Security & Privacy

How we handle your data.

Plain English, not a 30-page legal doc. If something here is wrong or unclear, email [email protected] and we'll fix it the same week.

What we collect

Just enough to do the job. Email address, name (if you give one), the property address(es) you want monitored, your tier preferences (which islands you cover, your brokerage). For paid customers: a Stripe customer ID linked to your subscription. That's it.

Yes — for delivering briefs + login

Name

Optional

Saved address(es)

Yes — that's the product

Phone number

Only if you provide one

Bank or card details

Never — handled by Stripe

SSN / ID numbers

Never collected

Location tracking

Browsing fingerprint

No — basic page-hit only

Where it lives

Subscriber records and product state live on a single Vultr cloud server in Seattle, US. Encrypted at rest at the disk level, encrypted in transit (HTTPS / TLS 1.3 only — no plain HTTP). Daily backups to a separate encrypted volume.

No data leaves the US. No third-party data warehouses, analytics platforms, or marketing pipelines. The only people with database access are John (the founder) and the systems that need it to deliver your briefs.

What we never do

Sell your data. Not to advertisers, not to data brokers, not to anyone. There's no business model where we'd consider it.
Send you marketing email. Auto-emails are limited to transactional sends (welcome, weekly brief, payment events). No "monthly tips" newsletters, no upsell sequences, no win-back campaigns.
Track you across the internet. No third-party trackers, pixels, or retargeting cookies on our pages.
Share your address with neighbors or your contractor. Property briefs are private to your subscription. The aggregated counts on /admin (e.g., "X subscribers") never include identifying details.
Keep your data after you cancel. See "Deleting your data" below.

Subprocessors

The vendors that actually handle your data on our behalf, what they do, and why we trust them.

Stripe

Payment processing. PCI-DSS Level 1 compliant. Card details never touch our servers — Stripe Checkout handles them directly. We see only the customer ID, subscription status, and email.

Resend

Transactional email delivery (welcome emails, weekly briefs). EU + US infrastructure. We send only the email content + your address — they don't profile recipients or share data with advertisers.

Anthropic Claude

AI model that drafts watch-out summaries inside Property Brief and the scope-of-work proposals inside BlueWave Projects. Per Anthropic's API terms, prompts are not used to train future models. We send parcel facts, not your personal info.

Cloudflare

DNS + edge CDN for ai.ikenagroup.com and ai.portofcams.com. Sees request metadata (IPs, user agents) for rate-limiting + DDoS protection. No payload-level access.

Vultr

The actual server hardware. Hosting only — they don't access application data. Encrypted volumes, regional redundancy.

OpenStreetMap (Nominatim)

Address-to-coordinate geocoding for non-Oahu addresses. We send the address string, get coordinates back. They don't store the query against you.

Public records vs. private data

Property facts (TMK, parcel size, zoning, permits, ownership) are public Hawaii records. They're already published by state and county GIS portals — anyone can look them up. We aggregate them so you don't have to visit six websites.

What's private to you: which addresses you watch, your email, your tier preferences, your subscription state, anything you input into the BlueWave Projects portal (leads, quotes, photos, blueprints). These never leave your account.

Cookies + tracking

We use one local cookie for keeping you signed in to the BlueWave Projects contractor portal. That's it. No marketing cookies, no third-party analytics, no Google Tag Manager, no Facebook pixel.

Page-hit logging is server-side only — we count which pages get traffic (e.g., 43 hits on /lookup last week) without tying it to specific users. The lookup tool tracks recently-viewed addresses in your own browser's localStorage so you don't lose your search history; that data never leaves your device.

Security practices

HTTPS everywhere. No plaintext traffic. TLS 1.3 minimum. HSTS enabled on all subdomains.
API key rotation. Production keys are rotated proactively (last full rotation: April 2026 after a security audit) and immediately on any suspected exposure.
Webhook signature verification. Stripe webhooks are verified per-account against signing secrets. Unsigned or mismatched payloads are rejected.
Per-tenant data isolation. BlueWave Projects multi-tenant data is scoped to tenant_id at every database query — verified end-to-end across 14 endpoints.
Rate limiting. Lookup tool and AI Q&A are rate-limited per IP (10/day on free, unlimited for subscribers).
Two-factor on infrastructure. SSH key-only access, no password authentication, hardened Docker host.

Deleting your data

You own your data. To delete it:

Cancel your subscription via the Stripe portal link on /account. Your record is marked canceled at end of billing period.
Email [email protected] with "delete my account" and your subscription email. We delete your subscriber record (saved addresses, tier preferences, history) within 7 business days. Stripe retains its own customer record per PCI requirements — that you'd delete via Stripe's own data-request flow.
BlueWave Projects tenants can request a full data export (JSON of every record) via the same email before deletion. We never auto-delete your work product — we wait for your written go-ahead.

Incident response

If we ever experience a security incident affecting customer data, we notify affected customers by email within 72 hours of discovery, with plain-English description of what happened, what was exposed, and what we're doing about it. No corporate-speak, no "out of an abundance of caution" hedging.

One human in the loop.

Behind every email, every approved permit alert, every customer-portal session is one builder in Honolulu. If you have a question or concern that doesn't fit a form, write to [email protected] and you'll get a real reply, usually same-day Hawaii time.

Legal entity

IkenaAI is a product line of Ikena Design & Build Group LLC, registered in the State of Hawaii. Based in Honolulu. For data-request, GDPR/CCPA, or legal inquiries, full registered mailing address is available on request to [email protected].

Last updated: 2026-05-08. Material changes to this page get sent to active subscribers by email.