Flatre ("Flatre," "we," "our") provides an AI-native real estate transaction management platform (the "Service"). This Privacy Notice describes what information we collect when you or the people you work with use the Service, how we use it, and the choices you have.
This notice applies to real estate professionals who sign up for Flatre, members of their workspace, and the clients, leads, and counterparties whose information flows through the Service. If you are a client or lead of a Flatre customer, that customer is the controller of your information and may have its own privacy notice that also applies.
1. Information we collect
Information you provide
- Account details. Name, email address, password, brokerage name, profile photo, phone number, and license information.
- Workspace content. Contacts, leads, properties, listings, offers, transactions, tasks, calendar events, notes, uploaded documents, and photos you add to Flatre.
- Communications. Email threads, messages, and attachments exchanged through connected mailboxes or the in-app messaging tools.
- Voice calls. Call participants, phone numbers, timestamps, routing and status metadata, and—only after the Flatre user has expressly enabled recording—call audio, transcripts, and AI-generated summaries. A notice is played to the other participant before recording begins, explains that remaining connected indicates consent, and gives the participant an opportunity to disconnect before recording.
- Payment details. If you subscribe to a paid plan, our payment processor collects billing contact information and payment method details. Flatre does not store full card numbers.
- Support requests. Messages, screenshots, and related metadata you send when contacting us.
Information from integrations
- Email providers. When you connect Gmail, Outlook, or Yahoo, we access the mailbox data you authorize so Flatre can sync threads, send on your behalf, and surface transaction-relevant context.
- MLS data. Listing, property, and market data retrieved from brokerage MLS providers configured for your workspace or searched through Flatre after setup.
- Lead sources. Lead records imported from Follow Up Boss, Meta, and other lead integrations you connect.
- e-Signature. Documents, envelopes, recipient information, and status events from DocuSign or other e-signature providers you connect.
- Sign-in providers. Basic profile information (name, email, avatar where available) and authorization identifiers from Apple, Google, or Microsoft when you use provider sign-in. Provider tokens are encrypted at rest and used only to maintain or revoke the connection you requested.
Information collected automatically
- Device and log data. IP address, browser and device type, operating system, referring URLs, pages viewed, timestamps, app version, and device-level notification tokens used to deliver account, transaction, and incoming-call notifications.
- Cookies and similar technologies. Session cookies for authentication and user preference cookies. If you allow optional analytics cookies, our public marketing pages load Google Analytics, which sets first-party analytics cookies (such as
_ga) to measure aggregate visits; Google acts as our analytics processor for those pages. We do not run analytics inside the authenticated product, and we do not deploy advertising or session-replay technologies. - Public portal interactions. When a client, buyer, seller, or counterparty opens a Flatre portal link (e.g., offer, CMA, net sheet, onboarding), we record view and action events to keep the originating agent informed.
Information we generate
- AI outputs and derived content. Draft messages, call and communication summaries, extracted fields, classifications, and other content produced by AI features acting on your workspace data.
- Search and similarity indexes. To power in-app search and AI features, we generate vector embeddings of selected workspace content — including contact records, message threads, transaction summaries, and document text. These embeddings are derived from your content and are processed by the AI providers identified in Section 3.
- Audit and model-call logs. Internal records of administrative actions, security events, and AI model calls (with sensitive values redacted before storage).
2. How we use information
- Provide, maintain, and improve the Service and its features.
- Authenticate users, secure accounts, and prevent abuse or fraud.
- Power AI features — drafting messages, summarizing communications, extracting transaction data, and recommending next steps — using large language model providers acting as our processors.
- Provide Voice calling and, when the Flatre user has opted in, record, transcribe, and summarize calls. The user can disable future recording in Voice settings and can turn recording off for an individual call.
- Send transactional emails (magic links, receipts, status alerts) and service announcements.
- Send opted-in SMS/text messages, including real estate transaction updates, showing reminders, task reminders, portal notifications, document/status alerts, and coordination messages.
- Analyze aggregate product usage to prioritize improvements.
- Comply with law and enforce our Terms of Use.
We do not sell your personal information, and we do not use customer or client content to train third-party AI models.
If you opt in to Flatre SMS messages, we use your mobile phone number to send recurring text messages related to your Flatre account, workspace, portal, or real estate transaction activity. Message frequency varies based on transaction activity, workspace configuration, and the communications you request or consent to receive. Message and data rates may apply. You can reply STOP to opt out or HELP for help.
3. AI processing
Flatre's AI features are powered by third-party large language model and document intelligence providers acting as our processors. We currently use:
- OpenAI for chat completion, drafting, summarization, classification, and vector embeddings used by search and AI features.
- Microsoft Azure AI Document Intelligence for optical character recognition on uploaded documents where text extraction is required.
To return a useful response, AI features transmit the relevant inputs to the provider. Depending on the feature, these inputs can include contact details (names, email addresses, phone numbers), property and listing addresses, the bodies of communications you exchange in Flatre (including emails received from clients and counterparties when inbound triage is enabled), uploaded document content, transaction metadata, prior AI conversation history, and consented call transcripts or audio when a Voice summary is requested.
Content sent to these providers is governed by the providers' commercial terms. Under those terms our customer content is not used to train their generally available models and is retained by the provider only for the limited periods required to deliver, debug, and secure the service (commonly up to 30 days for OpenAI's standard API). Where supported by the provider, we may enable zero-retention processing for specific features.
We require each AI provider that receives personal data to provide the same or equal protection described in this Privacy Notice and required by applicable privacy rules. You choose whether Flatre may share data with these providers before an AI feature sends personal or workspace data. You can revoke that permission at any time in Settings > AI Controls; after revocation, Flatre blocks new AI requests from that device unless you grant permission again.
For auditability, Flatre stores its own copy of each AI request and response in our database. Before storage we apply automated redaction to mask email addresses, phone numbers, postal addresses, and recognizable secrets from these internal records. Redaction is applied to the stored copy and does not alter the content already transmitted to the AI provider.
AI outputs are generated by probabilistic models and may be inaccurate, incomplete, or fabricated. Do not rely on AI output as legal, tax, financial, or fair-housing advice without human review.
4. AI assistant connectors
If you authorize an AI assistant connector such as Claude, ChatGPT, or Codex, Flatre returns scoped workspace evidence and, if enabled by workspace policy and OAuth scopes, governed Automation write outcomes for that assistant to process in your assistant session. Current connector responses may include transactions, contacts, properties, tasks, approvals, safe communication previews, document metadata, financial summaries, integration health, audit summaries, and Automation proposal or action outcomes.
AI assistant connectors do not return raw email bodies, document contents, attachments, storage keys, credentials, Flatre AI model output, embeddings, direct draft/send/approval mutations, or web search results. These connectors also do not send messages, approve actions directly, directly mutate workspace records outside Automation, or consume Flatre AI credits.
Workspace owners and admins can disable or restrict connector scopes, and authorized users can revoke active connector grants from Settings > Integrations.
5. How we share information
- Service providers. We rely on third parties that process data on our behalf under written agreements: Vercel and Render (web and API hosting), our managed Postgres database and object-storage providers, Resend (transactional email delivery),Stripe (billing), Twilio (phone numbers, call routing, call audio, and transcription), OpenAI and Microsoft Azure (AI processing — see Section 3),DocuSign (e-signature), and the MLS, lead, and sign-in partners you enable. We maintain an internal subprocessor register and will provide the current list on request to privacy@flatre.ai.
- Workspace members. Information you add to a Flatre workspace is visible to other members of that workspace according to their permissions.
- Integration partners. When you connect an integration (configured brokerage MLS, mailbox, e-signature, lead source), data flows to and from that provider as directed by the connection settings.
- Portal recipients. Information you intentionally share through a public portal link is accessible to whoever has that link.
- Legal and safety. We may disclose information to comply with legal process, protect rights and safety, or during a corporate transaction (with notice where required).
We do not sell, rent, or share mobile phone numbers with third parties for their own marketing or promotional purposes. We may share mobile phone numbers with messaging providers and other service providers only as needed to deliver, secure, support, and comply with opt-in, opt-out, and legal obligations for Flatre communications.
6. Data retention
We retain workspace content for as long as your account is active and for a reasonable period afterward to support recovery, dispute resolution, security, and legal obligations. Consented Voice recordings and their transcripts and derived AI payloads are deleted no later than 365 days after the call, or earlier when an authorized user deletes the call data. Deletion removes the Twilio-hosted recording and scrubs the recording URL, transcript, summary, and derived Voice intelligence from Flatre.
You can delete many individual records in the Service and can initiate account deletion in the iOS app. Account deletion removes or anonymizes the account data governed by Flatre, revokes connected Sign in with Apple authorization when available, and schedules provider-backed data for deletion, except for records we must retain by law or legitimate security/compliance needs (for example tax, audit, or real estate transaction records).
To make deletion retry-safe and prevent replay of an Apple credential issued before deletion, Flatre retains a one-way hashed deletion receipt for up to 30 days. The receipt does not contain the Apple account identifier in readable form. If Apple revocation cannot finish immediately, the refresh credential remains encrypted only until revocation succeeds or an authorized operator completes the documented manual resolution; it is then destroyed.
AI and document-intelligence providers process the inputs we send them subject to their own retention windows, which are independent of the retention period for your account in Flatre. See Section 3 for the current provider terms we rely on.
7. Security
We use encryption in transit (TLS) and at rest, hashed passwords, least-privilege access controls, OAuth with short-lived tokens, and audit logging. No system is perfectly secure; notify us promptly of suspected compromise at the address below.
8. Your choices and rights
Depending on where you live, you may have rights to access, correct, export, or delete the personal information we hold about you, and to object to or restrict certain processing. California residents have rights under the CCPA/CPRA including the right to know and to delete, and to opt out of "sharing" for cross-context behavioral advertising (Flatre does not engage in such sharing). EEA/UK residents have rights under the GDPR/UK GDPR. To exercise rights, email us at the address below.
If you are a client or lead of a Flatre customer, please contact that customer first — they control your data inside Flatre. We will assist them in fulfilling requests.
9. International transfers
Flatre is operated from the United States. If you access the Service from outside the U.S., your information is transferred to and processed in the U.S. and other jurisdictions where our service providers operate. We rely on appropriate safeguards (including Standard Contractual Clauses where applicable) for cross-border transfers.
10. Children
The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided information, contact us so we can delete it.
11. Changes to this notice
We may update this notice to reflect product or legal changes. Material changes will be announced in the Service or by email. The "Last updated" date below indicates when the current version took effect.
12. Contact
Questions, requests, or complaints about this notice: privacy@flatre.ai.
Last updated July 15, 2026