DRAFT — PENDING ATTORNEY REVIEW
This policy has not yet been reviewed by legal counsel. Do not rely on it as a final, enforceable document.
Effective Date: April 2026 · Last Updated: April 2026
SunTarget, Inc. (“SunTarget,” “we,” “us,” or “our”) operates the SunTarget platform at suntarget.ai. This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with the Service.
By using the Service, you acknowledge that you have read this Privacy Policy.
This Privacy Policy applies to:
It does not apply to the personal information of residential homeowners whose addresses are submitted to the Service by our residential customers. That homeowner data is governed by the Data Processing Agreement (DPA) between SunTarget and the applicable residential customer.
| Category | Examples | Who Provides It |
|---|---|---|
| Account information | Name, email address, company name, job title, hashed password | Commercial and residential customers |
| Billing information | Stripe customer ID (we do not store card numbers) | All subscribers |
| Building data | Building addresses, dimensions, BIM/IFC files for commercial analysis | Commercial customers |
| Campaign data | Homeowner address lists uploaded for direct mail campaigns | Residential customers |
| Communications | Emails and messages you send to brett@suntarget.ai | Any user |
| Category | Examples | Purpose |
|---|---|---|
| Usage data | Pages visited, features used, time on site | Product improvement |
| Analysis history | Buildings analyzed, report views | Service functionality |
| Log data | IP address, browser type, referring URL | Security and debugging |
| Tracking QR scans | IP address, user agent, timestamp for postcards with QR codes | Campaign analytics for residential customers |
Analytics: We use Plausible Analytics, a privacy-first analytics tool that does not use cookies and does not collect personally identifiable information or share data with third parties.
| Source | Information Received | Purpose |
|---|---|---|
| ATTOM | Property data (address, property attributes, estimated value) | Residential campaign enrichment |
| Google Solar API | Roof solar score | Residential campaign scoring |
| Mapbox | Geocoded building coordinates, footprint polygon | Commercial analysis |
| NREL PVWatts | Solar energy estimates | Commercial analysis |
| Stripe | Payment confirmation, subscription status | Billing |
We use personal information to:
We do not sell personal information. We do not use personal information for automated decision-making that produces legal effects on individuals.
When residential customers upload homeowner addresses for direct mail campaigns, SunTarget acts as a data processor on behalf of the residential customer (who is the data controller). In this capacity:
Residential customers are responsible for ensuring their use of the campaign service complies with applicable law, including CAN-SPAM, applicable state direct mail regulations, and any state privacy laws governing solicitation.
| Data Category | Retention Period |
|---|---|
| Account and billing records | Duration of subscription + 7 years (for financial compliance) |
| Commercial analysis results | Duration of subscription + 2 years, then deleted on request |
| Residential campaign homeowner addresses | 24 months after campaign close, then permanently deleted |
| Suppression list (opt-outs) | Indefinitely (required to honor opt-outs) — stored as hashed identifiers |
| Security and access logs | 90 days |
| Audit logs (admin actions) | 3 years |
You may request deletion of your personal information by submitting a Data Subject Request or contacting brett@suntarget.ai. We will process verified deletion requests within 45 days, subject to retention requirements for legal compliance and fraud prevention.
We share personal information only in the following circumstances:
We share personal information with third-party vendors who help us operate the Service:
All sub-processors are contractually required to use personal information only for the purposes of providing their services to SunTarget and to maintain appropriate security measures.
We may disclose personal information if required by law, court order, or government request, or if we believe disclosure is necessary to protect our rights, prevent fraud, or protect the safety of users or others.
In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the acquiring party. We will notify you before your information is transferred and subject to a different privacy policy.
We may share information for other purposes with your explicit consent.
We implement technical and organizational security measures including:
No security system is impenetrable. We cannot guarantee that personal information will never be accessed, disclosed, altered, or destroyed by a breach. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.
Depending on your location and applicable law, you may have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of personal information we hold about you | DSR form or email brett@suntarget.ai |
| Correction | Request correction of inaccurate personal information | DSR form or email brett@suntarget.ai |
| Deletion | Request deletion of your personal information | DSR form or email brett@suntarget.ai |
| Data portability | Request your data in a portable format | DSR form or email brett@suntarget.ai |
| Opt-out of marketing | Unsubscribe from marketing emails | Unsubscribe link in email |
| Homeowner opt-out | Opt out of future direct mail campaigns | Email brett@suntarget.ai with subject “Mail Opt-Out” |
We do not respond to Do Not Track signals as no industry standard has been established.
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.
SunTarget does not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration as defined under the CCPA.
Submit a request through our Data Subject Request form or email us at brett@suntarget.ai with the subject line “California Privacy Request.” We will respond to verifiable requests within 45 days. We may need to verify your identity via the email address associated with your account before processing your request.
The SunTarget platform does not use third-party advertising cookies. Our analytics provider (Plausible) is cookieless and does not track users across sites.
We use a session cookie (HTTP-only) to keep you logged in during your browser session. This cookie is essential for Service operation and cannot be disabled if you wish to use the Service.
QR codes on postcards generated by the residential campaign feature link to tracking URLs that log scan events (IP address, user agent, timestamp). These are used solely to provide campaign scan analytics to the residential customer who ordered the campaign.
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected such information, please contact us at brett@suntarget.ai.
The Service is hosted in the United States. If you access the Service from outside the United States, your personal information may be transferred to and processed in the United States, where privacy laws may differ from those in your country. By using the Service, you consent to this transfer.
For customers based in the European Economic Area (EEA) or United Kingdom who use the Service to process EU/UK personal data, a Data Processing Agreement (DPA) is available upon request.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or in-app notice at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
SunTarget, Inc. | suntarget.ai