Privacy Policy

Effective Date: January 29, 2026 | Last Updated: February 22, 2026

1. Introduction & Scope

Aldea HQ ("we," "us," or "our") operates the website located at aldeahq.com and the Aldea HQ community management platform (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you visit our website, use our platform, or interact with us in any way.

Privacy is a core value at Aldea HQ. We are committed to being transparent about our data practices and giving you control over your personal information. We collect only the data necessary to provide and improve our Service, and we never sell your personal information.

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. This policy applies to all visitors, users, and others who access the Service. Please also review our Terms of Use, which govern your use of the Service.

2. Information We Collect

We collect information in several ways depending on how you interact with our Service.

Account Data

When you create an account, we collect your name, email address, organization name, role, and property affiliation. Your password is securely managed by our authentication provider, Clerk, and is never stored directly by Aldea HQ.

Content Data

When you use the platform, we store the content you create, including community posts, support tickets, ticket comments, resident handbook entries, and file uploads (images and documents). For your privacy, we automatically strip EXIF metadata (including GPS coordinates, device information, and timestamps) from all uploaded images before storing them. This means location data and other sensitive metadata embedded in your photos is permanently removed and never stored on our servers.

Contact Form Data

If you contact us through our contact form, we collect your name, email address, and message content.

Usage and Analytics Data

With your consent, we use Google Analytics 4 (GA4) to collect anonymized usage data, including page views, interactions, and device and browser information. This data helps us understand how the Service is used and improve the experience. Analytics data is only collected if you consent to analytics cookies.

Payment Data

Payment processing is handled entirely by Stripe, our PCI-DSS compliant payment processor. Aldea HQ never stores, processes, or has access to your credit card numbers or full payment details. We store only the Stripe customer ID and subscription ID necessary to manage your account.

Cookies

We use essential cookies for authentication (Clerk session) and storing your cookie consent preferences (the aldea_consent cookie). With your consent, we also use analytics cookies from Google Analytics (_ga, _gid). See Section 6: Cookies & Tracking for full details.

Log Data

Our servers automatically collect certain information when you access the Service, including your IP address, request timestamps, and browser and operating system information. This data is used for security monitoring and troubleshooting.

Email Event Data

When we send transactional emails (such as notifications and support responses), our email provider Resend tracks delivery status, bounce events, and complaint data. This helps us ensure reliable email delivery and maintain sender reputation.

3. How We Use Information

We use the information we collect for the following purposes:

  • Service delivery: Operating and maintaining the Aldea HQ platform, including community management features, support tickets, and the resident handbook.
  • Authentication: Verifying your identity and managing access to your account and organization.
  • Billing: Processing subscription payments and managing your billing account through Stripe.
  • Support: Responding to your inquiries, support tickets, and contact form submissions.
  • Analytics: Understanding how the Service is used so we can improve features and user experience (with your consent).
  • Communications: Sending transactional emails such as notifications, ticket updates, and account-related messages.
  • Security: Detecting, preventing, and responding to security incidents, fraud, and abuse.
  • Compliance: Meeting our legal obligations under applicable privacy and data protection laws.

4. How We Share Information

We share your personal information only with the third-party service providers listed in Section 5, and only as necessary to provide and operate the Service.

We do not sell your personal information. We do not share your data with advertisers. We do not use your data for advertising purposes.

We may disclose your information if required to do so by law, in response to valid legal requests by public authorities (such as a court order or subpoena), or to protect the rights, property, or safety of Aldea HQ, our users, or the public.

5. Third-Party Service Providers

We work with the following third-party service providers to deliver and operate our Service. Each provider processes data only as necessary for the stated purpose.

ProviderPurposeData Shared
ClerkAuthentication and identity managementName, email, password, roles, organization ID
StripePayment processing (PCI-DSS compliant)Organization name, email, customer and subscription IDs
Cloudflare R2File and image storage, CDN deliveryUploaded images and documents (EXIF metadata stripped before storage)
Resend / Amazon SESTransactional email deliveryRecipient email, email content, delivery status
Google Analytics 4Website analytics (opt-out available)Page views, interactions, device info, city-level geolocation
VercelFrontend hostingRequest logs, IP addresses
RailwayBackend hosting and databaseAll platform data (encrypted at rest)

6. Cookies & Tracking

We use cookies to operate our Service and, with your consent, to understand how it is used. When you first visit our site, a cookie consent banner gives you control over which cookies are set.

Essential Cookies

These cookies are necessary for the Service to function and cannot be disabled.

  • Clerk session cookies: Used for user authentication. Duration: session with 24-hour inactivity timeout.
  • Platform session cookie: Used for application functionality. Duration: session.
  • aldea_consent: Stores your cookie consent preferences. Duration: 1 year.

Analytics Cookies

These cookies are only set if you consent to analytics tracking.

  • _ga: Google Analytics user distinction cookie. Duration: 2 years.
  • _gid: Google Analytics session distinction cookie. Duration: 24 hours.

Managing Your Preferences

You can change your cookie preferences at any time using the "Cookie Settings" link in the footer of any page. You can also disable cookies through your browser settings, though this may affect the functionality of the Service.

7. Data Storage & Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect it. For more details about our security practices, visit our Security page.

  • Multi-tenant data isolation: Each organization's data is logically separated so that users can only access data within their own community.
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security).
  • Credential security: User passwords are managed exclusively by Clerk using industry-standard hashing. Aldea HQ never stores raw passwords.
  • Soft-delete pattern: When data is deleted within the platform, it is soft-deleted (marked as inactive) rather than permanently destroyed immediately, allowing for recovery if needed and supporting compliance requirements.
  • File storage security: Uploaded files are stored in Cloudflare R2 with AES-256 encryption at rest. All transfers between our servers and storage are encrypted via TLS. Images have EXIF metadata (GPS coordinates, device info, timestamps) automatically stripped before storage for user privacy.
  • Infrastructure security: Our backend is hosted on Railway with database encryption at rest. Our frontend is hosted on Vercel's edge network.

8. Data Retention

We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this policy. Specific retention periods are:

  • Account data: Retained for the duration of your subscription and account. Upon account termination, data is retained per our retention schedule and then deleted.
  • Content data: Retained for the duration of the organization's subscription. Deleted upon account termination per retention schedule.
  • Notifications: Automatically cleaned up after 30 days.
  • Audit logs: Retained indefinitely for compliance and security purposes.
  • Analytics data: Retained per Google Analytics' default retention policies.
  • Email delivery records: Retained per Resend's data retention policies.

9. International Data Transfers

Aldea HQ is operated from Canada (Province of Nova Scotia). However, some of our third-party service providers host data in the United States. By using our Service, you acknowledge that your data may be transferred to and processed in jurisdictions outside of Canada.

The following services process data in the United States:

  • Vercel (frontend hosting)
  • Railway (backend hosting and database)
  • Clerk (authentication)
  • Stripe (payment processing)
  • Cloudflare R2 (file storage)
  • Resend / Amazon SES (email delivery)
  • Google Analytics (website analytics)

We ensure that all third-party providers maintain appropriate data protection practices and comply with applicable privacy regulations. For more information about how each provider handles your data, please refer to their respective privacy policies.

10. Your Privacy Rights

Depending on your location, you may have specific rights regarding your personal information.

PIPEDA Rights (Canada)

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

  • Access: Request access to the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Withdrawal of consent: Withdraw your consent for us to process your personal information, subject to legal or contractual restrictions.
  • Complaint: File a complaint with the Office of the Privacy Commissioner of Canada (OPC) if you believe your privacy rights have been violated.

CCPA Rights (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you the following rights:

  • Right to know: Request details about the personal information we collect, use, and share.
  • Right to delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to opt-out of sale: We do not sell your personal information. This right is acknowledged but not applicable.
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, please contact us at support@aldeahq.com. We will respond to your request within the timeframes required by applicable law.

11. Data Breach Notification

In the event of a data breach involving personal information that poses a real risk of significant harm, Aldea HQ will:

  • Notify affected individuals as soon as feasible after becoming aware of the breach.
  • Report the breach to the Office of the Privacy Commissioner of Canada (OPC) as required under PIPEDA.
  • Provide details about the nature of the breach, the information involved, and steps we are taking to address it.
  • Recommend steps that affected individuals can take to protect themselves.

12. Children's Privacy

The Aldea HQ Service is not intended for use by children under the age of 16. We do not knowingly collect personal information from children under 16.

If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to delete that information as promptly as possible. If you believe that a child under 16 has provided us with personal information, please contact us at support@aldeahq.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes, we will update the "Last Updated" date at the top of this page.

For material changes, we will notify you by email or by a prominent notice on our website. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14. Contact Information

If you have any questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how we handle your personal information, please contact us: