Privacy Policy
Last updated July 2026.
This policy may be updated from time to time as the service or legal requirements change; when we make a material change we will provide reasonable notice and update the date above, and continued use after an update means you accept the revised policy.
1. Who we are and our roles
HOA Library is a hosted, access-controlled, full-text-searchable archive that makes a homeowners association's ("the Association") records easy for authorized members to find and view. Two parties handle information:
- The Association is the controller of its records. The Association (with its management company) owns the records, decides which records are loaded, decides which records members may view, and decides who has an account. The Association sets the access policy.
- Navecta is the processor. Navecta hosts and operates the platform and processes data on behalf of the Association, under the Association's instructions and the parties' agreement. Navecta does not decide the substance of the Association's records or who is entitled to view them.
If you have a question about your records, your account, or a correction, the Association is the right point of contact, and we route requests accordingly (see Section 8).
2. What information we collect
Member account information. Name, email address, and the role assigned to the account (member, board, management-company manager, admin, or deletion authority). Where the Association's authorized roster includes it, an account record may also carry the member's unit or property address and phone number, used to match the account to the roster and to contact the member about the service. Passwords are collected to authenticate you and are stored only as a salted hash, never in plain text; Navecta never sees or retains your plaintext password. Account membership is derived from the Association's authorized roster; being on the roster is what entitles a person to an account.
Documents and record content. The Association's records (governing documents, meeting minutes, financials made available to members, and similar), including the text extracted from them by optical character recognition (OCR) so they can be searched, and AI-generated summaries stored alongside them as a search aid.
Usage and access logs. Records of activity such as logins, document views, searches, AI questions asked, uploads, publish actions, and administrative actions, together with timestamps and account identifiers. These logs support security, the records-integrity and audit story the Association relies on, rate limiting, and troubleshooting. Standard server-side technical data (such as IP address and request metadata) is processed by our hosting provider to deliver and protect the service.
We do not ask for and do not intend to collect Social Security numbers, government ID numbers, or payment-card numbers from members through this platform. Each Association decides which records it loads; where an Association loads only member-viewable records, confidential and executive-session material is kept in its other systems and is not placed in the archive. Where a member-viewable record may still contain personal information, the platform provides a "sensitive" flag and a keyword/pattern PII scan to help administrators restrict that record (see Section 5).
HOA-authorization verification documents (self-serve signup). When someone signs up to create an Association's account through our public self-serve signup, before the account is unlocked for real data we ask them to upload documents that show they are authorized to represent that Association (for example a state corporation-commission officer filing or annual report, a management-company authorization letter, or board minutes or resolution). We collect these solely to confirm the submitter's authority to set up and administer that Association's account.
These verification documents are not part of the Association's member archive: they are stored in a restricted, access-controlled location separate from the records archive, are never shown to members or to any other Association, and can be viewed only by Navecta's review staff, through short-lived, purpose-limited links, for the purpose of the authorization review. We keep only the decision metadata (who reviewed it, when, and the outcome) for our audit records, and we delete the uploaded verification documents within 30 days after the verification is decided (approved or rejected).
3. Why we collect it and how it is used
We use the information above only to operate the service for the Association:
- to authenticate accounts and enforce role-based access;
- to store, index, search, and display the Association's records to authorized members;
- to generate AI summaries and answer member questions as a reference aid (the source document always governs);
- to maintain the records-integrity, audit, and security functions the Association requires;
- to provide notifications and platform email where enabled;
- to support, maintain, secure, and improve the service.
We do not use member data for advertising, and we do not build advertising profiles.
4. We do not sell or share your data
Navecta does not sell member data, and does not share it for any party's marketing or advertising. We do not trade, rent, or monetize member or record data. We disclose information only:
- to the Association and its authorized administrators and the HOA management company (this is their data);
- to the limited service providers that operate the platform (Section 6), under contract and only to provide the service;
- if required by law, valid legal process, or to protect the safety and integrity of the service - and, where permitted, we will inform the Association.
5. How we protect it (security)
Navecta applies defense-in-depth on enterprise-grade infrastructure:
- Encryption in transit (TLS/HTTPS, Cloudflare-terminated) and encryption at rest for stored data and documents.
- Gated access only - there is no anonymous public browsing; every account is approved against the Association's roster, and role-based permissions limit what each account can see.
- Logical tenant isolation - the Association's data is segregated from every other organization on the platform, enforced server-side on every request and independently adversarially tested; only the platform operator has cross-tenant access for operations.
- Hashed passwords - credentials are stored using PBKDF2-SHA256 with 100,000 iterations and a unique per-user salt, never in plain text, and Navecta never sees or retains the plaintext password.
- Access and activity logging to detect and investigate misuse.
- Rate limiting and abuse controls on resource-intensive endpoints.
- Public-records page and anonymous share links are off by default (opt-in only). If an Association opts in, share links are restricted, revocable, and time-limited rather than permanent public URLs, and sensitive-flagged records are excluded from share links and from any public-records view.
Honest limits. No internet-connected system can be guaranteed completely impervious. The platform runs on Cloudflare's certified, enterprise-grade infrastructure, but the HOA Library application itself has not yet undergone an independent third-party security audit or certification (for example SOC 2, ISO 27001, or HIPAA), and we do not claim those certifications. A pre-launch security hardening pass was completed, and Navecta is prepared to support a further independent security review; we apply industry-standard safeguards to keep risk at a reasonable level.
6. Third-party processors
We rely on a small number of vetted providers, used only to deliver the service:
- Cloudflare - hosting, storage, content delivery, and the AI models that power search summaries and the Ask feature. Records and data are stored on and processed through Cloudflare's infrastructure.
- Resend - delivery of transactional and notification email on the Association's behalf, where email features are enabled.
These providers process data under their own terms and contractual commitments and only to provide their service to us. No other sub-processors are used; if one is added, this section will be updated and the Association informed.
7. Data retention
- Records are retained for the duration of the agreement between Navecta and the Association, with regular backups, because permanent, accessible record-keeping is the purpose of the service. By design, published records are immutable and are not silently altered or deleted.
- Access and usage logs are retained for 12 months for security and audit purposes, then aged out.
- On termination of the agreement, the Association has 30 days to export its data; Navecta provides a full export and then deletes the Association's data from active systems within that window, subject to routine backup cycles.
8. Your rights (access, correction, deletion)
Because the Association is the controller of its records and account roster, requests are routed appropriately:
- Access - members already have direct, searchable access to the records they are entitled to view, and can bulk-download the member-viewable record set at any time.
- Account information (your name, email, role) - to review or correct it, contact the Association through its member support channel.
- Correction of a record's content - the source document governs; corrections to a published record are made by the Association publishing a superseding version, with the original retained and marked as replaced.
- Deletion - deletion of a published record is a governed action that requires the Association's authorized process; members may direct such requests to the Association. Deletion of your account can be requested through the Association.
- Where applicable state or other law grants additional rights, those requests are honored through the Association as controller, with Navecta's support as processor.
We will not unilaterally alter or delete the Association's records in response to a member request; such matters are decided by the Association under its policies and applicable law.
9. Cookies and sessions
The platform uses a session mechanism (a cookie or equivalent token) solely to keep you logged in and to operate the service securely. We do not use third-party advertising or cross-site tracking cookies.
10. Children's data
The service is intended for adult homeowners and authorized Association members and is not directed to children. We do not knowingly collect personal information from children under 13. The platform is not a children's service.
11. Breach notification
If Navecta becomes aware of a confirmed security breach affecting the Association's data, Navecta will notify the Association without undue delay, and within 72 hours of confirming a breach, with the information reasonably available, and will support the Association in meeting any notification obligations it owes its members under applicable state law (for an Arizona Association, A.R.S. Sec. 18-552) and other applicable law. The Association, as controller, is responsible for notifications it must make to affected individuals.
12. Changes to this policy
We may update or modify this Policy from time to time as the service or legal requirements change. We will provide reasonable notice of material changes through the Association, the effective date above will be updated, and continued use of the service after an update constitutes acceptance.
13. Contact
- Association (records owner / controller): your homeowners association and its management company. Members should direct records, account, access, correction, and deletion requests to the Association through its member support channel.
- Navecta (platform operator / processor): Navecta LLC. For platform and processor inquiries: [email protected].
This is Navecta LLC's current published Privacy Policy and may be revised. Navecta LLC is not a law firm and this is not legal advice.