Kestrel RMS Privacy Policy
Version 1 · Effective 2026-04-22
KESTREL PRIVACY POLICY
Last Updated: January 1, 2026
TALON VENTURES LLC (d/b/a Kestrel RMS) ("Kestrel," "we," "us," or "our") values your privacy. This Privacy Policy describes how we collect, use, and share information when you use our website (www.KestrelRMS.com) and related services (collectively, the "Services").
This Privacy Policy is incorporated into and supplements our Terms of Service. When you create a Kestrel account, we ask you to affirmatively accept this Privacy Policy through an "I Agree" checkbox alongside the Terms of Service. Your continued use of the Services constitutes ongoing acceptance of this Privacy Policy as it may be updated in accordance with Section 10.
Scope. The Services are currently offered only to individuals located within the United States who are 18 years of age or older. We do not currently offer the Services to residents of Washington State. This Privacy Policy applies to personal information collected through our United States operations.
1. INFORMATION WE COLLECT
We collect personal information in three ways: (a) information you provide to us directly; (b) information collected automatically through our infrastructure; and (c) information we receive from third-party sources you authorize.
1.1 Information You Provide
- Account Registration. When you register for an account, we collect your name, email address, and password. We do not currently collect a phone number at registration. If you voluntarily provide additional information (such as through support communications), we may retain that information as described in Section 6.
- User Content. You upload documents (such as leases, deeds, loan documents, and insurance policies) and input data (such as property addresses, transaction notes, and tags) through the Services. We refer to this collectively as "User Content."
- Third-Party Personal Information in User Content. User Content you upload (for example, a lease) often contains personal information about third parties, such as your tenants' names, contact details, or signatures. With respect to that third-party information: you act as the "Controller" or "Business" of such data under applicable law, and Kestrel acts as your "Processor" or "Service Provider," storing and processing it solely on your behalf and in accordance with your instructions. You are responsible for obtaining any consents and providing any notices required by law before uploading third-party personal information to the Services. Our contractual commitment to you with respect to this third-party data is set out in Section 3.
- Support Communications. Records of your interactions with our customer support team, including messages, attachments, and metadata.
1.2 Information From Third-Party Integrations
- Banking Data (via Plaid). When you choose to link a bank account, we use Plaid Technologies, Inc. ("Plaid") as our data-aggregation service. You provide your financial-institution login credentials directly to Plaid; Kestrel does not receive or store those credentials. Plaid provides us with a tokenized access credential, and we receive from Plaid: (i) institution name, account type, and the last four digits of the account number; and (ii) transaction history (amounts, dates, merchant names, and categorizations). We use the Plaid products Transactions and Liabilities. Your use of Plaid is subject to Plaid's End User Privacy Policy. If you disconnect a linked account through the Services, we retain previously-retrieved transaction data for up to thirty (30) days, after which it is permanently deleted from our systems except as required by law.
A payment-processing integration with Stripe, Inc. will be added when paid subscriptions become available. At that time, we will update this Privacy Policy to describe the information Stripe collects on our behalf and the information we receive from Stripe.
1.3 Information Collected Automatically
Kestrel does not currently operate a first-party analytics program, and we do not use third-party web-analytics vendors (such as Google Analytics), fingerprinting tools, or clickstream-capture tools. The following information is logged by our hosting and infrastructure providers as a byproduct of operating the Services:
- Server and Security Logs. Our hosting and infrastructure providers automatically log IP addresses, browser type and version, operating system, request timestamps, and URLs requested. These logs are used for security, fraud prevention, abuse detection, and operational troubleshooting. Logs are retained for up to ninety (90) days.
- Cookies. We use a strictly necessary session cookie to keep you signed in. We do not use advertising, analytics, or cross-site tracking cookies. A table describing the cookies we use is available at www.kestrelrms.com/cookies.
- Global Privacy Control (GPC). Where our systems detect a Sec-GPC: 1 header from your browser, we honor it as a valid request to opt out of any "sale" or "sharing" of your personal information as those terms are defined by applicable state law.
- Do Not Track. We do not separately respond to browser Do-Not-Track signals because no uniform standard for how to respond has been established. We honor GPC as described above.
2. HOW WE USE YOUR INFORMATION
We use the information we collect for the following purposes:
- To Provide the Services. Hosting your documents, displaying your financial data, managing your calendar and notifications, and operating the features you use.
- To Power AI Features. We send text extracted from your documents and your chat messages to third-party AI providers (currently Anthropic, PBC and OpenAI, L.L.C.) for the sole purpose of generating summaries, extracting dates and amounts, categorizing transactions, and responding to your queries within the Services. Vendor data-use terms. Our use of these vendors is governed by their commercial API terms, which prohibit the use of your inputs to train publicly-released foundation models. We do not authorize these vendors to use your inputs for model training, and we select vendor configurations and plan tiers intended to prevent such use. We do not use your identifiable documents or financial data to train any Kestrel-developed AI model.
- To Improve Kestrel. We may use anonymized and aggregated data (which cannot reasonably be used to identify you) to analyze usage trends and improve the Services.
- To Communicate With You. Sending transaction receipts, security alerts, account notices, and support responses. We do not send marketing emails without your separate opt-in consent, and every marketing email will include an unsubscribe mechanism consistent with the CAN-SPAM Act.
- For Legal and Safety Purposes. Complying with court orders, subpoenas, and valid law-enforcement requests; enforcing our Terms of Service; protecting the rights, property, or safety of Kestrel, our users, or others; detecting and preventing fraud.
- Automated Decision-Making. Kestrel does not currently use automated decision-making to make legal or similarly significant decisions about you. AI-generated summaries, categorizations, and insights are provided to you as assistive tools; decisions about your properties, tenants, finances, or accounts are made by you. If this changes, we will update this Privacy Policy and provide any rights required by applicable law.
3. HOW WE SHARE YOUR INFORMATION
We do not sell or share your personal information as those terms are defined by the California Consumer Privacy Act (CCPA/CPRA) or any comparable state privacy law. We do not engage in "cross-context behavioral advertising," and we do not receive any monetary or other valuable consideration for disclosing your personal information. We share personal information only in the circumstances described below.
3.1 Service Providers and Subprocessors
We engage trusted vendors to help operate the Services. Each vendor is bound by a written agreement limiting their use of your personal information to the purposes for which we engaged them. Our current subprocessors are:
| Subprocessor | Purpose | Data Categories |
|---|---|---|
| Supabase, Inc. | Application database, authentication, and file storage | Account data, User Content, documents, transaction data |
| Vercel, Inc. | Web hosting, serverless compute, and feature flags | Server logs, request metadata, IP addresses |
| Plaid Technologies, Inc. | Read-only banking data aggregation | Financial-institution data, transaction history |
| Anthropic, PBC | AI document extraction and summarization | Text extracted from your User Content and queries |
| Upstash, Inc. | Redis cache for session and transaction data | Session identifiers, cached transaction metadata |
| Resend, Inc. | Transactional email delivery | Email address, message content, delivery metadata |
| Google LLC (OAuth) | Optional Sign-in-with-Google authentication | OAuth identifier, email address, name |
An up-to-date list of our subprocessors is maintained at www.kestrelrms.com/legal/subprocessors. We will provide at least thirty (30) days' advance notice of material changes to this list by email or in-product notice. You may object to a new subprocessor by terminating your account before the change takes effect.
Our subprocessors may process data in regions outside your state of residence. We configure our services to use United States regions by default, but some infrastructure providers operate global networks that may handle data in transit through other regions. We do not transfer data to countries subject to U.S. government embargo.
3.2 Business Transfers
If Kestrel is involved in a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred to the successor entity as a business asset. In the event of such a transfer, we will: (a) provide you with at least thirty (30) days' advance notice by email where practicable; (b) require the successor to honor this Privacy Policy, or provide you with an updated Privacy Policy and an opportunity to exercise your deletion right before the transfer takes effect; and (c) obtain any consents required by applicable law.
3.3 Legal and Safety Disclosures
We may disclose personal information when we reasonably believe it is necessary to: (a) comply with a law, regulation, subpoena, court order, or valid legal process; (b) respond to a lawful request from a government or law-enforcement agency; (c) protect the rights, property, or safety of Kestrel, our users, or others; (d) enforce our Terms of Service; or (e) detect, prevent, or address fraud or security issues. Where lawful to do so, we will: challenge overbroad or improper government requests; provide notice to affected users; and publish periodic transparency reports once our user base reaches a reasonable reporting threshold.
4. ARTIFICIAL INTELLIGENCE
Kestrel uses generative AI to power document extraction, categorization, and the "Kestrel Assistant" chat feature.
- Input Data. When you upload a document or ask the Assistant a question, relevant text from your User Content and your query is sent to our AI subprocessors (Anthropic) for processing.
- Vendor Data-Use Terms. Our use of these vendors is governed by their commercial API terms. Those terms prohibit the vendors from using your inputs to train publicly-released foundation models. We do not authorize training use, and we select vendor plan tiers and configurations intended to prevent such use. We do not claim that either vendor is perfect, and we cannot guarantee the conduct of any third party, but we monitor vendor terms and will update this Privacy Policy if those terms materially change.
- Sensitive Information in Documents. If you voluntarily upload documents containing sensitive personal information (such as Social Security Numbers, government ID numbers, or financial-account numbers), that information is encrypted at rest and in transit but will be processed by our AI subprocessors in the same manner as other text. We encourage you to redact sensitive identifiers that are not necessary for the purposes for which you are using the Services.
- Accuracy. AI-generated outputs may contain errors, including "hallucinations" (plausible but incorrect statements). You are responsible for verifying AI-generated outputs against source documents before relying on them for any financial, tax, legal, or business purpose.
5. DATA SECURITY
We implement physical, technical, and administrative safeguards designed to protect your personal information. These include:
- Encryption. Data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256 or equivalent industry-standard encryption. Access tokens and high-sensitivity identifiers are encrypted using keys managed in a dedicated key-management system.
- Access Controls. Access to user data by Kestrel personnel is limited to personnel with a legitimate operational need and is logged. We review access logs periodically.
- Monitoring. We conduct regular security monitoring and vulnerability management across our infrastructure.
Security Incident Notification. In the event of a confirmed security incident affecting your personal information, we will notify affected users without undue delay, and in any event consistent with applicable state breach-notification laws. Notification will describe, to the extent known: the nature of the incident, the categories of information involved, the steps we have taken in response, and recommended steps you can take to protect yourself. Notification will be provided via the email address associated with your account and, where applicable, through other channels required by law.
Your Role. No security system is perfect. You are responsible for maintaining the confidentiality of your account credentials and for using strong, unique passwords. Notify us immediately at security@kestrelrms.com if you believe your account has been compromised.
6. DATA RETENTION
We retain personal information only as long as necessary for the purposes set out in this Privacy Policy, and in accordance with the following schedule:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account registration data (name, email, password hash) | Life of account + 30 days | Provide the Services |
| User Content (uploaded documents, notes) | Controlled by you; deleted on account closure (with 30-day export window) | Provide the Services |
| Plaid-derived banking and transaction data | Until linked account is disconnected + 30 days | Provide the Services |
| Support communications | 2 years | Customer service and dispute resolution |
| Server and security logs | 90 days | Security and abuse prevention |
| Billing and financial records (when Stripe is active) | 7 years | Tax and accounting obligations |
| Fraud-prevention records | Up to 7 years | Fraud prevention and legal defense |
| Aggregated and anonymized data | Indefinite | Service improvement (not identifiable) |
Account Closure. When you close your account, we will: (a) make your User Content available for export for thirty (30) days through our account-export function; (b) delete your account registration data and User Content within thirty (30) days after the end of the export window, except as required to retain by law; and (c) retain data only as necessary for tax, legal, or fraud-prevention obligations, in accordance with the schedule above.
Deletion Requests. If you submit a verified deletion request under applicable state privacy law, your personal information may be permanently and irreversibly deleted within forty-five (45) days of verification, subject to the narrow retention obligations required by law. See Section 7 for the request procedure.
7. YOUR PRIVACY RIGHTS
Depending on where you live, you may have the following rights with respect to your personal information. We honor these rights for all United States residents as a matter of policy, regardless of whether your state of residence requires us to do so.
- Right to Know / Access. Request confirmation of whether we process your personal information, and a copy of the categories and specific pieces of personal information we hold about you.
- Right to Correction. Request that we correct inaccurate personal information.
- Right to Deletion. Request that we delete your personal information, subject to narrow exceptions required by law.
- Right to Portability. Receive a copy of your personal information in a commonly-used, machine-readable format (typically JSON, CSV, or PDF as applicable).
- Right to Opt Out of Sale or Sharing. We do not sell or share your personal information, so there is nothing to opt out of; if that changes, you will be able to exercise this right before any sale or share occurs.
- Right to Limit Use of Sensitive Personal Information. Limit our use of sensitive personal information to purposes reasonably necessary to provide the Services. See Section 9 for sensitive personal information details.
- Right to Non-Discrimination. Exercise any of these rights without being charged a different price or receiving a different level of service, except as permitted by law.
- Right to Appeal. If we deny a privacy request, you may appeal as described below.
7.1 How to Submit a Request
To submit a privacy request, email us at privacy@kestrelrms.com with the subject line "Privacy Request," or write to us at the address in Section 11. Please include: (a) your name; (b) the email address associated with your Kestrel account; (c) the right you wish to exercise; and (d) sufficient detail for us to verify your identity.
7.2 Verification
To protect your information, we verify requests using the email address on file for your account, and for deletion requests we may require additional verification (such as confirmation of the last four digits of a linked financial-institution account number or answers to account-specific questions). We apply a "reasonable" degree of certainty for access requests and a "reasonably high" degree of certainty for deletion requests, consistent with California Consumer Privacy Act regulations.
7.3 Response Timeline
We will acknowledge your request within ten (10) business days and respond substantively within forty-five (45) days of receiving a verified request. We may extend the response period by an additional forty-five (45) days where reasonably necessary, and will notify you of the extension and the reasons for it.
7.4 Authorized Agents
You may designate an authorized agent to submit requests on your behalf. We require: (a) a signed written permission from you to the agent; (b) direct verification of your identity with us; and (c) direct confirmation from you that you have authorized the agent. We may deny requests from agents that do not provide this information.
7.5 Appeals
If we deny your privacy request, you may appeal within sixty (60) days by emailing privacy@kestrelrms.com with the subject line "Privacy Appeal." We will respond to your appeal within forty-five (45) days. If we deny your appeal, we will provide a written explanation, and you may contact your state Attorney General or the California Privacy Protection Agency (if a California resident) to file a complaint.
8. CHILDREN'S PRIVACY
Our Services are intended for users who are eighteen (18) years of age or older. We do not knowingly collect personal information from any individual under 18. Consistent with the Children's Online Privacy Protection Act (COPPA), if we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly. If you believe we have collected information from a minor, please contact us at privacy@kestrelrms.com.
9. STATE-SPECIFIC PRIVACY DISCLOSURES
9.1 Notice at Collection (All U.S. Residents)
The table below summarizes the categories of personal information we collect, the purposes for which we collect each category, and the third parties with whom we share each category. This notice is provided at or before the point of collection as required by the California Consumer Privacy Act (CCPA/CPRA), and also serves as our general categorical notice for residents of all U.S. states with comprehensive privacy laws.
| Category (CPRA) | Collected? | Purposes | Recipients |
|---|---|---|---|
| A. Identifiers (name, email, IP, account ID) | Yes | Provide Services; security; comms | Subprocessors (Section 3) |
| B. Customer records (Cal. Civ. §1798.80 — name, address, financial info) | Yes | Provide Services; billing | Subprocessors; payment processor when active |
| C. Protected classifications | No | — | — |
| D. Commercial information (transaction data, property records) | Yes | Provide Services; analytics (anonymized) | Subprocessors |
| E. Biometric information | No | — | — |
| F. Internet/network activity (logs, session data) | Yes | Security; fraud prevention | Hosting providers (Section 3) |
| G. Geolocation (precise) | No (general-area IP geolocation only) | Security; fraud prevention | Hosting providers |
| H. Sensory data (audio, video, etc.) | No | — | — |
| I. Professional / employment info | Only if you upload it in User Content | Provide Services | Subprocessors |
| J. Education information | No | — | — |
| K. Inferences (preferences, characteristics) | No | — | — |
| L. Sensitive PI (see Section 9.2 below) | Yes | Provide Services | Subprocessors (Section 3) |
Sources. We collect personal information from: (a) you directly, when you register, upload documents, or communicate with us; (b) automatically, through our infrastructure as described in Section 1.3; and (c) third parties you authorize (Plaid, Google OAuth, and, when active, Stripe).
Retention. See the retention schedule in Section 6.
No Sale or Sharing. In the preceding twelve (12) months, we have not sold or shared (for cross-context behavioral advertising) any personal information, and we have no plans to do so.
9.2 Sensitive Personal Information
Under the CPRA, the following categories we collect are considered "Sensitive Personal Information" (SPI):
- Account log-in credentials (email and password hash used to authenticate to Kestrel).
- Financial-institution account information (institution name, account type, last four digits of account number, access tokens provided by Plaid).
- Government identifiers (such as Social Security Numbers, EINs, or driver's license numbers), only if you voluntarily upload documents containing them.
We use SPI only for the purposes of providing the Services, securing your account, and complying with law. We do not use or disclose SPI for purposes that would trigger the CPRA's "right to limit use." If you wish to exercise your right to limit use of SPI, email privacy@kestrelrms.com with the subject line "Limit SPI Use."
9.3 California Residents (CCPA/CPRA)
If you are a California resident, you have the rights set out in Section 7, including the right to know, delete, correct, opt out of sale or sharing, limit use of SPI, and not be discriminated against. We provide two methods to submit requests: email to privacy@kestrelrms.com and a webform at www.kestrelrms.com/legal/privacy-request. We will respond within the timelines in Section 7.3. California residents may also have rights under the "Shine the Light" law (Cal. Civ. Code §1798.83); we do not currently share personal information with third parties for those third parties' own direct-marketing purposes.
9.4 Other State Residents
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Delaware (DPDPA), New Hampshire (NHPA), Minnesota (MCDPA), Maryland (MODPA), New Jersey (NJDPA), and Rhode Island have rights substantially similar to those described in Section 7. To exercise these rights, use the contact methods described in Section 7.1. Residents of these states may also have the right to appeal a denial, as described in Section 7.5. If we deny your appeal, you may contact your state Attorney General.
9.5 Washington Residents
The Services are not currently offered to residents of Washington State. This restriction reflects the requirements of the Washington My Health My Data Act (MHMDA), which applies heightened obligations to certain "consumer health data." When the Services become available in Washington, we will publish a separate Consumer Health Data Privacy Policy and obtain any required opt-in consent before collecting consumer health data.
10. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. If we make any material change — including a change that reduces your rights, expands the categories of personal information we collect, expands the purposes for which we use personal information, or changes the categories of recipients with whom we share personal information — we will: (a) provide at least thirty (30) days' advance notice by email to the address associated with your account and through a prominent in-product notice; and (b) where the change is material and requires your consent under applicable law, require your affirmative acceptance of the revised Privacy Policy (an "I Agree" click) before it applies to you. If you decline, you may continue to use the Services under the prior version of this Privacy Policy through the end of your then-current billing period, after which your account will be closed in accordance with Section 6.
For non-material changes (such as clarifications, typographical corrections, or reorganizations that do not change the substance of this Privacy Policy), we will update the "Last Updated" date at the top of this policy. Your continued use of the Services after the effective date of such changes constitutes acceptance.
During any beta period of the Services, data-handling practices may evolve as features are added or modified. In such cases we will re-notice you consistent with Section 14 of the Terms of Service.
11. CONTACT US
If you have questions about this Privacy Policy or our data practices, contact us at:
TALON VENTURES LLC (d/b/a Kestrel RMS)
PO Box 4811, Fayetteville, AR 72702
- Privacy inquiries and requests: privacy@kestrelrms.com
- Security reports: security@kestrelrms.com
- General legal: legal@kestrelrms.com
- Customer support: support@kestrelrms.com
— End of Privacy Policy —