Privacy

Flatre ("Flatre," "we," "our") provides an AI-native real estate transaction management platform (the "Service"). This Privacy Notice describes what information we collect when you or the people you work with use the Service, how we use it, and the choices you have.

This notice applies to real estate professionals who sign up for Flatre, members of their workspace, and the clients, leads, and counterparties whose information flows through the Service. If you are a client or lead of a Flatre customer, that customer is the controller of your information and may have its own privacy notice that also applies.

1. Information we collect

Information you provide

• Account details. Name, email address, password, brokerage name, profile photo, phone number, and license information.
• Workspace content. Contacts, leads, properties, listings, offers, transactions, tasks, calendar events, notes, uploaded documents, and photos you add to Flatre.
• Communications. Email threads, messages, and attachments exchanged through connected mailboxes or the in-app messaging tools.
• Payment details. If you subscribe to a paid plan, our payment processor collects billing contact information and payment method details. Flatre does not store full card numbers.
• Support requests. Messages, screenshots, and related metadata you send when contacting us.

Information from integrations

• Email providers. When you connect Gmail, Outlook, or Yahoo, we access the mailbox data you authorize so Flatre can sync threads, send on your behalf, and surface transaction-relevant context.
• MLS data. Listing, property, and market data retrieved from brokerage MLS providers configured for your workspace or searched through Flatre after setup.
• Lead sources. Lead records imported from Follow Up Boss, Meta, and other lead integrations you connect.
• e-Signature. Documents, envelopes, recipient information, and status events from DocuSign or other e-signature providers you connect.
• Sign-in providers. Basic profile information (name, email, avatar) from Google or Microsoft when you use OAuth sign-in.

Information collected automatically

• Device and log data. IP address, browser and device type, operating system, referring URLs, pages viewed, and timestamps.
• Cookies and similar technologies. Session cookies for authentication and user preference cookies. Our public marketing pages also load Google Analytics, which sets first-party analytics cookies (such as _ga) to measure aggregate visits; Google acts as our analytics processor for those pages. We do not run analytics inside the authenticated product, and we do not deploy advertising or session-replay technologies.
• Public portal interactions. When a client, buyer, seller, or counterparty opens a Flatre portal link (e.g., offer, CMA, net sheet, onboarding), we record view and action events to keep the originating agent informed.

Information we generate

• AI outputs and derived content. Draft messages, summaries, extracted fields, classifications, and other content produced by AI features acting on your workspace data.
• Search and similarity indexes. To power in-app search and AI features, we generate vector embeddings of selected workspace content — including contact records, message threads, transaction summaries, and document text. These embeddings are derived from your content and are processed by the AI providers identified in Section 3.
• Audit and model-call logs. Internal records of administrative actions, security events, and AI model calls (with sensitive values redacted before storage).

2. How we use information

• Provide, maintain, and improve the Service and its features.
• Authenticate users, secure accounts, and prevent abuse or fraud.
• Power AI features — drafting messages, summarizing communications, extracting transaction data, and recommending next steps — using large language model providers acting as our processors.
• Send transactional emails (magic links, receipts, status alerts) and service announcements.
• Analyze aggregate product usage to prioritize improvements.
• Comply with law and enforce our Terms of Use.

We do not sell your personal information, and we do not use customer or client content to train third-party AI models.

3. AI processing

Flatre's AI features are powered by third-party large language model and document intelligence providers acting as our processors. We currently use:

• OpenAI for chat completion, drafting, summarization, classification, and vector embeddings used by search and AI features.
• Microsoft Azure AI Document Intelligence for optical character recognition on uploaded documents where text extraction is required.

To return a useful response, AI features transmit the relevant inputs to the provider. Depending on the feature, these inputs can include contact details (names, email addresses, phone numbers), property and listing addresses, the bodies of communications you exchange in Flatre (including emails received from clients and counterparties when inbound triage is enabled), uploaded document content, transaction metadata, and prior AI conversation history.

Content sent to these providers is governed by the providers' commercial terms. Under those terms our customer content is not used to train their generally available models and is retained by the provider only for the limited periods required to deliver, debug, and secure the service (commonly up to 30 days for OpenAI's standard API). Where supported by the provider, we may enable zero-retention processing for specific features.

For auditability, Flatre stores its own copy of each AI request and response in our database. Before storage we apply automated redaction to mask email addresses, phone numbers, postal addresses, and recognizable secrets from these internal records. Redaction is applied to the stored copy and does not alter the content already transmitted to the AI provider.

AI outputs are generated by probabilistic models and may be inaccurate, incomplete, or fabricated. Do not rely on AI output as legal, tax, financial, or fair-housing advice without human review.

4. How we share information

• Service providers. We rely on third parties that process data on our behalf under written agreements: Vercel and Render (web and API hosting), our managed Postgres database and object-storage providers, Resend (transactional email delivery),Stripe (billing), OpenAI and Microsoft Azure (AI processing — see Section 3), DocuSign (e-signature), and the MLS, lead, and sign-in partners you enable. We maintain an internal subprocessor register and will provide the current list on request to privacy@flatre.ai.
• Workspace members. Information you add to a Flatre workspace is visible to other members of that workspace according to their permissions.
• Integration partners. When you connect an integration (configured brokerage MLS, mailbox, e-signature, lead source), data flows to and from that provider as directed by the connection settings.
• Portal recipients. Information you intentionally share through a public portal link is accessible to whoever has that link.
• Legal and safety. We may disclose information to comply with legal process, protect rights and safety, or during a corporate transaction (with notice where required).

5. Data retention

We retain workspace content for as long as your account is active and for a reasonable period afterward to support recovery, dispute resolution, security, and legal obligations. You can delete many individual records in the Service. Account, workspace, export, and deletion requests are handled through a verified support workflow, except for records we must retain by law or legitimate security/compliance needs (e.g., tax, audit, or real estate transaction records).

AI and document-intelligence providers process the inputs we send them subject to their own retention windows, which are independent of the retention period for your account in Flatre. See Section 3 for the current provider terms we rely on.

6. Security

We use encryption in transit (TLS) and at rest, hashed passwords, least-privilege access controls, OAuth with short-lived tokens, and audit logging. No system is perfectly secure; notify us promptly of suspected compromise at the address below.

7. Your choices and rights

Depending on where you live, you may have rights to access, correct, export, or delete the personal information we hold about you, and to object to or restrict certain processing. California residents have rights under the CCPA/CPRA including the right to know and to delete, and to opt out of "sharing" for cross-context behavioral advertising (Flatre does not engage in such sharing). EEA/UK residents have rights under the GDPR/UK GDPR. To exercise rights, email us at the address below.

If you are a client or lead of a Flatre customer, please contact that customer first — they control your data inside Flatre. We will assist them in fulfilling requests.

8. International transfers

Flatre is operated from the United States. If you access the Service from outside the U.S., your information is transferred to and processed in the U.S. and other jurisdictions where our service providers operate. We rely on appropriate safeguards (including Standard Contractual Clauses where applicable) for cross-border transfers.

9. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided information, contact us so we can delete it.

10. Changes to this notice

We may update this notice to reflect product or legal changes. Material changes will be announced in the Service or by email. The "Last updated" date below indicates when the current version took effect.

11. Contact

Questions, requests, or complaints about this notice: privacy@flatre.ai.