Privacy Policy
Last updated: May 3, 2026
This policy describes how the Milltown Lofts website and resident portal (together, the "Service") handle information. It reflects how the Service is built and operated today. This is general information, not legal advice.
Who we are
The Service is operated on behalf of Milltown Lofts. For privacy questions related to this website or the portal, use the contact form on the homepage.
What we collect
Website visitors (public pages)
- Usage analytics. We use Vercel Web Analytics on pages you visit. It helps us understand aggregate traffic and performance. See Vercel's analytics privacy information.
- Contact inquiries. If you submit the contact form, we collect the fields you enter: name, email address, optional phone number, optional unit or interest notes, and optional message text. We store this in our database so we can respond. To limit spam, we may verify submissions with Cloudflare Turnstile (your interaction is processed by Cloudflare; see their privacy materials for details). We also derive a one-way hash of your network information to enforce rate limits on submissions; we do not store your full IP address with the inquiry in the database.
- Technical data. Like most sites, hosting infrastructure and our application may process technical data such as IP address, request metadata, and browser type when you load pages or call our APIs.
Resident accounts and portal
The resident portal requires an account. Authentication and account credentials are processed by Supabase (email and password sign-in). When you register, we collect information you provide, including email, unit number, name, and an invite code. We associate your account with a resident profile that may include name, phone number, unit number, and email as shown or edited in the portal.
Within the portal, the Service stores and processes content needed to run community features, including:
- Direct messages between residents and related conversation metadata. Message text is kept for one year from the send date, then permanently deleted by an automated process. Message alerts in your notifications inbox are removed when you view them or when the underlying message is deleted.
- Notifications (for example in-app alerts tied to messages and other activity)
- Announcements, documents, calendar events, and related comments
- Projects (for example community or building projects) and comments on them
- Invite codes used to create accounts and records of which code was used
- Administrative actions where authorized users manage resident access or profiles
Some parts of the portal use live updates over the network so your device can reflect new messages or notifications without refreshing the entire app.
Browser push notifications
If you opt in, we store a push subscription for your device (including subscription endpoint and related keys supplied by the browser) and may store your browser's user-agent string. Push delivery relies on your browser's push service (for example Apple, Google, or Microsoft, depending on device); we use those services only to deliver notifications you have agreed to receive.
How we use information
- Provide, secure, and improve the Service
- Authenticate residents and show the correct portal content
- Send operational communications through the portal and, if enabled, push notifications
- Respond to contact inquiries and reduce abusive or automated submissions
- Comply with law and enforce community rules where applicable
Service providers
We use third-party services that process data on our behalf, including Supabase (database, authentication, and related infrastructure for the portal) and Vercel (hosting and analytics). When Turnstile is enabled, Cloudflare processes verification traffic. These providers have their own privacy policies governing how they handle data sent to them.
Retention
We keep information for as long as needed to operate the Service, meet legal and contractual obligations, and resolve disputes. Retention periods can depend on the type of data (for example account records versus contact inquiries).
Security
We rely on industry-standard practices and our vendors' safeguards, including encrypted transport (HTTPS) and access controls on backend data. No method of transmission or storage is completely secure.
Your choices
- You can use browser settings to block or clear cookies and site data; doing so may affect staying signed in.
- You can disable or revoke push notifications from your device or browser settings, or through unsubscribe flows in the app where offered.
- For contact form data, you may request access or correction using the same contact channel you used to reach us.
- For resident portal data, contact building management or the administrators who provision your access. Some requests may be limited by leases, governing documents, or law.
Children
The Service is not directed at children under 13, and we do not knowingly collect their personal information.
Changes
We may update this policy from time to time. We will adjust the "Last updated" date when we do. If changes are material, we may provide additional notice (for example through the portal).