Our Privacy Policy

1. Legal Framework & Applicable Laws

This Privacy Policy is designed to comply with the following laws and regulations, among others:

• EU General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679
• UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
• California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) – Cal. Civ. Code § 1798.100 et seq.
• Children's Online Privacy Protection Act (COPPA) – 15 U.S.C. § 6501 et seq.
• Connecticut Data Privacy Act (CTDPA) – Conn. Gen. Stat. § 42-515 et seq.
• Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws
• Australia's Privacy Act 1988 and the Australian Privacy Principles
• ePrivacy Directive (EU) 2002/58/EC and UK Privacy and Electronic Communications Regulations (PECR)
• Illinois Biometric Information Privacy Act (BIPA) – 740 ILCS 14/1 et seq.
• Texas Capture or Use of Biometric Identifier Act (CUBI) – Tex. Bus. & Com. Code § 503.001 et seq.
• Washington My Health My Data Act and applicable state biometric privacy laws
• Telephone Consumer Protection Act (TCPA) – 47 U.S.C. § 227
• Electronic Signatures in Global and National Commerce Act (E-SIGN Act) – 15 U.S.C. § 7001 et seq.
• EU-U.S. Data Privacy Framework (DPF), UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF

Where local law provides greater protections than this Policy, those protections apply to residents of the relevant jurisdiction.

2. Data Controller & Contact Information

2.1 Identity of Data Controller

For the purposes of GDPR, UK GDPR, and other applicable data protection laws, the data controller is:

2.2 Technology Classification & Entity Status

Open Agent LLC is organized and operated as a technology platform company under NAICS Code 518210. Open Agent does not hold a real estate broker's license in any jurisdiction and is not subject to real estate licensing laws in the capacity of a broker or agent. The Platform is a technology intermediary service only. These privacy obligations are those of Open Agent LLC as a corporate entity and do not constitute personal obligations of its members, managers, or officers in their individual capacities.

2.3 EU/UK Representative (GDPR Article 27)

Open Agent may collect personal data from individuals located in the European Economic Area (EEA) and the United Kingdom. Where Open Agent is subject to GDPR Article 27 or UK GDPR Article 27 — which generally applies when a controller not established in the EU or UK offers goods or services to, or monitors the behavior of, individuals in the EEA or UK — Open Agent is required to designate a representative established in the EEA and/or UK.

Open Agent is in the process of designating its Article 27 EU and UK representatives and will publish their full contact details at www.openagentusa.com prior to actively targeting or onboarding users located in the EEA or UK. Until such time as EEA or UK users are actively onboarded, Open Agent's primary point of contact for GDPR and UK GDPR inquiries is: legal@openagentusa.com.

EEA and UK users may direct all data protection inquiries, including requests to exercise data subject rights, to legal@openagentusa.com pending formal designation of the Article 27 representative. The identity and contact details of the appointed EU and UK representatives will be communicated to users in the EEA and UK upon their onboarding and will be kept current at www.openagentusa.com.

3. Personal Data We Collect

3.1 Data You Provide Directly

When you register for or use the Platform, we may collect:

• Identity Data: Full name, username, profile photo;
• Contact Data: Email address, phone number, mailing address;
• Professional Data: Real estate license number, licensing jurisdiction, professional credentials;
• Financial Data: Payment card details, bank account information, billing address — processed by our PCI-DSS compliant payment processor; full card numbers are never stored on our servers;
• Transaction Data: Assignment details, compensation amounts, payment history, escrow records, chargeback dispute data;
• Profile Data: Ratings, reviews, job history, account preferences;
• Communications Data: In-app messages, support inquiries, feedback; and
• Verification Data: Government-issued ID or license documents for identity or credential verification.

3.2 Biometric Data

If our third-party identity verification service uses facial recognition technology to compare your profile photo to your government-issued ID, the following applies in compliance with BIPA, CUBI, and applicable state biometric laws:

• Prior Consent: We obtain your explicit, separate written consent before any biometric collection. Declining is optional but may limit access to identity-verified features.
• Purpose Limitation: Biometric data is used solely for identity verification and fraud prevention and for no other purpose.
• Retention & Destruction: Biometric identifiers are permanently and securely destroyed within ninety (90) days of collection, or upon account closure, whichever occurs first.
• No Sale or Profit: Open Agent does not sell, lease, trade, or otherwise profit from biometric data under any circumstances.
• No Unauthorized Disclosure: Biometric data is disclosed only to our identity verification service provider under a written data processing agreement, or as required by law or court order.

See Section 10 of the Terms of Use for the standalone biometric consent provision required by BIPA and applicable state laws.

3.3 Data Collected Automatically

When you access or use the Platform, we automatically collect:

• Device & Technical Data: Device type, model, operating system, unique device identifiers (IDFA/GAID), browser type;
• Log Data: IP address, access times, pages/features viewed, referring URLs, error logs;
• Location Data: Precise geolocation data, with your explicit consent, to match Agents and Assistants by proximity;
• Usage Data: Feature interactions, session duration, clicks, search queries;
• Cookie & Tracking Data: Cookies, pixel tags, and similar technologies (see Section 5); and
• Push Notification Tokens: Device tokens for delivering notifications, with your permission.

Device Permissions: With your explicit permission, we may request access to your Camera and Photo Library for profile pictures or property photos. You may revoke these permissions at any time through your device's system settings.

3.4 Consent Log Data

We collect and retain an immutable record of each user's agreement to our Terms and Privacy Policy, including: account identifier, IP address, device information, UTC timestamp of acceptance, and the specific version numbers of the documents accepted at the time of agreement. This consent log constitutes legally admissible evidence of agreement and is stored separately from general user profile data. Consent log data is retained for the duration of the account plus three (3) years following closure.

3.5 Data Received from Third Parties

We may receive personal data about you from:

• Payment Processors: Transaction confirmations, fraud signals, payment status, and chargeback dispute records;
• Collections Agencies: Account and debt information in connection with unresolved chargebacks or outstanding balances;
• Identity Verification Services: Verification outcomes, document validity assessments;
• App Distribution Platforms: Crash reports and technical diagnostics from Apple App Store and Google Play; and
• Analytics Providers: Aggregated and pseudonymized usage analytics.

3.6 Special Categories of Personal Data

We do not intentionally collect special categories of personal data (such as health data, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation). Biometric data, where collected, is governed by Section 3.2 and Section 10 of the Terms of Use. If you voluntarily provide other special category data, you explicitly consent to its processing for the purpose of operating your account.

4. How We Use Your Personal Data & Legal Bases

The table below describes each processing purpose and its applicable legal basis under GDPR and UK GDPR:

• Account Creation & Management

  Purpose: Create and maintain your user account.

  Legal Basis: Performance of a contract (Article 6(1)(b) GDPR).

• Platform Matching & Operations

  Purpose: Connect Agents with Assistants and facilitate assignments.

  Legal Basis: Performance of a contract (Article 6(1)(b) GDPR).

• Payment Processing & Chargeback Disputes

  Purpose: Process payments, hold escrow funds, maintain transaction records, and dispute chargebacks with payment processors and collections agencies.

  Legal Basis: Performance of a contract; legal obligations (Article 6(1)(b) and (c) GDPR).

• Biometric Verification

  Purpose: Verify user identity and prevent fraud using facial recognition, with explicit prior consent.

  Legal Basis: Explicit consent (Article 9(2)(a) GDPR).

• Consent Log Maintenance

  Purpose: Maintain legally admissible records of user agreement to Terms and Privacy Policy.

  Legal Basis: Legal obligations; legitimate interests (Article 6(1)(c) and (f) GDPR).

• Notifications & TCPA Communications

  Purpose: Send transactional SMS, push, and email communications.

  Legal Basis: Consent; legitimate interests (Article 6(1)(a) and (f) GDPR).

• Customer Support & Dispute Resolution

  Purpose: Respond to inquiries and resolve payment and assignment disputes.

  Legal Basis: Legitimate interests (Article 6(1)(f) GDPR).

• Security, Fraud Prevention & Platform Integrity

  Purpose: Detect and prevent unauthorized, fraudulent, or harmful activity.

  Legal Basis: Legitimate interests; legal obligations (Article 6(1)(c) and (f) GDPR).

• Legal Compliance & Tax Obligations

  Purpose: Comply with applicable laws, IRS requirements, and court orders.

  Legal Basis: Legal obligations (Article 6(1)(c) GDPR).

• Platform Improvement & Analytics

  Purpose: Analyze usage and improve features.

  Legal Basis: Legitimate interests (Article 6(1)(f) GDPR).

• Marketing Communications

  Purpose: Send promotional messages with your consent.

  Legal Basis: Consent (Article 6(1)(a) GDPR); withdrawable at any time without affecting prior lawful processing.

Automated Decision-Making & AI Matching: We use algorithmic systems to match Agents with Assistants based on proximity, ratings, and availability. We do not use purely automated decision-making that produces legal or similarly significant effects on users without human review, in compliance with GDPR Article 22. We do not use your personal data or private communications to train generative AI models without your explicit opt-in consent.

5. Cookies, Tracking Technologies & Consent Management

We use cookies and similar technologies (including pixel tags, web beacons, and device identifiers) to operate, secure, and improve the Platform. Non-essential cookies are only placed with your explicit prior consent, in compliance with the EU ePrivacy Directive and UK PECR.

5.1 Cookie Consent Management Platform (CMP)

On your first use of the Platform or website, you will be presented with a Cookie Consent Management Platform (CMP) banner that clearly describes the categories of cookies in use. You may accept all cookies, reject non-essential cookies, or customize preferences by category. Your preferences are stored and can be updated at any time through the Platform's Privacy Settings menu or by contacting legal@openagentusa.com. For EEA and UK users, non-essential cookies are not set until affirmative consent is provided through the CMP, in compliance with the ePrivacy Directive and ICO guidance.

5.2 Types of Cookies

• Strictly Necessary: Required for Platform operation (authentication, session management). Cannot be disabled.
• Performance & Analytics: Help us understand Platform usage. Enabled only with your consent.
• Functional: Remember your preferences and settings. Enabled only with your consent.
• Marketing/Targeting: Used to deliver relevant content or advertising, if applicable. Enabled only with your consent.

5.3 Global Privacy Control (GPC) & Do Not Track

Our systems are configured to recognize and honor the Global Privacy Control (GPC) signal as a valid opt-out from the sale or sharing of personal information for cross-context behavioral advertising, as required by the CPRA. We also respond to standard Do Not Track (DNT) browser signals. For California users, the CMP also serves as the mechanism to opt out of the "sale" or "sharing" of personal data collected via cookies.

6. How We Share Your Personal Data

6.1 With Other Platform Users

Certain profile information (name, professional credentials, ratings, assignment details) is visible to other users as necessary to facilitate platform matching. We share only what is proportionate and necessary for the intended purpose.

6.2 With Service Providers (Data Processors)

We engage trusted third-party service providers who process personal data on our behalf under binding data processing agreements (DPAs) compliant with GDPR Article 28. These include:

• Payment processors (transaction processing, escrow management, AML/KYC compliance);
• Collections agencies (solely in connection with unresolved chargebacks or outstanding debts, per Terms § 4.7);
• Cloud hosting and infrastructure providers;
• Push notification service providers;
• Analytics providers (using pseudonymized or aggregated data where possible);
• Identity verification services (biometric and document verification); and
• Customer support and communication tools.

All service providers are contractually prohibited from using your data beyond what is necessary for the contracted service.

6.3 International Data Transfers

Open Agent is based in the United States. If you access the Platform from the EEA, UK, Switzerland, or other jurisdictions with data transfer restrictions, your personal data may be transferred to and processed in the United States. We implement the following safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) for EEA transfers;
• UK International Data Transfer Agreements (IDTAs) or UK Addenda to SCCs for UK transfers;
• EU-U.S. Data Privacy Framework (DPF) participation and its UK and Swiss extensions; and
• Supplementary technical and organizational measures following transfer impact assessments.

You may request a copy of applicable transfer safeguards by contacting legal@openagentusa.com.

6.4 Legal Disclosures & Law Enforcement

We may disclose personal data when required by applicable law, regulation, legal process, or governmental request, or where we reasonably believe disclosure is necessary to protect the safety, rights, or property of Open Agent, our users, or the public. Open Agent expressly reserves the right to disclose user information to law enforcement without prior notice where required by law or where we reasonably believe a user has engaged in criminal activity through or in connection with the Platform. Where legally permitted, we will notify you of such requests.

6.5 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will provide at least thirty (30) days' prior notice before your data becomes subject to a materially different privacy policy.

6.6 No Sale of Personal Data

Open Agent does not sell, rent, lease, or trade your personal data to third parties for their own marketing purposes. For CCPA/CPRA purposes, we do not "sell" or "share" personal information as those terms are defined under California law, except as described in this Policy.

7. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this Policy, or as required by law. Specific retention periods are as follows:

• Account data: Duration of account plus three (3) years after closure;
• Transaction and financial records (payout logs, escrow histories, tax documentation): Seven (7) years from the date of the transaction — this obligation survives account deletion regardless of any erasure request, as required by IRS regulations;
• Biometric data: Permanently destroyed within ninety (90) days of collection or upon account closure, whichever occurs first;
• Consent log data: Duration of account plus three (3) years after closure;
• Chargeback and dispute records: Duration of the dispute plus the applicable statute of limitations period;
• Communications and support records: Three (3) years;
• Technical and log data: Twelve (12) months; and
• Marketing consent records: Until withdrawal plus three (3) years.

Upon a valid erasure request, we will delete personal data as required by applicable law. Financial and transaction records will be retained for the seven (7) year period as permitted under GDPR Article 17(3)(b) and equivalent provisions of applicable law. You will be expressly informed of any such retention at the time of your deletion request.

8. Your Data Rights & In-App Deletion

8.1 Rights Under GDPR & UK GDPR (EEA & UK Users)

EEA and UK users have the following rights under the GDPR and UK GDPR:

• Right of Access (Article 15): Request a copy of the personal data we hold about you and information about how it is processed.
• Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure / Right to be Forgotten (Article 17): Request deletion, subject to the 7-year financial retention obligation and other legal exceptions.
• Right to Restriction of Processing (Article 18): Request restricted processing in certain circumstances.
• Right to Data Portability (Article 20): Receive your data in a structured, commonly used, machine-readable format.
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes.
• Rights Related to Automated Decision-Making (Article 22): Not to be subject to solely automated decisions with significant legal effects without human review.
• Right to Withdraw Consent (Article 7): Withdraw consent at any time without affecting prior lawful processing.

Contact legal@openagentusa.com to exercise these rights. We respond within thirty (30) calendar days (extendable by sixty (60) days for complex requests, with notice to you). We may request identity verification before fulfilling your request.

8.2 Supervisory Authority Complaints (EEA & UK)

If you are dissatisfied with our response, you have the right to lodge a complaint with your local supervisory authority:

• European Data Protection Board (EDPB) — directory of EU national DPAs: https://edpb.europa.eu/about-edpb/about-edpb/members_en
• UK Information Commissioner's Office (ICO): www.ico.org.uk | Tel: 0303 123 1113

We encourage you to contact us first at legal@openagentusa.com so we have the opportunity to address your concern directly.

8.3 Rights Under CCPA/CPRA (California Residents)

California residents have the following rights:

• Right to Know: Categories and specific pieces of personal information collected, used, and disclosed.
• Right to Delete: Deletion of personal information, subject to legal retention exceptions including the 7-year financial record retention obligation.
• Right to Correct: Correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: Opt out of cross-context behavioral advertising. The GPC signal is honored as a valid opt-out request per Section 5.3.
• Right to Limit Sensitive PI: Limit use of sensitive personal information to necessary service purposes.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Submit CCPA/CPRA requests to legal@openagentusa.com. We respond within forty-five (45) days (extendable by forty-five (45) days with notice). Authorized agents may submit requests on your behalf.

Shine the Light (Cal. Civ. Code § 1798.83): California residents may request annual disclosure of personal data shared with third parties for direct marketing purposes by contacting legal@openagentusa.com.

8.4 Connecticut Residents (CTDPA)

Connecticut residents have rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising and the sale of personal data. Submit requests to legal@openagentusa.com. We respond within sixty (60) days.

8.5 Canadian Users (PIPEDA)

Canadian users may access, correct, and withdraw consent to collection or use of their personal information. Submit requests to legal@openagentusa.com. We respond within thirty (30) days. You may also contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

8.6 Australian Users

Australian users have rights under the Privacy Act 1988 to access and correct personal information. Submit requests to legal@openagentusa.com. Complaints about Australian Privacy Principles violations may be lodged with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

8.7 In-App Account Deletion

You may exercise your right to erasure by permanently deleting your account directly within the Open Agent mobile application via the Account Settings menu. Upon initiating deletion, you will receive a written confirmation specifying any data retained under applicable law, including the 7-year financial record retention obligation. Non-retained data will be deleted within thirty (30) days of your request.

9. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction, including:

• Encryption of data in transit using TLS 1.2 or higher;
• Encryption of data at rest for sensitive personal data;
• PCI-DSS compliant payment processing — full card numbers are never stored on our servers;
• Secure hard-deletion protocols for biometric data within 90 days of collection;
• Role-based access controls and least-privilege principles;
• Regular security assessments and penetration testing;
• Employee training on data protection and security practices; and
• Incident response and breach notification procedures.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two (72) hours as required by GDPR Article 33, and notify affected individuals without undue delay per Article 34 where applicable.

10. Children's Privacy

The Platform is not directed to individuals under the age of 18 globally. We do not knowingly collect personal data from minors under 18. For EEA users, GDPR Article 8 permits Member States to set the age of digital consent between 13 and 16; however, Open Agent's minimum user age is 18 for all users globally, consistent with the professional nature of the Platform and the real estate industry. Processing of data from any user under 18 is not authorized under any circumstances.

Under COPPA, we do not knowingly collect data from children under 13 without verified parental consent. Under the UK Age Appropriate Design Code, we apply age-appropriate design standards across the Platform. If we become aware of inadvertent minor data collection, we will promptly delete it and notify the applicable supervisory authority if required. Contact legal@openagentusa.com if you believe we have collected data from a minor.

11. Third-Party Services & Links

The Platform may contain links to third-party websites or integrate with third-party services (such as payment processors, mapping tools, or social login providers). This Privacy Policy does not apply to those third parties. Open Agent is not responsible for the privacy practices, security, or content of third-party services. We encourage you to review the privacy policies of any third-party services you interact with through the Platform before providing any personal data.

12. Apple App Store & Google Play

Your download and use of the Open Agent application through the Apple App Store or Google Play is also subject to those platforms' applicable terms and privacy practices. Open Agent complies with:

• Apple's App Store Review Guidelines and App Privacy "Nutrition Label" disclosure requirements;
• Google Play's Developer Policy Center Data Safety section requirements;
• Apple's App Tracking Transparency (ATT) framework — we request your explicit permission before accessing your IDFA for any tracking purposes; and
• Google's Advertising ID (GAID) consent requirements.

You may revoke ATT or GAID permission at any time through your device's system settings.

13. Accessibility of This Policy

Open Agent is committed to ensuring that this Privacy Policy and all related data rights communications are accessible to all users, including those with disabilities, in compliance with the Americans with Disabilities Act (ADA), WCAG 2.1 Level AA, and the European Accessibility Act (Directive 2019/882/EU). If you have difficulty accessing this Policy in its current format, please contact support@openagentusa.com and we will provide it in an accessible alternative format upon request.

14. Disclaimer of Warranties & Limitation of Liability for Privacy Matters

14.1 Disclaimer of Warranties

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, OPEN AGENT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, WITH RESPECT TO THE SECURITY, ACCURACY, COMPLETENESS, OR RELIABILITY OF THE PERSONAL DATA PROCESSING DESCRIBED IN THIS PRIVACY POLICY. OPEN AGENT DOES NOT WARRANT THAT ITS DATA SECURITY MEASURES WILL PREVENT ALL UNAUTHORIZED ACCESS OR THAT ITS DATA PROCESSING SYSTEMS WILL BE ERROR-FREE OR UNINTERRUPTED. Nothing in this Section limits any mandatory rights you may have under applicable data protection law, including the right to lodge a complaint with a supervisory authority.

14.2 Limitation of Liability for Privacy Claims

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, OPEN AGENT'S TOTAL AGGREGATE LIABILITY FOR ANY PRIVACY-RELATED CLAIM — INCLUDING ANY CLAIM ARISING FROM AN ALLEGED VIOLATION OF THIS PRIVACY POLICY, ANY APPLICABLE DATA PROTECTION LAW, OR ANY DATA SECURITY INCIDENT — SHALL NOT EXCEED THE GREATER OF: (A) THE TOTAL PLATFORM FEES ACTUALLY PAID BY YOU TO OPEN AGENT IN THE THREE (3) CALENDAR MONTHS IMMEDIATELY PRECEDING THE DATE ON WHICH THE CLAIM AROSE; OR (B) ONE HUNDRED DOLLARS ($100.00 USD). OPEN AGENT SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING FROM ANY PRIVACY-RELATED CLAIM, REGARDLESS OF THE THEORY OF LIABILITY.

This limitation does not affect: (a) any mandatory rights you may have under applicable data protection law, including the right to lodge a complaint with a supervisory authority; (b) any mandatory compensation rights under GDPR Article 82 or UK GDPR that cannot be waived by contract; or (c) any liability that cannot be excluded or limited under applicable law.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will provide at least thirty (30) days' prior notice via the Platform, by email, or by other reasonable means, before the changes take effect, along with a revised effective date and version number. For EEA and UK users, where a material change involves new processing of your personal data or a new legal basis, we will seek fresh consent where required. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy. If you do not agree, you may delete your account and cease using the Platform.

16. Contact Us & Supervisory Authorities

For any questions, concerns, or data rights requests regarding this Privacy Policy:

16.1 EEA Supervisory Authorities

Full directory of EU national Data Protection Authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en

16.2 UK Supervisory Authority

Information Commissioner's Office (ICO): www.ico.org.uk | Tel: 0303 123 1113

16.3 Canadian Privacy Commissioner

Office of the Privacy Commissioner of Canada: www.priv.gc.ca | Tel: 1-800-282-1376

16.4 Australian Information Commissioner

Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au | Tel: 1300 363 992

16.5 EU Online Dispute Resolution

EU residents may also submit data-related disputes through the European Commission's ODR platform: https://ec.europa.eu/consumers/odr/