PriceTilt

Security & Trust at PriceTilt

Version 1.0 · Effective: June 2, 2026 · Last updated: June 2, 2026

PriceTilt is built on AWS and follows AWS Well-Architected security practices. We treat user data and our methodology IP with care, because we have to --- and because acquirer-ready products do. Here’s what we do.

Our Security Posture in Plain Language

Your data is encrypted. Everything you submit to PriceTilt is encrypted in transit (TLS 1.3) and at rest (AES-256). AES-256 is the NIST-standardized cipher (FIPS 197) that banks and U.S. federal systems rely on.

We never see your password. You can sign in with Google or with an email and password. When you use a password, it is hashed and managed by AWS Cognito (Amazon’s identity service) --- PriceTilt never sees or stores your plaintext password. When you use Google, authentication happens at Google and we never receive your password.

We don’t track you across the web. PriceTilt does not use third-party advertising trackers, cross-site behavioral analytics, or fingerprinting. We rely on standard server logs (in AWS CloudWatch) for security, reliability, and aggregate operational metrics --- and that’s it.

We don’t sell your personal information. We may share aggregated, de-identified market insights for research and commercial purposes, but never information that identifies you. See our Privacy Policy for details.

We don’t share your chat conversations. Your conversations with PriceTilt are processed by AWS Bedrock to generate responses. Per AWS’s commercial terms, your inputs and outputs are not used to train any model. Your chat history is yours.

We don’t collect protected demographic information. PriceTilt does not collect or use information about your race, religion, national origin, family status, disability, or other protected characteristics. Our scoring methodology and chat features are designed to be Fair Housing Act compliant by design.

The Technical Details

If you’re a security professional, IT administrator, or just curious, here’s the deeper look.

Authentication

PriceTilt uses AWS Cognito User Pools. You can sign in with an email address and password or via Google (additional federated providers may be added over time). Cognito handles:

  • OAuth 2.0 / OpenID Connect flow with the identity providers
  • ID, access and refresh token issuance and validation (RS256-signed JWTs; the public keys are published at the user pool’s JWKS endpoint, so signing keys can rotate without a client change)
  • Email verification for email/password sign-up, and self-service password reset
  • Password hashing and storage (PriceTilt never sees your plaintext password)
  • Session timeout and refresh

For Google sign-in, any multi-factor authentication you enable at Google applies. PriceTilt does not currently add a separate MFA layer at the application level. If you wish to revoke PriceTilt’s access to your Google account, you can do so through your Google account settings.
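The validation a PriceTilt backend component has to perform on every request is worth seeing end to end. The block below is an added example, not PriceTilt’s code or AWS’s: it substitutes HS256 shared secrets for Cognito’s RS256 keys so that it runs on the Python standard library alone, and the pool id, client id, key ids and secrets are constructed placeholders. The checks are the ones that matter with real Cognito tokens: an algorithm allowlist (so `alg: none` and downgrade headers are rejected before anything else), key lookup by `kid` so two keys can overlap during rotation, constant-time signature comparison, expiry, issuer, and the `aud`/`client_id` plus `token_use` distinction between ID and access tokens.

```python
"""Cognito-style JWT validation with key lookup by kid (added example).

Assumptions, not from the page: HS256 shared secrets stand in for Cognito's
RS256 keys so this runs on the standard library alone; real Cognito tokens are
RS256 and verified against the user pool's JWKS document at
https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json.
Pool id, client id, key ids and secrets are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"       # placeholder
APP_CLIENT_ID = "example-app-client-id"  # placeholder
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

# Two keys are live at once: the verifier selects by `kid`, so rotation is
# "publish the new key, issue tokens under it, retire the old key later".
KEY_SET: Dict[str, bytes] = {
    "key-2026-05": b"previous-secret-placeholder",
    "key-2026-06": b"current-secret-placeholder",
}
ALLOWED_ALGS = {"HS256"}  # fixed allowlist; never trust the header's alg alone


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, kid: str) -> str:
    """Issuer side: sign `claims` under key `kid` (the part Cognito does for us)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(KEY_SET[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims of a valid token, or raise ValueError.

    Order matters: algorithm and key are checked before the signature, and
    the signature before any claim is trusted.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:   # blocks alg=none and downgrades
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    key = KEY_SET.get(header.get("kid"))
    if key is None:                              # retired or never published
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # Cognito puts the app client id in `aud` on ID tokens and in `client_id`
    # on access tokens; `token_use` says which kind you are holding.
    use = claims.get("token_use")
    if use == "id" and claims.get("aud") == APP_CLIENT_ID:
        return claims
    if use == "access" and claims.get("client_id") == APP_CLIENT_ID:
        return claims
    raise ValueError("token not issued for this app client")


def is_valid(token: str, now: Optional[float] = None) -> bool:
    try:
        verify_token(token, now)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    tok = mint_token({"sub": "user-123", "iss": ISSUER, "aud": APP_CLIENT_ID,
                      "token_use": "id", "exp": int(time.time()) + 3600},
                     "key-2026-06")
    print(verify_token(tok)["sub"])
```

With real tokens, fetch the JWKS document once, cache the keys by `kid`, and refetch on an unknown `kid` before rejecting the token; that refetch is what lets the user pool rotate keys without a deploy on PriceTilt’s side.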

Data Encryption

In transit: All communication between your browser and PriceTilt servers uses TLS 1.3 (HTTPS). We do not support unencrypted HTTP for any portion of the Service. HTTP Strict Transport Security (HSTS) is enabled.

At rest: All data stored in PriceTilt’s systems is encrypted using AES-256 with AWS-managed keys:

  • Account information in AWS Cognito (Cognito-managed encryption)
  • Saved reports and chat history in AWS DynamoDB (AWS-managed encryption, AES-256)
  • Cached property data and report payloads in AWS S3 (S3-managed encryption)
  • API keys and secrets in AWS Secrets Manager (Secrets Manager-managed encryption)

Network Security

PriceTilt runs on AWS serverless infrastructure (AWS Lambda behind API Gateway, with the frontend served via AWS Amplify/CloudFront over TLS). Data stores (DynamoDB, S3) are not publicly accessible and are reachable only by our authorized application components through least-privilege AWS IAM permissions.

Rate limiting and a daily usage cap are applied to prevent abuse.
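One way to implement that pair of limits, as an added example rather than PriceTilt’s code: a sliding one-minute window plus a per-UTC-day counter, both keyed on the authenticated user’s Cognito `sub` instead of the client IP, so the cap follows the account (it cannot be dodged by switching networks, and users behind a shared NAT are not penalised for one abuser). The limits, the in-memory store and the injected clock are illustrative assumptions; a serverless deployment would keep these counters in a DynamoDB table with a TTL attribute rather than in Lambda memory.

```python
"""Per-user rate limit plus daily usage cap (added example, not PriceTilt's).

Assumptions: limit values, the in-memory store and the explicit `now`
argument are illustrative; production state would live in DynamoDB with a TTL.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, Tuple


class UsageLimiter:
    def __init__(self, per_minute: int, per_day: int) -> None:
        self.per_minute = per_minute
        self.per_day = per_day
        # Timestamps of recently allowed requests, per user (sliding window).
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        # Allowed-request count per (user, UTC day).
        self._daily: Dict[Tuple[str, str], int] = defaultdict(int)

    @staticmethod
    def _day_key(now: float) -> str:
        # Reset at UTC midnight, independent of the caller's local time zone.
        return datetime.fromtimestamp(now, tz=timezone.utc).strftime("%Y-%m-%d")

    def check(self, user_sub: str, now: float) -> Tuple[bool, str]:
        """Return (allowed, reason). Only allowed requests consume budget,
        so a user who is already blocked cannot extend their own block."""
        window = self._recent[user_sub]
        while window and window[0] <= now - 60:   # drop entries older than 60s
            window.popleft()
        if len(window) >= self.per_minute:
            return False, "rate_limited"
        day = (user_sub, self._day_key(now))
        if self._daily[day] >= self.per_day:
            return False, "daily_cap"
        window.append(now)
        self._daily[day] += 1
        return True, "ok"

    def remaining_today(self, user_sub: str, now: float) -> int:
        """Useful for an X-RateLimit-Remaining style response header."""
        return max(0, self.per_day - self._daily[(user_sub, self._day_key(now))])


if __name__ == "__main__":
    lim = UsageLimiter(per_minute=3, per_day=5)
    t0 = 1_800_000_000.0   # constructed timestamp, 08:00 UTC
    for i in range(6):
        print(i, lim.check("sub-user-123", t0 + i))
```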

Access Controls

PriceTilt follows the AWS Well-Architected security pillar:

  • Least-privilege IAM roles. Each service component (Lambda functions, API Gateway, etc.) runs with the minimum permissions needed to perform its function. No service has broad “admin” access.
  • Environment isolation. Dev and prod environments are separate AWS resource stacks with isolated IAM, networking, and data. Code is tested in dev before deployment to prod.
  • Secrets management. All API keys (ATTOM, Tavily, Stripe, etc.) are stored in AWS Secrets Manager. Keys are never committed to source control or stored in environment variables.
  • Audit logging. All API calls within AWS are logged via AWS CloudTrail. Application-level events are logged to CloudWatch with 30-day retention.
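What “minimum permissions” looks like in a role policy, together with a check you can run in CI against every policy document before it reaches prod. This is an added example and not PriceTilt’s own policy or tooling: the account id and the table, bucket and secret ARNs are constructed placeholders, and the check is a structural linter that catches the common over-grants, not a replacement for IAM Access Analyzer.

```python
"""Least-privilege IAM policy check (added example, not PriceTilt's code).

Assumptions: account id, table, bucket and secret names are constructed
placeholders. The checker flags what "minimum permissions" forbids:
wildcard actions, service-wide wildcards, and unscoped resources.
"""
from typing import Dict, List

ACCOUNT = "123456789012"  # constructed placeholder
REGION = "us-east-1"

# Scoped policy for a report-generation Lambda: only the calls it makes,
# only on the resources it owns. Placeholder ARNs, not PriceTilt's real ones.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReportsTable",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            "Resource": f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/reports",
        },
        {
            "Sid": "PropertyCache",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::property-cache-bucket/attom/*",
        },
        {
            "Sid": "DataProviderKey",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            # Secrets Manager appends a random suffix to secret ARNs, so the
            # trailing wildcard is the documented way to name one secret.
            "Resource": f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:prod/attom-*",
        },
    ],
}

# The shape to refuse in review: "works in dev", grants far more than needed.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:*", "s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
    ],
}


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the policy passes."""
    findings: List[str] = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        label = stmt.get("Sid", f"statement[{idx}]")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"{label}: Action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"{label}: service-wide wildcard {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{label}: Resource '*' is not scoped to an ARN")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{label}: NotAction/NotResource grants are hard to bound")
    return findings


if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, least_privilege_findings(policy) or "OK")
```

Pair a check like this with the environment split described above: the dev and prod stacks get separate role policies, and a policy that fails the check in dev never gets promoted.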

Data Handling

Where your data lives. Your account information, saved reports, chat history, and scoring records are stored in AWS DynamoDB in the us-east-1 region (Northern Virginia). Raw API responses from ATTOM are cached in AWS S3 in the same region. Both are encrypted at rest.

Who has access. Only authenticated PriceTilt services running in our AWS account can read your data. PriceTilt staff have limited access through audited admin tools, used only for support purposes (resolving a billing question, debugging an error you reported, etc.). All staff access is logged.

Data retention. See our Privacy Policy for specific retention periods. Key highlights:

  • Account information: lifetime of your account + 7 years
  • Chat conversations: lifetime of your account; removed when you delete your account
  • Saved reports: lifetime of your account
  • Server logs: 30 days
  • Aggregated/de-identified data (calibration corpus): indefinite

Data deletion. You can delete your account yourself at any time from your account settings. Deletion is immediate --- it removes your account identity and associated data (profile, saved properties, alerts, chat history) and cancels any active subscription. Residual copies in backups and logs are purged within 30 days. De-identified scoring data that is not linked to you is retained as described in our Privacy Policy.

AI/LLM Privacy

PriceTilt’s chat and report generation features are powered by Anthropic’s Claude models accessed through AWS Bedrock. Specifically:

  • Your inputs to PriceTilt are processed by Anthropic Claude through AWS Bedrock to generate responses.
  • Per AWS Bedrock’s commercial terms, your inputs and outputs are not used to train Anthropic’s foundation models. AWS does not retain or share your inputs with Anthropic or any third party for training purposes.
  • AWS Bedrock Guardrails wrap every LLM invocation to filter PII, enforce Fair Housing rules, and prevent disclosure of PriceTilt’s proprietary methodology.
  • LLM responses are logged temporarily (for debugging and quality monitoring) but are deleted after 30 days per our retention policy.

Property Data Source Integrity

Property data displayed in PriceTilt comes from licensed and public sources:

  • ATTOM Data Solutions: licensed commercial property data (deeds, AVMs, tax assessments, building permits, flood-zone designation, etc.), which itself draws on government and public records
  • Public web content via our web-search component (free tier), with an explicit blocklist of listing sites whose terms prohibit automated access
  • Federal Reserve Economic Data (FRED): mortgage-rate reference data

We do not scrape Zillow, Redfin, Realtor.com, or any other commercial real estate listing site whose terms of service prohibit automated access; those domains are on the blocklist the free-tier web search component enforces.

This isn’t just a security posture; it’s a brand commitment. PriceTilt is built to be acquired by a serious real estate or proptech company, and a clean data-sourcing posture is a precondition for that.

Payment Security

Payment processing is handled by Stripe, a PCI DSS Level 1 certified processor. PriceTilt:

  • Does not store your credit card number, expiration date, CVV, or any other card data
  • Stores only your Stripe customer identifier and subscription status
  • Uses Stripe’s hosted payment forms (Stripe Checkout) --- your card data goes directly from your browser to Stripe, not through PriceTilt’s servers

You can find Stripe’s security practices at stripe.com/docs/security.

Vulnerability Disclosure

If you believe you’ve identified a security vulnerability in PriceTilt, please report it to security@pricetilt.com. We commit to:

  • Acknowledge your report within 5 business days
  • Investigate and respond with a resolution plan within 30 days
  • Credit the reporter in our security disclosures (with your permission), unless you prefer anonymity

We do not currently offer a bug bounty program but may add one as the Service matures.

Compliance

PriceTilt’s data practices comply with:

  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Other applicable U.S. state privacy laws (Virginia, Colorado, Connecticut, Texas, Oregon, Washington, etc.)
  • Fair Housing Act --- both in our methodology (which excludes protected-class information from scoring) and in our AI safeguards (Bedrock Guardrails enforce Fair Housing posture)

PriceTilt is intended for use by U.S. residents only. We do not currently support EU users and have not undertaken GDPR compliance. If you are accessing PriceTilt from outside the U.S., your information will be processed in the U.S.

Third-Party Service Providers

PriceTilt relies on the following providers, each with their own security posture:

  • Amazon Web Services (AWS) --- hosting, database, authentication, AI (Bedrock), maps/address lookup (Location Service), logging/monitoring, secrets management. See AWS’s security overview at aws.amazon.com/security.
  • Stripe --- payment processing. PCI DSS Level 1 certified.
  • ATTOM Data Solutions --- licensed property data provider.
  • Tavily --- web search provider for free-tier reports.
  • Federal Reserve Economic Data (FRED) --- mortgage-rate reference data.

We carefully select service providers and contractually require them to maintain appropriate security practices for the data they handle.

Incident Response

In the event of a security incident affecting your data, we will:

  • Investigate promptly and contain the issue
  • Notify affected users by email within 72 hours of confirming the incident
  • Report the incident to applicable regulatory authorities as required by law
  • Publish a post-incident summary on this Trust page once the issue is resolved

Frequently Asked Questions

Can PriceTilt see my conversations with the chatbot?

PriceTilt staff do not have routine access to your chat conversations. Conversations are stored encrypted in our database and used only to provide the Service to you (e.g., enabling cross-session memory for paid users). Logs from chat interactions are retained for 30 days for debugging and quality monitoring. PriceTilt staff may access chat data only for limited support purposes (e.g., debugging an error you reported), and such access is logged.

Are my conversations used to train AI models?

No. Anthropic Claude (accessed via AWS Bedrock) does not train on Bedrock inputs or outputs per AWS’s commercial terms. Your conversations stay private to PriceTilt.

What happens to my data if PriceTilt is acquired?

Per our Privacy Policy, your data may transfer to the acquiring entity in connection with a merger, acquisition, or sale of assets. The acquiring entity will be bound by our privacy commitments or will notify you of any material changes. This is standard practice for SaaS products and is part of how PriceTilt is built to be acquired by a serious real estate or proptech company.

Can I export my data?

You can share a report via a shareable link. For a copy of your data (account information, saved properties, chat history), contact us at privacy@pricetilt.com and we will respond within the timeframe required by applicable law. Self-service data export is on our roadmap.

Can I delete my data?

Yes. You can delete your account yourself at any time from your account settings; deletion is immediate. It removes your account identity and associated data (profile, saved properties, alerts, chat history) and cancels any active subscription; residual copies in backups and logs are purged within 30 days. Aggregated and de-identified data not linked to you may be retained indefinitely as it is no longer personal information.

Where is my data physically located?

PriceTilt data is stored in AWS data centers in the us-east-1 region (Northern Virginia). Backups are kept in the same region. We do not currently replicate data to other AWS regions.

Does PriceTilt support two-factor authentication?

If you sign in with Google, any two-factor authentication you enable at Google applies. PriceTilt does not currently add a separate MFA layer for email/password accounts; application-layer MFA is on our roadmap. We recommend a strong, unique password --- or signing in with Google with 2FA enabled --- for the strongest account security.

What about COPPA (Children’s Online Privacy Protection Act)?

PriceTilt is not directed to children under 18 and we do not knowingly collect information from individuals under 18. If we learn that we have collected information from a person under 18, we will delete it. PriceTilt is not subject to COPPA’s compliance requirements for child-directed services.

What about HIPAA, FERPA, or other regulated data?

PriceTilt does not handle protected health information (HIPAA), educational records (FERPA), or other specifically regulated data categories. Do not submit such data to the Service.

Is PriceTilt SOC 2 certified?

PriceTilt is not currently SOC 2 certified. We follow many of the controls associated with SOC 2 (encryption, access controls, audit logging, etc.) and will pursue a SOC 2 report when commercial demand justifies the cost. AWS, our primary infrastructure provider, holds SOC 1, SOC 2 and SOC 3 reports, ISO 27001, 27017 and 27018 certifications, and PCI DSS and FedRAMP authorizations, and offers HIPAA-eligible services. Those attestations cover AWS’s side of the shared-responsibility model, not PriceTilt’s configuration on top of it.

Contact

For security questions or to report a vulnerability: security@pricetilt.com
For privacy questions or data requests: privacy@pricetilt.com
For general support: support@pricetilt.com


PriceTilt LLC, [Mailing address --- to be set after entity formation], Seattle, WA.

PriceTilt

The buyer's intelligence layer for residential real estate.

Built by Tech Reformers LLC, Seattle.


Legal & trust

PriceTilt is a research tool, not financial or legal advice.

Public records and licensed data only — no scraping.

  • Privacy
  • Terms
  • Security & trust
  • support@pricetilt.com