Privacy Policy · DRAFT — attorney review required

Privacy Policy

What we collect, how we use it, who we share it with, and the rights you have. Written to be readable without a law degree. Read the Terms of Service in parallel — this policy describes the data; the Terms describe the agreement.

DRAFT — pending attorney review. This document is a working draft authored by the Athena Systems leadership team. It will be reviewed by qualified Washington-state counsel before any user data is collected at scale. Specific compliance language for CCPA, CPRA, GDPR (where applicable), and Washington's My Health My Data Act will be finalized at that review. Do not rely on it as the operative policy until the “DRAFT” marker is removed. Comments and questions to privacy@athenadecisionsystems.com.

Last updated: 2026-05-29. Effective: Pending company formation and attorney review. Version: 0.1 draft.

The short version

We collect three categories of data: account information you give us (name, email, firm), work-file content you submit for evaluation, and operational telemetry we generate by running the service (logs, timestamps, error reports).

We use that data to provide the service, produce your Evaluation Reports and Decision Records, and improve North Star over time. We do not sell it. We do not share it with third parties for their marketing. We do not use your work files to train AI models that produce output for other customers, except on an opt-in basis we'd ask you about directly.

We retain data for as long as you have an active subscription, plus a reasonable window after termination for export, plus whatever the law requires us to retain longer. Decision Records are retained indefinitely as part of the audit chain — that's a feature, not a bug; see §5 below.

You have rights to access, correct, and delete personal data we hold about you, subject to limitations described in §8.

The long version follows.

Contents

  1. 1. Who we are
  2. 2. What we collect
  3. 3. How we use it
  4. 4. With whom we share
  5. 5. Decision Records and the audit chain
  6. 6. How long we keep your data
  7. 7. Security
  8. 8. Your rights
  9. 9. Cookies and similar technologies
  10. 10. Children's privacy
  11. 11. International data transfers
  12. 12. Changes to this policy
  13. 13. Contact

1. Who we are

Athena Systems LLC, a Washington limited liability company ("Athena Systems," "North Star," "we"), operates the North Star appraisal-compliance platform at athenadecisionsystems.com.

We are the controller of personal data described in this policy. For questions, contact privacy@athenadecisionsystems.com.

2. What we collect

Account information you give us

  • Name, email address, phone (optional)
  • Firm name and role
  • State(s) of practice
  • Appraiser credential number (when applicable, for rule-applicability)
  • Billing contact and payment-method tokens (we store payment tokens via our payment processor; we don't store raw card numbers)
  • Any free-text content you provide in the waitlist form, support messages, or feedback submissions

Work-file content you submit for evaluation

When you upload an appraisal work file to North Star, that file may contain (depending on the form type and your assignment):

  • Subject property address and description
  • Borrower / homeowner names (when present on the form)
  • Lender / client identifiers
  • Comparable-sale addresses and prior-transfer histories
  • Appraiser identification (your name, credential number, firm)
  • Loan-program details (FHA / VA / Conventional / USDA / multifamily, etc.)
  • Property condition observations, photos, sketch data
  • Income / expense data (for income-approach properties)
  • Any additional fields the relevant form (URAR / 1004 / 1073 / 1025 / 2090 / etc.) requires

We treat work-file content as confidential. We process it to produce your Evaluation Report and Decision Record. We retain it for the duration described in §6. We do not sell it or share it for marketing.

Operational telemetry we generate

  • Log records of evaluation events (timestamp, anonymized session token, rule-set version, outcome counts) — necessary to operate the service and produce audit-chain Decision Records
  • Aggregated usage statistics (number of evaluations, common rule-trigger patterns, error rates) — anonymized; used to improve the service
  • Error reports and crash diagnostics — used to fix bugs and harden the platform
  • Standard web-server logs (IP address, user-agent, referrer) — retained for security and abuse prevention; see §7

3. How we use it

We use the data described in §2 to:

  • Provide the service: run rules against your submissions, generate Decision Records, produce Evaluation Reports
  • Operate your account: authentication, billing, communications about service changes
  • Support you: respond to your questions, debug issues, improve documentation
  • Improve the platform: identify rule-trigger patterns, common pain points, performance bottlenecks — using aggregated and anonymized data wherever possible
  • Comply with legal obligations: respond to lawful requests from regulators or courts, maintain records required by applicable law
  • Prevent abuse and fraud: detect and respond to unauthorized access attempts or misuse of the service

What we do NOT use your data for:

  • Training large language models or other machine-learning systems whose output goes to other customers (except on opt-in basis, which we'd ask you about directly)
  • Selling to data brokers or marketers
  • Sharing your work files with anyone outside Athena Systems' authorized staff and contractors, except (i) at your direction, (ii) as required by law, or (iii) for the limited purpose of verifying a Decision Record you are the subject of
  • Any purpose materially incompatible with the purposes described in this policy, without your prior consent

4. With whom we share

We share data with the following categories of recipients, and only as needed to operate the service:

  • Cloud infrastructure providers — for hosting, storage, and computational resources. Our production environment is hosted on [TODO: confirm AWS / other once deployed]; data is stored in the [TODO: region — initial draft: US-West-2] region.
  • Payment processor[TODO: Stripe, once wired up] handles payment-card processing. We never see your raw card number; we hold a payment-method token only.
  • Email service provider — for transactional emails (account confirmations, password resets, billing receipts) and (with your opt-in) for product update emails. [TODO: vendor name once selected]
  • Customer support tool — for tracking and responding to your support inquiries. [TODO: vendor name once selected — likely Crisp]
  • AI provider you choose — North Star is bring-your-own-AI. When you save an API key for Anthropic, OpenAI, Perplexity, Google AI Studio, or AWS Bedrock in Settings, your work-file content travels to that provider's API under YOUR account — not ours. Athena never receives a copy. Your AI bill goes to your provider directly. Workflow:
    1. You paste an API key in Settings. We store it server-side, encrypted at the storage volume level, and never expose it back to your browser (we render a 6-character preview only).
    2. When you run extraction on a work file, we send your file's text and any image / PDF attachments to the provider's API using YOUR key.
    3. The provider returns extracted structured data; we store it in your tenant's database row, subject to the retention schedule below.
    4. We record token counts plus an estimated cost in the ai_usage_events table so we can render your billing summary. We do NOT receive a copy of the provider's invoice — that bills to the card on file with the provider.
    If you have no AI key on file, we route the call through Athena's house Anthropic key as a fallback and add a per-call surcharge (cost × configured markup) to your monthly invoice. The fallback path is the only situation in which Athena sees your work-file content via an AI provider; even there we are passing your text to Anthropic's Messages API under our key, not retaining additional copies beyond what is already stored in your tenant database.
  • Time-stamping authority — an independent RFC 3161 TSA counter-signs the timestamp on every Decision Record. The TSA receives a hash of the record — not the underlying content. See the audit-chain page for the cryptographic detail.
  • Legal and regulatory authorities — when we are required by law to disclose data (subpoena, court order, regulatory inquiry). We will challenge overbroad requests and notify you where permitted.
  • Successor entities — in the event of a merger, acquisition, or sale of all or substantially all of our assets, customer data may be transferred to the successor entity, who will be bound by this policy or a comparable replacement.

We do not share data with advertising networks. We do not let third-party trackers run on athenadecisionsystems.com or in the web application.

5. Decision Records and the audit chain

A specific aspect of how we handle data deserves its own section: the Decision Records produced by every evaluation.

Each Decision Record is a cryptographically sealed, tamper-evident record of an evaluation event. It contains (among other fields) a hash of the work-file content you submitted, a hash of the rule set in force, a third-party timestamp, and our digital signature. The Decision Records are linked into a hash chain so any modification to a past record breaks the chain at the next verify.

We retain Decision Records indefinitely. This is a deliberate design choice and a feature of the product:

  • The audit chain's integrity depends on the predecessor hash linkage. Deleting an old record breaks future verifications — not just for you, but for any other customer whose records depend on the chain.
  • The Decision Record's value to you is its long-tail defensibility — a regulator, attorney, or insurance carrier may need to verify the record years after the underlying assignment closes.
  • The Decision Record itself does NOT contain the raw work file content. It contains a hash of the content. The underlying work-file content is retained per §6 below and may be deleted on the timeline described there without affecting the audit chain.

If you have a specific concern about a Decision Record (e.g., it was created in error, or it contains content referencing a third party who has requested erasure), contact privacy@athenadecisionsystems.com. We will evaluate the situation case-by-case. We typically cannot delete a Decision Record without breaking the audit chain, but we can document the dispute and we can mark a record as withdrawn in your account view.

See athenadecisionsystems.com/audit-chain for the framing detail on what Decision Records attest and what they do not. The framing language there is a contractually-binding statement of what the records mean (see Terms of Service §6).

6. How long we keep your data

We hold your work-file documents only as long as the Service needs them and we tell you exactly how long that is. The window differs by product (Evaluate vs Assembly) and, for Evaluate, by your billing tier (monthly vs annual). You can request immediate deletion of any uploaded document at any time within its retention window via your dashboard or by emailing support@athenadecisionsystems.com.

For the full retention policy, including how deletion interacts with the cryptographic seal (which survives the underlying file deletion), see Terms of Service §5a.

Data category Retention period
Account information (name, email, role, etc.) Duration of subscription + 60 days post-termination, then deletion (subject to legal-hold exceptions)
Work-file content you uploaded for Evaluate (Evaluator status), monthly plans 90 days from upload, then deletion. Deletable on request within the window.
Work-file content you uploaded for Evaluate (Evaluator status), annual plans 1 year from upload, then deletion. Deletable on request within the window.
Work-file content you assembled through Assembly (Assembly status) 5 years from the assignment effective date, +2 years if litigation flagged. Mirrors USPAP / WAC 308-125 / OAR 161 record-keeping. Deletable on request within the window.
Findings and Evaluation Reports Follow the underlying work file's retention window. Decision Records (the seal) survive indefinitely — see below.
Decision Records (cryptographic chain) Indefinite — required for chain integrity (see §5)
Billing records 7 years (federal tax-records retention requirement)
Operational logs and telemetry 90 days, then aggregation or deletion
Support communications 3 years from last interaction, then deletion
Waitlist email and submission details Until you ask us to delete them, or 24 months without engagement, whichever comes first

We may retain data longer when required by law, when needed for an ongoing legal matter, or when reasonably necessary for legitimate business purposes (e.g., fraud investigations).

7. Security

We take security seriously. Our practices include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls for our staff and contractors (least privilege)
  • Audit logging of internal data access
  • Cryptographic signing of every Decision Record using Ed25519 with key material held in [TODO: HSM or KMS once production is deployed]
  • Regular dependency vulnerability scanning and patching
  • Code review on every change to the engine and platform

No security is perfect. If you believe an account has been compromised, or you have discovered a vulnerability, please contact security@athenadecisionsystems.com promptly. We follow a coordinated-disclosure approach to vulnerability reports.

In the event of a security incident that involves your personal data, we will notify you and any required regulators on the timelines required by applicable law (and typically faster).

8. Your rights

Depending on where you live, you may have the following rights with respect to personal data we hold about you:

  • Access — request a copy of the personal data we hold about you
  • Correction — ask us to correct inaccurate or incomplete data
  • Deletion — ask us to delete personal data we hold about you, subject to the limitations in §5 (Decision Records) and §6 (legal retention requirements)
  • Portability — receive your data in a machine-readable format
  • Objection — object to certain processing of your data
  • Withdrawal of consent — where processing relies on your consent, withdraw it

To exercise any of these rights, email privacy@athenadecisionsystems.com. We will respond within the timelines required by applicable law.

California residents (CCPA / CPRA): [TODO: specific CCPA / CPRA categories, sales / sharing disclosure, "Do Not Sell or Share My Personal Information" link if applicable, sensitive personal information disclosure. To be finalized at attorney review.]

EU / UK residents: [TODO: GDPR / UK GDPR-specific disclosures including lawful basis, DPO contact (if appointed), supervisory-authority complaint right. To be finalized at attorney review if we admit EU / UK customers.]

Washington residents (My Health My Data Act): North Star does not collect consumer health data within the meaning of Washington's My Health My Data Act. The work files we process are appraisal records, not health records. [TODO: confirm at attorney review.]

9. Cookies and similar technologies

The marketing website at athenadecisionsystems.com uses minimal cookies:

  • No third-party advertising cookies.
  • No third-party analytics with personalized tracking.
  • We may use a privacy-respecting first-party analytics tool to count visits and understand which pages are most useful. [TODO: confirm vendor at deployment time — Plausible / Fathom / similar.]

The web application (app.athenanorthstar.com, when live) uses functional cookies necessary for session management and authentication. These cannot be disabled without breaking the service.

10. Children's privacy

North Star is not directed to children. We do not knowingly collect personal information from anyone under 18. The service is designed for professional use by licensed appraisers and related practitioners.

11. International data transfers

We host the service in the United States. If you access the service from outside the U.S., your data will be transferred to and processed in the U.S. [TODO: cross-border transfer mechanisms (SCCs, etc.) if we begin admitting EU / UK customers. Initial draft assumes a U.S.-only customer base for the bootstrap phase.]

12. Changes to this policy

We may update this policy from time to time. We will post the updated policy here with a revised "Last updated" date. Material changes will be communicated to active subscribers by email at least 30 days before they take effect.

13. Contact

Privacy questions: privacy@athenadecisionsystems.com.

Security disclosures: security@athenadecisionsystems.com.

General customer support: hello@athenadecisionsystems.com.

Mailing address: available on request via legal@athenadecisionsystems.com.

This document is a DRAFT. Bracketed [TODO: like this] markers indicate items pending finalization at company formation, vendor selection, or attorney review. Do not enforce or rely on this document until the “DRAFT” banner is removed.