PRIVACY POLICY

1. Introduction

International Real Estate - REALTORres ("we," "us," "our," or "REALTORres") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, store, and otherwise process personal information in connection with our real estate services, website, mobile applications, and related services (collectively, the "Services").

This Privacy Policy applies to all users of our Services, including property buyers, sellers, renters, landlords, agents, and visitors to our website. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

Key Definitions:

• "Personal Information" or "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
• "Controller" means the entity that determines the purposes and means of processing personal data.
• "Processor" means an entity that processes personal data on behalf of the controller.
• "Sensitive Personal Information" includes data revealing racial or ethnic origin, political opinions, religious beliefs, health information, biometric data, genetic data, sexual orientation, precise geolocation, and Social Security numbers.

2. Scope and Application

This Privacy Policy applies to:

• All visitors to https://www.realtorres.org
• Users of our mobile applications
• Clients who engage our real estate services
• Property owners and tenants whose information we process
• Third parties who interact with our Services

This Privacy Policy does not apply to:

• Information collected offline (unless subsequently combined with online data)
• Third-party websites, applications, or services linked from our Services
• Information processed by third-party real estate partners acting as independent controllers

3. Information We Collect

We collect various categories of personal information to provide, maintain, and improve our Services. The information we collect depends on how you interact with our Services.

3.1 Categories of Personal Information Collected

A. Identification Information

• Full name (first, middle, last)
• Date of birth
• Government-issued identification numbers (driver's license, passport)
• Social Security number (when required for transactions)
• Photographs and identification documents

B. Contact Information

• Physical address (current and previous)
• Email address
• Telephone numbers (mobile, home, business)
• Emergency contact information

C. Financial Information

• Credit card and payment information
• Bank account details
• Credit scores and credit reports
• Income and employment information
• Tax identification numbers
• Financial statements and assets
• Loan and mortgage information
• Transaction history and payment records

D. Property Information

• Property addresses and descriptions
• Property ownership records
• Purchase and sale history
• Lease agreements and rental history
• Property preferences and search criteria
• Mortgage and lien information
• Home inspection and appraisal reports

E. Professional Information

• Occupation and employer details
• Professional licenses and certifications (for real estate agents)
• Business contact information
• Professional references

F. Technical and Usage Information

• IP address and device identifiers
• Browser type and version
• Operating system information
• Cookie identifiers and mobile advertising IDs
• Pages viewed and features accessed
• Time spent on pages
• Clickstream data and navigation paths
• Referring and exit pages
• Search queries within our Services
• Date and time stamps

G. Geolocation Data

• Precise location data (GPS coordinates)
• Approximate location based on IP address
• Location preferences for property searches

H. Communication Information

• Messages sent through our platform
• Email correspondence
• Chat and support transcripts
• Phone call recordings (with notice and consent)
• Survey responses and feedback

I. Marketing and Preferences

• Communication preferences
• Marketing consent status
• Newsletter subscriptions
• Property alerts and notification settings
• Saved searches and favorite properties

J. Biometric Information

• Facial recognition data (for property access systems, where applicable)
• Voiceprints (from customer service recordings, where permitted)

K. Social Media Information

• Social media profile information (when you connect accounts)
• Information from social media interactions
• Publicly available social media content

L. Sensitive Personal Information

We collect sensitive personal information only when necessary and legally permitted:

• Social Security numbers (for transaction processing and tax reporting)
• Precise geolocation data (for property search functionality)
• Financial account credentials (through secure third-party payment processors)
• Government-issued identification (for identity verification)

3.2 Sources of Personal Information

We collect personal information from the following sources:

A. Directly From You

• Account registration and profile creation
• Property listing submissions
• Contact forms and inquiries
• Service requests and applications
• Surveys and feedback forms
• Customer support interactions
• In-person meetings and property tours

B. Automatically Through Our Services

• Cookies and similar tracking technologies
• Web server logs and analytics tools
• Mobile device sensors (with permission)
• Location services (with permission)

C. Third-Party Sources

• Multiple Listing Services (MLS) and real estate databases
• Credit bureaus and reporting agencies (Experian, Equifax, TransUnion)
• Background check providers
• Property records and public databases
• Marketing partners and lead generation services
• Social media platforms (Facebook, LinkedIn, Instagram)
• Data analytics providers (Google Analytics, Adobe Analytics)
• Advertising networks and affiliates
• Mortgage lenders and financial institutions
• Title companies and escrow services
• Property inspection and appraisal services
• Government agencies and public records

D. Business Partners and Affiliates

• Real estate agents and brokers
• Property management companies
• Insurance providers
• Legal service providers
• Moving and relocation services

4. Legal Basis for Processing Personal Information

We process your personal information only when we have a valid legal basis to do so. The legal basis depends on the specific purposes for which we collect and use your information.

4.1 Legal Bases Under GDPR (for EEA and UK Residents)

A. Contractual Necessity

Processing is necessary to perform a contract with you or to take steps at your request before entering into a contract. This includes:

• Creating and managing your account
• Processing property transactions
• Providing requested real estate services
• Fulfilling service agreements
• Processing payments

B. Legitimate Interests

Processing is necessary for our legitimate business interests, provided these interests are not overridden by your fundamental rights and freedoms. This includes:

• Improving and personalizing our Services
• Conducting market research and analytics
• Marketing and promotional activities (where consent is not required)
• Preventing fraud and ensuring security
• Managing business operations
• Enforcing legal rights and contracts
• Network and information security

We have conducted legitimate interest assessments where required to ensure our processing is lawful and proportionate.

C. Legal Obligation

Processing is necessary to comply with legal obligations, including:

• Anti-money laundering (AML) requirements
• Know Your Customer (KYC) verification
• Tax reporting obligations (IRS Form 1099, etc.)
• Regulatory compliance (Real Estate Settlement Procedures Act, Fair Housing Act)
• Court orders and law enforcement requests
• Record-keeping requirements

D. Consent

Where required by law, we obtain your explicit consent for processing, including:

• Marketing communications (where opt-in consent is required)
• Precise geolocation tracking
• Processing sensitive personal information
• Use of certain cookies and tracking technologies
• Sharing information with third parties for their marketing purposes

You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

E. Vital Interests

Processing is necessary to protect vital interests (yours or another person's), such as in emergency situations requiring immediate action.

F. Public Interest

Processing is necessary for tasks carried out in the public interest or in the exercise of official authority.

4.2 Legal Bases Under CCPA/CPRA (for California Residents)

Under California law, we process personal information for the business and commercial purposes described in Section 5 below. We do not "sell" personal information as traditionally understood, though certain data sharing activities may constitute "sale" or "sharing" under CCPA/CPRA definitions (see Section 7).

4.3 Other Jurisdictions

For residents of other jurisdictions with comprehensive privacy laws, we rely on equivalent legal bases as provided under applicable law, including consent, contractual necessity, legal compliance, and legitimate interests.

5. How We Use Your Information

We use the personal information we collect for various business and commercial purposes to provide, maintain, improve, and protect our Services.

5.1 Specific Purposes for Processing

A. Service Delivery and Operations

• Creating and managing user accounts
• Facilitating property searches and matching
• Processing property listings and inquiries
• Coordinating property viewings and tours
• Processing transactions and payments
• Providing customer support and assistance
• Communicating about services and account activity
• Managing agent and client relationships
• Coordinating with third-party service providers

B. Transaction Processing and Compliance

• Verifying identity and conducting background checks
• Processing mortgage applications and approvals
• Conducting credit checks and financial assessments
• Executing purchase and sale agreements
• Managing escrow and closing processes
• Generating required tax documentation
• Maintaining transaction records
• Complying with anti-money laundering requirements

C. Personalization and Improvement

• Personalizing property recommendations
• Customizing user experience and interface
• Analyzing user behavior and preferences
• Conducting market research and analytics
• Improving Services functionality and performance
• Developing new features and services
• Testing and optimizing platform performance

D. Marketing and Communications

• Sending promotional emails and newsletters
• Displaying targeted advertisements
• Conducting marketing campaigns
• Sharing property alerts and updates
• Providing market insights and reports
• Sending customer satisfaction surveys
• Engaging in social media marketing

E. Security and Fraud Prevention

• Detecting and preventing fraudulent activities
• Monitoring for security threats and vulnerabilities
• Investigating suspicious activities
• Enforcing terms of service and policies
• Protecting against unauthorized access
• Maintaining network and information security
• Preventing identity theft

F. Legal and Regulatory Compliance

• Responding to legal process and government requests
• Enforcing legal rights and contracts
• Complying with regulatory requirements
• Maintaining required records
• Reporting to tax authorities
• Defending legal claims
• Conducting audits and investigations

G. Business Operations

• Managing vendor and partner relationships
• Conducting due diligence for business transactions
• Processing corporate transactions (mergers, acquisitions)
• Maintaining business records
• Managing insurance claims
• Internal training and quality assurance

5.2 Automated Decision-Making and Profiling

We may use automated decision-making and profiling in limited circumstances, including:

• Credit assessments: Automated evaluation of creditworthiness for transaction approvals
• Property matching: Algorithmic recommendations based on search preferences and behavior
• Fraud detection: Automated systems to identify suspicious activities
• Marketing personalization: Automated segmentation for targeted communications

Where automated decision-making produces legal or similarly significant effects, you have the right to:

• Obtain human intervention
• Express your point of view
• Contest the decision
• Request an explanation of the decision

6. Cookie and Tracking Technologies

We and our third-party partners use cookies, web beacons, pixels, and similar tracking technologies to collect information about your interactions with our Services.

6.1 Types of Cookies We Use

A. Strictly Necessary Cookies

These cookies are essential for the Services to function and cannot be disabled:

• Authentication and session management
• Security and fraud prevention
• Load balancing and performance
• User preference storage

B. Performance and Analytics Cookies

These cookies help us understand how visitors use our Services:

• Google Analytics (traffic analysis and user behavior)
• Adobe Analytics (conversion tracking and funnel analysis)
• Hotjar (heatmaps and session recordings)
• Mixpanel (product analytics)

C. Functional Cookies

These cookies enable enhanced functionality and personalization:

• Language and location preferences
• Saved searches and favorite properties
• User interface customizations
• Chat and support features

D. Targeting and Advertising Cookies

These cookies are used to deliver relevant advertisements:

• Facebook Pixel (retargeting and conversion tracking)
• Google Ads (display and search advertising)
• LinkedIn Insight Tag (B2B advertising)
• Programmatic advertising networks

6.2 Other Tracking Technologies

Web Beacons and Pixels

Small graphic images embedded in emails and web pages to track opens, clicks, and conversions.

Local Storage

HTML5 local storage and session storage for caching and performance optimization.

Mobile SDKs

Third-party software development kits integrated into our mobile applications for analytics, advertising, and functionality.

Fingerprinting

Collection of device and browser characteristics to identify unique devices (used only for fraud prevention and security).

6.3 Cookie Management and Consent

Cookie Consent Management

When you first visit our website, we present a cookie consent banner allowing you to:

• Accept all cookies
• Reject non-essential cookies
• Customize cookie preferences by category
• Access our detailed Cookie Policy

Your consent choices are stored for 12 months.

Browser Controls

You can manage cookies through your browser settings:

• Chrome: Settings > Privacy and Security > Cookies and other site data
• Firefox: Options > Privacy & Security > Cookies and Site Data
• Safari: Preferences > Privacy > Cookies and website data
• Edge: Settings > Cookies and site permissions > Cookies and site data

Opt-Out Tools

• Google Analytics Opt-Out: https://tools.google.com/dlpage/gaoptout
• Network Advertising Initiative: http://optout.networkadvertising.org/
• Digital Advertising Alliance: http://optout.aboutads.info/
• European Interactive Digital Advertising Alliance: http://www.youronlinechoices.eu/

Do Not Track Signals

Our Services do not currently respond to Do Not Track (DNT) browser signals due to lack of industry-wide standards. However, you can manage tracking through cookie settings and opt-out mechanisms described above.

Global Privacy Control (GPC)

We recognize Global Privacy Control signals as valid opt-out requests for the sale/sharing of personal information under applicable state privacy laws.

6.4 Third-Party Cookies

We use the following third-party services that may set cookies on your device:

Category: Analytics

• Google Analytics (Google LLC)
• Adobe Analytics (Adobe Inc.)
• Mixpanel (Mixpanel Inc.)

Category: Advertising

• Google Ads (Google LLC)
• Facebook Pixel (Meta Platforms Inc.)
• LinkedIn Insight Tag (LinkedIn Corporation)

Category: Customer Support

• Zendesk (Zendesk Inc.)
• Intercom (Intercom Inc.)

Category: Social Media

• Facebook Connect (Meta Platforms Inc.)
• LinkedIn Integration (LinkedIn Corporation)
• Instagram Embed (Meta Platforms Inc.)

For detailed information about these third-party services and their privacy practices, please review their respective privacy policies.

7. Third-Party Sharing and Disclosures

We share personal information with third parties only as necessary to provide our Services, comply with legal obligations, or with your consent.

7.1 Categories of Third-Party Recipients

A. Service Providers and Processors

We share personal information with service providers who perform services on our behalf under contractual obligations:

• Cloud hosting providers: Amazon Web Services (AWS), Microsoft Azure
• Payment processors: Stripe, PayPal, Square
• Email service providers: SendGrid, Mailchimp
• Customer relationship management: Salesforce, HubSpot
• Analytics providers: Google Analytics, Adobe Analytics
• Customer support platforms: Zendesk, Intercom
• Background check providers: Checkr, Sterling
• Credit reporting agencies: Experian, Equifax, TransUnion
• Marketing and advertising platforms: Google Ads, Facebook, LinkedIn
• Data storage and backup services
• IT infrastructure and security providers

These service providers are contractually obligated to:

• Process personal information only for specified purposes
• Implement appropriate security measures
• Not use personal information for their own purposes
• Comply with applicable data protection laws
• Delete or return personal information upon request

B. Real Estate Industry Partners

• Multiple Listing Services (MLS) and real estate databases
• Real estate agents, brokers, and franchisees
• Property management companies
• Title and escrow companies
• Appraisal and inspection services
• Mortgage lenders and financial institutions
• Insurance providers
• Moving and relocation services
• Home warranty companies
• Legal service providers

C. Business Partners and Affiliates

We may share information with:

• Corporate affiliates and subsidiaries
• Joint venture partners
• Marketing and promotional partners
• Co-branded service providers
• Franchisees and licensed real estate professionals

D. Advertising and Analytics Partners

• Advertising networks and exchanges
• Social media platforms (for targeted advertising)
• Analytics and measurement providers
• Marketing automation platforms

7.2 Categories of Personal Information Shared

The categories of personal information shared with each recipient category include:

Service Providers: All categories of personal information as necessary for their specific services

Real Estate Partners: Identification, contact, financial, property, and professional information

Advertising Partners: Technical and usage information, cookie identifiers, geolocation data (approximate)

Analytics Providers: Technical and usage information, device identifiers, behavioral data

7.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal information may be transferred to the successor entity. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

7.4 Legal Disclosures and Protection of Rights

We may disclose personal information when we believe in good faith that disclosure is necessary to:

• Comply with applicable law, regulation, legal process, or governmental request
• Enforce our Terms of Service, policies, and user agreements
• Detect, prevent, or address fraud, security, or technical issues
• Protect against harm to the rights, property, or safety of REALTORres, our users, or the public
• Respond to claims of violation of third-party rights
• Support audits, compliance, and corporate governance functions
• Defend against legal claims and litigation

7.5 With Your Consent

We may share personal information with third parties when you provide explicit consent, such as:

• Sharing your contact information with interested buyers or sellers
• Connecting your account with third-party services
• Participating in co-marketing initiatives
• Submitting testimonials or reviews

7.6 Aggregate and De-Identified Information

We may share aggregate, de-identified, or anonymized information that cannot reasonably be used to identify you, including:

• Market trends and statistical reports
• Property market analytics
• Industry benchmarking data
• Research and academic purposes

7.7 Sale and Sharing of Personal Information (CCPA/CPRA)

Sale Disclosure:

Under California law, "sale" includes disclosing personal information to third parties for monetary or other valuable consideration. We do not sell personal information in the traditional sense. However, the following activities may constitute "sale" under CCPA/CPRA:

• Sharing cookie identifiers and device information with advertising networks for targeted advertising
• Providing user behavior data to analytics partners who may use it for their own purposes
• Disclosing contact information to real estate partners who may use it for their marketing

Categories of Personal Information Sold or Shared (Last 12 Months):

• Technical and usage information (IP addresses, device identifiers, cookie IDs)
• Geolocation data (approximate location based on IP address)
• Contact information (in connection with real estate referrals)
• Property preferences and search behavior

Categories of Third Parties:

• Advertising networks and technology companies
• Real estate brokers and agents
• Marketing and analytics partners
• Social media platforms

Your Right to Opt-Out:

You have the right to opt out of the sale or sharing of your personal information. To exercise this right:

• Click "Do Not Sell or Share My Personal Information" in the website footer
• Submit a request via support@realtorres.org
• Call us at the contact information provided in Section 16
• Use the Global Privacy Control (GPC) browser signal

We honor opt-out requests within 15 business days and do not discriminate against users who exercise their opt-out rights.

Sensitive Personal Information:

We limit the use and disclosure of sensitive personal information to purposes necessary to provide our Services and as permitted by law. You may limit our use of sensitive personal information by contacting us as described in Section 16.

8. International Data Transfers

REALTORres is headquartered in the United States. We may transfer, store, and process personal information in the United States and other countries where we or our service providers maintain facilities.

8.1 Transfers from the European Economic Area (EEA), United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, we comply with applicable legal requirements for international data transfers.

Transfer Mechanisms:

A. Adequacy Decisions

We transfer personal information to countries recognized by the European Commission as providing an adequate level of data protection.

B. Standard Contractual Clauses (SCCs)

For transfers to countries without adequacy decisions, we use Standard Contractual Clauses approved by the European Commission (as updated in 2021). These clauses provide enforceable rights and effective legal remedies for data subjects.

C. Supplementary Measures

In accordance with the Schrems II decision, we implement supplementary technical and organizational measures when transferring data to the United States, including:

• End-to-end encryption for data in transit
• Encryption of data at rest
• Access controls and authentication requirements
• Contractual commitments from US service providers
• Regular security audits and assessments
• Incident response procedures

D. Data Privacy Framework

For service providers certified under the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework, we rely on these certifications as a lawful transfer mechanism.

Your Rights Regarding International Transfers:

• You may request information about the safeguards we use for international transfers
• You may obtain a copy of the Standard Contractual Clauses
• You may object to transfers in specific circumstances

To exercise these rights, contact us using the information in Section 16.

8.2 Transfers from Other Jurisdictions

For transfers from other jurisdictions with data localization or transfer requirements, we comply with applicable laws, which may include:

• Obtaining consent for international transfers
• Implementing approved transfer mechanisms
• Conducting transfer impact assessments
• Registering transfers with local authorities
• Implementing data localization requirements where mandated

8.3 Cross-Border Access by Government Authorities

Personal information transferred to the United States may be subject to access by U.S. government authorities under U.S. law, including:

• Foreign Intelligence Surveillance Act (FISA)
• Executive Order 12333
• Stored Communications Act
• Cloud Act

We implement contractual and technical safeguards to limit such access and will challenge overly broad requests where legally permitted.

9. Data Retention Periods

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements.

9.1 General Retention Principles

Purpose Limitation: We retain personal information only for the duration necessary to achieve the specific purposes for which it was collected.

Legal Requirements: We retain information as required by applicable law, including tax, anti-money laundering, and record-keeping obligations.

Legitimate Interests: We may retain information beyond the initial purpose when we have a legitimate business interest and legal basis to do so.

Anonymization and Deletion: When personal information is no longer needed, we either securely delete it or anonymize it so it can no longer identify you.

9.2 Specific Retention Periods

A. Account Information

• Active accounts: Retained for the duration of the account relationship
• Inactive accounts: Retained for 3 years after last activity, then deleted
• Closed accounts: Retained for 7 years to comply with legal obligations, then deleted

B. Transaction Records

• Property transactions: Retained for 7 years after closing (tax and legal compliance)
• Payment records: Retained for 7 years (IRS requirements)
• Contracts and agreements: Retained for 7 years after expiration or termination
• Tax documentation: Retained for 7 years (statute of limitations)

C. Financial Information

• Credit reports and scores: Retained for 3 years after transaction completion
• Bank account details: Deleted after transaction processing, unless ongoing relationship
• Mortgage and loan information: Retained for 7 years after loan closure

D. Communication Records

• Email correspondence: Retained for 3 years or as required for ongoing matters
• Customer support tickets: Retained for 5 years for quality assurance and legal purposes
• Recorded calls: Retained for 2 years (where permitted by law)
• Chat transcripts: Retained for 3 years

E. Marketing and Analytics Data

• Marketing lists: Retained until opt-out or 3 years of inactivity
• Cookie data: Retained for duration specified in cookie notice (typically 12-24 months)
• Analytics data: Aggregated and retained indefinitely; individual data deleted after 26 months

F. Legal and Compliance Records

• Dispute and litigation records: Retained for 7 years after resolution
• Regulatory compliance records: Retained as required by applicable regulations
• Audit records: Retained for 7 years

G. Property Listings and Searches

• Active listings: Retained while property is listed and for 2 years after sale/removal
• Search history: Retained for 2 years for personalization purposes
• Saved properties: Retained while account is active

H. Identity Verification Records

• Government-issued IDs: Retained for 5 years after verification (AML compliance)
• Background checks: Retained for 7 years
• Biometric data: Deleted immediately after verification unless ongoing use (e.g., access systems)

9.3 Retention During Legal Holds

When personal information is subject to legal hold (pending litigation, investigation, or audit), we suspend normal deletion schedules and retain the information until the hold is lifted.

9.4 Right to Request Deletion

You may request deletion of your personal information as described in Section 12. Upon verification of your identity and request, we will delete your information unless:

• Retention is required by law
• Retention is necessary to complete a transaction
• Retention is necessary to detect security incidents or fraud
• Retention is necessary to exercise free speech or legal rights
• Retention is necessary for internal uses reasonably aligned with your expectations

9.5 Automated Deletion Processes

We implement automated deletion processes that:

• Identify personal information that has exceeded retention periods
• Securely delete or anonymize outdated information
• Generate deletion logs for audit purposes
• Alert administrators of retention policy violations

10. Security Measures

We implement comprehensive technical, administrative, and physical security measures to protect personal information from unauthorized access, disclosure, alteration, and destruction.

10.1 Technical Security Measures

A. Encryption

• Data in Transit: TLS 1.2 or higher encryption for all data transmitted over networks
• Data at Rest: AES-256 encryption for sensitive data stored in databases and file systems
• End-to-End Encryption: Applied to particularly sensitive communications
• Key Management: Hardware security modules (HSMs) and secure key rotation policies

B. Access Controls

• Authentication: Multi-factor authentication (MFA) required for employee and administrative access
• Authorization: Role-based access control (RBAC) limiting data access to job functions
• Principle of Least Privilege: Users granted minimum access necessary for their roles
• Password Policies: Strong password requirements (minimum 12 characters, complexity, rotation)
• Session Management: Automatic session timeouts and secure session token handling

C. Network Security

• Firewalls: Next-generation firewalls with intrusion detection and prevention
• Network Segmentation: Isolation of sensitive systems from general networks
• DDoS Protection: Distributed denial-of-service mitigation services
• VPN Requirements: Secure VPN connections for remote access
• Penetration Testing: Regular third-party security assessments

D. Application Security

• Secure Development: Security by design principles and secure coding practices
• Code Reviews: Security-focused code reviews before deployment
• Vulnerability Scanning: Automated scanning for known vulnerabilities
• Patch Management: Timely application of security patches and updates
• Input Validation: Protection against SQL injection, cross-site scripting (XSS), and other attacks

E. Monitoring and Detection

• Security Information and Event Management (SIEM): Real-time monitoring and log analysis
• Intrusion Detection Systems (IDS): Automated detection of suspicious activities
• Anomaly Detection: Machine learning-based identification of unusual patterns
• Continuous Monitoring: 24/7 security operations center (SOC) monitoring

10.2 Administrative Security Measures

A. Security Governance

• Information Security Policy: Comprehensive documented security policies
• Security Steering Committee: Executive-level oversight of security program
• Compliance Program: Regular compliance audits and assessments
• Third-Party Risk Management: Vendor security assessments and contractual requirements

B. Employee Security

• Background Checks: Pre-employment screening for positions with data access
• Security Training: Mandatory annual security awareness training
• Phishing Simulations: Regular testing of employee vigilance
• Confidentiality Agreements: Contractual obligations to protect confidential information
• Access Revocation: Immediate access termination upon employment separation

C. Incident Response

• Incident Response Plan: Documented procedures for security incident handling
• Incident Response Team: Dedicated team trained in breach response
• Forensic Capabilities: Tools and expertise for incident investigation
• Communication Protocols: Procedures for internal and external notifications
• Post-Incident Review: Analysis and remediation after security events

D. Business Continuity

• Disaster Recovery Plan: Documented procedures for system recovery
• Regular Backups: Automated backups with offsite storage
• Backup Testing: Periodic restoration testing
• Redundancy: Geographic redundancy for critical systems

10.3 Physical Security Measures

A. Data Center Security

• Access Controls: Biometric access controls and security personnel
• Video Surveillance: 24/7 monitoring with recorded footage retention
• Environmental Controls: Fire suppression, temperature control, power backup
• Visitor Management: Strict visitor logging and escort requirements

B. Office Security

• Secure Areas: Restricted access to areas with sensitive information
• Clean Desk Policy: Requirement to secure physical documents
• Document Destruction: Secure shredding of physical records
• Equipment Security: Cable locks and secure storage for devices

10.4 Third-Party Security

We require third-party service providers and partners to:

• Implement security measures equivalent to our own
• Undergo security assessments before engagement
• Submit to periodic security audits
• Provide security incident notifications
• Maintain relevant security certifications (SOC 2, ISO 27001)

10.5 Security Certifications and Frameworks

We align our security practices with recognized standards and frameworks:

• ISO 27001: Information Security Management System
• SOC 2 Type II: Service Organization Control audit
• NIST Cybersecurity Framework: Risk-based security controls
• OWASP Top 10: Web application security best practices

10.6 Limitations

While we implement industry-standard security measures, no security system is impenetrable. We cannot guarantee absolute security of personal information. You are responsible for maintaining the confidentiality of your account credentials and should immediately notify us of any unauthorized access to your account.

11. Data Breach Notification Procedures

We maintain comprehensive procedures to detect, respond to, and notify affected parties of data breaches in compliance with applicable laws.

11.1 Breach Detection and Assessment

A. Detection Methods

• Automated security monitoring and alerts
• Employee reporting of suspected incidents
• Third-party security researchers and bug bounty program
• Customer reports of suspicious activity
• Audit findings and compliance reviews

B. Initial Assessment

Upon discovering a potential breach, we immediately:

• Contain the Incident: Isolate affected systems to prevent further unauthorized access
• Preserve Evidence: Secure logs and forensic data for investigation
• Assemble Response Team: Activate incident response team (IT, legal, compliance, communications)
• Assess Scope: Determine what personal information may have been compromised
• Evaluate Risk: Assess potential harm to affected individuals

11.2 Investigation and Remediation

Investigation Process:

• Conduct forensic analysis to determine breach cause and extent
• Identify all affected personal information and individuals
• Determine timeframe of unauthorized access
• Assess security vulnerabilities that enabled the breach
• Document findings for regulatory reporting

Remediation Actions:

• Close security vulnerabilities
• Strengthen security controls
• Reset compromised credentials
• Implement additional monitoring
• Review and update security policies

11.3 Notification Requirements and Timelines

A. Regulatory Authority Notifications

European Union (GDPR):

• Supervisory Authority: Notification to lead supervisory authority within 72 hours of becoming aware of the breach (Article 33)
• Threshold: Breaches likely to result in risk to individual rights and freedoms
• Content: Description of breach, categories and approximate number of affected individuals, contact information, likely consequences, and measures taken

United States (State Breach Laws):

• California: Notification "without unreasonable delay" (typically interpreted as within 5-14 business days after determination)
• Other States: Compliance with applicable state breach notification laws (timing varies by state: immediate to 90 days)
• Federal Requirements: Compliance with sector-specific requirements (e.g., GLBA, HIPAA where applicable)

Attorney General Notifications:

• Notification to state Attorneys General as required (e.g., California AG for breaches affecting 500+ California residents)

B. Individual Notifications

GDPR Requirements:

• Data Subjects: Notification without undue delay when breach is likely to result in high risk to individual rights and freedoms
• Content: Description of breach in clear and plain language, contact information, likely consequences, measures taken, and recommendations for affected individuals

CCPA/CPRA Requirements:

• California Residents: Notification as required by California Civil Code § 1798.82
• Method: Written notice, electronic notice (if primary method of communication), or substitute notice (if costs exceed $250,000 or affected class exceeds 500,000)

Other State Laws:

Compliance with applicable state-specific requirements, which generally mandate notification to affected residents within specified timeframes.

C. Notification Methods

• Email: Primary notification method for individuals with email addresses on file
• Postal Mail: For individuals without email or where required by law
• Telephone: For high-risk breaches or as supplemental notification
• Website Notice: Prominent posting on homepage for large-scale breaches
• Media Notice: Publication in major media outlets when substitute notice is required
• Account Notifications: In-app or portal notifications for active users

D. Notification Content

All notifications will include:

• Description of the incident and how it occurred
• Types of personal information involved
• Date or estimated date of the breach
• Whether personal information was acquired by unauthorized person
• Measures we have taken to protect personal information
• Steps affected individuals can take to protect themselves
• Contact information for questions
• Information about identity theft protection services (if offered)
• Toll-free numbers for credit bureaus (when applicable)

11.4 Credit Monitoring and Identity Theft Protection

For breaches involving sensitive personal information (Social Security numbers, financial account credentials, driver's license numbers), we may offer:

• Credit Monitoring Services: Complimentary credit monitoring (typically 12-24 months)
• Identity Theft Protection: Identity restoration services
• Fraud Alerts: Assistance placing fraud alerts with credit bureaus
• Credit Freezes: Guidance on implementing credit freezes

11.5 Documentation and Reporting

We maintain comprehensive documentation of all data breaches, including:

• Timeline of events and discovery
• Nature and scope of the breach
• Personal information affected
• Number of affected individuals
• Notifications sent to authorities and individuals
• Remediation actions taken
• Post-incident analysis and lessons learned

Documentation is retained for 7 years and made available to regulatory authorities upon request.

11.6 Post-Breach Actions

Following a breach, we:

• Conduct root cause analysis
• Implement corrective actions to prevent recurrence
• Update security policies and procedures
• Provide additional employee training as needed
• Review and update incident response plans
• Consider third-party security audits

12. Your Privacy Rights

You have specific rights regarding your personal information, which vary depending on your location and applicable privacy laws.

12.1 Rights Under GDPR (EEA, UK, and Swiss Residents)

A. Right of Access (Article 15)

You have the right to obtain:

• Confirmation of whether we process your personal data
• A copy of your personal data
• Information about processing purposes, categories, recipients, retention periods, and your rights

B. Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and completion of incomplete personal data.

C. Right to Erasure "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

• Personal data is no longer necessary for the purposes collected
• You withdraw consent and there is no other legal basis
• You object to processing and there are no overriding legitimate grounds
• Personal data was unlawfully processed
• Deletion is required for legal compliance
• Personal data was collected in relation to offering information society services to children

Exceptions: We may refuse erasure when retention is necessary for legal compliance, exercising legal rights, public interest, or establishing, exercising, or defending legal claims.

D. Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing when:

• You contest the accuracy of personal data (during verification)
• Processing is unlawful but you prefer restriction over deletion
• We no longer need the data but you need it for legal claims
• You have objected to processing (pending verification of legitimate grounds)

E. Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller when:

• Processing is based on consent or contract
• Processing is carried out by automated means

We provide data exports in JSON, CSV, or XML formats.

F. Right to Object (Article 21)

You have the right to object to processing based on:

• Legitimate interests: You may object at any time; we will cease processing unless we demonstrate compelling legitimate grounds that override your interests
• Direct marketing: You may object at any time to processing for direct marketing purposes; we will cease such processing upon objection
• Automated decision-making: You may object to decisions based solely on automated processing that produce legal or similarly significant effects

G. Right to Withdraw Consent (Article 7)

Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

H. Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with your supervisory authority, particularly in your country of residence, place of work, or place of alleged infringement.

Lead Supervisory Authority for REALTORres:

For EEA residents, our lead supervisory authority is determined based on our EU establishment or representative.

UK Information Commissioner's Office (ICO):
Website: https://ico.org.uk
Telephone: +44 303 123 1113

Swiss Federal Data Protection and Information Commissioner (FDPIC):
Website: https://www.edoeb.admin.ch
Telephone: +41 58 462 43 95

12.2 Rights Under CCPA/CPRA (California Residents)

A. Right to Know

You have the right to request disclosure of:

• Categories of personal information collected
• Categories of sources from which information was collected
• Business or commercial purposes for collecting or selling information
• Categories of third parties with whom we share information
• Specific pieces of personal information collected about you

Timeframe: Information for the 12 months preceding the request (or longer if we retain data beyond 12 months)

B. Right to Delete

You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.

Exceptions: We may deny deletion when necessary to:

• Complete transactions or provide requested services
• Detect security incidents or protect against fraud
• Debug or repair errors
• Exercise free speech or other legal rights
• Comply with legal obligations
• Use information internally in ways reasonably expected based on relationship with us

C. Right to Correct

You have the right to request correction of inaccurate personal information we maintain about you.

D. Right to Opt-Out of Sale/Sharing

You have the right to opt out of:

• Sale of personal information
• Sharing of personal information for cross-context behavioral advertising

How to Opt-Out:

• Click "Do Not Sell or Share My Personal Information" link in footer
• Submit request via support@realtorres.org
• Enable Global Privacy Control (GPC) in your browser

E. Right to Limit Use of Sensitive Personal Information

You have the right to limit our use and disclosure of sensitive personal information to purposes necessary to provide Services and as permitted by law.

F. Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights, including by:

• Denying goods or services
• Charging different prices or rates
• Providing different quality of services
• Suggesting you will receive different prices or quality of services

G. Right to Designate an Authorized Agent

You may designate an authorized agent to submit requests on your behalf. We require:

• Written authorization signed by you
• Verification of the agent's identity
• Verification of your identity

H. Appeal Rights (CPRA)

If we deny your request, you have the right to appeal the decision. We will provide appeal instructions in our response to your request.

12.3 Rights Under Other US State Privacy Laws

Virginia, Colorado, Connecticut, Utah, Montana, Oregon, Texas (and other states with comprehensive privacy laws):

You have similar rights to California residents, including:

• Right to access personal data
• Right to correct inaccuracies
• Right to delete personal data
• Right to data portability
• Right to opt out of targeted advertising, sale, and profiling
• Right to appeal denials of requests

Specific rights and procedures vary by state law. Contact us to exercise your rights under your applicable state law.

12.4 How to Exercise Your Rights

Submission Methods:

Email: support@realtorres.org (Subject: "Privacy Rights Request")

Online Form: Available at https://www.realtorres.org/privacy-request

Telephone: Contact information provided in Section 16

Information Required:

To process your request, please provide:

• Full name
• Email address associated with your account
• Account username (if applicable)
• Specific right you wish to exercise
• Description of your request
• State/country of residence
• Verification information (details below)

Identity Verification:

To protect your privacy, we verify your identity before processing requests:

• Account holders: Login credentials and security questions
• Non-account holders: Government-issued ID (redacted to show only name and last 4 digits of ID number) and verification of contact information
• High-risk requests (deletion, access to sensitive data): Enhanced verification including additional documentation

For authorized agent requests:

• Power of attorney or written authorization
• Agent's identity verification
• Your identity verification

Response Timeframes:

• GDPR requests: Response within 1 month (extendable by 2 months for complex requests)
• CCPA/CPRA requests: Response within 45 days (extendable by 45 days with notice)
• Other state law requests: Response within timeframes specified by applicable law (typically 45-60 days)

Request Limits:

• GDPR: No limit on number of requests (may charge fee for excessive, manifestly unfounded, or repetitive requests)
• CCPA/CPRA: Two verifiable consumer requests per 12-month period (may deny excessive requests)

Fees:

We do not charge fees for processing requests except:

• Manifestly unfounded or excessive requests (GDPR)
• Providing additional copies of the same information (GDPR)
• Requests exceeding statutory limits (CCPA)

If a fee applies, we will notify you and obtain consent before processing.

13. Children's Privacy

REALTORres does not knowingly collect personal information from children under the age of 16 (or the applicable age of digital consent in your jurisdiction).

13.1 Age Restrictions

United States: Our Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA).

European Economic Area: We do not offer information society services directly to children under 16 (or the age specified by member state law, which may be as low as 13) without verifiable parental consent.

Other Jurisdictions: We comply with applicable age restrictions under local laws.

13.2 Parental Rights

If you are a parent or guardian and believe we have collected personal information from your child without consent, please contact us immediately at support@realtorres.org. We will:

• Verify the relationship
• Provide access to the child's information
• Provide opportunity to refuse further collection or use
• Delete the child's personal information upon request

13.3 Discovery of Child Information

If we discover we have collected personal information from a child in violation of applicable law, we will:

• Cease processing the information
• Delete the information from our systems
• Terminate any associated account
• Notify the child (if age-appropriate) and parent/guardian

14. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, and services that are not operated by REALTORres.

14.1 Third-Party Websites

We are not responsible for the privacy practices of third-party websites. When you click on a third-party link, you will leave our Services and be directed to the third party's site. We encourage you to review the privacy policy of every website you visit.

Examples of third-party links:

• Social media platforms (Facebook, Instagram, LinkedIn, Twitter)
• Mortgage lender websites
• Insurance provider portals
• Home inspection and appraisal services
• Moving and relocation companies
• Property listing websites and databases

14.2 Third-Party Integrations

We may integrate third-party services into our platform (e.g., virtual tour providers, mortgage calculators, chat widgets). Your use of these integrated services may be subject to the third party's terms and privacy policy.

14.3 Social Media Features

Our Services include social media features, such as:

• Social sharing buttons (share listings on Facebook, Twitter, etc.)
• Social login (sign in with Facebook, Google, LinkedIn)
• Embedded social media feeds (Instagram property photos)

These features may collect your IP address, page visited, and may set cookies. Social media features are governed by the privacy policies of the respective social media companies.

14.4 Single Sign-On

If you use single sign-on (SSO) to create an account or log in (e.g., "Sign in with Google"), we receive information from the SSO provider according to your privacy settings with that provider. This typically includes your name, email address, and profile information.

You can revoke our access to your SSO account at any time through your account settings with the SSO provider.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations.

15.1 Notification of Changes

Material Changes:

For material changes that significantly affect how we collect, use, or share personal information, we will provide prominent notice, including:

• Email notification to registered users (at least 30 days before effective date)
• Prominent notice on our website homepage
• In-app notifications for mobile users
• Pop-up or banner notifications upon login

Non-Material Changes:

For minor changes (e.g., clarifications, contact information updates, formatting improvements), we will:

• Update the "Last Updated" date at the top of this policy
• Post the updated policy on our website
• Maintain previous versions in the Revision History (Section 19)

15.2 Acceptance of Changes

Continued Use:

Your continued use of our Services after the effective date of changes constitutes acceptance of the updated Privacy Policy.

Opt-Out:

If you do not agree with material changes, you may:

• Discontinue use of our Services
• Close your account
• Request deletion of your personal information (subject to legal retention requirements)

15.3 Annual Review

We commit to reviewing this Privacy Policy at least annually to ensure it remains accurate, complete, and compliant with applicable laws.

15.4 Version Control

• Current Version: 1.0
• Effective Date: November 21, 2025
• Last Reviewed: November 21, 2025

16. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

16.1 Data Protection Officer (DPO)

For residents of the European Economic Area, United Kingdom, or Switzerland, you may contact our Data Protection Officer:

16.2 EU Representative

For EU residents, our EU representative (if applicable under Article 27 GDPR) can be contacted at:

[To be designated if REALTORres processes EU residents' data and is required to appoint an EU representative]

16.3 UK Representative

For UK residents, our UK representative (if applicable under UK GDPR Article 27) can be contacted at:

[To be designated if REALTORres processes UK residents' data and is required to appoint a UK representative]

17. Jurisdiction and Governing Law

17.1 Governing Law

This Privacy Policy and any disputes arising from or related to it shall be governed by and construed in accordance with:

For US Residents:
The laws of the State of Texas and applicable federal laws of the United States, without regard to conflict of law principles.

For EU/EEA/UK Residents:
EU General Data Protection Regulation (GDPR), UK GDPR, and applicable member state laws, as applicable.

For Residents of Other Jurisdictions:
Applicable local data protection and privacy laws, in addition to Texas and US federal law where not in conflict.

17.2 Venue and Jurisdiction

For US Residents:

Subject to the arbitration provisions in our Terms of Service (if applicable), any legal action or proceeding arising out of or relating to this Privacy Policy shall be brought exclusively in:

Federal or State Courts located in El Paso County, Texas

By using our Services, you consent to the personal jurisdiction and venue of these courts.

For EU/EEA/UK Residents:

Disputes related to data protection rights may be brought in:

• Your local courts of competent jurisdiction
• Courts of the location where REALTORres has an establishment
• Before your data protection supervisory authority

17.3 Compliance with Local Laws

Where we operate in multiple jurisdictions, we comply with applicable local privacy and data protection laws in addition to this Privacy Policy. In the event of a conflict between this Privacy Policy and local legal requirements, we will comply with local law to the extent required.

17.4 Cross-Border Disputes

For disputes involving cross-border data transfers or international privacy laws, we will cooperate with:

• Data protection authorities in applicable jurisdictions
• The European Data Protection Board (EDPB)
• Appropriate dispute resolution mechanisms under Standard Contractual Clauses
• Alternative dispute resolution bodies as required by law

18. Severability

18.1 Severability Clause

If any provision of this Privacy Policy is found by a court of competent jurisdiction or arbitrator to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable while preserving its intent. If such modification is not possible, the invalid, illegal, or unenforceable provision shall be severed from this Privacy Policy.

18.2 Continuation of Remaining Provisions

The invalidity, illegality, or unenforceability of any provision shall not affect the validity, legality, or enforceability of the remaining provisions of this Privacy Policy, which shall continue in full force and effect.

18.3 Jurisdictional Variations

If specific provisions of this Privacy Policy are deemed unenforceable in certain jurisdictions but enforceable in others, such provisions shall:

• Remain in effect in jurisdictions where enforceable
• Be severed or modified only in jurisdictions where unenforceable
• Be replaced by valid provisions that most closely approximate the intended effect in affected jurisdictions

18.4 Interpretation

In the event of severance or modification of provisions, this Privacy Policy shall be interpreted to give maximum effect to:

• The protection of personal information
• Compliance with applicable privacy laws
• Our commitment to transparent data practices
• Your privacy rights under applicable law

19. Revision History

We maintain a complete revision history of this Privacy Policy to provide transparency about changes over time.

Version 1.0

Effective Date: November 21, 2025
Last Updated: November 21, 2025

Summary of Changes:

• Initial publication of comprehensive Privacy Policy
• Established baseline privacy practices and commitments
• Implemented GDPR, CCPA/CPRA, and multi-state privacy law compliance
• Defined data collection, processing, sharing, and retention practices
• Established user rights and request procedures
• Implemented security measures and breach notification procedures
• Defined international data transfer mechanisms
• Established cookie and tracking technology policies

Sections Added:

• All sections (initial version)

Previous Versions:

None (initial version)

---

Archive of Previous Versions

Previous versions of this Privacy Policy are available upon request. To obtain a copy of a prior version, please contact us at support@realtorres.org with the specific version number or effective date you wish to review.

We retain all previous versions for a minimum of 7 years in accordance with legal record-keeping requirements.

---

Acknowledgment and Consent

By using the Services of International Real Estate - REALTORres, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with this Privacy Policy, please discontinue use of our Services immediately.

For processing activities that require consent, we will obtain your explicit consent through:

• Opt-in checkboxes during account registration
• Cookie consent banners upon first website visit
• Email consent confirmations for marketing communications
• Separate consent requests for sensitive personal information processing

You may withdraw your consent at any time as described in Section 12 (Your Privacy Rights).

---