Privacy Policy

TenantIQ is a commercial real estate research platform operated by CRELYTIC. This Privacy Policy explains what information we collect, how we use it, and who owns the research output generated by the Service. A key point that differs from many SaaS products: the research reports, scores, and derived data produced by TenantIQ are the property of CRELYTIC. See Section 5 for details.

We collect the following categories of information:

• Account information: Your name, email address, and organization details provided during registration.
• Report inputs: Tenant or company names, property addresses, and lease purpose descriptions you submit to generate reports. We treat the act of submitting a company for research, together with the associated market (derived from the property address you provide, at city / state / postal-code resolution), as signals of commercial tenant and geographic demand. We do not retain street-level address data in our derivative intelligence products — only the market-level geography.
• Research output: All information gathered, generated, scored, and assembled by the Service during report generation, including composite and dimension scores, narratives, key findings, executive profiles, competitor data, CRE signals, and risk classifications.
• Payment information: Payment processing is handled by Stripe (web) and Apple / Google via RevenueCat (mobile). We do not store credit card numbers, bank account details, or other sensitive payment credentials on our servers.
• Device and usage data: Pages visited, features used, report generation activity, device platform (iOS / Android / web), app version, OS version, Expo push tokens (for mobile users who opt in to notifications), and anonymized telemetry about Service performance.

We use the information we collect to:

• Provide, operate, maintain, and improve the TenantIQ platform.
• Generate commercial tenant research reports based on publicly available information.
• Process subscription payments and manage billing.
• Improve the accuracy, quality, calibration, and functionality of our research models, scoring system, and underlying AI workflows.
• Build and maintain aggregated, de-identified datasets and derivative data products, including the CRELYTIC Tenant Risk Index, company intelligence cache, time-series score histories, industry benchmarks, and market-demand analytics (geographic rollups of tenant research activity by city, state, and industry — see Section 5).
• Communicate with you regarding your account, subscription, reports you've run, security notices, and material updates to our policies.

TenantIQ researches commercial entities — businesses, not consumers. Reports do not include consumer credit data, consumer eligibility determinations, or personally identifiable information about individual consumers within the meaning of the Fair Credit Reporting Act. Information about individual executives, directors, or officers is limited to publicly available business-context data (name, title, tenure, prior roles) used to assess leadership quality of a tenant entity.

All research output generated by the TenantIQ Service is the property of CRELYTIC. This includes, without limitation: composite scores, dimension scores, risk classifications, narrative analysis, strengths and risks summaries, key findings, executive and governance data, competitor tables, CRE footprint analysis, industry context, recommendations, and the underlying structured data, embeddings, and metadata produced during report generation.

When you submit a company for research, you grant CRELYTIC a perpetual, irrevocable, worldwide, royalty-free license to:

• Retain the research output indefinitely, including after your account is canceled or deleted.
• Use, reproduce, modify, analyze, combine with other data, and create derivative works from the research output for any commercial or non-commercial purpose.
• Incorporate research output and derivatives into products, datasets, indexes, benchmarks, APIs, and reports that CRELYTIC licenses or sells to third parties, provided that your organization's identity is not disclosed (see Section 6).
• Publish aggregated, de-identified insights, statistics, benchmarks, and trend analysis.

What you get:as a paying customer, CRELYTIC grants your organization a non-exclusive, non-transferable license to use generated reports for internal decision-making and for sharing with direct business counterparties in connection with a specific prospective lease transaction (the "Customer Use License"). You may not resell, sublicense, syndicate, publicly publish, or incorporate reports into a competing product without prior written consent.

You retain ownership of your account information and your raw inputs (e.g., the company names and addresses you type in). CRELYTIC owns the research output derived from those inputs.

CRELYTIC operates derivative data products that combine research output across the entire TenantIQ user base. Before any data is incorporated into a product sold or licensed to third parties, we apply the following rules:

• No customer attribution. Third parties never learn which TenantIQ customer requested a given report, how many times your organization ran a given tenant, or any other behavioral detail tied to your account.
• Commercial-entity data only. Derivative products cover commercial entities (the researched companies). They do not expose your employees, your clients, or any natural persons associated with your organization.
• Aggregation thresholds. Benchmark and demand-signal products are released at aggregation levels that prevent inferring any single customer's activity (minimum N per industry-period bucket).
• Separate storage. Derivative data is stored in a segregated database schema with no link back to customer identifiers, and is governed by a different access policy than your account data.

Your data is stored using Supabase, a US-based database hosting provider. All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. Customer-facing data is governed by Row Level Security policies that ensure users can only access data belonging to their own organization. Derivative intelligence data (Section 6) is stored in a separate schema accessible only to CRELYTIC service accounts.

TenantIQ integrates with the following third-party services to deliver the platform:

• Supabase — database, authentication, file storage, realtime.
• Vercel — web application hosting and content delivery.
• Railway — backend worker hosting for report generation.
• Anthropic — AI analysis and natural language processing for report generation.
• Stripe — web subscription payments.
• RevenueCat — mobile in-app purchase management (Apple / Google).
• Resend — transactional email delivery.
• Expo — mobile push notification delivery.
• Brave Search — web search used by TenantIQ worker processes to source publicly available business context for research reports.

Each third-party service operates under its own privacy policy. We select vendors who provide enterprise-grade security commitments, but you are subject to their respective policies when their services process data on our behalf. Anthropic processes prompts and responses under its commercial terms and does not use API inputs or outputs to train its models.

International transfers. Several sub-processors (including Supabase, Vercel, Anthropic, Stripe, and Resend) are located in the United States, and data may be processed there. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States or other jurisdictions that have not received an adequacy decision, we rely on the European Commission's 2021 Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum as appropriate.

• Active accounts: Your account and report data is retained for as long as your account remains active and in good standing.
• Canceled accounts: Following cancellation, customer-facing account data is retained for 90 days to allow for reactivation or data export, after which it is permanently deleted.
• Report PDFs and UI copies: Retained for the lifetime of the organization account. Deletion of an organization account results in deletion of all associated report PDFs and UI-accessible data after the 90-day retention period.
• Derivative intelligence data: Aggregated, de-identified, and company-keyed derivative data described in Section 5 and Section 6 is owned by CRELYTIC and is retained indefinitely, independent of your account status. This data does not reference your organization and is not deleted when your account is deleted.

We implement industry-standard security measures to protect your data, including:

• Encryption at rest and in transit for all stored data.
• Row Level Security (RLS) policies ensuring strict organization-level isolation for customer-facing data.
• Service role separation between user-facing, worker, and administrative database operations.
• Nonce-based Content Security Policy, SSRF protections on server-side fetches, rate limiting, and CSRF protections on all state-changing web requests.
• Regular security reviews and dependency updates.

While we strive to protect your information, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security.

With respect to your account and customer-facing data, you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate or incomplete personal data.
• Request deletion of your account and customer-facing data, subject to our data retention obligations.
• Export your reports and account data in a machine-readable format.
• Withdraw consent to future report generation by canceling your subscription and deleting your account.

California residents. If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA"), gives you the right to know what personal information we collect, to request deletion or correction of that information, to opt out of the sale or sharing of your personal information, to limit the use of sensitive personal information, and to be free from retaliation for exercising these rights. TenantIQ does not sell personal information and does not share personal information for cross-context behavioral advertising. Our derivative intelligence products describe commercial entities (not individual consumers), meet CCPA de-identification criteria through the minimum-N aggregation rules in Section 6, and fall outside the CCPA's scope of "personal information" for purposes of sale or sharing.

EEA, UK, and Swiss residents. If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR), the UK GDPR, or the Swiss Federal Act on Data Protection (as applicable) gives you the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to lodge a complaint with your local supervisory authority. We process your personal data on the basis of contract performance (to deliver the service you have signed up for), legitimate interest (to secure, operate, and improve the service and our derivative intelligence products, limited by the commercial-entity and de-identification scope described in Sections 4 and 6), and consent (where separately obtained, for example for non-transactional email).

Note that the rights above apply to customer-facing account data. They do not extend to the aggregated, de-identified derivative intelligence data described in Sections 5 and 6, because that data (a) is owned by CRELYTIC, (b) does not identify you or your organization, and (c) is commingled across the full customer base such that extraction of your contribution is not technically feasible.

To exercise any of these rights, submit a request through our Data Subject Request form. Every request is reviewed by a human and tracked in an audit-retained queue. You can also email privacy@crelytic.ai directly. We will acknowledge your request within 10 business days and provide a substantive response within 45 calendar days (extendable by 45 days with notice for complex requests).

TenantIQ uses essential cookies for authentication and session management only. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. Essential cookies are strictly necessary for the operation of the Service and cannot be disabled while using the platform.

We may update this Privacy Policy from time to time. For material changes, we will notify you via email at the address associated with your account and by posting a notice in the application. Non-material changes will be posted on this page with an updated "Last updated" date. Your continued use of the Service after changes take effect constitutes acceptance of the revised Privacy Policy.

If you have questions or concerns about this Privacy Policy, contact us:

TenantIQ by CRELYTIC
Email: jonathan@crelytic.ai