Privacy Policy
BAU ENTERPRISES LLC — Version 1.0 — Effective February 23, 2026
1. Introduction
Valzotra (“we,” “us,” or “our”) operates the Valzotra platform (valzotra.com and app.valzotra.com), a tax compliance platform for short-term rental hosts. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our services.
By using Valzotra, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use our services.
2. Information We Collect
2.1 Information You Provide
- Account information: Name, email address, and password when you create an account.
- Property information: Property addresses, descriptions, and operational details you enter to manage your short-term rentals.
- Compliance records: Work logs, mileage logs, expense records, revenue entries, and receipt uploads that you create for tax compliance purposes.
- Reservation information: Guest names, contact details, check-in/check-out dates, and booking details you enter or import.
- Team information: Names and email addresses of team members you invite to your account.
- Billing information: Payment details are collected and processed by Stripe, our payment processor. We do not store credit card numbers.
- Communications: Messages you send through our support channels.
2.2 Information from Financial Institutions (via Plaid)
When you choose to connect a bank account or credit card through our integration with Plaid Inc. (“Plaid”), we collect the following information from your financial institution(s):
- Account information: Account name, type (checking, savings, credit), institution name, and masked account number (last 4 digits only).
- Transaction data: Transaction date, amount, merchant/vendor name, payment channel, and transaction category for up to 24 months of history.
We use this information solely to import and categorize your business transactions for tax compliance purposes. We access your financial data through Plaid's secure, tokenized API. We never receive or store your bank login credentials. By connecting your accounts, you authorize Plaid to access this information on your behalf in accordance with Plaid's Privacy Policy.
You can disconnect your financial accounts at any time from Settings, which immediately revokes our access to your financial data.
2.3 Information Collected Automatically
- Usage data: Pages visited, features used, and actions taken within the platform.
- Device information: Browser type, operating system, and device identifiers.
- Log data: IP addresses, access times, and referring URLs.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing our services: Operating the Valzotra platform, including compliance tracking, expense management, revenue tracking, and tax reporting tools.
- Financial data import: Automatically importing and categorizing bank transactions as business expenses or rental income for IRS Schedule E compliance reporting.
- Account management: Managing your account, authentication, billing, and subscription.
- Communication: Sending transactional emails (password resets, account notifications, export confirmations) and responding to support requests.
- Security: Detecting and preventing fraud, unauthorized access, and other security incidents.
- Improvement: Analyzing usage patterns to improve our platform, fix bugs, and develop new features.
- Legal compliance: Meeting legal, regulatory, and tax reporting obligations.
We do not use your information for:
- Advertising or marketing to third parties
- Selling or renting your personal information
- Building consumer profiles for credit decisions
- Any purpose unrelated to providing our services to you
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:
4.1 Service Providers
We use trusted third-party services to operate our platform. These providers only access your data as necessary to perform services on our behalf and are contractually obligated to protect it:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, file storage | Account data, compliance records, uploaded files |
| Plaid | Bank account connectivity | Financial account tokens (we do not share your Valzotra data with Plaid) |
| Stripe | Payment processing | Billing details (name, email, payment method) |
| Railway | API hosting | Data processed in memory during API requests |
| Vercel | Frontend hosting | Session tokens, page requests |
| Resend | Transactional email | Email addresses, email content |
| Anthropic (Claude) | AI-powered transaction classification | Transaction descriptions and amounts (no PII) |
4.2 Legal Requirements
We may disclose your information if required by law, regulation, legal process, or governmental request, including to comply with IRS reporting requirements or respond to lawful subpoenas.
4.3 Business Transfers
If Valzotra is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
4.4 With Your Consent
We may share information with third parties when you explicitly consent to such sharing.
5. Data Security
We implement industry-standard security measures to protect your information:
- Encryption in transit: All data is transmitted over TLS 1.2 or higher.
- Encryption at rest: All data stored in our database and file storage is encrypted at rest. Highly sensitive credentials (such as financial account tokens) receive additional application-level AES-256-GCM encryption.
- Tenant isolation: Your data is isolated from other users at the database level using Row-Level Security policies. Other users cannot access your data, even in the event of an application-level bug.
- Authentication: Secure password hashing, JWT-based session management, and optional TOTP multi-factor authentication.
- Access control: Role-based access control, principle of least privilege, and regular access reviews.
- Audit logging: Security-relevant actions are logged for monitoring and incident response.
For more details, see our Information Security Policy, available upon request.
6. Data Retention
We retain your information for as long as your account is active, plus the following periods after account deletion:
- Account data: Deleted within 30 days of account closure.
- Financial and compliance records: Retained for up to 7 years after deletion request, consistent with IRS record-keeping requirements for tax documentation.
- Financial account connections: Access tokens are revoked immediately upon disconnection or account deletion.
- Audit logs: Retained for 3 years for security and compliance purposes.
- Application logs: Retained for 90 days for operational purposes.
7. Your Rights and Choices
7.1 Access and Export
You can access all data in your account through the Valzotra dashboard. You can export your compliance data (work logs, mileage, expenses, revenue) as CSV files at any time.
7.2 Correction
You can update your personal information, property details, and compliance records directly through the platform.
7.3 Deletion
You can request deletion of your account and all associated data by contacting us at privacy@valzotra.com. Upon receiving a verified deletion request, we will delete your data in accordance with the retention schedule above.
7.4 Disconnect Financial Accounts
You can disconnect any linked bank account or credit card at any time from Settings. Disconnecting immediately revokes our access to new transaction data from that institution. Previously imported transactions that you approved remain in your compliance records unless you delete them.
7.5 Opt-Out of Communications
You can opt out of non-essential communications at any time. Transactional emails related to your account security and service operation cannot be opted out of while your account is active.
8. Cookies and Tracking
Valzotra uses essential cookies for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics that follow you across other websites. We do not serve advertisements in our products.
9. Children's Privacy
Valzotra is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will delete it promptly.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information we collect, use, and disclose.
- Right to delete your personal information, subject to certain exceptions.
- Right to opt out of the sale of personal information. We do not sell your personal information.
- Right to non-discrimination for exercising your privacy rights.
To exercise these rights, contact us at privacy@valzotra.com.
11. International Users
Valzotra is operated from the United States. If you access our services from outside the United States, your information will be transferred to and processed in the United States. By using our services, you consent to this transfer.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last Updated” date. For significant changes, we will provide additional notice through the platform or via email.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Email: privacy@valzotra.com
Website: https://valzotra.com
BAU ENTERPRISES LLC — O'Fallon, Illinois, United States