Privacy Policy

1. Scope and notice at collection

This Privacy Policy describes how OM Consulting Inc. ("OM Consulting," "we," "us") collects, uses, and shares personal information when you use omconsulting.info and the Title 24 compliance service offered through it. This Policy also serves as our Notice at Collection under the California Privacy Rights Act (CPRA): we collect the categories of personal information described in Section 2 for the purposes described in Section 3, share them with the recipients described in Section 4, and retain them for the periods described in Section 6.

2. Information we collect

• Account information you provide at signup: name, email, role, and the timestamp of your acceptance of our Terms and this Policy. We do not collect or store your password — Supabase performs authentication and stores only a salted hash. We do not collect a phone number.
• Project information you provide during the guided flow: the architectural plan PDF you upload, the page classifications you select, and the building inputs you confirm (project address, climate zone, scope of work, bedroom counts, ceiling height, garage, ADU, and similar fields). The values we extract from the PDF using a third-party large-language-model API (Anthropic's Claude API by default; Google's Gemini API as a configurable alternative) are also stored alongside your confirmed values.
• Designer information you provide later in the workflow when you identify the responsible designer who will sign the CF1R: their name and email. See Section 5 for how we handle this third-party data.
• Compliance documents generated for your project: the .ribd25 input file we use internally to run CBECC-Res 2025 verification, and the final signed CF1R PDF. The signed CF1R is stored against your project so you can re-download it from your dashboard; the .ribd25 file is retained for our internal records and is not made available to you for download.
• Payment information. We do not store your full card number. Stripe processes your payment and gives us a transaction ID, the amount, and a status.
• Technical and analytics data: IP address, browser/user-agent, and basic request logs needed to operate and secure the Service; product-analytics events (page views, click events, session duration) collected through PostHog; and error-monitoring events (the URL where an error occurred, browser/user-agent, stack trace, and a short trail of recent navigation and click breadcrumbs) sent to Sentry when the Service encounters an unexpected error. See Section 4.

3. How we use your information

• Provide, operate, and secure the Service.
• Extract building inputs from your uploaded PDF and generate the internal .ribd25 input file used to run CBECC-Res 2025 verification, including by sending the PDF to a third-party large-language-model API for content extraction (Anthropic's Claude API by default, with Google's Gemini API available as a configurable alternative).
• Run CBECC-Res 2025 verification on the generated file, register the project with CHEERS, and request a signature from your designated responsible designer.
• Process payments through Stripe.
• Send transactional emails about your account and project status (welcome, payment confirmation, signature request, CF1R delivery, etc.) — no marketing without separate opt-in.
• Understand how the Service is used and improve product flows through aggregated and pseudonymous analytics.
• Investigate fraud, abuse, or security incidents.

4. Third-party services and processors

We share information only with vendors and counterparties that support the Service. Each is engaged as a service provider or processor under contract restrictions and may not use your information for its own purposes.

• Supabase — authentication, user profile storage, project database, and file storage. Hosted in the United States (AWS US-East-2 region).
• Stripe — payment processing.
• Anthropic (Claude API) — PDF content extraction and plan-check analysis. By default, uploaded plans (and any plan-check inputs you provide) are sent to Anthropic's Claude API for analysis. Anthropic does not train its models on data sent through its API. Hosted in the United States.
• Google (Gemini API) — alternate PDF content extraction and plan-check analysis provider, available as a configurable alternative to Claude. When enabled, uploaded plans are sent to Gemini for analysis instead of Claude. We do not authorize Google to use your inputs to train its models.
• PostHog — product analytics. We use PostHog to understand how users move through the Service so we can fix friction and improve flows. PostHog is engaged as a service provider under contract restrictions; it does not use your data for its own purposes, and we do not authorize cross-context behavioral advertising. Hosted in the United States.
• Sentry — error monitoring. When the Service encounters an unexpected error in your browser or on our servers, we send Sentry the URL where the error occurred, browser/user-agent, stack trace, and a short trail of recent navigation and click breadcrumbs so we can diagnose and fix the problem. We have configured Sentry not to attach default personal-information fields, and we do not enable session replay or performance tracing. Sentry is engaged as a service provider under contract restrictions and does not use your data for its own purposes. Hosted in the United States.
• Resend — outbound transactional email (welcome, status updates, designer signature requests).
• CHEERS — once your project reaches the registration stage, your project information and the responsible-designer contact you provided are submitted to CHEERS so they can issue and email the CF1R for countersignature.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

5. Information about third parties (designers)

When you identify the responsible designer who will sign your CF1R, we collect that designer's name and email. We use this information solely to (a) email the designer through CHEERS to request signature, (b) send signature reminders through Resend, and (c) maintain a record of who signed the CF1R for the project. We do not use designer contact information for marketing.

If you are a designer who has been contacted in this capacity and would like to access, correct, or delete your contact information, email help@omconsulting.info.

6. How long we keep your information

Account information is retained for as long as your account exists. Project records — including the uploaded PDF, the extracted and confirmed inputs, the internally generated .ribd25 input file, and the signed CF1R — are retained while your account is active. The signed CF1R and your original uploaded PDF can be re-downloaded from your dashboard at any time; the .ribd25 file is retained for our internal records and to allow us to produce it on request from a building department or other authority.

You may delete your account at any time from the Profile page. We will delete your account, project records, and uploaded files within 45 days of your request (extendable to 90 days where additional verification or technical reasons require it), except that we may retain a record of any CF1R registered with CHEERS as required by law and our regulatory obligations, and may retain de-identified or aggregated information that no longer identifies you.

7. Cookies, similar technologies, and consent

We use the following storage technologies on your device:

• Essential — authentication cookies and tokens (managed by Supabase) to keep you signed in. These are always on; without them you can't use the Service.
• Essential — browser storage (localStorage and IndexedDB) to remember your in-progress project between page loads, including a temporary copy of the uploaded plan PDF so you don't lose it on a refresh during the upload flow.
• Essential — error-monitoring storage (a small amount of localStorage written by the Sentry browser SDK to hold a session identifier and a short buffer of recent breadcrumbs) so that when the Service errors we can attach context to the diagnostic event. No advertising, profiling, or cross-site identification is performed.
• Optional — PostHog cookies and localStorage for product analytics (page views, click events, session duration). These load only after you accept the cookie banner shown on first visit, or click "Allow product analytics" from the "Do Not Sell or Share My Personal Information" link in the footer. They are off by default and stay off if you reject.

We do not use third-party advertising cookies, and we do not participate in cross-context behavioral advertising. Our Site honors browser-level Global Privacy Control (GPC) signals automatically as an opt-out — if your browser sends a GPC signal, we treat it as a request not to load the optional analytics cookies and do not show the consent banner.

You can change your choice at any time by clicking "Do Not Sell or Share My Personal Information" in the footer of any page.

8. California privacy rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the following rights:

• Right to know what categories of personal information we have collected about you, the categories of sources, the business purposes, and the categories of third parties with whom we share it.
• Right to delete personal information we hold about you, subject to legal exceptions (including our obligation to retain a record of any CF1R registered with CHEERS on your behalf).
• Right to correct inaccurate personal information.
• Right to data portability — to receive a copy of your personal information in a portable format.
• Right to limit the use of sensitive personal information. We do not collect sensitive personal information as defined by the CPRA.
• Right to opt out of sale or sharing. We do not sell personal information and we do not share it for cross-context behavioral advertising. Our analytics provider (PostHog) is engaged as a service provider under contract restrictions and is not a "sale" or "share" under the CPRA.
• Right to non-discrimination for exercising any of these rights.

Categories of personal information collected (last 12 months). Identifiers (name, email, account ID, IP address; plus the responsible designer's name and email when you identify them); commercial information (transaction records); internet/network activity (page views and click events via PostHog; error-monitoring events via Sentry); professional or employment information (the role you select at signup); geolocation (project address, climate zone). Sources: directly from you, automatically from your device, and from our payment processor (Stripe). Business purposes: providing the Service, processing payments, communicating with you, security, and product analytics. Categories of recipients: see Section 4. We do not draw inferences from this information for advertising or profiling purposes.

How to exercise your rights. Email help@omconsulting.info from the email address on your account. We will verify your request and respond within 45 days (extendable to 90 days where permitted). You may also designate an authorized agent to make a request on your behalf, in which case we will require proof of the agent's authorization.

9. Other privacy rights

Depending on where you live, you may have additional rights to access, correct, delete, or port your personal information, and to opt out of certain processing. To exercise any of these rights, email help@omconsulting.info.

10. Security

We use industry-standard measures (TLS in transit, hashed passwords, scoped API keys, server-side verification of authentication tokens) to protect your information. No system is perfectly secure; if we learn of a breach affecting your information, we will notify you as required by law.

11. Children

The Service is restricted to users 18 and older. We do not knowingly collect personal information from anyone under 18, and never from anyone under 13. If you believe we have inadvertently collected such information, contact us at help@omconsulting.info and we will delete it.

12. International users

The Service is operated from the United States and is intended for use on California residential projects. If you access it from outside the US, you consent to your information being processed in the US.

13. Changes

We may update this Policy; the "Effective date" above will reflect the most recent version. Material changes will be communicated by email or in-app notice.

14. Contact

Privacy questions or rights requests: help@omconsulting.info.