Privacy Policy
Effective: May 14, 2026 · Last updated: May 14, 2026
1. Who operates Kaivira
Kaivira is operated by Robbie Sands, a licensed real-estate agent with Realty Executives Associates in Knoxville, Tennessee. Kaivira is a personal-use productivity tool that supports my real-estate practice and the clients I serve. It is not a separate company, brokerage, or franchise of Realty Executives.
All real-estate licensing, brokerage obligations, and transaction supervision flow through Realty Executives Associates per Tennessee law and TREC rules. Questions about this policy can be sent to hello@kaivira.com.
2. What information we collect
We separate the data we hold into three categories:
- Agent information — my own profile, MLS/IDX credentials, scheduling state, and platform-internal notes I take while running my practice.
- Client and transaction-party information — names, contact details, property addresses, transaction documents, and any information clients (or the cooperating party in a transaction) share with me to advance a tour, offer, or closing. This includes data that flows through Dotloop as part of normal brokerage transaction management.
- Usage data — visitor activity on Kaivira.com (searches run, listings viewed, saved homes, saved searches), authentication state, hashed IP for rate limiting, device/browser metadata, and product telemetry used to debug and improve the site.
We also capture your IP address (retained as a hash for up to 12 months, used for lead-routing and rate-limiting) and an IP-derived city, state, latitude, and longitude so we can assign you to the agent who covers your territory. We do not use this for advertising and do not share it with third parties.
3. How we use the information
- Provide the search, saved-homes, tour, and seller tools the visitor came for.
- Authenticate accounts, prevent abuse, and rate-limit requests.
- Send transactional emails the user has requested (account, alerts, tour-related, and CMA confirmations).
- Support active and prospective real-estate transactions I am working on under Realty Executives Associates.
- Debug issues, monitor reliability, and improve the product based on aggregated usage.
- Comply with applicable laws, TREC and MLS rules, and the requirements of my brokerage.
4. Brokerage sharing — Realty Executives Associates, HUB, and Dotloop
Because I practice under Realty Executives Associates, some client and transaction data is shared with the brokerage and its compliance/document systems:
- Realty Executives HUB — the agent intranet/back-office used by Realty Executives. Information needed to run a transaction or to satisfy compliance review may be visible there.
- Dotloop — the brokerage's transaction-management platform. Offer documents, disclosures, signatures, and the parties' identifying details flow through Dotloop. Dotloop is the system of record for transaction documents during and after a deal.
I do not sell client data to third parties. I share it only where required to operate the transaction, comply with brokerage policy, or comply with law.
5. Third-party services we rely on
Kaivira is built on top of standard cloud infrastructure. Each provider processes only the data needed to perform its function and is bound by its own privacy and security obligations.
- Dotloop — transaction management for offers, disclosures, and signatures.
- Resend — transactional email delivery (account, alerts, CMA confirmations).
- Google Gemini API — natural-language understanding for Co-Pilot search.
- OpenAI — fallback model for Co-Pilot search when Gemini is unavailable.
- Spark MLS / FBS / Flexmls — listing data feed from East Tennessee Realtors.
- Mapbox — interactive mapping and basemap rendering.
- Vercel — application hosting, edge networking, and serverless execution.
- Sentry — error monitoring and crash reporting.
- PostHog — product analytics for usage and feature improvement.
Conversational queries sent to the Co-Pilot are forwarded to Gemini (or, as a fallback, OpenAI) so the model can interpret them and return structured filters. We do not include any client PII in those calls; the Co-Pilot operates on the search text the visitor typed.
Voice conversations with our agents are recorded and transcribed. Transcripts are sent to Google Gemini for topic classification (homebuying intent, financial questions, timeline). 200-character excerpts are stored for up to 180 days; full transcripts are deleted after that period.
6. Cookies, local storage, and OAuth state
Kaivira uses first-party cookies, browser localStorage, and short-lived OAuth state for the following functions:
- Keeping you signed in (session cookie).
- Preserving UI preferences such as basemap choice, comparison list, and mortgage assumptions.
- Remembering your last few search labels (capped at 3) so the mobile landing page can offer them back to you in the “Pick up where you left off” row.
- Remembering whether you’ve already dismissed the “browse neighborhoods” scroll hint, so it doesn’t reappear on every visit.
- Holding OAuth state while you complete sign-in with Google.
- Rate-limit and CSRF tokens needed to keep the API safe.
These per-device records stay on your device. If you re-tap a saved label, that triggers a normal search request like any other — the label itself never leaves your browser.
We do not use third-party advertising cookies, cross-site tracking pixels, or data brokers for retargeting.
Even when you decline analytics cookies, we set a necessary-tier session identifier in localStorage to maintain your session across page loads. This identifier stays on your device and is not shared with third parties.
7. Transactional emails
We send email only for things you initiated or signed up for: account notices, saved-search alerts, tour confirmations, and CMA verification/confirmation. Marketing email, if any, will include a working unsubscribe link.
8. Data retention
Account information is kept while your account is active. Other categories of data follow specific retention windows so we keep the minimum necessary to operate the product, debug issues, and satisfy legal/brokerage obligations:
- Search and browsing telemetry (search sessions, listing views, impressions, map interactions, mortgage calculator usage, listing-detail events): 90 days.
- Lead intelligence aggregates (derived signals such as IP geo, device count, email-domain category): 12 months.
- Email delivery events (sends, opens, bounces, complaints): 24 months so we can honor sender-reputation and deliverability obligations.
- Voice session transcripts (when voice features are used): 180 days.
- Product event streams (Co-Pilot turns, compare interactions, search refinements, onboarding steps, saved-hub events, form events, content engagement): 365 days.
- Security and audit trail (authentication events, lifecycle events, privacy events): retained as part of our security and compliance record.
- Transaction documents and brokerage records: retained for the period required by Tennessee real-estate law and Realty Executives Associates' compliance policies, even after a deal closes.
When you delete your account, we remove your personal data except where retention is required by law or by the brokerage. Pruning runs on scheduled cron jobs aligned to the windows above; we re-evaluate windows annually.
9. Your rights
- Access: request a copy of the personal data we hold about you.
- Correction: update your profile from inside your account at any time.
- Deletion: delete your account from settings, or email us to request deletion of remaining personal data not subject to legal/brokerage retention.
- Opt-out of email: use the unsubscribe link in any marketing email, or disable alerts in settings.
To exercise any of these rights, email hello@kaivira.com.
9a. California residents
If you live in California, the following plain-English summary describes the rights we honor regardless of whether we currently meet the CCPA statutory volume thresholds. Final statutory citations are deferred pending counsel review.
- Right to know what personal information we hold about you and how we use it.
- Right to delete personal information, subject to legal and brokerage retention.
- Right to correct inaccurate personal information.
- Right to data portability — receive a machine-readable copy of your data.
- Right to opt out of “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under California law.
To exercise any of these rights, email hello@kaivira.com. We verify requests by matching identifying information you provide to what we already have on file.
9b. Virginia residents
If you live in Virginia, you have the following rights under the Virginia Consumer Data Protection Act (VCDPA):
- Right to confirm and access the personal data we process about you.
- Right to correct inaccuracies.
- Right to delete personal data you provided or that we obtained about you.
- Right to data portability in a portable, readily usable format.
- Right to opt out of the sale of personal data, targeted advertising, or profiling that produces legal or similarly significant effects. We do not engage in any of those activities.
Email hello@kaivira.com to exercise these rights. If we decline a request, we'll explain the basis and you may appeal by replying to that decision.
9c. Colorado residents
If you live in Colorado, you have the following rights under the Colorado Privacy Act (CPA), which mirror the Virginia rights above:
- Right to access the personal data we process about you.
- Right to correct inaccuracies.
- Right to delete personal data.
- Right to data portability.
- Right to opt out of sale, targeted advertising, and profiling for decisions with legal or similarly significant effects. We do not engage in any of those activities.
Email hello@kaivira.com to exercise these rights and to appeal any denial.
10. Children
Kaivira is not directed at children under 13 and we do not knowingly collect personal information from them. We comply with the Children's Online Privacy Protection Act (COPPA). If you believe a child has provided us with personal information, please contact us and we will delete it.
11. Security
We use industry-standard safeguards: HTTPS everywhere, JWT session tokens, bcryptjs password hashing (12 rounds), encryption at rest for OAuth tokens, least-privilege database access, rate limiting, and error monitoring. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.
12. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email or through a notice on the site. The effective date at the top of this page always reflects the most recent update.
13. Contact
Questions, requests, or concerns about this policy or your data? Email hello@kaivira.com. I respond personally.
See also our Terms of Service.

