1. Who we are
Knockhaus, Inc. (“Knockhaus”, “we”, “us”) operates the Knockhaus platform at knockhaus.app and the companion iOS app. We act as a data processor for data your organization (the “Customer”) uploads or generates through the platform, and a data controller for data we collect directly (e.g. when you contact us). This policy covers both.
2. What we collect
Account data
Name, email, role, organization membership, authentication tokens, and payment method (stored by Stripe, not by us).
Customer-submitted content
Territory polygons, pin dispositions, notes a rep captures at a door, contact details a homeowner volunteers via a rep's public card, contracts, commission plans, chat messages, and training content an admin publishes.
Device + usage data
IP address, user agent, pages visited, feature clicks, crash reports. We keep this minimal and never fingerprint devices for advertising.
Location
If a rep enables location in iOS, we log the coordinates of each knock for territory analytics and for auditing commission disputes (“was the rep actually at 412 Oak?”). Location collection is always explicit; it can be revoked in iOS Settings at any time.
Cookies
See the cookie policy for the full breakdown. Summary: a small set of necessary cookies for auth, optional analytics, and no advertising cookies.
3. How we use it
- To run the core product (map tiles, saving pins, sending cadence emails).
- To bill you and pay your reps through Stripe Connect.
- To send service emails (receipts, security alerts, legally-required notices).
- To improve the product — aggregated usage only, never reading your customer-submitted content for model training.
- To investigate abuse, enforce our acceptable-use policy, and protect users.
- To respond to legal process when required.
We do not sell personal information, and we do not use customer content to train generative AI models beyond the specific request the owner/manager submits (e.g. “explain this commission line”).
4. Who we share it with
Only the subprocessors listed on the live subprocessors page, each bound by their own DPA. A few highlights:
- Supabase — database, auth, file storage.
- Stripe — subscription billing + commission payouts.
- Resend / Twilio — email + SMS delivery.
- Mapbox — map tiles, geocoding, parcel data.
- Anthropic — AI assistance for commission + plan features (owner-initiated).
- Dropbox Sign — e-signature for contracts.
We will also disclose information when compelled by a valid subpoena or court order. We'll notify the affected customer first unless legally prohibited.
5. Where the data lives
Primary storage is in the United States (AWS us-east-2). Edge requests to the marketing site may transit other regions via our hosting CDN. For EU/UK personal data transferred to the U.S., we rely on the European Commission's Standard Contractual Clauses and our subprocessors' Data Privacy Framework certifications where applicable.
6. How long we keep it
- Account + customer content — as long as your org is active, plus 30 days after deletion.
- Billing records — 7 years (required for U.S. tax purposes).
- Server logs — 30 days, then anonymized.
- Backups — up to 90 days, encrypted at rest.
7. Your rights
All users
- Access — get a copy of the data we hold about you.
- Correct — fix anything that's wrong.
- Delete — permanent deletion on request (subject to retention above).
- Export — a structured JSON copy of your account and customer content.
- Object — to any specific processing activity.
EU/UK (GDPR)
You may also restrict processing, lodge a complaint with your local supervisory authority, and withdraw consent for consent-based processing at any time.
California (CCPA/CPRA)
You may request the categories, sources, and purposes of collection. You also have the right to know specific pieces, the right to delete, the right to correct, and the right to opt out of “sales” and “sharing” as defined under the CCPA. We do not sell or share personal information, so the opt-out is informational. We do not discriminate against users who exercise these rights.
How to exercise them
Email privacy@knockhaus.app from the email associated with your account. We respond within 30 days. If someone else is acting on your behalf, we may ask for proof of authorization.
8. Security
Details live on the security page: encryption in transit and at rest, role-based access controls, audit logs, and multi-tenant isolation enforced at the database level via row-level security. That page also says plainly what we don't have today (no SOC 2 certification, no third-party pen test on record). If you think you've found a vulnerability, please email security@knockhaus.app — we aim to respond within 2 business days.
9. Children
Knockhaus is for business use. The platform is not directed at children under 16, and we don't knowingly collect data from them. If we learn we have, we'll delete it.
10. Changes
We may update this policy to reflect new features or legal requirements. Material changes will be announced via email to the org owner and via a banner in the app at least 14 days before taking effect.
11. Contact
Privacy requests: privacy@knockhaus.app. General mail: Knockhaus, Inc., 123 State Street, Orem, UT 84057, United States.