The short version
We collect what we need to run a CRM for you: your account details, the CRM data you put in, billing information (handled by Stripe), and technical logs. Your CRM data belongs to you — we process it only to provide the Service, and our AI providers are contractually barred from training on it. We do not sell personal information, we do not run advertising trackers, and we honor privacy rights requests from any U.S. resident regardless of state. Live voice audio is not stored, but transcripts of AI Phone calls and call notes are saved to your account — tell the people you record.
This summary is provided for convenience only. The full document below is what governs.
01Scope & Our Two Roles
This Privacy Policy applies to the SuiteCRE websites, applications, and services (the “Service”) operated by SuiteCRE Inc. (“SuiteCRE,” “we,” “us”). It is important to understand that we handle personal information in two distinct roles:
- SuiteCRE as the business (controller). For the information of our own customers and site visitors — your account, billing, support, and usage information — we decide how and why it is processed, and this policy applies in full.
- SuiteCRE as a service provider (processor). For “Customer Data” — the contacts, leads, clients, deals, documents, communications, call transcripts, and other records our customers store in their CRM — the customer (the broker or brokerage) controls that data. We process it only on the customer’s instructions to provide the Service, and we do not sell it or use it for our own marketing.
If your information appears in a SuiteCRE customer’s CRM (for example, a broker you work with keeps your contact details, emails, or call notes in SuiteCRE, or you chatted with a listing’s AI assistant or requested a showing), that broker is responsible for the data and for responding to your privacy requests. Please direct requests to them; we will assist them in honoring your rights. You can also contact us at privacy@suitecre.com and we will refer your request to the relevant customer where we can identify them.
02Information We Collect
A. Information you provide
- Account and profile: name, email address, password (stored by our authentication provider in hashed form), phone number, company, title, and preferences, including any professional license details you add (e.g., state license numbers, designations, E&O insurance information).
- Customer Data you enter: contacts and companies (names, emails, phone numbers, titles, tags, preferences, notes), deals and pipelines, listings and property details, documents and photos you upload (including text we extract from them for search), calendar events, tasks, commissions and expense records, and communications you draft or log.
- Payment information: processed by Stripe. We receive and store subscription status, plan, and transaction records — never full card numbers.
- Support and feedback: messages, bug reports, and related correspondence.
B. Information from integrations you connect
- Google and Microsoft accounts: when you connect Gmail, Outlook, or Google Calendar, we receive OAuth tokens (stored encrypted) and the calendar and email data needed to provide the features you enable — for email, our access is used to create drafts in your own mailbox for your review.
- WhatsApp (Hermes assistant): if you pair your WhatsApp number, we process your number and the messages you exchange with the assistant via Twilio.
C. Voice, call, and chat data
- Voice mode: live audio is streamed to our speech-to-text provider for real-time transcription. We do not retain the audio after the session; the resulting conversation text is part of your chat history.
- AI Phone and call notes: when you enable AI Phone, calls answered by the assistant are transcribed, and transcripts, caller phone numbers, and call summaries are stored in your account. Call notes you create (including from recordings you upload) are likewise transcribed and stored. You are responsible for any recording notices or consents required where you and your callers are located.
- Client-facing listing chat and showing requests: when a prospective buyer uses a customer’s public listing chat or showing form, we collect the name, email, phone number, messages, IP address, and browser information they provide, on behalf of that customer.
D. Information collected automatically
- Usage and device data: log data such as IP address, browser type, pages viewed, feature usage, and AI message counts (used for billing meters and abuse prevention).
- Diagnostics: we use Sentry for error monitoring and limited session replay (a small sample of sessions, and sessions where an error occurs) to diagnose and fix failures.
- Cookies: we use only essential and functional cookies — see our Cookie Policy. We do not use advertising or cross-site tracking cookies.
E. Information from other sources
- Public sources you direct us to: if you enable market intelligence or lead generation, the Service gathers publicly available listing and contact information from third-party websites according to rules you configure, and stores the results in your account as Customer Data.
03How We Use Information
We use personal information to:
- provide, operate, secure, and support the Service, including syncing the integrations you connect;
- power the AI features you use, as described in the next section;
- process payments, meter usage-based charges, and manage subscriptions;
- send transactional and service communications (receipts, event reminders, security alerts, digests you enable, and notices about changes to the Service or our terms);
- monitor, debug, and improve the Service using aggregated or de-identified usage information;
- prevent fraud and abuse, enforce our Terms of Service, and protect the rights, safety, and property of SuiteCRE, our customers, and others;
- comply with legal obligations and respond to lawful requests.
We do not use personal information for third-party advertising, and we do not make decisions producing legal or similarly significant effects about individuals solely by automated means.
04AI & Voice Processing
When you use AI features, your prompts and the relevant CRM context (for example, the deal or document you are asking about) are sent to the AI providers listed in the next section to generate a response. Document embeddings — numerical representations used for search — are generated and stored in our database.
Our AI providers process your data under API terms that prohibit them from using it to train their models. We do not use Customer Data to train models for other customers.
Voice interactions are processed as described in Section 2(C): live audio is transcribed in real time and not retained as audio, while transcripts of AI Phone calls and call notes are stored in the controlling customer’s account.
07Data Retention
| Data | Retention |
|---|---|
| Account and profile data | Life of the account, then deleted within 30 days of account deletion |
| Customer Data (CRM records, documents, transcripts) | Until you delete it or your account closes; retained 30 days after termination to allow export, then permanently deleted |
| Billing and transaction records | As required by tax, accounting, and financial regulations (typically 7 years) |
| Diagnostic logs and error reports | Short rolling windows appropriate to debugging and security |
| Aggregated / de-identified analytics | May be retained indefinitely (contains no personal information) |
Residual copies may persist in encrypted backups for a limited time after deletion and are overwritten in the ordinary course. We may retain data longer where required by law or to resolve disputes.
08How We Protect Information
We use administrative, technical, and physical safeguards appropriate to the sensitivity of the data, including:
- tenant isolation enforced with database row-level security, designed to fail closed;
- AES-256 encryption of OAuth tokens and third-party API keys at rest, and TLS with HSTS for all data in transit;
- least-privilege database roles, authenticated sessions, and signature verification on inbound webhooks;
- rate limiting, security headers (CSP, frame protections), and input sanitization;
- audit logging of AI agent actions and compliance-relevant events.
No system is perfectly secure. If we learn of a breach affecting your personal information, we will notify you and regulators as required by applicable law. Report suspected vulnerabilities to security@suitecre.com.
09Your Privacy Rights
Depending on where you live, you may have some or all of the rights below. As a matter of policy, we extend these rights to all users in the United States, regardless of state:
- Know / access: confirm whether we process your personal information and obtain a copy of it;
- Correct: fix inaccurate personal information;
- Delete: request deletion of your personal information and account;
- Portability: receive your data in a portable format (the Service includes self-serve export tools);
- Opt out: of sales, sharing for targeted advertising, and profiling with significant effects — none of which we do;
- Limit sensitive data use: we use sensitive information (such as account credentials or license numbers you provide) only to deliver the Service;
- Non-discrimination: we will not deny service or change pricing because you exercised a privacy right.
How to exercise your rights
Use the tools in your account settings (export, integration disconnect, account deletion) or email privacy@suitecre.com. We will verify your request using your account email or other reasonable means, respond within 45 days (extendable once by 45 days where permitted, with notice), and honor requests made through an authorized agent with proof of authorization. If we decline a request, you may appeal by replying to our decision with “Appeal” in the subject line; we will respond to appeals within the period required by your state’s law and, if the appeal is denied, provide a way to contact your state attorney general.
Remember: for personal information held in a customer’s CRM, the customer controls the data, and we will route or support your request as described in Section 1.
10California Notice at Collection
This section supplements the rest of this policy for California residents under the California Consumer Privacy Act, as amended by the CPRA (“CCPA”). In the preceding 12 months we have collected the categories of personal information below. We have not sold or shared personal information, and we do not sell or share it, including of consumers under 16.
| CCPA category | Examples we collect | Disclosed to |
|---|---|---|
| Identifiers | Name, email, phone, IP address, account IDs | Service providers |
| Customer records (Cal. Civ. Code § 1798.80) | Contact details, billing records | Service providers |
| Commercial information | Subscription history, transactions, deal records you store | Service providers |
| Internet / network activity | Usage logs, feature interactions, diagnostics | Service providers |
| Audio / electronic information | Call transcripts, chat messages, voice-session text | Service providers |
| Professional information | Company, title, license and designation details | Service providers |
| Sensitive personal information | Account credentials; license numbers you provide | Service providers (service delivery only) |
| Inferences | AI-generated summaries and health scores within your account | Service providers |
We collect these categories from the sources, for the purposes, and with the retention periods described in Sections 2, 3, and 7. We use sensitive personal information only for the purposes permitted by CCPA regulations (providing the Service, security, and quality), so the “Limit the Use of My Sensitive Personal Information” right does not require an additional toggle. California residents may exercise the rights in Section 9 via privacy@suitecre.com. California’s “Shine the Light” law (Civ. Code § 1798.83) inquiries may be sent to the same address; we do not disclose personal information to third parties for their direct marketing.
11Other U.S. State Disclosures
Residents of states with comprehensive privacy laws — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Florida, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Kentucky, Rhode Island, and Indiana — have rights substantially similar to those in Section 9, including the right to appeal a refusal. We honor all of them through the same process. For clarity under those laws: we do not sell personal data, do not process it for targeted advertising, and do not engage in profiling in furtherance of decisions that produce legal or similarly significant effects. Where a state requires consent to process sensitive data, we obtain it through your voluntary provision of that data for the feature that uses it.
Nevada residents: we do not sell covered information as defined by Nevada law; you may still submit an opt-out request to privacy@suitecre.com.
12Children
The Service is a business tool and is not directed to anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact privacy@suitecre.com and we will delete it.
13International Users
The Service is operated from the United States and intended for U.S. real estate professionals. If you access it from elsewhere, you understand your information will be transferred to and processed in the United States, where privacy laws may differ from those of your jurisdiction. If you are in a jurisdiction such as the EEA, UK, or Canada and applicable law grants you additional rights, you may exercise them via privacy@suitecre.com and we will handle your request in accordance with that law.
14Google & Microsoft API Data
SuiteCRE’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular, Google user data (Gmail and Google Calendar data) is used only to provide the features you enable — creating email drafts in your mailbox and syncing your calendar — and is never used for advertising, never sold, and never used to train generalized AI models. Human access is limited to the narrow cases the policy permits (with your consent, for security, or to comply with law). Microsoft account data accessed through the Outlook integration is handled the same way. You can revoke our access at any time in your SuiteCRE settings or via your Google or Microsoft account permissions.
15Changes to This Policy
We may update this policy as the Service and the law evolve. We will post the updated version with a new “Last updated” date and, for material changes, notify you by email or in-app notification before the changes take effect. Your continued use of the Service after the effective date constitutes acknowledgment of the updated policy.
16Contact Us
SuiteCRE Inc. — Privacy Team
Privacy requests: privacy@suitecre.com
Security reports: security@suitecre.com
General legal: legal@suitecre.com
If you have an unresolved privacy concern that we have not addressed satisfactorily, you may contact your state attorney general’s consumer protection office.
