SuiteCRE Legal

Privacy Policy

This policy explains what personal information SuiteCRE collects, how we use and share it, how long we keep it, and the rights you have over it — including rights under California's CCPA and other U.S. state privacy laws.

Last updated July 8, 2026 · Effective July 8, 2026

The short version

We collect what we need to run a CRM for you: your account details, the CRM data you put in, billing information (handled by Stripe), and technical logs. Your CRM data belongs to you — we process it only to provide the Service, and our AI providers are contractually barred from training on it. We do not sell personal information, we do not run advertising trackers, and we honor privacy rights requests from any U.S. resident regardless of state. Live voice audio is not stored, but transcripts of AI Phone calls and call notes are saved to your account — tell the people you record.

This summary is provided for convenience only. The full document below is what governs.

01Scope & Our Two Roles

This Privacy Policy applies to the SuiteCRE websites, applications, and services (the “Service”) operated by SuiteCRE Inc. (“SuiteCRE,” “we,” “us”). It is important to understand that we handle personal information in two distinct roles:

  • SuiteCRE as the business (controller). For the information of our own customers and site visitors — your account, billing, support, and usage information — we decide how and why it is processed, and this policy applies in full.
  • SuiteCRE as a service provider (processor). For “Customer Data” — the contacts, leads, clients, deals, documents, communications, call transcripts, and other records our customers store in their CRM — the customer (the broker or brokerage) controls that data. We process it only on the customer’s instructions to provide the Service, and we do not sell it or use it for our own marketing.

If your information appears in a SuiteCRE customer’s CRM (for example, a broker you work with keeps your contact details, emails, or call notes in SuiteCRE, or you chatted with a listing’s AI assistant or requested a showing), that broker is responsible for the data and for responding to your privacy requests. Please direct requests to them; we will assist them in honoring your rights. You can also contact us at privacy@suitecre.com and we will refer your request to the relevant customer where we can identify them.

02Information We Collect

A. Information you provide

  • Account and profile: name, email address, password (stored by our authentication provider in hashed form), phone number, company, title, and preferences, including any professional license details you add (e.g., state license numbers, designations, E&O insurance information).
  • Customer Data you enter: contacts and companies (names, emails, phone numbers, titles, tags, preferences, notes), deals and pipelines, listings and property details, documents and photos you upload (including text we extract from them for search), calendar events, tasks, commissions and expense records, and communications you draft or log.
  • Payment information: processed by Stripe. We receive and store subscription status, plan, and transaction records — never full card numbers.
  • Support and feedback: messages, bug reports, and related correspondence.

B. Information from integrations you connect

  • Google and Microsoft accounts: when you connect Gmail, Outlook, or Google Calendar, we receive OAuth tokens (stored encrypted) and the calendar and email data needed to provide the features you enable — for email, our access is used to create drafts in your own mailbox for your review.
  • WhatsApp (Hermes assistant): if you pair your WhatsApp number, we process your number and the messages you exchange with the assistant via Twilio.

C. Voice, call, and chat data

  • Voice mode: live audio is streamed to our speech-to-text provider for real-time transcription. We do not retain the audio after the session; the resulting conversation text is part of your chat history.
  • AI Phone and call notes: when you enable AI Phone, calls answered by the assistant are transcribed, and transcripts, caller phone numbers, and call summaries are stored in your account. Call notes you create (including from recordings you upload) are likewise transcribed and stored. You are responsible for any recording notices or consents required where you and your callers are located.
  • Client-facing listing chat and showing requests: when a prospective buyer uses a customer’s public listing chat or showing form, we collect the name, email, phone number, messages, IP address, and browser information they provide, on behalf of that customer.

D. Information collected automatically

  • Usage and device data: log data such as IP address, browser type, pages viewed, feature usage, and AI message counts (used for billing meters and abuse prevention).
  • Diagnostics: we use Sentry for error monitoring and limited session replay (a small sample of sessions, and sessions where an error occurs) to diagnose and fix failures.
  • Cookies: we use only essential and functional cookies — see our Cookie Policy. We do not use advertising or cross-site tracking cookies.

E. Information from other sources

  • Public sources you direct us to: if you enable market intelligence or lead generation, the Service gathers publicly available listing and contact information from third-party websites according to rules you configure, and stores the results in your account as Customer Data.

03How We Use Information

We use personal information to:

  • provide, operate, secure, and support the Service, including syncing the integrations you connect;
  • power the AI features you use, as described in the next section;
  • process payments, meter usage-based charges, and manage subscriptions;
  • send transactional and service communications (receipts, event reminders, security alerts, digests you enable, and notices about changes to the Service or our terms);
  • monitor, debug, and improve the Service using aggregated or de-identified usage information;
  • prevent fraud and abuse, enforce our Terms of Service, and protect the rights, safety, and property of SuiteCRE, our customers, and others;
  • comply with legal obligations and respond to lawful requests.

We do not use personal information for third-party advertising, and we do not make decisions producing legal or similarly significant effects about individuals solely by automated means.

04AI & Voice Processing

When you use AI features, your prompts and the relevant CRM context (for example, the deal or document you are asking about) are sent to the AI providers listed in the next section to generate a response. Document embeddings — numerical representations used for search — are generated and stored in our database.

Our AI providers process your data under API terms that prohibit them from using it to train their models. We do not use Customer Data to train models for other customers.

Voice interactions are processed as described in Section 2(C): live audio is transcribed in real time and not retained as audio, while transcripts of AI Phone calls and call notes are stored in the controlling customer’s account.

05How We Disclose Information

We do not sell personal information, and we do not share it for cross-context behavioral advertising. We disclose personal information only:

  • To service providers (subprocessors) that help us run the Service, under contracts limiting their use of the data to providing services to us — listed in the table below;
  • At your direction, such as when you connect an integration, share a listing page or partner link, send a communication, or export data;
  • For legal reasons, where required by law, subpoena, or court order, or to protect the rights, safety, or property of SuiteCRE, our customers, or the public — where lawful, we will notify you before disclosing Customer Data;
  • In a business transfer, such as a merger, acquisition, financing, or sale of assets, in which case this policy continues to apply to previously collected data;
  • To professional advisors (lawyers, accountants, auditors) bound by confidentiality.

Subprocessors we use

ProviderPurpose
SupabaseAuthentication, database hosting, file storage
VercelApplication hosting and delivery
StripePayment processing and subscription billing
Anthropic (Claude)AI broker assistant and AI-generated content
OpenAIDocument and search embeddings; AI processing
GoogleMaps embeds, Gmail/Calendar APIs for integrations you connect
MicrosoftOutlook APIs for the email integration you connect
DeepgramReal-time speech-to-text for the voice assistant
ElevenLabsText-to-speech for the voice assistant
AssemblyAISpeech-to-text transcription (voice dictation)
TwilioAI Phone calls and WhatsApp assistant messaging
FirecrawlWeb retrieval for market intelligence and lead generation
ResendTransactional email delivery
UpstashRate limiting (Redis)
SentryError monitoring and diagnostics
WorkOSOAuth for the SuiteCRE connector (MCP)

06Cookies & Tracking

We use strictly necessary cookies for authentication and session management, and functional cookies for preferences like theme. We do not use advertising cookies or cross-site trackers, and we do not disclose personal information to third parties for targeted advertising — so there is no “sale” or “sharing” for a universal opt-out signal such as Global Privacy Control to switch off; we treat all users as opted out by default. Details are in our Cookie Policy.

07Data Retention

DataRetention
Account and profile dataLife of the account, then deleted within 30 days of account deletion
Customer Data (CRM records, documents, transcripts)Until you delete it or your account closes; retained 30 days after termination to allow export, then permanently deleted
Billing and transaction recordsAs required by tax, accounting, and financial regulations (typically 7 years)
Diagnostic logs and error reportsShort rolling windows appropriate to debugging and security
Aggregated / de-identified analyticsMay be retained indefinitely (contains no personal information)

Residual copies may persist in encrypted backups for a limited time after deletion and are overwritten in the ordinary course. We may retain data longer where required by law or to resolve disputes.

08How We Protect Information

We use administrative, technical, and physical safeguards appropriate to the sensitivity of the data, including:

  • tenant isolation enforced with database row-level security, designed to fail closed;
  • AES-256 encryption of OAuth tokens and third-party API keys at rest, and TLS with HSTS for all data in transit;
  • least-privilege database roles, authenticated sessions, and signature verification on inbound webhooks;
  • rate limiting, security headers (CSP, frame protections), and input sanitization;
  • audit logging of AI agent actions and compliance-relevant events.

No system is perfectly secure. If we learn of a breach affecting your personal information, we will notify you and regulators as required by applicable law. Report suspected vulnerabilities to security@suitecre.com.

09Your Privacy Rights

Depending on where you live, you may have some or all of the rights below. As a matter of policy, we extend these rights to all users in the United States, regardless of state:

  • Know / access: confirm whether we process your personal information and obtain a copy of it;
  • Correct: fix inaccurate personal information;
  • Delete: request deletion of your personal information and account;
  • Portability: receive your data in a portable format (the Service includes self-serve export tools);
  • Opt out: of sales, sharing for targeted advertising, and profiling with significant effects — none of which we do;
  • Limit sensitive data use: we use sensitive information (such as account credentials or license numbers you provide) only to deliver the Service;
  • Non-discrimination: we will not deny service or change pricing because you exercised a privacy right.

How to exercise your rights

Use the tools in your account settings (export, integration disconnect, account deletion) or email privacy@suitecre.com. We will verify your request using your account email or other reasonable means, respond within 45 days (extendable once by 45 days where permitted, with notice), and honor requests made through an authorized agent with proof of authorization. If we decline a request, you may appeal by replying to our decision with “Appeal” in the subject line; we will respond to appeals within the period required by your state’s law and, if the appeal is denied, provide a way to contact your state attorney general.

Remember: for personal information held in a customer’s CRM, the customer controls the data, and we will route or support your request as described in Section 1.

10California Notice at Collection

This section supplements the rest of this policy for California residents under the California Consumer Privacy Act, as amended by the CPRA (“CCPA”). In the preceding 12 months we have collected the categories of personal information below. We have not sold or shared personal information, and we do not sell or share it, including of consumers under 16.

CCPA categoryExamples we collectDisclosed to
IdentifiersName, email, phone, IP address, account IDsService providers
Customer records (Cal. Civ. Code § 1798.80)Contact details, billing recordsService providers
Commercial informationSubscription history, transactions, deal records you storeService providers
Internet / network activityUsage logs, feature interactions, diagnosticsService providers
Audio / electronic informationCall transcripts, chat messages, voice-session textService providers
Professional informationCompany, title, license and designation detailsService providers
Sensitive personal informationAccount credentials; license numbers you provideService providers (service delivery only)
InferencesAI-generated summaries and health scores within your accountService providers

We collect these categories from the sources, for the purposes, and with the retention periods described in Sections 2, 3, and 7. We use sensitive personal information only for the purposes permitted by CCPA regulations (providing the Service, security, and quality), so the “Limit the Use of My Sensitive Personal Information” right does not require an additional toggle. California residents may exercise the rights in Section 9 via privacy@suitecre.com. California’s “Shine the Light” law (Civ. Code § 1798.83) inquiries may be sent to the same address; we do not disclose personal information to third parties for their direct marketing.

11Other U.S. State Disclosures

Residents of states with comprehensive privacy laws — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Florida, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Kentucky, Rhode Island, and Indiana — have rights substantially similar to those in Section 9, including the right to appeal a refusal. We honor all of them through the same process. For clarity under those laws: we do not sell personal data, do not process it for targeted advertising, and do not engage in profiling in furtherance of decisions that produce legal or similarly significant effects. Where a state requires consent to process sensitive data, we obtain it through your voluntary provision of that data for the feature that uses it.

Nevada residents: we do not sell covered information as defined by Nevada law; you may still submit an opt-out request to privacy@suitecre.com.

12Children

The Service is a business tool and is not directed to anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact privacy@suitecre.com and we will delete it.

13International Users

The Service is operated from the United States and intended for U.S. real estate professionals. If you access it from elsewhere, you understand your information will be transferred to and processed in the United States, where privacy laws may differ from those of your jurisdiction. If you are in a jurisdiction such as the EEA, UK, or Canada and applicable law grants you additional rights, you may exercise them via privacy@suitecre.com and we will handle your request in accordance with that law.

14Google & Microsoft API Data

SuiteCRE’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular, Google user data (Gmail and Google Calendar data) is used only to provide the features you enable — creating email drafts in your mailbox and syncing your calendar — and is never used for advertising, never sold, and never used to train generalized AI models. Human access is limited to the narrow cases the policy permits (with your consent, for security, or to comply with law). Microsoft account data accessed through the Outlook integration is handled the same way. You can revoke our access at any time in your SuiteCRE settings or via your Google or Microsoft account permissions.

15Changes to This Policy

We may update this policy as the Service and the law evolve. We will post the updated version with a new “Last updated” date and, for material changes, notify you by email or in-app notification before the changes take effect. Your continued use of the Service after the effective date constitutes acknowledgment of the updated policy.

16Contact Us

SuiteCRE Inc. — Privacy Team
Privacy requests: privacy@suitecre.com
Security reports: security@suitecre.com
General legal: legal@suitecre.com

If you have an unresolved privacy concern that we have not addressed satisfactorily, you may contact your state attorney general’s consumer protection office.