Privacy Policy

Last updated: May 8, 2026

This Privacy Policy explains how Unlocked (“we,” “our,” or “us”) collects, uses, stores, shares, and protects your personal information when you use our website and services (collectively, the “Service”). By using the Service, you agree to the practices described in this Policy. If you do not agree, please do not use the Service.

1. Information We Collect

Account information:

Name, email address, and password (stored securely using industry-standard hashing). You may optionally provide additional profile information.

Study progress data:

Quiz scores, flashcard review results, practice exam attempts, module completion status, daily streaks, and readiness estimates. This data is used to personalize your experience and power your progress analytics.

Carl conversation history:

Messages you send to Carl and Carl’s responses. These are used to deliver the Service and may be used in aggregate, anonymized form to improve our AI system. We do not share individual conversation transcripts with third parties, except as required by law or as necessary to operate the Service (e.g., processing by Anthropic’s API).

Carl long-term memory:

When Carl decides to keep a durable note about you across sessions (for example, your study goal or time constraints you’ve shared), that note is stored in our database under your account. Notes are limited in number and length, are visible only to you and Carl, and can be deleted at any time by deleting your account or contacting us. You may also instruct Carl to forget a specific note in conversation.

Tool usage logs:

When Carl uses one of his tools on your behalf (catalog lookups, NYC Property Check, the calculators, the listing audit), we record the tool name, input metadata (such as listing length or property address category), success status, and execution time. These logs support service operation, abuse detection, and aggregate product analytics. We do not retain full listing text, addresses, or other free-form inputs in these logs beyond what is necessary to deliver and audit the Service.

User-submitted content (listing audit and similar tools):

Listing descriptions, property addresses, and similar text you paste into our tools are transmitted to Anthropic’s Claude API for analysis. We use the result to generate the audit or estimate you requested. We do not retain your submitted content beyond what is necessary to return your result and operate the Service. Anthropic’s API processes your content under their commercial terms, including their default zero-retention practices for input and output. You should not paste personal information about third parties (tenants, applicants, sellers) into these tools without those individuals’ consent.

Payment information:

Payments are processed by Stripe. We do not store full payment card details on our servers. We receive and retain billing metadata (e.g., last four digits, billing address, transaction ID) as provided by Stripe to support receipts and dispute resolution.

Usage and technical data:

Pages visited, features used, session duration, browser type, device type, IP address, and referring URL. This data is collected automatically to operate, maintain, and improve the Service and to detect abuse.

Communications:

If you contact us by email or otherwise, we retain records of that correspondence.

2. How We Use Your Information

  • To provide, maintain, operate, and improve the Service
  • To personalize Carl’s responses and surface content relevant to your weak areas
  • To track and display your study progress and readiness score
  • To process payments, issue receipts, and manage your subscription
  • To send transactional emails (account confirmation, payment receipts, password resets)
  • To send you study reminders or product updates (you may opt out at any time)
  • To detect and prevent fraud, abuse, and violations of our Terms of Service
  • To comply with legal obligations, respond to legal process, and enforce our agreements
  • To protect the rights, property, and safety of Unlocked, our users, and the public

We do not sell your personal information to any third party. We do not use your personal data for third-party advertising.

3. Third-Party Services

We share limited data with the following third parties solely to operate the Service:

  • Supabase — database hosting and authentication. Your account data and study progress are stored in Supabase. Supabase is SOC 2 Type 2 compliant. See Supabase’s Privacy Policy.
  • Stripe — payment processing. Stripe handles all payment card data and is PCI-DSS Level 1 compliant. We never see or store raw card numbers. See Stripe’s Privacy Policy.
  • Anthropic — AI infrastructure powering Carl. Messages you send to Carl are transmitted to and processed by Anthropic’s Claude API. See Anthropic’s Privacy Policy.
  • Vercel — application hosting, deployment, and analytics. Vercel processes request data as part of serving the Service. We use Vercel Analytics and Vercel Speed Insights to measure page performance and usage patterns in aggregate. These tools collect anonymized performance metrics (page load times, web vitals) and basic usage data (page views, referrers). They do not use third-party advertising cookies or track you across other websites. See Vercel’s Privacy Policy.
  • Resend — transactional email delivery. Your email address is transmitted to Resend solely to deliver account-related emails (e.g., purchase confirmations, password resets). Resend does not use your data for advertising. See Resend’s Privacy Policy.

We do not share your personal information with any other third parties except as required by law.

4. Cookies and Local Storage

We store your study progress, preferences, and UI state locally on your device using standard browser storage mechanisms. We use functional cookies strictly necessary to authenticate you and operate the Service.

We do not use third-party tracking cookies, advertising cookies, or behavioral profiling technologies.

Do Not Track. Some browsers transmit “Do Not Track” (DNT) signals. Because we do not use third-party behavioral tracking, our response to DNT signals does not materially change your experience.

5. Data Security

We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These include: encrypted data transmission (HTTPS/TLS), hashed password storage, role-based access controls, and reliance on SOC 2 compliant infrastructure.

Data Breach Notification. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law, including within 72 hours where required under the GDPR.

No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information.

6. Data Retention

We retain your account data and study history for as long as your account is active. If you request deletion of your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for: (a) legal or regulatory compliance; (b) financial recordkeeping; (c) fraud prevention; or (d) resolution of active disputes.

Aggregated, anonymized data that cannot identify you may be retained indefinitely for product improvement purposes.

7. Your Rights

You have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete personal information
  • Request deletion of your personal information (subject to legal retention requirements)
  • Export your study data in a portable format
  • Opt out of non-essential communications at any time via the unsubscribe link in any email or by contacting us
  • Withdraw consent where processing is based on consent

To exercise any of these rights, email us at support@passunlocked.com. We will respond within 30 days.

8. New York Residents (SHIELD Act)

We comply with the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act, NY GBL §899-aa), which applies to businesses that own or license private information of New York residents. We maintain reasonable administrative, technical, and physical safeguards to protect private information, train relevant personnel, and select third-party service providers capable of maintaining appropriate safeguards. In the event of a breach involving private information of a NY resident, we will notify affected individuals as required by the SHIELD Act.

9. California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including:

  • The right to know what personal information we collect, use, disclose, and sell (we do not sell personal information)
  • The right to delete your personal information
  • The right to correct inaccurate personal information
  • The right to opt out of the sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising)
  • The right to limit use of sensitive personal information
  • The right to non-discrimination for exercising your privacy rights

To submit a CCPA/CPRA request, contact us at support@passunlocked.com. We will verify your identity before processing requests.

10. European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent applicable law, including the right to access, rectify, erase, restrict processing of, or port your personal data, and the right to object to processing.

Legal basis for processing: We process your personal data on the following legal bases: (a) performance of a contract (providing the Service you have purchased); (b) your consent (for optional communications); (c) legitimate interests (fraud prevention, security, product improvement); and (d) legal obligation (compliance with applicable law).

International transfers: Your data may be transferred to and processed in the United States, which may not provide the same level of data protection as your home country. By using the Service, you consent to this transfer. We rely on Standard Contractual Clauses or other approved mechanisms where required.

To exercise your GDPR rights or to lodge a complaint with a supervisory authority, contact us at support@passunlocked.com.

11. Children’s Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we discover we have inadvertently collected such information, we will delete it promptly. If you believe a child under 18 has provided us personal information, contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date at the top of this page and, where appropriate, by email. Your continued use of the Service after any change constitutes acceptance of the updated Policy.

13. Contact

For privacy questions, requests, or concerns, contact us at support@passunlocked.com.