Privacy Policy
Last updated: February 16, 2026
Encantame Towers Homeowners Association (“Encantame HOA,” “we,” “us,” or “our”) operates the website at encantamehoa.com (the “Portal”). This Privacy Policy explains how we collect, use, disclose, and protect the personal information of homeowners, board members, employees, and other users who access the Portal.
By accessing or using the Portal, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Portal.
1. Information We Collect
1.1 Information You Provide
- Account information: Name, email address, phone number(s), mailing address, and profile photo when you create or update your account.
- Authentication data: Passwords (stored in hashed form), two-factor authentication (2FA) preferences and recovery codes, and trusted device identifiers.
- Property information: Unit numbers, tower assignments, and ownership records associated with your account.
- Communications: Maintenance requests, concerns, feedback, and any other content you submit through the Portal.
- Documents: Insurance certificates, uploaded files, and other documents you provide.
1.2 Information Collected Automatically
- Device and browser information: Browser type, device type, and user agent string (used for trusted device identification).
- Login activity: Login timestamps, session duration, and IP addresses for security monitoring.
- Cookies: Essential cookies for authentication, session management, and trusted device recognition. We do not use advertising or tracking cookies.
1.3 Information from Third Parties
- HOA records: Property ownership data, unit assignments, and contact information provided by the HOA administration.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Portal operations: Providing access to your account, property information, documents, announcements, and community services.
- Authentication and security: Verifying your identity, enabling two-factor authentication (via authenticator app, email, or SMS), managing trusted devices, and protecting against unauthorized access.
- Communications: Sending you account-related notifications, maintenance updates, announcements, insurance reminders, and other HOA communications via email or SMS.
- Maintenance and concerns: Processing and tracking maintenance requests, owner concerns, and related communications.
- Insurance compliance: Managing certificate of insurance records, expiration tracking, and compliance notifications.
- Administration: Supporting HOA board and administrative functions including user management, property management, and reporting.
3. SMS and Phone Communications
If you choose SMS as your two-factor authentication method, we will send verification codes to your registered phone number via text message. These messages are:
- Sent only when you initiate a login or 2FA setup/verification.
- Limited to security verification codes.
- Not used for marketing or promotional purposes.
- Delivered through our SMS service provider, Twilio, Inc.
You may change your 2FA method at any time from your profile settings to stop receiving SMS verification codes. Standard message and data rates from your mobile carrier may apply.
Your phone number is stored securely and is not shared with third parties for marketing purposes.
4. Two-Factor Authentication (2FA)
To enhance the security of your account, we offer three 2FA methods:
- Authenticator app (TOTP): A time-based code generated by an app such as Google Authenticator or Authy. The shared secret is stored encrypted on our servers.
- Email OTP: A one-time code sent to your registered email address.
- SMS OTP: A one-time code sent to your registered phone number via text message.
2FA is mandatory for administrative, board member, and employee accounts. It is optional but recommended for owner accounts. Backup recovery codes are provided during setup and should be stored securely by you.
5. Cookies and Similar Technologies
We use the following types of cookies:
- Session cookies: To maintain your authenticated session while using the Portal.
- Trusted device cookies: If you opt to “remember this device” during 2FA verification, a secure cookie is stored to bypass 2FA on subsequent logins for up to 30 days.
We do not use advertising, analytics, or third-party tracking cookies. All cookies are essential for Portal functionality and security.
6. Data Sharing and Disclosure
We do not sell or rent your personal information. We may share your information in the following limited circumstances:
- Service providers: We use trusted third-party services to operate the Portal, including Twilio (SMS delivery), Supabase (database and file hosting), Google Workspace (email), and Vercel (website hosting). These providers only access data necessary to perform their services and are contractually obligated to protect it.
- HOA administration: Board members and administrators may access your property information, contact details, and service requests as needed to manage HOA operations.
- Property management companies: If your property is managed by a third-party management company, relevant insurance and property information may be shared with them for compliance purposes.
- Legal requirements: We may disclose information when required by law, regulation, legal process, or governmental request.
7. Data Security
We implement industry-standard security measures to protect your personal information, including:
- Passwords are hashed using bcrypt before storage (never stored in plain text).
- TOTP secrets are encrypted using AES-256-GCM encryption.
- All data transmission is encrypted via HTTPS/TLS.
- Database access is restricted and monitored.
- Session tokens and trusted device tokens are cryptographically generated and hashed before storage.
- Login activity is monitored and sessions are managed automatically.
While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide services. Specifically:
- Account information is retained while your ownership or employment with the HOA is active. Deactivated accounts are soft-deleted (access disabled), but their records are retained for auditing purposes.
- Login session data is retained for security monitoring purposes.
- 2FA challenges and expired tokens are automatically cleaned up periodically.
- Trusted device records expire after 30 days and are removed.
- Ownership transfer records and audit logs are retained indefinitely for legal and compliance purposes.
9. Your Rights
You have the right to:
- Access the personal information we hold about you through your Portal profile.
- Update your contact information, phone numbers, and mailing address through your profile settings.
- Manage notifications by adjusting your notification preferences for non-mandatory communication categories.
- Manage 2FA settings, including changing methods, revoking trusted devices, and regenerating backup codes.
- Request deletion of your account by contacting the HOA administrator. Note that certain records may be retained for legal and compliance purposes.
10. Children's Privacy
The Portal is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will take steps to delete it promptly.
11. International Data Transfers
The Portal serves a community in Puerto Peñasco, Sonora, Mexico, with homeowners located in both Mexico and the United States. Your data may be processed and stored in the United States through our hosting and service providers. By using the Portal, you consent to the transfer and processing of your data in the United States.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. We encourage you to review this policy periodically. Continued use of the Portal after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact the HOA Administrator:
Encantame Towers HOA Administrator
Email: administrator@encantamehoa.com
Website: encantamehoa.com
Playa Encanto, Puerto Peñasco, Sonora, Mexico