NAAC operates a SaaS property management platform for licensed property management companies. We collect personal information from three categories of individuals.
IP addresses, browser type, operating system, pages visited, and timestamps -- used for security monitoring and platform performance.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Tenant screening | Name, SSN, DOB, address, employment, income | FCRA 604(a)(3)(F); applicant consent |
| Lease management | Applicant identity, lease terms | Contractual necessity |
| Billing and payments | Name, payment method, ledger balances | Contractual necessity |
| Communications | Email, phone, lease data | Contractual necessity; NRS 118A |
| Security and fraud prevention | IP address, session data, payment behavior | Legitimate interest |
| Legal compliance | As required by law | Legal obligation |
We do not sell personal information. Consumer report data is used only for the permissible purpose for which it was obtained.
NAAC obtains consumer reports from MicroBilt Corporation, a Consumer Reporting Agency regulated under the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.). Your rights as a consumer are described in Section 7.
After explicit written FCRA authorization, NAAC's screening waterfall accesses: iPredict (credit risk scoring, OFAC check), IBV (bank-verified income), EvictionSearch (public eviction records, 7-year lookback), and CriminalSearchV2 (public criminal records, dismissed/acquitted excluded).
Reports are obtained solely to evaluate applicants for residential tenancy under 15 U.S.C. 1681b(a)(3)(F). All API calls include GLBPurpose=TENANT_SCREENING.
Before any report is pulled, applicants complete a standalone FCRA authorization page presented outside the application wizard, with explicit consent timestamp, per 15 U.S.C. 1681b(b)(2)(A).
Before MicroBilt calls or fee collection, applicants answer criminal and eviction self-disclosure questions. If an applicant's self-disclosure indicates disqualifying history under the property's stated criteria, the application does not proceed to fee collection or report retrieval. The Subscriber is notified to take action.
Consumer report data is accessible only to authorized staff within the property management company that ordered the screening. Access is logged in our audit trail. NAAC personnel access reports only for platform operation and compliance.
NAAC does not make tenancy decisions. The property management company makes all approve/deny decisions. The platform provides structured findings and recommendation indicators; the property manager makes the final determination.
The platform provides pre-populated notice templates. The Subscriber (property manager) is solely responsible for reviewing and issuing all pre-adverse and adverse action notices per 15 U.S.C. 1681m. Pre-adverse notices include a copy of the report and CFPB summary of rights. NAAC generates notice templates pre-populated with required content. The Subscriber downloads, reviews, and sends all notices to applicants.
Consumer report data is retained for five years from terminal application state (exceeding the 25-month ECOA minimum). After five years, encrypted PII is automatically purged by a daily task. See Section 5 for details.
SSN and date of birth are encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256) before database storage. Plaintext SSN is never persisted; only the last four digits are stored in cleartext. Each record carries an encryption_key_id for future key rotation. Decryption events are logged to an immutable audit table.
The database (AWS RDS PostgreSQL 16) has storage-level AES-256 encryption, providing a second layer for all data at rest.
All client-platform communication uses TLS. Plaintext HTTP is not accepted. External provider connections (MicroBilt, Payabli, Postmark, Twilio, BlueMoon) use TLS exclusively.
The platform runs on AWS (SOC 2 Type II, ISO 27001, PCI DSS) with encrypted storage, managed database, and DDoS mitigation.
Unique identities via SuperTokens. Role-based access control. Multi-tenant data isolation scoped by organization ID. Consumer report access limited to the ordering organization. All PII access logged.
We maintain an incident response plan. Breaches affecting consumer report data or sensitive PII trigger notification per NRS 603A.220 and applicable federal law.
| Data Category | Retention | Disposal |
|---|---|---|
| Applicant SSN and DOB (encrypted) | 5 years from terminal state | Irreversibly purged (cryptographic erasure of encryption key + NULL overwrite of PII fields) |
| Consumer report records | 5 years from terminal state | Irreversibly purged (cryptographic erasure of encryption key + NULL overwrite of PII fields); records retained |
| FCRA authorization records | 5 years (ECOA min: 25 months) | Not deleted during retention period; archived after 5 years |
| Lease and tenant financial data | 7 years from lease end | Irreversibly purged (cryptographic erasure of encryption key + NULL overwrite of PII fields) |
| Payment transactions | 7 years (IRS) | Irreversibly purged (cryptographic erasure of encryption key + NULL overwrite of PII fields) |
| Audit log entries | 7 years | Irreversibly purged (cryptographic erasure of encryption key + NULL overwrite of PII fields) |
A daily automated task identifies applications in terminal state for 5+ years and overwrites encrypted SSN and DOB fields with NULL. The application record is retained; only PII is purged.
Each provider receives only data necessary for its function.
| Provider | Service | Data Shared |
|---|---|---|
| MicroBilt | Consumer reporting (credit, income, eviction, criminal) | Name, SSN, DOB, address after FCRA authorization |
| Payabli | Payment processing (PCI-DSS compliant) | ACH details, name, contact info |
| BlueMoon | Lease generation and e-signature | Identity, lease terms, property info |
| Postmark | Transactional email | Recipient name, email, message content |
| Twilio | SMS delivery | Phone number, message content |
| AWS | Cloud infrastructure (SOC 2, ISO 27001, PCI DSS) | All platform data stored and processed on AWS |
| Anthropic | AI leasing assistant | Anonymized conversation text; no PII or consumer data |
NAAC does not sell, rent, or sublicense personal information or consumer report data.
If a consumer report was obtained in connection with your application, you have the right to:
To dispute: contact privacy@naac.ai. We route disputes to MicroBilt within five business days. NAAC communicates MicroBilt's reinvestigation outcome to the applicant upon receipt.
MicroBilt Corporation -- 1640 Airport Road, Suite 115, Kennesaw, GA 30144 -- (888) 347-2425 -- microbilt.com
You may request a copy of your personal information, correction of inaccuracies, or deletion (where not required by law for FCRA, ECOA, or tax compliance). Contact privacy@naac.ai.
Note: Consumer report data collected in connection with a rental application cannot be deleted during the 5-year retention period required under FCRA and ECOA, regardless of outcome.
Tenants may update notification preferences in the tenant portal. Legally required notices (lease, late payment, adverse action) cannot be opted out of.
NAAC does not sell covered information as defined in NRS 603A.340. Nevada residents may submit a verified opt-out request to privacy@naac.ai.
In the event of a breach, we notify affected individuals and the Nevada Attorney General per NRS 603A.220.
NAAC facilitates compliance with Nevada landlord-tenant law, including statutory notice requirements, late fee limitations, and deposit handling. This policy does not diminish tenant rights under NRS 118A.
Material changes are communicated via email to registered users and a prominent notice on this page for at least 30 days. Continued use after the effective date constitutes acceptance. Prior versions available on request to privacy@naac.ai. Changes that materially affect how consumer report data is collected, used, or retained require express acceptance before continued access to screening features.
NotAnotherAiCo LLC (NAAC)
Attn: Privacy
187 E. Warm Springs Rd, STE B - NV189
Las Vegas, NV 89119
To submit a privacy request, use the contact form.
We respond to verifiable privacy requests within 45 days. For consumer report disputes, see Section 7.