Privacy Policy

Last updated: April 10, 2026

1. Introduction

FindMySublet, Inc. (“FindMySublet,” “we,” “us,” or “our”) operates the FindMySublet platform at findmysublet.com (the “Platform”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Platform.

By using FindMySublet, you consent to the practices described in this policy. If you do not agree, please do not use the Platform.

2. Information We Collect

2.1 Information You Provide

  • Account registration: Full name, email address, and password (or Google OAuth profile including name, email, and profile picture).
  • Profile information: Phone number, university name, university email address (.edu), profile photo (avatar), and optional bio.
  • Listing information: Property address, city, state, ZIP code, neighborhood, listing type, property type, bedrooms, bathrooms, square footage, furnishing status, pricing, availability dates, amenities, description, and photos.
  • Messages: Content of messages sent and received through the in-platform messaging system.
  • Inquiries: Messages sent to listing hosts and related metadata.
  • Contact form submissions: Name, email, subject, and message body.
  • Listing reports: Report reason, optional details, and your user ID.

2.2 Information Collected Automatically

  • Authentication cookies: Session tokens managed by Supabase Auth to keep you signed in across page loads.
  • OAuth redirect cookie: A short-lived cookie (10 minutes) used to redirect you to the correct page after Google sign-in.
  • Admin session cookie: An HTTP-only cookie used to authenticate admin panel access.
  • Analytics data (Vercel Web Analytics): We use Vercel Web Analytics to collect anonymized, aggregated page view data. This includes page URL, referrer, approximate country, device type (mobile/desktop), and browser type. Vercel Web Analytics is designed to be privacy-friendly: it does not use persistent tracking cookies, does not fingerprint individual users, and does not build behavioral profiles. Data is aggregated and not linked to your identity. See Vercel’s Analytics Privacy documentation for details.
  • Service worker cache: Static assets (CSS, JavaScript, fonts, images) may be cached locally on your device for faster page loads and offline access via our Progressive Web App (PWA) service worker.

2.3 Information from Third Parties

  • Google OAuth: When you sign in with Google, we receive your name, email, and profile picture from Google.
  • OpenStreetMap Nominatim: When you enter a street address while creating a listing, your typed text is sent to the Nominatim geocoding API (operated by the OpenStreetMap Foundation) to suggest addresses. This request is made directly from your browser. We do not store the raw geocoding query on our servers.

3. How We Use Your Information

We use the information we collect to:

  • Create and manage your account.
  • Display your listings and profile to other users.
  • Facilitate messaging between renters and posters.
  • Process verification requests (email, phone, university email) to display trust badges.
  • Send transactional emails (verification codes, account notifications) via Resend.
  • Send SMS verification codes via Twilio Verify.
  • Review and moderate content, including reported listings.
  • Respond to contact form inquiries.
  • Measure and understand how the Platform is used (via anonymized Vercel Analytics data) in order to improve functionality and user experience.
  • Investigate fraud, abuse, safety incidents, and Terms of Service violations.
  • Improve and maintain the Platform’s security and functionality.
  • Comply with legal obligations.

4. Information Sharing & Disclosure

We do not sell your personal information. We share your information only in the following circumstances:

  • With other users: Your name, profile photo, verification badges, and university (if provided) are visible to other users on your profile and in messaging. Listing addresses are displayed on the public listing detail page as entered by the poster; we do not restrict listing address visibility by default.
  • Service providers: We use the following third-party services to operate the Platform:
    • Supabase — Database, authentication, and file storage (hosted on AWS infrastructure).
    • Resend — Transactional email delivery for verification codes.
    • Twilio — SMS delivery for phone number verification.
    • Vercel — Website hosting, deployment, and anonymized web analytics.
    • Google — OAuth authentication and web fonts.
    • OpenStreetMap Foundation (Nominatim) — Address autocomplete (browser-to-server, query not stored by us).
  • Legal compliance: We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to protect our rights, safety, or the safety of others.
  • Trust & safety investigations: We may share relevant account data, messages, reports, or activity logs with law enforcement, regulators, or legal counsel in connection with fraud investigations, abuse reports, or credible safety threats.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to the acquiring party honoring this Privacy Policy.

5. Data Storage & Security

Your data is stored in Supabase-managed PostgreSQL databases and Supabase Storage buckets, with Row Level Security (RLS) policies that restrict data access based on your authenticated identity.

  • Passwords are hashed by Supabase Auth (bcrypt) and are never stored in plain text.
  • Email and SMS verification OTP codes used for university email and account email changes are stored as SHA-256 hashes with short expiration windows (15 minutes) and are single-use.
  • File uploads (photos, avatars) are stored in Supabase Storage with public read access for listing display purposes.
  • All data in transit is encrypted via TLS/HTTPS.
  • Admin access to internal tools is protected by a separate authentication mechanism with HTTP-only, secure cookies.

While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately at support@findmysublet.com.

6. Data Retention

We retain your personal information as follows:

  • Account data: Retained for as long as your account is active. When you delete your account, your profile, listings, and saved listings are removed from the Platform. Residual data may persist in system backups for up to 30 days before being overwritten.
  • Messages: Retained as part of conversation history. Deleted conversations may persist in database backups for up to 30 days.
  • Verification records: OTP verification records expire automatically and may be periodically purged.
  • Contact messages and reports: Retained for customer support and moderation purposes until manually deleted by our team.
  • Local storage: Draft listing data stored in your browser’s localStorage is cleared upon successful submission, or can be cleared by you at any time through your browser settings.
  • Trust & safety records: Notwithstanding the above, we reserve the right to retain listings, messages, reports, account metadata, IP address logs, device data, and investigation records for as long as reasonably necessary where: (a) fraud, abuse, or safety incidents are under investigation; (b) a credible legal claim exists or is reasonably anticipated; (c) we are required to do so by applicable law or court order; or (d) retention is necessary to protect the safety of other users. This override applies even if you have deleted your account.

7. Your Rights & Choices

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Update inaccurate or incomplete information via your Dashboard settings.
  • Deletion: Delete your account and associated data through Dashboard > Settings > Security > Danger Zone. Note that some records may be retained for trust & safety or legal purposes as described in Section 6.
  • Portability: Request your data in a structured, machine-readable format.
  • Opt-out: You can modify your login email, phone number, or university email at any time. Changing these will reset the associated verification status.

To exercise any of these rights, contact us at support@findmysublet.com or use our contact form. We will respond within 30 days.

8. Cookies & Local Storage

FindMySublet uses a minimal set of cookies and browser storage:

Name / Type | Purpose | Duration
Supabase Auth cookies | Session management & authentication | Session / refresh token lifetime
fms_oauth_next | Post-OAuth redirect path | 10 minutes
admin_session | Admin panel authentication | 24 hours
Vercel Analytics | Anonymized page view analytics (no cross-site tracking, no persistent identity cookie) | Session-scoped / no persistent cookie
localStorage (draft listing) | Saves in-progress listing form data locally | Until submission or manual clear

We do not use advertising cookies, tracking pixels, or behavioral profiling. You can clear cookies and local storage at any time through your browser settings.

9. U.S. State Privacy Rights

Depending on the U.S. state in which you reside, you may have additional privacy rights under applicable state law. We extend the rights described below to all U.S. residents to the extent required by applicable law, regardless of state:

  • Right to know / access: You may request information about the categories and specific pieces of personal information we have collected, the sources of that information, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to delete: You may request deletion of your personal information, subject to certain exceptions (including trust & safety retention described in Section 6).
  • Right to correct: You may request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: We do not sell personal information or share it for cross-context behavioral advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising any of these rights.
  • Right to appeal: If we decline to act on a privacy request, you may appeal our decision by contacting support@findmysublet.com with the subject line “Privacy Rights Appeal.”

These rights apply to residents of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with applicable consumer privacy laws to the extent each law requires. To submit a verifiable consumer request, email us at support@findmysublet.com with the subject line “State Privacy Request.” We will respond within the timeframe required by your state’s law.

10. Children’s Privacy

FindMySublet is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from minors. If we learn that we have collected information from a user under 18, we will take steps to delete that information promptly. If you believe a minor has provided us with personal data, please contact us immediately.

11. International Users

FindMySublet is operated from the United States. If you access the Platform from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your home country. By using the Platform, you consent to this transfer.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the “Last updated” date. For material changes, we will provide notice via email or a prominent notice on the Platform. Continued use after changes constitutes acceptance of the revised policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: