Privacy Policy
Last Updated: May 1, 2026
This Privacy Policy explains how Audubonic ("we," "our," "us") collects, uses, protects, and shares information when you use Milo, our software platform for commercial real estate financial analysis.
We've written this policy to be specific. If you have questions, email us at contact@audubonic.com.
Information We Collect
- Account Information: Name, email address, and login credentials (via email/password or Google OAuth).
- Property and Deal Documents: Files you upload to analyze deals — typically T-12 operating statements, rent rolls, offering memorandums, leases, appraisals, and similar commercial real estate documents. We refer to these collectively as "Deal Documents".
- Extracted and Generated Data: Structured data extracted from your Deal Documents (rent rolls, financial line items, lease terms) and the underwriting analyses Milo generates from them (cash flow projections, IRR / cap rate / DSCR calculations, AI-generated insights).
- Payment Information: Processed by Stripe. We do not store full payment-card details.
- Usage Data: Application interaction logs, performance metrics, and error reports used to operate and improve Milo.
How We Use Your Information
We use the information you provide to:
- Run document extraction, financial analysis, and AI-generated insights on your Deal Documents.
- Authenticate users and manage organization-level access controls.
- Process billing and subscription management.
- Communicate account updates, security notices, and (where you've opted in) product news.
- Operate, maintain, and improve the Milo platform.
We do not use your data for advertising, and we do not sell or rent personal information to third parties.
AI Models and Your Data
This is the section that matters most for our customers, so we want to be specific:
- We do not use your Deal Documents to train, fine-tune, or otherwise improve any AI model — neither models we operate ourselves nor models operated by our vendors.
- The AI vendors we use (Anthropic, Cohere, AWS) process your documents only as needed to return results for your specific request, and are contractually prohibited from retaining your inputs for training or model improvement under their respective Data Processing Addendums (DPAs).
- The user feedback you provide on extraction accuracy is stored only in our own database and is used solely to display corrections back to you. It is not forwarded to any AI vendor.
Subprocessors
We share limited operational data with the following subprocessors so we can deliver Milo. Each subprocessor is contractually bound to confidentiality and to processing data only on our instructions, under a signed DPA where applicable.
| Subprocessor | Purpose | Data Categories |
|---|---|---|
| Amazon Web Services (AWS) | Document storage (S3), database hosting, OCR (Textract) | Deal Documents, extracted data, account metadata |
| Anthropic (Claude API) | Document understanding and AI insight generation | Document text excerpts, prompts |
| Cohere | Document embeddings and search reranking | Document text excerpts, search queries |
| Tavily | Web search for AI agent tools | Search queries (may include property names / addresses) |
| Supabase | Database hosting and authentication (transitioning to AWS) | Account info, deal metadata, extracted data |
| Vercel | Frontend hosting | Usage metrics, request logs |
| Stripe | Payment processing | Billing information, payment metadata |
| Google (OAuth) | Authentication only | Name, email, profile picture, OAuth tokens |
We will notify customers via email or in-app notice before adding a new subprocessor that processes Deal Documents.
Data Storage, Encryption, and Retention
- Encryption in transit: All connections to Milo are encrypted with TLS 1.2 or higher.
- Encryption at rest: All Deal Documents in S3 are encrypted with AES-256 server-side encryption. Database storage is encrypted at rest by our hosting provider.
- Infrastructure: Production data is hosted on AWS (us-east region), which is SOC 2 Type II and ISO 27001 certified.
- Active retention: We retain your data while your account is active and for as long as needed to provide the service.
Deleting Your Data
You can permanently delete your data at any time:
- Individual documents: Use the delete button in the Document Library or the file explorer in any Deal Room. The original file, its parsed extractions, and any generated underwriting summaries derived from it are removed from our databases and from object storage immediately.
- Entire deals: Use "Delete Deal" from the Deals dashboard. All documents, lease and rent-roll data, financial models, and AI-generated insights tied to that deal are permanently removed from our databases and object storage immediately.
- Account-wide deletion: Email contact@audubonic.com from the address associated with your account, or write to us through the in-app support channel. We honor account deletion requests within 30 days and confirm completion by email.
After deletion:
- Active database records and object storage copies are removed immediately.
- Encrypted, point-in-time database backups are purged on their normal rotation, which is 30 days or less.
- AI vendor caches (where applicable) age out within 24 hours per our vendor agreements.
We will retain a minimal record of the deletion request itself (date, account ID, requester email) for legal and audit purposes.
Your Rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate personal information.
- Delete your personal information ("right to erasure").
- Restrict or object to certain processing.
- Export your data in a portable format.
- Opt out of marketing communications at any time.
To exercise any of these rights, email contact@audubonic.com. We will respond within 30 days. We do not discriminate against users who exercise these rights.
California residents have additional rights under the CCPA / CPRA, including the right to know what personal information we collect and the right to opt out of any sale or sharing of personal information. We do not sell or share personal information as defined under the CCPA.
EEA / UK residents are protected under the GDPR and UK GDPR. The legal bases on which we process your information are: contract performance (to deliver Milo), legitimate interests (to operate and improve the platform), and consent (where you've explicitly opted in, e.g., marketing).
Google User Data
When you sign in with Google, Milo accesses only:
- Basic profile information: Name, email address, and profile picture.
- Authentication tokens: Used to maintain your login session.
We do not access Gmail content, calendar events, contacts, or any other Google service data, and we never use Google user data for advertising. Use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Security Incidents
If a security incident affects your data, we will notify you within 72 hours of confirming the incident, in accordance with applicable law (including GDPR Article 33). Notifications include the nature of the incident, the data affected, our response, and recommended next steps.
Children's Privacy
Milo is not intended for users under 18. We do not knowingly collect information from children.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice. The "Last Updated" date at the top of this page reflects the most recent revision.
Contact
- Privacy questions or data requests: contact@audubonic.com
- Product support: support@audubonic.com