INTERNAL PROTOTYPE — NOT LEGAL ADVICE — DO NOT SEND

Privacy Policy

Last updated: 2026-05-07

This page describes what Tenant Wiki does with the information you provide. It is written to be honest about the current implementation, not to make promises the software doesn't keep.

What we ask you for

To generate a demand letter, the tool asks for:

  • Your email address (for sign-in)
  • Facts about your situation (jurisdiction, addresses, dates, dollar amounts, names of parties)
  • Optionally, an organization code from a partner (tenant union, legal aid)

We do not ask for ID, proof of residency, your lease, or anything beyond what the rules engine needs to validate your claim.

How we store email

Your email address is converted to a one-way HMAC fingerprint as soon as it arrives. The fingerprint is what the database stores. The original email address is only held in server memory long enough to send your sign-in link, then discarded.

Practical consequence: we cannot reverse the fingerprint to recover your email. We also cannot proactively reach out to you — if we ever discover a legal error in generated output and need to notify affected users, the only path is a public notice on this site, not an email.

How we store the facts you enter

The facts you enter into the generation form are used to evaluate eligibility rules and fill in the letter template. Letter generations are recorded with the jurisdiction, claim type, and your fingerprinted user token — but the raw fact values (names, addresses, dollar amounts) are not retained in the primary database after generation completes. The generated PDF is written to disk so you can download it; PDFs older than 30 days are pruned.

Server logs

The web server logs IP addresses, request paths, and timestamps for routine diagnostics. These logs are retained for 30 days. Application logs (errors, rule-engine events) are retained for the same period.

What we don't do

  • We do not share your information with landlords, courts, or third parties.
  • We do not sell or rent your data.
  • We do not use the facts you submit to train AI models.
  • We do not run third-party advertising trackers or analytics SDKs.

Browsing the database

Searching the corpus, reading statutes, and browsing the rights and deadlines pages requires no account and writes nothing about you to the application database. The only record is the standard server log described above.

Cookies

After you sign in, a session cookie keeps you signed in across pages. The cookie holds only an opaque session identifier — no personal data. Sessions expire after 7 days of absence or 24 hours of inactivity, whichever comes first. Logging out deletes the session immediately.

Deleting your data

Signed-in users can wipe every record we hold tied to their account at any time: demand letters, lease audits, encrypted intake-fact blobs, encrypted lease extractions, active sessions, and the email-to-user mapping itself. Visit Delete My Data from any signed-in page. You retype the email tied to your account as a confirmation step (we can't pre-fill it because we only store an HMAC, not the plaintext), then the delete runs immediately and irreversibly. After the wipe you're signed out; you can sign back up later with the same email but anything tied to your old account is gone.

Changes to this policy

If the implementation changes in a way that affects what we collect or how we store it, this page will be updated. The "Last updated" date at the top reflects the most recent revision.