Privacy Policy

Last updated: March 16, 2026

Summary
Realty Cruiser is a business-to-business real estate CRM. In most cases, the Customer is the Data Controller for leads, contacts, scraped records, and outbound campaigns, and Realty Cruiser acts as the Data Processor or Service Provider processing that data on the Customer's documented instructions. We separately act as a controller for our own account, billing, fraud-prevention, and security administration data.

1. Scope

This Privacy Policy explains how Realty Cruiser collects, uses, discloses, transfers, and retains information when you access or use the Service, including CRM, scraping orchestration, messaging, and AI-assisted market analysis features.

2. Processing Roles

  • Customer / Data Controller: You determine what personal data is collected or imported into the Service, including data obtained from websites, public records, portals, uploads, APIs, forms, and manual entry; your lawful basis for processing; and how long the data will be retained.
  • Realty Cruiser / Data Processor: We process Customer Data only to host, secure, transmit, analyze, export, suppress, and delete that data in accordance with the Service configuration and Customer instructions.
  • Realty Cruiser / Independent Controller: We may independently process account registration data, billing records, authentication logs, abuse-prevention records, and internal audit logs to operate the business, comply with law, and protect the Service.
  • Sub-processors: We may use sub-processors such as cloud hosting providers, communications providers, analytics providers, and AI model providers to deliver portions of the Service.

3. Categories of Information We Process

Depending on how the Service is configured, we may process:

  • Account and organization data: name, email address, role, permissions, team membership, billing identifiers, and login records.
  • CRM and lead data: names, phone numbers, email addresses, property addresses, deal pipeline data, notes, tasks, lead stages, and communication history.
  • Source and scraping data: source URLs, portal names, public-record references, listing metadata, property facts, scrape timestamps, and other data the Customer chooses to import from public or licensed sources.
  • Communications and consent data: SMS, MMS, WhatsApp, and VoIP metadata, message content where enabled, delivery events, opt-in indicators, unsubscribe events, consent evidence, and global suppression records.
  • AI and analytics inputs: prompts, summaries, message drafts, property metrics, market indicators, and related model outputs generated through enabled AI features.
  • Security and audit data: IP address, device or browser information, timestamps, administrative actions, consent logs, blacklist events, and security monitoring data.

4. Data Origin and Web Scraping

Realty Cruiser provides tools that may assist Customers in importing or organizing data collected from public websites, listing portals, MLS-adjacent workflows, public registries, or other third-party sources. For that sourced data:

  • Controller responsibility: The Customer is solely responsible for determining whether the collection, scraping, monitoring, extraction, enrichment, import, and use of the data is lawful in the relevant jurisdiction.
  • Processor role: Realty Cruiser does not decide what sources the Customer targets and acts only as a processor or service provider with respect to Customer-directed scraping or import activity.
  • Public access standards: Customers must respect applicable robots.txt directives, public-data access rules, rate-limit expectations, copyright restrictions, website terms, and other lawful use restrictions applicable to the source site or dataset.
  • No override of source rights: Use of the Service does not grant rights to bypass technical access controls, authentication walls, anti-bot systems, contractual restrictions, or intellectual property protections imposed by third parties.

5. How We Use Information

  • Provide CRM functionality, automation workflows, analytics, export tools, and account administration.
  • Authenticate users, enforce role-based permissions, and maintain the security and reliability of the Service.
  • Operate communications features, maintain suppression lists, and log consent and opt-out events.
  • Provide AI-assisted drafting, summarization, and market analysis features that Customers enable.
  • Prevent fraud, misuse, unlawful messaging, and abusive automation.
  • Comply with legal obligations, respond to lawful requests, and preserve evidence for disputes or investigations.

6. Messaging Consent and Opt-Out Handling

The Service includes messaging workflows that may send SMS, MMS, WhatsApp, voice, or similar communications through third-party carriers or communications providers.

  • Consent evidence: Customers are responsible for obtaining and recording the legally required level of consent, including Prior Express Written Consent where required for marketing or automated messaging.
  • Suppression and STOP handling: The Service may append compliance language such as "Reply STOP to opt out," record opt-out keywords, and add recipients to a global suppression list. Once a valid opt-out is received, we may suppress future messaging across the Service for that recipient.
  • No bypassing opt-outs: Customers may not disable, evade, or work around suppression, blacklist, unsubscribe, or consent-tracking controls without a new lawful basis and fresh consent where required by law.
  • Call recording and disclosures: If call recording or similar features are enabled, the Customer is responsible for required notices and consent under applicable wiretap, telecom, and privacy laws.

7. AI Processing and Fair Housing Safeguards

Realty Cruiser offers AI-assisted outputs and an AI Profit Forecaster. Those tools are intended to analyze operational, property, and market information rather than protected-class characteristics.

  • Market inputs only: The AI Profit Forecaster is designed to use property and market indicators such as price history, days on market, square footage, lot size, bedrooms, bathrooms, currency factors, and related market metrics.
  • No protected-class scoring: We do not intend the AI Profit Forecaster to use, store, or process protected-class data such as race, color, religion, sex, gender, disability, familial status, national origin, ethnicity, citizenship, age, or similar sensitive attributes for scoring, segmentation, or recommendation logic.
  • Customer restrictions: Customers must not use the Service or any AI output to make unlawful discriminatory housing, credit, insurance, employment, or marketing decisions, or to infer protected-class status in violation of the Fair Housing Act or similar laws.
  • Human review remains required: AI outputs are probabilistic and must be reviewed by the Customer before operational use.

8. Sharing and Disclosure

We may disclose information:

  • To sub-processors and service providers who provide infrastructure, communications, analytics, security, or AI functionality.
  • To the Customer and its authorized users in accordance with account permissions and organization controls.
  • For legal and safety reasons where required by law, court order, subpoena, regulatory process, or to protect rights, property, security, or users.
  • In a corporate transaction such as a merger, financing, acquisition, reorganization, or asset sale, subject to applicable confidentiality and legal requirements.

9. Data Retention

We retain information for as long as reasonably necessary to provide the Service, honor Customer instructions, meet contractual commitments, and satisfy legitimate security, audit, dispute-resolution, and legal retention requirements.

  • Communications and consent logs: We may retain consent and opt-out records to prove compliance and prevent unlawful re-contact.
  • Audit and security logs: Administrative and security logs may be retained longer where needed for abuse prevention, investigations, or legal compliance.
  • Deletion workflows: Customers may request deletion or deep-scrub workflows for CRM records, subject to legal exceptions and retention requirements.

10. Security

We implement reasonable technical and organizational measures designed to protect data, including access controls, audit logging, suppression controls, and operational monitoring. No method of transmission or storage is completely secure, and Customers remain responsible for securing their credentials, endpoints, and internal user access.

11. Data Subject Rights, Portability, and Erasure

Depending on the applicable law, Customers and data subjects may have rights that include access, correction, deletion, portability, restriction, objection, and withdrawal of consent.

  • Access and correction: Customers may review and correct Customer Data maintained in the Service.
  • Data portability: Authorized Customer administrators may export CRM records and related fields in a structured format made available by the Service.
  • Right to erasure / deletion: Customers may request deletion or anonymization of CRM records. We may preserve limited evidence required for legal compliance, suppression, fraud prevention, security, or dispute resolution.
  • Controller assistance: If we act as processor, we will assist the Customer with valid access, portability, deletion, and suppression requests to the extent required by GDPR, UK GDPR, KSA PDPL, UAE PDPL, CCPA/CPRA, or other applicable law.

Request routing: If you are a consumer whose information appears in a Customer's CRM, your request should normally be directed to that Customer as the controller. We will support the Customer's response where required.

12. Global Data Residency and Sovereignty

Realty Cruiser supports global workflows involving the United States, the United Kingdom, the United Arab Emirates, and the Kingdom of Saudi Arabia. Data handling differs by legal regime and service configuration.

  • United States: Data relating to U.S. operations may be processed in the U.S. or other permitted locations. We treat Customer Data as business-purpose data and do not sell Customer CRM data for cross-context behavioral advertising.
  • United Kingdom: Where UK personal data is processed, we apply UK GDPR standards, including transfer safeguards for restricted transfers and support for access, correction, erasure, and portability rights.
  • United Arab Emirates: Where UAE-related data is processed, Customers remain responsible for satisfying UAE notice and lawful-processing requirements. We will use contractual, organizational, and technical measures for permitted transfers and processor oversight.
  • Kingdom of Saudi Arabia: Where KSA-related data is processed, we support controller requests for access, export, deletion, and localization review consistent with the Saudi Personal Data Protection Law and its implementing rules, subject to applicable legal exceptions and approved transfer mechanisms.
  • No implied local hosting commitment: Unless a separate written order expressly provides for dedicated in-region hosting or storage, use of regional features, localization, or market-specific workflows does not by itself guarantee that all data will remain stored exclusively in that jurisdiction.

13. International Transfers

Your data may be processed in jurisdictions where we or our sub-processors operate. Where cross-border transfers are restricted by law, we rely on appropriate safeguards such as contractual clauses, transfer impact assessments, vendor commitments, consent where legally sufficient, or other lawful transfer mechanisms.

14. Updates

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated "Last updated" date and will apply prospectively unless otherwise required by law.

15. Contact

Questions about privacy, data transfers, deletion, or portability requests may be submitted through the Service support channels or through the sales contact page.