your rent to credit bureaus.

Identity Information

• First and last name
• Date of birth
• Email address
• Mobile phone number (used for one-time verification codes)
• Current residential address

We do not collect any portion of your Social Security Number. The full-SSN identity-verification step required for credit bureaus runs inside Array.com's embedded web component on your dashboard — the value is sent directly to Array and never passes through our servers.

Lease & Rent Information

• Monthly rent amount, lease start and end dates, rent due day
• Your landlord's name, phone, and email (for verification)

We do not store a copy of your lease agreement. If Array.com needs to confirm lease details during onboarding, the document is uploaded directly to Array through their embedded web component and is never stored on our servers.

Payment Information

• We do not see or store your full credit card number. Payments are processed by Stripe, which is PCI DSS Level 1 certified.
• We do receive Stripe-issued identifiers (customer ID, subscription ID, last 4 of card, card brand, billing ZIP) so we can show your billing history.

Technical Information

• IP address, browser type, device type, and approximate location (for security and fraud prevention)
• Pages you visit on our site and timestamps
• Cookies (see Cookies & Tracking)

We use the information above only for the following purposes:

• Identity verification — to confirm you are who you say you are, as required by federal law before reporting credit information.
• Rent reporting — to furnish your on-time payment history to credit bureaus.
• Account management — to provide your dashboard, score updates, and customer support.
• Billing — to charge your $1.00 trial fee and recurring subscription via Stripe.
• Security — to detect fraud, prevent abuse, and protect our service and other users.
• Legal compliance — to meet our obligations under the Fair Credit Reporting Act (FCRA), state privacy laws, and lawful requests from authorities.
• Service communications — to send transactional emails and SMS (verification codes, billing receipts, dispute updates). You can opt out of marketing, but not transactional, messages.

We do not use your information for advertising profiling, behavioral targeting, or any kind of "data product."

We share information only with the partners listed below, and only the minimum data needed for each.

We do not sell your personal information. We do not share your data with advertisers, data brokers, or marketing companies.

We may disclose information when legally required — for example, in response to a valid subpoena, court order, or to protect against fraud.

When you sign up, you give us written consent (under Section 604 of the Fair Credit Reporting Act) to report your rental payment history to credit bureaus.

• We report only positive, on-time payments. We never report late or missed payments. This is a core product principle.
• Your consent is logged with a timestamp, IP address, and the consent version you accepted.
• You can revoke your consent at any time by cancelling your subscription. Once cancelled, we stop furnishing new data to bureaus, though previously-reported data may remain on your credit report per bureau retention policies (typically 7 years for closed tradelines).
• If you believe data we reported is inaccurate, you may dispute it through our platform (Premium plan) or directly with the bureau. We respond to disputes within 30 days as required by the FCRA.

For more on FCRA compliance, see our Compliance page.

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment provider. WeReportYourRent never sees or stores your full credit card number, CVV, or expiration date.

Stripe's privacy practices are governed by their own Privacy Policy.

The information we receive from Stripe — to display your billing history and manage your subscription — is limited to:

• Stripe customer and subscription identifiers
• Card brand, last 4 digits, expiration month/year
• Billing ZIP and country
• Invoice amounts, dates, and statuses

• Active accounts: we keep your data for as long as your account is active.
• After cancellation: we keep your account record for 7 years for legal, tax, and FCRA audit-trail reasons.
• Lease documents: retained for 7 years after the lease end date.
• Payment records: retained for 7 years per IRS / tax requirements.
• OTP codes: automatically deleted after 5 minutes.
• Marketing data: deleted upon request or 18 months of no activity, whichever is sooner.

You may request deletion of personally identifying information at any time — see Your Privacy Rights.

Depending on where you live, you have certain rights regarding your personal information.

All Users — Federal Rights

• Right to access: request a copy of the personal data we hold about you.
• Right to correct: ask us to fix data that is inaccurate.
• Right to delete: ask us to delete your data (subject to legal retention requirements).
• Right to FCRA dispute: dispute the accuracy of any data we have furnished to a credit bureau.

California Residents (CCPA / CPRA)

You have additional rights, including the right to know what personal information we collect, the right to delete, the right to correct, the right to opt out of "sale" or "sharing" of personal information (we don't do either), and the right to non-discrimination for exercising these rights.

Virginia, Colorado, Connecticut, Utah, and other state-privacy-law residents

You have similar rights under your respective state laws (VCDPA, CPA, CTDPA, UCPA, etc.), including access, deletion, correction, and opt-out of targeted advertising.

How to Exercise Your Rights

You have two ways to act on your access + deletion rights:

• Self-serve (recommended; identity is verified by your active session):
  • Right to know / right of access: log in, open your profile, and use the "Download my data" button. We send a JSON file containing every record we hold about you (subscriptions, payments, leases, consent history, every action we've taken on your account, etc.). Programmatic equivalent: GET /api/account/export with your session bearer token.
  • Right to delete: the same profile page has a "Delete my account" flow. Programmatic equivalent: POST /api/account/delete with a typed confirmation phrase. Some data is retained in anonymized form for FCRA furnisher record-keeping (we tell you which).
• Email request: send a message to privacy@wereportyourrent.com from the email associated with your account. We respond within 45 days. We verify your identity before fulfilling any request.

• Encryption in transit: TLS 1.3 on every connection. HSTS is enforced.
• Encryption at rest: Cloudflare D1 (SQLite) and R2 (object storage) encrypt data at rest by default.
• SSN handling: we do not collect any portion of your Social Security Number at any point in our forms. The identity-verification step that uses your full SSN runs entirely inside Array.com's embedded web component on your dashboard. The value is sent directly from your browser to Array and never passes through our servers or appears in our database.
• Password hashing: PBKDF2 with a per-user salt. We cannot recover your password — only reset it.
• Rate limiting: OTP, login, and signup endpoints have strict rate limits to prevent abuse.
• Audit logging: sensitive actions (consent, data changes, reports) are recorded in an immutable audit log.
• Least-privilege access: only the engineers needed to operate the service can access production data, and every access is logged.

For full technical details, see our Compliance page.

We use a small number of cookies and similar technologies, only as needed:

• wryr_audience — remembers which marketing variant you arrived through (30 days)
• wryr_vid — anonymous visitor identifier used to aggregate site analytics (1 year)
• sessionStorage: wryr_sid — per-tab session identifier used to group page views into a single visit
• localStorage: wryr_token, wryr_user, wryr_signup_data, wryr_utm, wryr_exit_dismissed_at, wryr_exit_submitted — keeps you signed in (token + user record), preserves signup progress, remembers the marketing source you arrived from, and tracks whether you've already seen our exit-intent offer. Note: wryr_token is stored in localStorage (not as an HttpOnly cookie) so it is readable by JavaScript on our domain — we plan to migrate to an HttpOnly cookie post-launch.

First-Party Visitor Analytics

We collect aggregated, privacy-preserving analytics about who visits our site, what pages they view, and which calls-to-action they click. This includes:

• Pages viewed, time on page, scroll depth, and call-to-action button clicks
• UTM campaign parameters from links you clicked to arrive here
• A daily-rotating, salted SHA-256 hash of your IP address and user-agent string (we do not store your raw IP)
• Coarse device/browser information (mobile vs. desktop, browser family) derived from the user-agent

If you later create an account, we link your prior anonymous visitor identifier to your user record so we can understand the path that led you to sign up. You can request deletion of this linkage at any time (see "How to Exercise Your Rights" above).

Exit-Intent Email Capture

If you appear to be leaving our site without signing up (for example, you move your mouse toward the browser tab bar, or switch away from the tab on mobile), we may show a modal offering a free credit-building guide in exchange for your email address. Submitting this form is entirely optional. If you submit, we:

• Store your email, the page you were on, and the marketing source you arrived from in our email_captures table
• May send you occasional educational emails about rent reporting and credit building (you confirmed marketing consent at submission)
• Honor unsubscribe requests immediately via the one-click link in every email (/api/captures/unsubscribe)

If you dismiss the modal without submitting, we remember that decision for 7 days so we don't show it again immediately.

Third-Party Marketing Pixels (Conditional)

When configured by us, our marketing pages (the home page and pricing page only — never logged-in or checkout pages) may load the following third-party tags so we can measure ad effectiveness and reach people who visited us before:

• Meta Pixel (Facebook/Instagram advertising) — when enabled, sends Meta a page-view signal and, only if you submit an email through our exit-intent modal or sign up, a SHA-256 hash of your email for ad-conversion matching (Meta Cookie Policy)
• Google Ads remarketing tag (gtag.js with anonymize_ip: true) — when enabled, sends Google a page-view signal and a SHA-256 hash of your email (only after submission/signup) for ad-conversion matching (Google Ads Policy)

These tags are never loaded on dashboard, admin, profile, checkout, signup, or landlord-portal pages. We honor the browser's Do Not Track header — if your browser sends DNT, we will not load these pixels for you. You can also block them at the browser or extension level (uBlock Origin, Privacy Badger, etc.) without affecting site functionality.

We do not sell your personal information to advertisers, and we do not use behavioral advertising trackers beyond the conditional Meta/Google tags described above.

Our service is intended for adults aged 18 and over. We do not knowingly collect personal information from anyone under the age of 18. If you believe a child has provided us with personal information, please contact us and we will delete it.

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of the page. For material changes, we will notify active users by email at least 30 days before the change takes effect. Your continued use of the service after the effective date constitutes acceptance of the updated policy.

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

• Privacy inquiries: privacy@wereportyourrent.com
• General support: support@wereportyourrent.com
• Mailing address: [To be added before launch]

For credit-report disputes specifically, you may also contact the bureau directly: Experian, Equifax, or TransUnion.