Privacy Policy

1. Who we are

This policy describes how Ethan Flynn (“we”, “us”, or “the operator”) handles information in the Ethan Flynn CRM application (“the application” or “the CRM”) hosted at ethanflynn.com. The CRM is a private application used by the operator to manage real-estate transactions and associated bookkeeping for the operator’s own business. It is not offered as a product to third parties.

2. Information we collect

The CRM collects only the information required to operate. This consists of:

• Authentication data.When the operator signs in with Google, we receive the operator’s name, email address, and Google account identifier.
• Business records entered by the operator. Contact information for the operator’s real-estate clients, deal details, property data, and financial entries. These records are only accessible to the operator.
• Bank and financial data (via Plaid).If the operator links a bank or credit-card account through Plaid, the CRM receives transaction records (date, amount, merchant description, category) and account balances for the operator’s own accounts only. We do not receive login credentials for any financial institution — those are entered by the operator directly into Plaid Link, which is operated by Plaid Inc.
• Communication content.If the operator enables the optional Gmail integration, messages related to the operator’s own real-estate deals are imported into the CRM for organization.
• Operational metadata. Standard server logs (timestamp, IP address, response status) generated by AWS Amplify and CloudWatch to support debugging and security monitoring.

3. How we use this information

Collected information is used solely to operate the CRM for the operator’s internal business management, including: displaying deals and contacts, producing a monthly profit-and-loss statement and general ledger, reconciling bank transactions against recorded journal entries, and responding to client communications sent to the operator. The CRM does not use collected information to build profiles of the operator, to serve advertising, or for any purpose unrelated to the operator’s bookkeeping.

4. How we share information

We do not sell, rent, or share collected information with third parties for their own use. Information may be transmitted to the limited set of infrastructure providers listed below strictly to deliver the CRM to the operator:

• Amazon Web Services (DynamoDB for storage, Amplify for hosting, S3 for attachments). Data is stored within AWS accounts controlled by the operator.
• Google for sign-in (OAuth) and, optionally, Gmail access.
• Plaid Inc.as the data aggregator used to connect and retrieve transactions from the operator’s own bank and credit-card accounts. Plaid’s own End-User Privacy Policy governs how Plaid handles data it collects on the operator’s behalf.
• Anthropic for optional AI-assisted parsing of inbound documents. Document content sent for parsing is not used to train Anthropic models.

We may also disclose information if compelled by valid legal process (subpoena, court order) or if disclosure is necessary to protect against fraud, unauthorized access, or other imminent harm.

5. Security

Data is protected with multiple layers:

• All traffic between the operator’s browser and the application uses TLS 1.2 or higher.
• The DynamoDB table storing CRM records is encrypted at rest by AWS using AES-256.
• Plaid access tokens are additionally encrypted at the application layer using AES-256-GCM before being written to DynamoDB, with the encryption key stored outside the database.
• All administrative access to the application’s backing infrastructure (AWS console, DynamoDB) is protected by phishing-resistant multi-factor authentication using FIDO2 passkeys.
• Every non-public route in the application is gated behind operator-only authentication. No end-user accounts other than the operator’s exist.

No system can be guaranteed fully secure. We continue to apply patches and reasonable industry practices to reduce risk.

6. Data retention

Business records and financial data are retained for as long as the operator needs them for tax, accounting, or historical reference — typically seven years to align with IRS record-retention guidance for small-business records. Server logs are retained for up to ninety days. The operator may disconnect the Plaid integration at any time, which revokes the access token and stops further transaction imports; the historical transaction data already imported remains in the ledger unless explicitly deleted.

7. Your choices

Because the CRM is operated by a single person for a single person’s business, most choices about the data belong to the operator. If you are a third party who has communicated with the operator (for example, a real-estate client) and your contact information has been recorded in the CRM, you may contact the operator at the address below to request access to, correction of, or deletion of that information. Requests will be handled within thirty days.

8. Children’s data

The CRM is not directed to anyone under the age of thirteen and does not knowingly collect information from children.

9. Changes to this policy

We may revise this policy as the CRM evolves. Material changes will be reflected in a new effective date above, and in a notice on this page for at least thirty days following the change.

10. Contact

Questions about this policy or requests related to personal information can be sent to: