Privacy Policy for AmenityResy™

Last Updated: April 29, 2026

This Privacy Policy describes how Dibsly LLC ("we," "us," or "our") collects, uses, and discloses your personal information when you use the AmenityResy platform (the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.

1. Data Controller

Dibsly LLC is the data controller for personal information processed through AmenityResy. You can reach us at contact@amenityresy.com. If you are an EU/UK resident and have a concern we have not resolved, you have the right to lodge a complaint with your local supervisory authority.

2. Information We Collect

To provide a seamless amenity booking experience, we collect the following information:

  • Account data: name, email address, profile image, optional phone number, hashed password (if you signed up with email/password), or OAuth provider identifier (Google or Apple sign-in).
  • Building data: apartment/unit number, building location, role (admin or resident), and approval status.
  • Usage data: reservations, check-ins, no-show records, issue reports, in-app notifications, and building broadcasts you have sent.
  • Billing data (admins only): Stripe customer and subscription identifiers, invoice history, billing period dates. Card details are processed by Stripe and never stored by us.
  • Device data: IP address, browser type, mobile device push tokens, user-agent string used in security logs.
  • Consent records: timestamps and choices for resident terms, terms of service, privacy policy, and cookie preferences.

3. How We Use Your Information

We use your data to:

  • Facilitate and manage your amenity reservations.
  • Notify you of booking confirmations or building-wide amenity updates.
  • Provide your building management with attendance logs for safety and maintenance.
  • Process payments for paid amenities and admin subscriptions through Stripe.
  • Authenticate you, including multi-factor authentication where enabled.
  • Improve the Service, prevent fraudulent bookings, and respond to security incidents.

4. Lawful Basis for Processing (GDPR Article 6)

For users in the European Economic Area or the United Kingdom, we rely on the following lawful bases:

  • Performance of a contract — to deliver the booking platform you signed up for. Covers reservation handling, account management, payment processing, and building admin features.
  • Legitimate interests — to keep the Service secure (audit logging, fraud prevention) and to communicate operational matters with you. We balance these interests against your rights and you can object at any time.
  • Legal obligation — to comply with tax, accounting, and applicable tenant data privacy laws (e.g., NYC TDPA — see Section 5).
  • Consent — for non-essential cookies (analytics, marketing) and any optional marketing communications. You can withdraw consent at any time via account settings or the cookie preferences banner.

5. Data Retention & Deletion (NYC & Boston Compliance)

In compliance with the New York City Tenant Data Privacy Act (TDPA) and other local regulations:

  • The 90-Day Rule: We will delete or anonymize your personal information within ninety (90) days after we are notified that you have moved out of the building or have terminated your account.
  • Soft-delete with anonymization: When you delete your account from settings, we immediately anonymize your profile (email, name, phone, profile image) and schedule a full purge of the database row after a 30-day retention window. Booking history is retained for the building's audit trail but is no longer linked to your identifiable profile.
  • Anonymization: We may retain "De-identified Data" (data that cannot be linked back to you) indefinitely for internal analytics and system performance reports.

6. Sharing of Information — Sub-processors

We do not sell your personal information. We share your data with the following categories of recipients:

  • Your building management: to verify your residency and manage the physical amenities.
  • Service providers (sub-processors):
    • Vercel (US) — hosting and deployment of the Service.
    • Neon (US) — managed PostgreSQL database for application data.
    • Stripe (US) — payment processing for admin subscriptions and paid amenity bookings.
    • Resend (US) — transactional email delivery.
    • Upstash (US) — Redis cache and QStash for background jobs (booking holds, scheduled reconciliation).
    • Amazon Web Services (US) — encrypted database backup storage (S3 Object Lock).
    • Google and Apple — OAuth sign-in providers, only when you choose to use them.
  • Legal requirements: if required by law, court order, or to protect the safety of residents.

7. International Data Transfers

Our sub-processors are primarily located in the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US. For transfers from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses where applicable. By using the Service, you acknowledge and consent to this transfer.

8. Your Rights and Choices

Depending on your location (EU/UK GDPR, California CCPA, NYC TDPA, Maryland, Massachusetts), you have the following rights. We honor each of them regardless of where you live:

  • Right of access (GDPR Art. 15): request a copy of the personal data we hold about you. Self-service from account settings → Download my data.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data — update name, email, phone, and notification preferences directly in settings.
  • Right to erasure (Art. 17): delete your account from settings → Delete my account. If you manage one or more buildings, we will prompt you to either archive them or transfer admin to another user before deletion completes.
  • Right to restrict processing (Art. 18): contact us to limit how we process your data while a dispute or correction request is being resolved.
  • Right to data portability (Art. 20): the data export above is provided in machine-readable JSON.
  • Right to object (Art. 21): object to processing based on legitimate interests — contact us at contact@amenityresy.com.
  • Withdraw consent: manage cookie preferences from the banner or settings → Manage cookies. Opt out of non-essential email via the toggle in settings.
  • Right to lodge a complaint: EU/UK residents can complain to their local supervisory authority.

9. Cookies & Similar Technologies

We use a small number of cookies. The categories are necessary, analytics, and marketing. Necessary cookies (sign-in session, security) are always on; analytics and marketing are opt-in via the consent banner shown on first visit. The current build does not load any analytics or marketing scripts — the consent banner is the gate any future tracking must consult.

10. Global Privacy Control (GPC)

We honor the Global Privacy Control signal sent by your browser. When your browser advertises GPC, we automatically record a reject-all cookie consent decision without prompting you, and treat the signal as an opt-out from sharing or selling personal information for any future marketing or analytics use.

11. Security

We implement industry-standard security measures, including encryption in transit (TLS) and at rest, encrypted database backups stored in S3 with Object Lock, hashed passwords (bcrypt cost factor 12), required multi-factor authentication for admin access, and audit logging of security-relevant events. However, no method of transmission over the internet is 100% secure.

12. Contact Us

If you have questions about this Privacy Policy or your data, please contact us at:

Dibsly LLC

contact@amenityresy.com

5812 Grosvenor Ln, Bethesda, Maryland, 20814

See also our Terms of Service.