Privacy Policy
Last updated: April 30, 2026
This Privacy Policy applies to Ilora AI, Inc. (operating as ILORA.ai), its websites, mobile applications, and all related services (collectively, the “Service”).
1. Introduction
Ilora AI, Inc., operating as ILORA.ai (“we,” “our,” or “us”), respects your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, what rights you have, and how to exercise them. It applies to the ilora.ai website, the ILORA.ai mobile applications (including ILORA.ai Tasks), and all related services.
Our Service provides AI-assisted analytics for commercial real estate portfolios. ILORA.ai is intended for businesses and their authorized team members; it is not intended for use by children under 18.
2. Information We Collect
2.1 Information You Provide
- Account information: name, email address, password (stored as a salted hash, never in plain text), organization, role.
- Property and portfolio data: property names, addresses, financial documents you upload (P&L statements, operating statements, rent rolls, STR/RevPAR data, lease abstracts, AP/AR ledgers).
- Team member data: for delegated tasks — team-employee name, email, phone, role title, and notification preferences set by you.
- Communications: messages you send to support, replies you submit to AI-generated questions, attachments accompanying replies.
- Payment information: processed by our payment processor (Stripe). We never see or store full card numbers; we receive a reference token and last-4 digits for display.
2.2 Information Collected Automatically
- Device and connection: browser type, operating system, mobile platform (iOS/Android), device push-notification token, IP address, approximate location derived from IP (city-level, never GPS).
- Usage data: features used, pages viewed, time spent, search queries, errors encountered.
- Logs: server access logs, audit-trail entries for sensitive operations (data exports, permission changes).
- Cookies and similar technologies: see Section 9.
2.3 Information We Do NOT Collect
- We do not collect biometric identifiers (Face ID, fingerprints) — if your device unlocks the app via biometrics, that match happens on-device only.
- We do not collect contact lists, photos, calendar events, or microphone/camera data unless you actively attach a photo to a task reply.
- We do not collect precise GPS location.
- We do not use third-party advertising trackers, analytics SDKs that profile users across services, or social-media pixels (no Facebook Pixel, no TikTok Pixel, no LinkedIn Insight Tag).
3. How We Use Your Information
- Provide the Service: authenticate you, store your portfolio data, run analytics, generate AI-assisted insights, deliver notifications, route task replies.
- Improve the Service: measure feature usage, diagnose errors, plan improvements. We use aggregated, de-identified statistics — never your raw documents — for product analytics.
- Security and integrity: detect fraud, prevent abuse, enforce our Terms of Service.
- Customer support: respond to your inquiries, troubleshoot issues you report.
- Legal compliance: meet legal, tax, or accounting obligations and respond to lawful requests from authorities.
- Communications you opted into: product updates, security alerts, billing notices. You can unsubscribe from non-essential communications at any time from in-app Settings.
4. AI Processing — Transparency About How Your Data Is Analyzed
ILORA.ai uses third-party large language models (LLMs) to generate insights, summarize documents, and evaluate task replies. We disclose the providers we use and the strict commitments that bind them.
4.1 LLM Sub-Processors
When the Service calls an LLM on your behalf, your prompt (which may include excerpts from your data) is sent to one of the following providers under a written data-processing agreement:
- Groq, Inc. (Mountain View, CA) — primary inference for Llama 3.3 70B and similar open-weight models.
- Together AI (San Francisco, CA) — secondary inference, including Llama 3.3 70B Turbo.
- Google LLC (Gemini API) (Mountain View, CA) — vision, embeddings, and Gemma open models. Gemini API processing is governed by Google's API data-use terms (no training on customer data).
- Local inference (Ollama) — runs on our own infrastructure for sensitive workloads; no third-party transmission.
4.2 What These Providers May Do — and What They May Not
- They process your prompt momentarily to return a response.
- They do NOT train their models on your data. Their commercial API terms (Groq, Together AI, Google Gemini API) explicitly prohibit training on customer inputs and outputs.
- They do NOT sell or share your data with advertisers or third parties.
- They do NOT retain your prompts beyond the brief processing window (typically <30 days for abuse detection, then deleted).
4.3 Our Own Use of Your Data for AI
- We do not train foundation models on your data, and we do not contribute your data to any third-party AI training corpus.
- We do not sell, license, or share your data with any third party for AI training, marketing, or any purpose other than delivering the Service to you.
- We may use de-identified, aggregated patterns (e.g., “X% of users uploaded a Q4 financial report this month”) for product improvement, but never your raw content.
- Our agent layer learns from your interactions in the ways disclosed in Sections 4.5 through 4.9 below. This is a separate concept from training a foundation model and is fully under your control.
4.4 Important: AI Output May Contain Errors
AI-generated outputs — including insights, recommendations, summaries, valuations, forecasts, and answers to your questions — may contain inaccuracies, omissions, hallucinations, or misinterpretations. You must independently verify any AI-generated output before relying on it for any business, financial, legal, tax, investment, or operational decision. See our Terms of Service for the full disclaimer of liability regarding AI output.
4.5 User Profile Building — What Our AI Learns About You
To provide a useful financial-analytics experience, our AI agents build and maintain an evolving profile of your activity within the Service. By using ILORA.ai, you acknowledge and consent to the following profile-building activities:
- Property and portfolio inventory. The AI knows which properties you operate, the property types and sectors involved, the geographic concentration, and the financial scale of each asset.
- Workflow and preference inference. The AI infers which KPIs you focus on (NOI, RevPAR, occupancy, WALT, ADR, etc.), the periods you most frequently analyze, the reports you generate, the agents you interact with most often, the questions you ask repeatedly, and the depth of analysis you typically require.
- Decision patterns. The AI tracks which recommendations you accept, dismiss, or escalate to a teammate, in order to calibrate the relevance of future suggestions.
- Communication style. The AI may adapt the tone, length, and depth of its responses based on the patterns of your past interactions (e.g., concise summaries vs. detailed walkthroughs).
- Anomaly memory. The AI remembers accounting anomalies, classification corrections, and exception patterns you have previously flagged, so similar issues are surfaced (or auto-resolved) more accurately over time.
- Unresolved-thread tracking. The AI keeps a running list of open questions, deferred decisions, and follow-ups so it can remind you and continue conversations across sessions.
4.6 Self-Improving Agent Layer — How We Use Your Interactions to Get Better
ILORA.ai operates an agent layer that improves with use. When you correct an AI extraction, accept or reject a recommendation, answer a clarification request, or otherwise interact with the Service, those interactions are recorded and used to enhance the agent layer in the following bounded ways:
- Per-field confidence calibration. When you correct a value the AI extracted from a document (e.g., a ledger row, a tenant name, a lease date), we use the correction to adjust the confidence weights for that field type going forward. This is statistical weight adjustment, NOT model fine-tuning.
- Knowledge flywheel. Agents record outcomes from past decisions (what they recommended, whether the recommendation was accepted, whether the result was favorable) and consult that history before making similar future decisions on your portfolio.
- Prompt optimization. The system tracks which agent-prompt formulations produce higher-quality answers in your specific context and prefers those formulations over time.
- Routing improvements. The system learns which specialist agent best answers which type of question for your portfolio and routes accordingly.
- Continuous grading. Outputs are graded for quality (accuracy against verified ground truth, your acceptance rate, downstream consequences). Lower-graded patterns are adjusted or retired.
What this is NOT: we do not train or fine-tune any neural-network model (LLM, embedding model, or vision model) on your data. The improvements above are heuristic weights, retrieval indices, prompt selections, and routing tables — not learned model parameters. Your data does not become part of any model that ILORA.ai or any third party uses to serve another customer.
4.7 Persistent Memory Across Sessions
ILORA.ai uses a three-tier memory architecture so the agents you interact with do not start from zero each session:
- Tier 1 — short-term buffer: chat-message history within the current session, retained for the session and trimmed at session end.
- Tier 2 — session summaries: compressed summaries of your past sessions including identified assets, KPI focus, accounting anomalies, user preferences, and unresolved threads. These are surfaced when you start a new session so context carries forward.
- Tier 3 — long-term vector memory: embeddings of substantive interactions are stored in a private, organization-scoped vector index that the agents consult when a current question is similar to a past one. This index is never shared across organizations.
All three memory tiers are scoped to your organization via Row-Level Security (RLS). Your memory data is never visible to other ILORA.ai customers, and our staff accesses it only when required for support, under audit logging.
4.8 Predictive Analytics — Assessing Future Needs and Wants
Based on the profile (Section 4.5) and memory (Section 4.7), our AI may proactively predict and surface:
- Reports we believe you will want at the start of a new period (e.g., a Q4 NOI variance review).
- Anomalies we anticipate based on past patterns (e.g., a recurring monthly journal-entry adjustment).
- Tenant, lease, vendor, or insurance-renewal events approaching their critical dates.
- Cross-property opportunities we infer from comparing your portfolio against itself or against anonymized industry benchmarks.
- Suggested next actions in workflows you have started but not completed.
Predictions are surfaced as suggestions, not as automated actions. We do not execute material decisions (financial transactions, legal filings, irreversible portfolio changes) on your behalf without your explicit confirmation.
4.9 Your Controls Over AI Personalization
You can manage how the AI ecosystem interacts with your data from in-app Settings:
- View your AI profile — see the inferred preferences, KPI focus, and patterns the AI has built about you.
- Correct or remove specific profile entries — if the AI has inferred something incorrectly, you can edit or delete it; the change propagates immediately to active agents.
- Reset memory — wipe Tier 2 session summaries and Tier 3 vector memory for your account or your entire organization. Agents will start from zero context after a reset.
- Disable proactive predictions — turn off Section 4.8 features and use the Service only in reactive mode (you ask, AI answers; nothing surfaces unprompted).
- Disable self-improvement — opt out of contributing your interactions to the per-field confidence calibration and knowledge-flywheel improvements described in Section 4.6. Your individual experience may be slightly less calibrated, but your data does not contribute to any improvement signal.
- Export and delete — under Section 10 of this policy, you can export your AI profile and memory data in a portable format, and request full deletion at any time.
When you delete your account, all of the items in this Section 4 (profile data, memory tiers, learned calibrations attributable to your interactions) are deleted within the timeframes described in Section 8.
5. Data Security
We use industry-standard administrative, technical, and physical safeguards:
- Encryption in transit: all connections use TLS 1.2 or higher.
- Encryption at rest: AES-256 on Supabase (PostgreSQL), AES-256 on Supabase Storage, AES-256 on backup snapshots.
- Row-Level Security (RLS): every table is RLS-enforced, isolating each organization's data at the database layer.
- SECURITY DEFINER hardening: no PostgreSQL function exposes EXECUTE privilege to the anonymous role; service-role keys are not exposed to client-side code.
- Authentication: Supabase Auth with optional MFA; passkey support; biometric unlock on mobile.
- Audit logging: all sensitive operations (data exports, permission grants, account deletions) are logged immutably.
- Vulnerability management: automated dependency scanning (Dependabot), regular reviews.
- Personnel access: the principle of least privilege; production data is accessible only to engineers who require it for support, under audit logging.
No security control is perfect. If you become aware of a security issue, please report it to legal@ilora.ai.
6. Sub-Processors
We share necessary data with the following sub-processors, each bound by a written DPA:
- Supabase, Inc. — database, authentication, storage, and realtime services. Hosted in US-East AWS regions.
- Vercel, Inc. — web hosting, serverless function execution, edge caching.
- Twilio SendGrid — transactional email delivery and inbound reply parsing.
- Stripe, Inc. — payment processing.
- Slack Technologies, LLC — only when your organization has explicitly connected its own Slack workspace via OAuth.
- Apple, Inc. (APNs) and Google LLC (FCM) — mobile push notification delivery.
- LLM providers — see Section 4.1.
We do not sell your personal information. We may disclose information when required by law, valid legal process, or to protect rights, safety, or property.
7. International Data Transfers
We are based in the United States. If you access the Service from outside the U.S., your data is transferred to and processed in the U.S. For users in the European Economic Area, United Kingdom, or Switzerland, transfers to the U.S. are made under the European Commission's Standard Contractual Clauses (SCCs) and supplemented by the safeguards described in this policy. By using the Service, you consent to such transfers, where consent is the lawful basis under applicable local law.
8. Data Retention
- Active accounts: data retained for as long as the account is active.
- Account deletion: upon your request, your data is deleted or anonymized within 30 days, except where law requires longer retention (e.g., financial records under tax law).
- Cancelled subscriptions: data is retained in cold storage for 90 days after cancellation to permit reactivation, then deleted.
- Logs: server logs retained for up to 90 days; security audit logs retained for up to 24 months.
- Backups: encrypted database backups are retained on a rolling 35-day window.
9. Cookies and Similar Technologies
We use first-party cookies for authentication (session tokens), preferences (theme, language), and security (CSRF protection). We do not use third-party advertising or social-media tracking cookies. You can disable cookies in your browser settings, but doing so may break authentication and core features. See our Cookie Policy for details.
10. Your Rights
Depending on where you live, you may have the following rights:
10.1 General Rights (All Users)
- Access a copy of your personal data.
- Correct inaccurate or incomplete data.
- Delete your account and data.
- Export your data in a portable format (JSON or CSV).
- Restrict or object to certain processing activities.
- Withdraw consent for any processing based on consent.
- Lodge a complaint with a data-protection authority.
10.2 European Economic Area, UK, and Switzerland (GDPR / UK GDPR)
Our lawful bases for processing are: (a) performance of a contract with you (Article 6(1)(b) GDPR), (b) our legitimate interests in operating and securing the Service (Article 6(1)(f)), (c) your consent where applicable (Article 6(1)(a)), and (d) compliance with legal obligations (Article 6(1)(c)). The data controller is Ilora AI, Inc.
10.3 California (CCPA / CPRA)
California residents may request to know what personal information we have collected about them, the sources, the business purpose, and to whom we have disclosed it. You may also request deletion. We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under California law. To exercise these rights, contact legal@ilora.ai.
10.4 How to Exercise Your Rights
Email legal@ilora.ai from the email address associated with your account. We will respond within 30 days. We may need to verify your identity before fulfilling certain requests.
11. Children's Privacy
ILORA.ai is not intended for use by children under 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected information from a child under 18, we will delete it promptly. If you believe a child has provided information to us, please contact legal@ilora.ai.
12. Data Breach Notification
In the unlikely event of a data breach affecting your personal information, we will notify affected users without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with applicable law (GDPR Article 33 and similar U.S. state breach-notification statutes).
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 30 days before they take effect. The “Last updated” date at the top of this policy reflects the most recent revision.
14. Contact Us
For questions about this Privacy Policy, to exercise your rights, or to report a privacy concern, please contact us at:
Ilora AI, Inc.
Email: legal@ilora.ai
Address: 7777 Glades Rd Suite 110, Boca Raton, FL 33434