This Privacy Policy ("Policy") explains how Acre ("Acre," "we," "us," or "our") collects, uses, discloses, retains, and protects Personal Data in connection with the website located at acrerealestate.app (the "Site") and the pre-launch waitlist offered through it (the "Waitlist," and together with the Site, the "Service"). It also describes your rights regarding your Personal Data and how to exercise them.
This Policy is incorporated into and forms part of our Terms of Use. Capitalized terms used but not defined here have the meanings given in the Terms of Use.
1. Scope and Definitions
This Policy applies to Personal Data we process when you visit the Site, submit your email to the Waitlist, or otherwise interact with the Service. It does not apply to (a) the Acre commercial product, when and if launched (that product will have its own privacy notice), or (b) third-party websites or services we link to.
For purposes of this Policy:
- "Personal Data" means any information relating to an identified or identifiable natural person, as further defined under applicable law (including, where relevant, the GDPR, the CCPA/CPRA, and the UCPA).
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, retention, and deletion.
- "Service Provider" or "Sub-Processor" means a third-party vendor that processes Personal Data on our behalf and under our written instructions.
- "Sale" and "Share" have the meanings given in the CCPA/CPRA.
Acre is the Controller of Personal Data processed in connection with the Service. Our contact details are in Section 19.
2. Personal Data We Collect
2.1 Information you give us
When you join the Waitlist, we collect:
- Your email address.
- The page or URL on the Site from which you submitted the form (the value of the
sourcefield). - The HTTP referrer, if your browser provides one.
- The timestamp of your submission.
If you contact us by email, we also receive whatever information is contained in your message.
2.2 Information collected automatically
When you visit the Site, our hosting and edge providers (Vercel and Cloudflare) automatically receive standard request metadata as part of operating the Service. This typically includes:
- IP address (used in part for abuse prevention and aggregate analytics);
- User-agent string (browser and operating-system information);
- HTTP request URL, method, and status;
- Approximate geographic region (derived from IP, at country/region granularity);
- Timestamps and request durations.
2.3 What we do NOT collect
We do not collect, and we do not knowingly receive, any of the following through the Service: your real name, postal address, phone number, date of birth, Social Security number, government ID, financial-account information, payment-card data, precise geolocation, health information, biometric data, or any sensitive Personal Data within the meaning of Article 9 GDPR or Section 1798.140(ae) of the CCPA. We do not run third-party advertising pixels (Meta, Google Ads, LinkedIn, TikTok, etc.), and we do not maintain cross-site tracking cookies.
3. How We Use Personal Data
We process Personal Data only for the purposes set out in the table below.
| Purpose | Categories used |
|---|---|
| Confirm your Waitlist enrollment by sending a confirmation email | Email address; submission metadata |
| Send periodic (approximately monthly) pre-launch progress updates while you remain on the Waitlist | Email address |
| Send a one-time early-access invitation when available | Email address |
| Operate, secure, and improve the Site (including spam-prevention and rate-limiting) | Automatic request metadata; submission metadata |
| Respond to your inquiries, including data-subject requests | Email address; content of your message |
| Comply with applicable law, court orders, or government requests | Any of the above, as required |
| Establish, exercise, or defend legal claims | Any of the above, as required |
We do not use your Personal Data for automated decision-making or profiling that produces legal or similarly significant effects on you.
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 GDPR (and the equivalent provisions of UK and Swiss law):
- Consent (Art. 6(1)(a)) — for sending you Waitlist communications, including the confirmation email, monthly updates, and the early-access invitation. You may withdraw consent at any time by following Section 10.
- Legitimate interests (Art. 6(1)(f)) — for operating, securing, and improving the Site, including basic server logging and spam prevention. We have determined that these interests are not overridden by your interests, rights, and freedoms.
- Legal obligation (Art. 6(1)(c)) — to the extent processing is required to comply with a legal obligation to which we are subject.
- Establishment, exercise, or defense of legal claims (Art. 9(2)(f)) — where applicable.
5. Disclosure to Service Providers
To operate the Service we rely on the following Sub-Processors. Each receives only the Personal Data necessary for its function, processes that data on our written instructions, and is contractually bound to maintain appropriate technical and organizational measures.
| Service Provider | Function | Data Processed | Location |
|---|---|---|---|
| Loops, Inc. (Loops.so) | Transactional and marketing email; Waitlist contact storage | Email address; submission metadata; email-engagement metadata (open/click) | USA |
| Vercel Inc. | Static-site hosting; serverless function execution | Request metadata; IP address; submission payload | USA (global edge) |
| Cloudflare, Inc. | DNS resolution; edge network; spam protection (Turnstile, if enabled); email routing (if enabled) | Request metadata; IP address; (if Turnstile) interaction signals | USA (global edge) |
Links to each Sub-Processor's privacy notice: Loops · Vercel · Cloudflare.
We may also disclose Personal Data: (a) to comply with applicable law, regulation, legal process, or governmental request; (b) to enforce the Terms of Use, including investigation of potential violations; (c) to detect, prevent, or address fraud, security, or technical issues; or (d) in connection with a merger, acquisition, financing, or sale of all or substantially of our assets, in which case we will notify Waitlist members before any Personal Data becomes subject to a different privacy policy.
We do not sell, rent, or trade your Personal Data, and we do not "share" it with third parties for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
6. International Data Transfers
Acre is based in the United States, and our Sub-Processors are headquartered in the United States with global infrastructure. If you are located outside the United States, your Personal Data will be transferred to and processed in the United States and other jurisdictions that may not provide the same level of data-protection law as your home jurisdiction.
Where required by GDPR or UK GDPR, we rely on the European Commission's Standard Contractual Clauses (2021/914/EU) and, where applicable, the EU–U.S. Data Privacy Framework (and its UK Extension and Swiss equivalent) as the legal mechanism for transfers. Our Sub-Processors have provided contractual commitments aligned with these mechanisms. You may request a summary of our transfer safeguards by emailing the address in Section 19.
7. Data Retention
We retain Personal Data only as long as necessary for the purposes described in Section 3:
- Waitlist email and submission metadata: retained for as long as you remain on the Waitlist. When you unsubscribe or request deletion, we remove your record from Loops and our records within seven (7) days, except where we are required to retain it to comply with a legal obligation or to establish, exercise, or defend legal claims.
- Email content and inquiry history: retained for up to twenty-four (24) months after the last correspondence, then deleted.
- Server access logs (Vercel/Cloudflare): retained on each provider's standard rolling window (typically 30 days), then deleted automatically.
- Aggregated, de-identified data: retained indefinitely for analytics and product-development purposes; this data does not identify you.
8. Data Security
We implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, including:
- Encryption in transit: the Site and waitlist API are served over HTTPS with HTTP Strict Transport Security (HSTS), and our edge network terminates TLS at Cloudflare.
- Encryption at rest: our Sub-Processors encrypt Personal Data at rest using industry-standard mechanisms.
- Access controls: Sub-Processor consoles are protected by multi-factor authentication, and access to API keys is limited to the minimum number of personnel necessary.
- Network controls: the waitlist API is protected by Cloudflare's edge network and (optionally) by Cloudflare Turnstile.
- Minimization: we do not collect or store passwords, financial data, or any data category outside what is necessary for the Service.
No method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security but we maintain measures designed to be appropriate to the nature of the data we process.
9. Your Privacy Rights
Subject to applicable law and any exceptions provided by that law, you have the following rights with respect to your Personal Data:
| Right | What it means |
|---|---|
| Access / Know | Obtain confirmation of whether we process your Personal Data and, if so, a copy of that data and certain related information. |
| Correction / Rectification | Have inaccurate or incomplete Personal Data corrected. |
| Deletion / Erasure | Have your Personal Data deleted (subject to limited exceptions, such as legal-retention obligations). |
| Restriction | Restrict our processing of your Personal Data in certain circumstances. |
| Objection | Object to our processing of your Personal Data on the basis of legitimate interests or for direct marketing. |
| Portability | Receive your Personal Data in a structured, commonly used, machine-readable format and transmit it to another controller. |
| Withdraw consent | Withdraw your consent to our processing where consent is the legal basis (without affecting the lawfulness of pre-withdrawal processing). |
| Non-discrimination | Not be discriminated against for exercising any of these rights. |
| Lodge a complaint | Lodge a complaint with your local supervisory authority (EU/UK/Swiss residents) or your state Attorney General (US residents). |
10. How to Exercise Your Rights
To exercise any of the rights in Section 9, email nico@acrerealestate.app from the address on file (or include sufficient information for us to verify your identity if you write from a different address). We will respond within the timeframe required by applicable law — generally thirty (30) days for GDPR requests and forty-five (45) days for CCPA/CPRA and UCPA requests, with one extension permitted where reasonably necessary.
You can also unsubscribe from all Waitlist communications at any time by clicking the unsubscribe link in any email or by replying with the word "UNSUBSCRIBE."
You may designate an authorized agent to make a request on your behalf. We may require the agent to provide written, signed permission from you, and we may verify your identity directly.
If we deny your request, we will explain why and inform you of your right to appeal or to complain to the relevant supervisory authority.
11. California Residents (CCPA/CPRA) Disclosures
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), provides you with additional rights and us with additional obligations.
11.1 Categories collected in the last 12 months
- Identifiers — email address, IP address.
- Internet/network activity — request metadata such as browser type, page visited, and referrer.
- Geolocation — coarse, IP-derived only (country/region level).
We have not collected any other category enumerated in Cal. Civ. Code § 1798.140(o) through the Service. We do not collect "sensitive Personal Information" within the meaning of § 1798.140(ae).
11.2 Sources of collection
Directly from you (the Waitlist form, email correspondence) and automatically from your device (HTTP request metadata).
11.3 Business purposes for collection
The purposes listed in Section 3.
11.4 Disclosures for business purposes
The Sub-Processors listed in Section 5. We have not "sold" or "shared" Personal Information within the meaning of the CCPA during the preceding 12 months, and we do not anticipate doing so.
11.5 Your California rights
You have the rights to know, delete, correct, opt out of sale/sharing (we do neither), limit use of sensitive Personal Information (we collect none), portability, and non-discrimination. To exercise these rights, see Section 10. California residents may also designate an authorized agent and may appeal a denial as described above.
"Shine the Light" (Cal. Civ. Code § 1798.83): we do not share Personal Information with third parties for those third parties' direct-marketing purposes.
12. Utah Residents (UCPA) Disclosures
If you are a Utah resident, the Utah Consumer Privacy Act ("UCPA"), Utah Code Title 13, Chapter 61, provides you with the following rights, which Acre honors:
- The right to confirm whether we are processing your Personal Data and to access that data;
- The right to delete Personal Data you provided to us;
- The right to obtain a portable copy of your Personal Data in a readily usable format;
- The right to opt out of (a) targeted advertising or (b) the sale of your Personal Data. We do not engage in either activity.
To exercise these rights, see Section 10. If we deny your request, you may appeal by replying to our response. If your appeal is denied, you may contact the Utah Attorney General's office at attorneygeneral.utah.gov.
13. EEA, UK, and Swiss Residents
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in Section 9 under the GDPR, the UK GDPR, and the Swiss Federal Act on Data Protection ("FADP"), respectively.
Our legal bases for processing are described in Section 4. Our international-transfer mechanism is described in Section 6.
You have the right to lodge a complaint with your local Data Protection Authority. A list of EEA authorities is available at edpb.europa.eu. UK residents may complain to the Information Commissioner's Office (ico.org.uk). Swiss residents may complain to the Federal Data Protection and Information Commissioner.
We have not appointed an EU or UK representative, as our processing does not currently meet the thresholds under GDPR Article 27 or UK GDPR § 27. We will appoint one if and when those thresholds are met.
14. Children's Privacy
The Service is intended for working real-estate professionals and is not directed to children under sixteen (16). We do not knowingly collect Personal Data from anyone under 16, and we comply with the Children's Online Privacy Protection Act ("COPPA") with respect to U.S. children under 13. If you believe we have inadvertently collected Personal Data from a child, contact us at nico@acrerealestate.app and we will delete it.
15. Cookies and Tracking Technologies
The Site uses a minimal set of cookies and equivalent technologies:
- Strictly necessary — cookies set by Vercel for serverless-function execution and by Cloudflare for security/anti-bot challenges. These cannot be disabled without breaking the Service.
- No analytics, advertising, or social-media cookies — we do not deploy Google Analytics, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, or any equivalent.
If we add an analytics tool in the future, we will update this Section, present a cookie banner where required (EEA/UK), and offer granular consent controls.
16. Do Not Track Signals
Some browsers transmit a "Do Not Track" signal. Because there is no consistent industry interpretation of these signals, the Site does not currently respond to them. We do, however, honor the Global Privacy Control (GPC) signal as a valid request to opt out of "sale" or "sharing" of Personal Information under the CCPA/CPRA — although, as noted, we engage in neither.
17. Data Breach Notification
If we become aware of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify the affected individuals and the appropriate supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware, in accordance with GDPR Article 33, applicable U.S. state breach-notification laws, and any other applicable law.
18. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the "Last Updated" date above and, where the change materially affects your rights, provide reasonable advance notice (at least thirty (30) days where practicable) via email to your Waitlist address or via prominent notice on the Site. Your continued use of the Service after the effective date of any modification constitutes your acceptance of the modified Policy.
19. Contact and Data Controller Information
The Data Controller for the Personal Data processed under this Policy is:
Acre
Email: nico@acrerealestate.app
Jurisdiction: Salt Lake County, Utah, USA
For all privacy-related questions, complaints, or requests, email the address above. We aim to respond to all reasonable requests within the timeframe required by applicable law.
Important notice. This Privacy Policy is a starter template prepared as a working draft for Acre's pre-launch waitlist site. It is not legal advice, is not a substitute for advice from a licensed attorney, and has not been reviewed by counsel admitted to practice in Utah or any other jurisdiction. Before relying on this Policy in connection with public marketing, paid product launch, processing of consumer data at scale, or any expansion outside the United States, you should engage qualified privacy counsel to review and revise it for your specific facts, data flows, and regulatory exposure (which may include additional U.S. state laws — Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, Oregon OCPA, and others — as well as Canadian PIPEDA, Quebec Law 25, Brazilian LGPD, and similar regimes). Acre is responsible for the final form of any privacy policy it publishes.