Nivora
Sign inRequest access

Legal · Privacy

Privacy Policy

Nivora is invite-only underwriting software for real estate investment teams. This policy explains what information we collect, how we use it, and the choices you have. The short version: your deal data belongs to your organization, we don't sell data to anyone, and we collect only what the product needs to work.

Effective June 12, 2026

Who we are

Nivora (the “Service”) is operated by Nivora Capital (“we,” “us”). The Service is a multifamily real-estate underwriting platform: organizations upload property documents — rent rolls, trailing-twelve-month operating statements, offering memoranda — and the platform produces pro forma analyses, return metrics, and exports.

Information we collect

  • Account information. Name, email address, password (stored only as a salted hash by our authentication provider), and two-factor authentication settings.
  • Organization and deal data. The documents and figures your organization uploads or enters: rent rolls, operating statements, offering memoranda, underwriting assumptions, notes, and the analyses derived from them.
  • Audit records. The Service keeps an audit log of changes to deals and assumptions — who changed what, and when — as a product feature for your organization.
  • Usage and technical data. Log data such as IP address, browser type, pages viewed, and performance metrics, plus error reports when something breaks.

How we use information

  • To provide the Service: run analyses on the data your organization uploads, generate exports, and keep your team’s work in sync.
  • To secure the Service: authenticate sign-ins, enforce two-factor authentication, detect abuse, and maintain audit logs.
  • To operate and improve the Service: monitor errors and performance, and understand which features are used.
  • To communicate with you about your account, such as access approvals and security notices.

We do not sell personal information, and we do not use your organization’s deal data to train AI models.

AI-assisted document processing

When you upload an offering memorandum (or use other AI-assisted import features), the document is processed by Anthropic’s Claude API to extract figures such as unit counts and asking prices. These requests are made under API terms that do not permit the provider to train models on your data. Extracted values are always shown to you for review before they become part of your underwriting.

Service providers

We rely on a small set of infrastructure providers to run the Service:

  • Supabase — database, authentication, and file storage.
  • Vercel — application hosting, serverless functions, and performance analytics.
  • Anthropic — AI document extraction, as described above.
  • Sentry — error monitoring.
  • Cloudflare — bot protection on sign-in and sign-up.

Each provider processes data only as needed to provide its service to us.

Cookies and browser storage

The Service uses three narrow categories of cookies and browser storage:

  • Essential. Authentication tokens and session state (via our authentication provider) that keep you signed in and enforce two-factor authentication. The Service cannot function without these.
  • Preferences. Interface settings such as theme, your last-active tab, and whether you have dismissed notices like the cookie banner.
  • Analytics. First-party, cookieless performance and usage analytics (Vercel Web Analytics) that aggregate page views and load times without identifying or tracking individual visitors across sites.

We do not use third-party advertising cookies, cross-site trackers, or browser fingerprinting, and we do not sell or share browsing data. Because the essential storage is required for sign-in and the analytics are cookieless, the Service shows an informational notice rather than a consent wall; you can clear all stored data at any time through your browser settings (you will simply be signed out).

Security

Access is invite-only with enforced two-factor authentication. Organizations are isolated from one another at the database layer (row-level security), data is encrypted in transit and at rest, and an immutable audit log records changes to underwriting data. No system is perfectly secure, but security is a design constraint of the Service, not an afterthought.

Data retention and deletion

Deal data is retained for as long as your organization’s account is active, so your team’s underwriting history stays available. If your organization ends its relationship with us, we will delete or return organization data on request, subject to legal retention requirements.

Your rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal information. To exercise them, contact your organization administrator or reach us through your Nivora representative, and we will respond within a reasonable period.

Changes to this policy

If we make material changes, we will update the effective date above and notify organization administrators. Continued use of the Service after a change takes effect constitutes acceptance of the revised policy.