Skip to main content
Onfile

Privacy Policy

Effective May 1, 2026

OnFile is operated by Lozort Federal LLC, a Texas limited liability company based in Houston, Texas (“we”, “our”, “OnFile”). We provide software that helps property managers and general contractors collect, track, and renew vendor compliance documents. This Privacy Policy explains what information we collect, why we collect it, and how you can manage it. We aim to keep this document short and plain-English — if anything is unclear, email us at privacy@getonfile.com.

Information we collect

Account information

When you create an account we collect your name, email address, organization name, and (optionally) profile information you choose to add.

Vendor records and documents

Customers upload vendor contact information and compliance documents (certificates of insurance, W-9s, licenses, and similar). These records are stored in our customers’ isolated workspaces and accessible only to members of that organization.

Usage data

We log standard product telemetry — pages viewed, features used, and approximate location derived from IP address — to operate the service, detect abuse, and improve the product.

Payment information

Subscriptions are billed through Stripe. We never see or store full payment card numbers; Stripe handles payment processing and stores those details on our behalf.

How we use information

  • To provide, maintain, and secure the OnFile service.
  • To send transactional and compliance reminder emails to vendors and customers.
  • To respond to support requests and communicate with you about your account.
  • To detect, prevent, and respond to fraud, abuse, and security incidents.
  • To comply with our legal obligations.

We do not sell your personal information, and we do not use vendor compliance documents to train any general-purpose AI models.

Sharing

We share information only with:

  • Subprocessors we use to operate OnFile (listed below). Each is contractually bound to handle data only on our instructions and maintains its own published privacy and security commitments.
  • Legal authorities, if required by valid legal process.
  • An acquirer, if OnFile is acquired or merged. We will notify you before such a transfer takes effect.

Subprocessors

We engage the following third parties to process Customer Data on our behalf. We update this list before engaging a new subprocessor.

  • Supabase, Inc.— managed Postgres database and encrypted object storage. Stores account records, vendor records, and uploaded compliance documents. Region: US (us-east-1).
  • Resend (Plus Five Five, Inc.)— transactional email. Receives recipient email addresses, subject lines, and message bodies for vendor reminders, team invites, password resets, and digests.
  • Stripe, Inc.— subscription billing and payment processing. Receives the billing email and tokenized payment-method identifiers; OnFile never sees full payment-card numbers.
  • OpenAI, L.L.C.— document text extraction (OCR). Receives the contents of compliance documents you upload to extract structured fields (expiration dates, policy limits, etc.). Documents may contain vendor-supplied PII (names, license numbers, insurance carrier details). Inputs are not used to train OpenAI’s models per OpenAI’s API data-usage policy. Customers may disable extraction at any time for their organization.
  • Vercel Inc.— application hosting, request serving, and product analytics (anonymous page views and Web Vitals).
  • Sentry / Functional Software, Inc.— error monitoring. Receives stack traces and request metadata; configured to scrub email addresses, file names, and OCR-extracted fields before ingestion.
  • PostHog Inc.— product analytics. Receives anonymous page views, signup events, and plan-change events tied to an organization identifier.

Document storage and AI extraction

Documents are stored in encrypted object storage. When a document is uploaded, we may run an AI extraction step that reads the document and pulls structured fields (expiration dates, policy limits, etc.). Extraction inputs are not used to train the underlying model. Customers may disable extraction at any time for their organization.

Data retention

We retain account, vendor, and document records for as long as your account is active. When an account is deleted, we delete or anonymize associated information within 30 days, except where retention is required for legal, accounting, or audit purposes.

Your choices

  • You can update your profile information from the settings page.
  • You can export your data by contacting support.
  • You can request account deletion at any time from Settings → Account. Deletion is scheduled for 30 days after the request to allow recovery; after that period your account and associated personal data are hard-deleted. If you are the owner of an organization, you must transfer ownership before deleting.

Security

OnFile uses industry-standard security practices: encrypted connections (HTTPS), encrypted storage at rest, role-based access controls, and row-level isolation between organizations. No system is perfect — if you discover a vulnerability, please report it to security@getonfile.com.

Children

OnFile is not intended for children under 13 and we do not knowingly collect their information.

Changes

We may update this policy from time to time. If changes are material, we will notify account owners by email or in-app notice before they take effect.

Contact

Questions? Email privacy@getonfile.com.