Privacy Policy

How we collect, use, and protect your personal information when you use our services.

1. Information We Collect

When you use EXPX Estates, we may collect the following types of information:

  • Contact Information: Name, email address, phone number, and current mailing address.
  • Application Information: Date of birth, employer, years of employment, gross annual income, monthly debt obligations, financing preferences (down payment, balloon term, desired move-in date), and, if applicable, co-applicant information.
  • Sensitive Identifiers: The last four digits of your Social Security Number — used for identity verification and application record-keeping. We do not collect full Social Security Numbers through this website.
  • Self-Reported Credit Range: A credit-range bracket that you select (for example, "660–699"). We do not pull your credit report from any bureau as part of the online application.
  • Usage Data: IP address, browser type, pages visited, and approximate time on site, collected to operate the site and protect it from abuse.
  • Communications: Messages you send us via the application form, email, or the on-page chat widget.

2. How We Use Your Information

We use the information we collect to:

  • Review and evaluate financing applications for our owner-financed properties.
  • Communicate with you about your application status, next steps, and property availability.
  • Send informational updates about available properties when you subscribe to our newsletter.
  • Operate and secure the website, including rate-limiting abusive traffic.
  • Comply with applicable legal, tax, and real-estate record-keeping requirements.
  • Prevent fraud and verify applicant identity when we move forward with a transaction.

3. Credit Information

The online application asks you to self-report a credit-score range. Submitting the application does not trigger any credit inquiry — we do not contact a credit bureau during online intake, and your credit score is not affected by applying.

If we invite you to move forward toward a land-contract signing, we may request written consent to verify your credit through a bureau-reported soft or hard inquiry. We will describe which type of inquiry is being requested before you sign any authorization, and we will not run a bureau inquiry without your separate, explicit written consent.

Self-reported credit information is used solely to evaluate your financing fit and is never sold or shared with third parties for marketing.

4. Information Sharing

We do not sell, rent, or trade your personal information. We share information only in these limited circumstances:

  • Hosting & Infrastructure: Our website is hosted by Netlify, which stores encrypted application records and operates functions needed to receive your submission. Netlify acts as a processor bound by its own security commitments.
  • Legal Requirements: When required by law, court order, or government authority.
  • Closing Professionals: If your application advances toward closing, we may share relevant details with a title company, escrow officer, or attorney you have authorized us to work with.
  • Business Transfers: In a merger, acquisition, or sale of assets, with notice to affected users.
  • With Your Consent: For any purpose to which you have explicitly consented.

5. Data Security

We take reasonable technical measures to protect the information you submit:

  • In transit: All traffic to this site is served over HTTPS (TLS), with HTTP Strict Transport Security enforced.
  • At rest: Sensitive identifiers — specifically the last four digits of your Social Security Number and your co-applicant's, when applicable — are encrypted at rest using authenticated AES-256-GCM encryption before being written to storage. The encryption key is held only as a server-side secret and is never exposed to the browser.
  • Access: The administrative dashboard is protected by a server-issued, signed, HTTP-only session cookie. Public browsing of the dashboard is blocked, and SSN fields are redacted from the admin view by default.
  • Abuse protection: Application, newsletter, chat, and login endpoints are rate-limited, and the application form uses a hidden honeypot field to reject automated spam.
  • Content Security Policy: The site enforces a strict Content Security Policy (no inline scripts, no third-party script origins other than the map library, no framing) and standard defensive response headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).

No system is perfectly secure. If you believe your data has been compromised, please contact us immediately using the information in Section 12.

5a. Automated Compliance Monitoring ("Paperclip")

To make sure we handle every application consistently and under applicable consumer-credit and fair-housing rules, we run an internal automated watchdog we refer to as Paperclip. Paperclip is a server-side process that is part of this website; no data is sent to any third-party vendor for this purpose.

  • What it does: When you submit an application, and again on a daily schedule, Paperclip reads the application record and flags conditions that warrant human review — for example, a very high debt-to-income ratio, a rate that could trigger federal "high-cost mortgage" disclosures, a missing required field, or a lead that has been open long enough to require an adverse-action notice under the Equal Credit Opportunity Act.
  • What it does not do: Paperclip does not approve, deny, price, or score your application. It does not make any credit decision. The only automated output is a list of compliance notes sent to the human reviewer. Every credit decision is made by a person.
  • What it sends: When a flag fires, Paperclip may email the property owner an internal summary that includes your application ID, name, email, and the flagged terms. No Social Security digits are included in the email, and the summary is sent only to our internal compliance address — not to any third party.
  • Your rights: You may request a copy of any Paperclip notes on file for your application, request correction of inaccurate data used by the monitor, or request that we reconsider any decision influenced by a flag. Use the contact information in Section 12.

6. Cookies and Tracking

We deliberately run this website without third-party advertising networks, behavioral-analytics tags, or cross-site tracking pixels. We do not use Google Analytics, Facebook Pixel, or any comparable ad-tech tracker, and we do not sell, rent, or share any information about your visit for advertising.

The cookies and similar storage mechanisms actually used by this site are limited to:

  • Administrative session cookie (__Host-xap_session): set only when a site administrator logs into the dashboard. It is a signed, HttpOnly, Secure, SameSite=Strict cookie bound to this exact origin and expires after 8 hours. It is never set for ordinary visitors.
  • Server-side abuse controls: rate-limit counters stored on our server (not in your browser) keyed by your IP address, retained for a short rolling window and used only to throttle scripted abuse.
  • Map tiles: the property-location map loads map tiles from OpenStreetMap. Those requests include your IP address as any web request does; they do not set tracking cookies.

Because we set no non-essential cookies for public visitors, there is nothing meaningful to "opt out" of at the visit level. You can still clear or block cookies in your browser at any time without affecting your ability to read our listings or submit an application.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Opt-Out: Unsubscribe from marketing communications at any time.
  • Portability: Request your data in a portable format where technically feasible.

To exercise any of these rights, please contact us using the information in Section 12.

7a. California Residents (CCPA / CPRA)

If you are a California resident, you have the additional right to know what personal information we collect, to request deletion, to correct inaccurate data, to opt out of any sale or sharing of personal information (we do not sell or share personal information as those terms are defined under the CCPA/CPRA), and to limit the use of sensitive personal information. You may also designate an authorized agent to make a request on your behalf. We will not discriminate against you for exercising any of these rights. To submit a request, email info@expxestates.com with the subject line "California Privacy Request." We respond to verifiable consumer requests within 45 days.

8. Data Retention

We retain information only as long as we have a legitimate reason to. The retention floors below are the minimums we are required to keep; you may request earlier deletion of anything not bound by a legal floor.

  • Financing applications that do not lead to a contract are retained for at least 25 months after our decision, per the Equal Credit Opportunity Act and Regulation B (12 CFR §1002.12), and for up to 24 months thereafter so we can follow up if a suitable property becomes available. After that, the record is deleted or anonymized on request.
  • Applications tied to an executed land contract are retained for the life of the contract plus the period required by federal tax and Ohio real-estate record-keeping rules (generally up to seven years after final settlement).
  • Adverse-action records (denials, counter-offers, incomplete applications) are retained for 25 months per ECOA, whether you submitted a full application or only an inquiry that we acted on.
  • “Paperclip” compliance-monitoring logs — internal flag reports and the owner’s email digest — are retained for 25 months alongside the related application, then purged. No Paperclip report is shared with any third party. See Section 5a.
  • Unsubscribe / do-not-contact list is retained indefinitely. We intentionally do not delete your suppression record even if you ask us to; losing it would let us accidentally email you again and violate the CAN-SPAM Act (15 U.S.C. §7704(a)(4)). The list stores only a one-way SHA-256 hash of your email address, not the address itself.
  • Newsletter subscriptions are retained until you unsubscribe, then moved to the suppression list above.
  • Chat logs and request logs are retained for up to 90 days for security and abuse investigation.
  • Rate-limit counters are transient — a sliding window of roughly one hour. They are keyed only by a coarse IP fingerprint and are not associated with your name or email.
  • Server access logs are retained by our hosting provider (Netlify) per their standard policy, typically 30 days.

You may request earlier deletion at any time using the contact information in Section 12; we will honor the request unless we are required to retain the record to comply with law or to complete a transaction you have initiated.

9. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us immediately and we will take steps to delete such information.

10. Third-Party Links

Our website may contain links to third-party websites, including mapping services and financial calculators. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies independently.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will post the revised policy on this page with an updated effective date. Your continued use of our services after such changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Mailing Address: 1601 Nevada St, Toledo, OH 43605
  • Email: info@expxestates.com
  • Phone: (419) 555-0000 — Mon–Fri 9am–6pm ET
  • Governing Law: This policy is governed by the laws of the State of Ohio.

Last updated: April 21, 2026 | Effective immediately

Equal Housing Opportunity. We comply with the Federal Fair Housing Act (42 U.S.C. §3601 et seq.) and the Ohio Fair Housing Law (O.R.C. Chapter 4112). We do not discriminate on the basis of race, color, religion, sex (including gender identity and sexual orientation), familial status, national origin, disability, military status, or ancestry.

Seller & Licensing Disclosure. EXPX Estates is a private property owner ("for-sale-by-owner") offering seller financing on property held for investment. We are not a licensed real estate broker, mortgage lender, mortgage loan originator, bank, or financial institution. Nothing on this site is a commitment to lend, an offer of credit, or legal, tax, or financial advice. Consult a licensed attorney or housing counselor before signing a land contract. HUD-approved counselors: hud.gov/findacounselor.
