Privacy Policy

Effective date: May 16, 2026

1. The Short Version

  • We collect what we need to run the platform — nothing more.
  • We don't sell your data, and we don't use it to train AI models.
  • You can delete your account anytime; we remove your personal information 14 days after the request.
  • Property managers control their tenants', vendors', and owners' data on the platform.
  • Questions? privacy@domios.ai

Domios is a small team building in public. We aim for honesty over polish. If anything in this policy doesn't match what you actually experience, email us at privacy@domios.ai and we'll fix it.

2. We Do Not Sell Your Personal Information

Domios does not sell or share personal information for monetary or other valuable consideration. No such activity has occurred in the prior 12 months, and we have no plans to begin. We also do not share individually identifying personal information with advertising networks, data brokers, or analytics partners for their independent commercial use.

3. Overview

EVO SMART AI CORP, doing business as Domios (referred to in this policy as “Domios,” “we,” “us,” or “our”) operates the Domios property management platform, including the Max tenant mobile app, the Diana vendor mobile app and web portal, the Henry owner mobile app and web portal, the Messenger mobile app for property management staff, the Domios admin portal, and related web services (collectively, the “Services”).

This Privacy Policy explains what information we collect, how we use it, when we share it, and the choices available to you. Please read it carefully before using our Services.

Domios operates a multi-sided platform. We act as the processor of personal information on behalf of the property management companies that use our Services — they are the controllers of their tenants', vendors', and owners' data. If you have a relationship with a property management company that uses Domios, the most direct path to exercise data rights about your tenancy or vendor engagement is through them. We support both paths.

4. Information We Collect

Information you provide

  • Account information: name, email address, phone number, and password (or one-time code) when you create or access an account.
  • Profile information: professional title, company name, avatar, and other details you choose to add.
  • Maintenance requests (tenants): descriptions, photos and videos, and messages you submit through the Max app.
  • Work order data (vendors): job acceptance and decline decisions, scheduling, completion photos and videos, and proof-of-work submissions through the Diana app or portal. Proof-of-work media may include precise GPS coordinates embedded in the file metadata.
  • Property and ownership information (owners): the properties, units, leases, and financial records associated with you, including rent amounts and payment records.
  • Payment and billing information: invoice amounts, payment references, and related financial records. We do not collect or store bank card numbers, social security numbers, driver's license numbers, or government-issued ID numbers.
  • Communications: messages you send to other parties via the platform chat, and to our support channels.

Information collected automatically

  • Device information: device type, operating system version, and unique device identifiers used for push notification delivery.
  • Usage data: features accessed, actions taken, timestamps, and session duration.
  • Log and diagnostic data: IP address, browser type, and error reports collected to maintain platform stability.
  • Push notification tokens: device tokens used to deliver push notifications to your mobile device.

Information from property management companies

Property management companies that use Domios may provide your contact details, tenancy information, and ownership information when setting up your account or operating their portfolios.

Categories of personal information (under California law)

For California residents, the categories of personal information defined under the CCPA that we collect are: identifiers (name, email, phone, account identifiers); customer records (contact details, lease and rent records); commercial information (work order costs, payment records); internet or network activity (IP address, device identifiers, push tokens); geolocation data (property addresses and precise GPS coordinates from proof-of-work media); sensory data (photos and videos you upload); professional information (job titles, company affiliations); and inferences drawn from the above (such as AI-suggested work order priority or trade type — see “AI Features” below).

We do not collect: social security numbers, driver's license numbers, passport numbers, government ID numbers, biometric identifiers, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, sexual orientation, citizenship or immigration status, or health information.

5. Sensitive Personal Information

Under California law (CPRA), the following data we collect is classified as sensitive personal information:

  • Account login credentials — stored as one-way Argon2 hashes for passwords and SHA-256 hashes for refresh tokens. The original credentials cannot be recovered from our database.
  • Precise geolocation — property latitude and longitude (used to display maps), and precise GPS coordinates embedded in proof-of-work photos and videos submitted by vendors (used to verify that work was completed on-site).
  • Contents of communications — messages between tenants, vendors, owners, and property management staff sent through the platform's chat features.

We use sensitive personal information only for the purposes you would expect: to display maps, to verify proof-of-work, to deliver messages between parties on the platform, and to authenticate your account. We do not use sensitive personal information for advertising, profiling, or any other secondary purpose. Your California right to limit the use of sensitive personal information is effectively honored by default.

We do not collect the types of sensitive personal information that traditional property management platforms collect for tenant screening (social security numbers, driver's license numbers, credit history, criminal history). Tenant screening is not a feature of the Domios platform.

6. How We Use Your Information

  • Provide, operate, and maintain the Services.
  • Process and route maintenance requests, work orders, and financial records.
  • Power our AI features (Max, Diana, and Henry) — see Section 8.
  • Send notifications about work order status, scheduling, and account activity.
  • Verify the identity of users (via one-time codes and password authentication) and protect against unauthorized access.
  • Detect, investigate, and prevent fraudulent or unauthorized activity.
  • Analyze usage in aggregate to improve the platform — see Section 9.
  • Comply with applicable legal obligations.
  • Respond to your support requests and communications.

7. How We Share Your Information

We share personal information only in the following circumstances:

  • Within the platform: Tenant maintenance requests are shared with the property manager and, when assigned, the vendor. Work order details, including a tenant's name and the property address, are shared with the assigned vendor. Property owners can see work orders, lease information, and financial summaries for their own properties.
  • Service providers (subprocessors): We use a small number of trusted third-party providers to operate the platform. We disclose them by category below. The full vendor list is available to enterprise customers under NDA as part of due diligence.
  • Legal requirements: We may disclose information when required by law, court order, or government authority.
  • Business transfers: If Domios is involved in a merger, acquisition, or asset sale, your information may be transferred. We will make reasonable efforts to notify you before your information becomes subject to a different privacy policy.
  • With your consent: We may share information for other purposes with your explicit consent.

Categories of subprocessors

The following categories of third-party providers process personal information on our behalf:

  • Cloud infrastructure & database providers — for hosting, managed database, file storage, and caching.
  • AI / large language model providers — for our AI features (Max, Diana, Henry). API terms with these providers prohibit them from using your data to train their models.
  • Communication providers — for email delivery and SMS-based one-time codes and notifications.
  • Push notification providers — for delivering mobile push notifications.
  • Mapping & geolocation providers — for property address lookup and map display.
  • Error monitoring providers (mobile apps only, optional) — for crash reports and error tracking.
  • Website analytics provider (marketing website only) — Google Analytics 4 on our public marketing pages (e.g., domios.ai) to count visitors and understand which content is useful. We do not run analytics on the signed-in product surfaces (admin portal, Max, Diana, Henry, Messenger). IP addresses are anonymized, advertising and remarketing features are disabled, and we do not combine analytics data with your account profile.

When we add a new subprocessor that will process personal information, we update this Privacy Policy and notify existing customers at least 30 days in advance.

8. AI Features

The Domios platform includes three AI features that interact with you directly: Max (for tenants), Diana (for vendors), and Henry (for property owners). Each AI is clearly identified as artificial intelligence in the app. They are not human staff and do not impersonate human staff.

What data flows to our AI providers

  • Max — your typed messages and any photos or videos you attach to a maintenance request are sent to our AI provider so Max can understand and respond. Max may also extract structured information (such as a suggested priority or trade type) which is then shown to your property manager for review.
  • Diana — the details of work orders dispatched to you and the messages you send through the vendor portal are sent to our AI provider so Diana can help coordinate.
  • Henry — when you ask Henry a question, Henry will read the property data relevant to your question and send it to our AI provider along with your question so it can answer. The scope follows your question: if you ask about a specific property, only that property's data is shared with the AI provider; if you ask a portfolio-level question, a summary of your portfolio is shared.

We do not train AI on your data

We do not use the content of your conversations with our AI features (Max, Diana, or Henry) to train artificial intelligence models. Our AI providers' API terms prohibit them from using your data to train their models.

We may use aggregated and de-identified operational data (such as the number and types of maintenance requests across our customer base, average response times, or trends in property categories) to evaluate and improve our platform and its AI features. This data does not identify you, your property, or any specific person.

If we ever change this practice — for example, to use individual conversation data with explicit opt-in consent — we will update this Privacy Policy in advance and give you a meaningful choice before the change takes effect.

AI suggestions are not automated decisions

When Max suggests a work order priority, urgency level, or trade type from your maintenance request, those suggestions are starting points for your property manager to review and adjust. They are not automated decisions about you, and they do not affect your tenancy, lease, or eligibility for housing. Decisions about your tenancy are made solely by the property management company you work with.

AI can make mistakes. Always verify anything important before relying on it.

9. How We Use Aggregated and De-Identified Data

We may aggregate and de-identify the data you provide and use it to:

  • Show benchmarks comparing your properties to similar properties in our customer base.
  • Improve our platform and AI features.
  • Publish industry research and reports.

What we never do with aggregated data

  • We do not sell your personal information, even in de-identified form, without an explicit opt-in.
  • We do not share individually identifying information about you, your property, or your tenants, vendors, or owners with insurance companies, real estate investors, or other third parties for their independent commercial use.
  • We do not use property or tenant data to make decisions about housing eligibility — for example, screening tenants, setting rent prices, or recommending evictions. Decisions about your tenants are made solely by the property management company you work with.

We commit to maintaining technical and procedural safeguards to prevent re-identification of de-identified data, and we will not attempt to re-identify it.

10. Data Retention

We retain personal information only as long as needed to provide the Services and to meet legal and operational obligations. Specific retention periods:

  • Account data — for the life of your account. When you request deletion, your account is deactivated immediately and your personal information is removed 14 days after the request (a cooling-off period during which you can cancel).
  • Work order records and financial records — up to 7 years, to meet IRS and financial recordkeeping obligations.
  • Audit logs (identity changes, administrative actions) — 1 year.
  • Refresh tokens — up to 90 days; expire automatically when not used.
  • One-time login codes — 5 minutes.
  • Database backups — 90 days on a rolling basis.

We may retain certain information longer when required by law (e.g., for ongoing litigation or regulatory obligations). After deletion, work orders and financial records may be retained in anonymized or aggregated form as required for legitimate business operations; these retained records are no longer linked to your identity.

11. Your Rights (California Residents)

If you are a California resident, you have the following rights under the CCPA and CPRA:

  • Right to Know — request a copy of the personal information we hold about you, the sources we collected it from, the purposes we use it for, and the categories of third parties we share it with.
  • Right to Delete — request that we delete personal information we hold about you, subject to legal and operational exceptions.
  • Right to Correct — request that we correct inaccurate personal information.
  • Right to Data Portability — receive your personal information in a portable, machine-readable format.
  • Right to Opt Out of Sale or Sharing — opt out of the sale or sharing of your personal information for cross-context behavioral advertising. (Domios does not sell or share for advertising purposes; this right is honored by default.)
  • Right to Limit Use of Sensitive Personal Information — restrict our use of sensitive personal information to providing the requested service. (See Section 5 — we already limit our use to this purpose.)
  • Right to Non-Discrimination — exercise these rights without any penalty, denial of service, or reduction in service quality.

How to submit a request

To exercise any of these rights, email us at privacy@domios.ai with a subject line indicating the right you are exercising (e.g., “CCPA — Right to Know”), or use the in-app delete option under Settings → Delete Account.

We respond within 45 days. If we need more time, we will tell you and may extend by another 45 days, for up to a total of 90 days.

Identity verification

To protect your privacy, we will ask you to verify your identity before responding to a Right to Know, Right to Delete, or Right to Correct request. We verify by matching information you provide (such as your registered email, phone, and a recent activity reference) against our records. For requests involving sensitive personal information, we may ask for a government-issued ID.

Authorized agents

You may designate an authorized agent to submit a request on your behalf. We require either (1) signed written permission from you, together with valid government-issued identification for both you and the agent, or (2) a valid power of attorney executed under applicable law.

12. Your Rights (Other States)

Privacy laws in other U.S. states grant residents rights similar to those described in Section 11. The specifics vary by state.

Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Iowa, Tennessee, Utah, Indiana, Kentucky, Maryland, Nebraska, New Hampshire, New Jersey, Rhode Island

Residents of these states have the right to access, correct, delete, and obtain a portable copy of their personal information, and to opt out of targeted advertising and the sale of personal information. Specific differences include:

  • Colorado, Connecticut, Texas, New Jersey, Oregon — recognize universal opt-out signals such as the Global Privacy Control (see Section 13).
  • Virginia, Connecticut, Colorado, Texas, Oregon, Montana, Tennessee, New Jersey — provide a right to appeal if we decline a privacy request. The appeal process is described in our response to your initial request.

Delaware, Minnesota, Oregon

Residents of these states have additional access rights, including the right to receive a list of the categories of third parties to whom we have disclosed their personal information.

To exercise any of these rights, contact us at privacy@domios.ai. The submission, verification, and authorized-agent processes described in Section 11 apply equally to residents of other states.

13. Global Privacy Control

We honor the Global Privacy Control (GPC) browser signal. When your browser sends a Sec-GPC: 1 header, we treat it as a valid request to opt out of any sale or sharing of your personal information for cross-context behavioral advertising.

We honor GPC for residents of: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas.

Because we do not sell or share personal information for advertising in any form, GPC effectively has no impact on our practices — our default behavior already matches what GPC asks of us. We still honor the signal as a matter of legal compliance and good faith.

14. Children’s Privacy

The Services are not intended for individuals under 18 years of age. Rental tenancy and vendor service relationships typically require participants to be at least 18, and we do not knowingly create accounts for minors.

We do not knowingly collect personal information from anyone under 13 years of age, which is the threshold defined by the federal Children's Online Privacy Protection Act (COPPA). If you believe we have inadvertently collected such information, please contact us at privacy@domios.ai and we will promptly delete it.

15. Email and Text Communications

Operational and transactional communications — one-time login codes, account verification, password resets, work order notifications, payment receipts, and security alerts — are part of providing the Services and cannot be opted out of without closing your account.

If we send you any commercial email (such as product updates or newsletters), the message will include an unsubscribe link and our physical mailing address, in compliance with the federal CAN-SPAM Act. You can also reply to any such email with the word “unsubscribe” or contact us at privacy@domios.ai to be removed from commercial communications.

For SMS, you can reply STOP to opt out of further messages from the relevant number. Standard message and data rates may apply from your wireless carrier.

16. Data Security

We use industry-standard measures to protect your information, including encrypted data transmission, hashed credential storage, role-based access controls, and audit logging. The technical details of our security program — including authentication, access controls, subprocessor categories, and our compliance roadmap — are described on our Security page. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

17. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you at least 30 days in advance by posting the updated policy on this page, updating the “Effective Date,” and where practical, sending a notice to the email associated with your account. For non-material changes, we will give at least 7 days' notice. Your continued use of the Services after the updated policy takes effect indicates your acknowledgment of the changes.

18. Governing Law

This Privacy Policy is governed by the laws of the State of Delaware, without regard to its conflict of law provisions. Any disputes arising under this policy are subject to the exclusive jurisdiction of the courts of the State of Delaware, except where applicable consumer privacy laws grant you a non-waivable right to enforce them in your state of residence.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

EVO SMART AI CORP, doing business as Domios

Email: privacy@domios.ai

Website: https://domios.ai