Privacy Policy

Introduction

CloudCoord is a transaction coordination platform built for licensed real estate professionals. This privacy policy explains what data we collect, how we use it, how long we keep it, and how you can delete it. CloudCoord is operated from Vermont, United States.

Information We Collect

CloudCoord collects four categories of data:

• Account information you provide: your name, email address, brokerage affiliation, license number, and authentication credentials.
• Transaction data you create or upload: purchase and sale agreements, addenda, transaction details, contact information for buyers/sellers/agents/attorneys/lenders, deadlines, communications, and any documents you upload to a transaction.
• Gmail data accessed via OAuth (if you connect Gmail): transaction-related email contents, sender/recipient information, attachment contents (especially PDFs), and metadata such as message IDs and timestamps. We do not access emails unrelated to your active or closed transactions.
• Usage data: standard application logs, security audit events, and performance metrics. We do not use third-party analytics or advertising trackers.

How We Use Google User Data

When you connect your Gmail account, CloudCoord requests these scopes:

• gmail.readonly — to read transaction-related emails and PDF attachments
• gmail.compose — to create drafts in your Gmail account and send messages with your per-message approval

CloudCoord uses Gmail data exclusively to:

1. Extract transaction details (parties, deadlines, prices, conditions) and store them in your transaction record
2. Extract and store PDF attachment contents (purchase agreements, addenda, disclosures) to build your transaction memory
3. Create draft emails for your review before sending
4. Send approved emails on your behalf through your Gmail account

CloudCoord's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to:

• Train any artificial intelligence or machine learning models (CloudCoord uses the Anthropic Claude API; Anthropic does not train models on API-submitted data)
• Serve advertising
• Sell, rent, or share with third parties for any commercial purpose
• Allow humans to read your data, except (a) with your explicit consent, (b) to comply with applicable law, (c) to investigate abuse or security incidents, or (d) when data has been aggregated and anonymized

How We Use Your Other Data

CloudCoord uses your account, transaction, and usage data to:

• Provide the transaction coordination service
• Send you product communications, security alerts, and required service notices
• Improve product reliability and performance
• Detect and prevent abuse, fraud, and security incidents
• Comply with legal obligations including real estate licensing record-keeping requirements

Data Retention

We retain different categories of data for different periods:

• Account data: retained while your account is active and for 30 days after cancellation
• Active transaction data: retained while your account is active and for 30 days after cancellation
• Closed or terminated transaction records: retained for 7 years from the close or termination date, as required by Vermont real estate licensing law (VREC). After 7 years, these records are permanently deleted automatically.
• Gmail data extracted by CloudCoord: same retention as the transactions it relates to
• Audit logs: retained for 7 years for security and compliance purposes
• Usage logs: retained for up to 12 months

If you cancel your subscription, your account enters a 30-day grace period during which you can reactivate or export your data (export feature coming soon — for now, contact privacy@cloudcoordinator.io to request your data). After 30 days, your account is deleted following our standard deletion process.

Your Rights and Controls

You have the following rights regarding your data:

• Disconnect Gmail: Settings → Account & Data Controls → Disconnect Gmail. You may optionally delete all Gmail-derived data at the same time.
• Delete your account: Settings → Account & Data Controls → Delete Account. This deletes your account, active transaction data, and Gmail-derived data tied to active transactions. Closed/terminated transactions are anonymized and retained for the legally required 7-year period.
• Cancel subscription: Settings → Account & Data Controls → Cancel Subscription. Account becomes read-only for 30 days, then is automatically deleted.
• Reactivate: During the 30-day grace period after cancellation, you can reactivate your account from Settings.
• Request data export: Email privacy@cloudcoordinator.io with your account email. We will respond within 30 days.
• Request data deletion if you cannot access your account: Email privacy@cloudcoordinator.io with subject “Data Deletion Request” and your account email. We will verify your identity and complete the deletion within 30 days.

For users in the EU, UK, and California, you have additional rights under GDPR/UK GDPR/CCPA including the right to access, correct, port, and object to processing of your personal data. Email privacy@cloudcoordinator.io to exercise these rights.

How We Protect Your Data

CloudCoord protects user data through:

• AES-256 encryption at rest
• TLS 1.2+ encryption in transit
• Row-Level Security (RLS) enforced at the database layer — even a bug in our application cannot expose another user's data to you
• A five-layer document security pipeline including input sanitization, prompt injection detection, instruction boundaries, output schema validation, and rate limiting
• OAuth tokens stored encrypted; revocation flows fully implemented
• Hosted on professional cloud providers with SOC 2 Type II compliance
• Audit logging of security-relevant events

See our Security page for additional detail.

Third-Party Services

CloudCoord shares data with the following service providers, each only to the extent needed to operate the service:

• Anthropic Claude API — processes documents and emails to generate transaction summaries and draft communications. Anthropic does not retain or train on API-submitted data.
• Cloud infrastructure providers — host the application, database, and storage. Each maintains SOC 2 Type II compliance.
• Payment processor — processes subscription payments. We never store full payment card numbers.
• Email delivery (transactional only) — sends account notifications and security alerts.

We do not sell user data to any third party. We do not share user data for advertising purposes.

Children's Privacy

CloudCoord is a professional tool for licensed real estate agents. The service is not directed to anyone under 18. We do not knowingly collect data from anyone under 18.

International Users

CloudCoord is operated from the United States. If you access the service from outside the U.S., your data will be transferred to and processed in the U.S.

Changes to This Policy

We will notify you of material changes to this policy by email and by posting a notice in the application at least 30 days before changes take effect.

Contact

For privacy questions or requests:

privacy@cloudcoordinator.io

For security issues:

security@cloudcoordinator.io

CloudCoord
[Mailing address available upon request]