Privacy Policy

1. Introduction

MotionCRE Inc., a Delaware corporation ("MotionCRE," "we," "us," or "our"), operates the MotionCRE platform and website located at motioncre.com (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you access or use the Service.

This Privacy Policy applies to all users of the Service, including workspace administrators, team members, and visitors to our website. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices as described herein, please do not use the Service.

This Privacy Policy should be read in conjunction with our Terms of Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect the following information:

• First and last name
• Work email address
• Password (hashed and stored by our authentication provider, Clerk. MotionCRE does not store your password directly)
• Workspace or company name
• Optional profile photo
• Job title and role (if provided)

2.2 Workspace and Deal Data

When you and your team use the platform, you may provide the following categories of information:

• Deal and project information, including property names, stages, notes, key dates, and financial details such as deal values, underwriting assumptions, and return projections
• Contact records, including names, email addresses, phone numbers, company affiliations, and professional titles
• Tasks, comments, activity logs, and internal communications within the platform
• Documents and files uploaded to deal rooms, including PDFs, spreadsheets, images, and other files (stored in Amazon S3)

This data is provided voluntarily by you and your team and may include information about third parties (e.g., brokers, lenders, counterparties). You represent that you have the authority to provide such information and that doing so does not violate any applicable law or third-party rights.

2.3 Billing Information

When you subscribe to a paid plan, payment information (including credit card number and billing address) is collected and processed directly by Stripe, Inc. ("Stripe"). MotionCRE does not store your full payment card details on its servers. We retain the following billing-related data: Stripe customer identifier, subscription status, plan type, billing period dates, and invoice history.

2.4 Usage and Technical Data

We automatically collect certain technical and usage information when you access the Service, including:

• Browser type, version, and language preferences
• Operating system and device information (device type, screen resolution)
• IP address and approximate geographic location derived from IP address
• Pages visited, features used, actions taken, and session duration
• Performance metrics (Web Vitals, page load times)
• Error and crash reports (collected via Sentry for debugging and service improvement purposes)

2.5 Cookies and Similar Technologies

We use cookies and similar tracking technologies to operate and improve the Service. We classify cookies into the following categories:

• Strictly Necessary Cookies. Authentication cookies managed by Clerk to maintain your session and demo mode cookies (expires after 2 hours). These cookies are essential for the Service to function and cannot be disabled.
• Analytics Cookies. We use Google Analytics (GA4) to measure site usage, traffic sources, page views, session duration, and feature adoption. Google Analytics uses cookies to distinguish unique users and track sessions. Google Analytics data is processed by Google LLC in accordance with the Google Privacy Policy. You may opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
• Session Analytics Cookies. We use Microsoft Clarity to record anonymized user sessions, including mouse movements, clicks, scrolls, and page interactions, to help us understand how users navigate the platform. Session recordings do not capture keystrokes in password fields or payment information. Clarity respects browser Do Not Track (DNT) settings. You may opt out by enabling DNT in your browser settings or by using an ad blocker. For more information, see the Microsoft Privacy Statement.

You may also disable analytics cookies by adjusting your browser settings to block third-party cookies or by using browser extensions that block tracking scripts.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing, operating, and maintaining the Service, including processing transactions and managing your subscription
• Authenticating users and managing workspace access and permissions
• Sending transactional communications, including task assignments, project notifications, deal alerts, and billing receipts
• Powering AI Features, including the AI Associate and document analysis (as described in Section 4)
• Monitoring and resolving errors, improving platform performance, and enhancing security
• Responding to support requests and communicating with you about your account
• Analyzing usage patterns and feature adoption to improve the Service (using only aggregated or de-identified data)
• Complying with applicable legal obligations, including tax, accounting, and regulatory requirements
• Protecting our rights, property, and safety, and the rights, property, and safety of our users and third parties

3.1 Legal Bases for Processing (GDPR)

If you are located in the European Economic Area ("EEA"), United Kingdom ("UK"), or Switzerland, we process your personal data under the following legal bases:

Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may request information about these balancing tests by contacting privacy@motioncre.com.

4. AI Features and Data Processing

MotionCRE offers AI-powered features, including the AI Associate, automated document analysis, and deal summarization (collectively, "AI Features"). This section describes how your data is processed when you use AI Features.

4.1 How AI Features Work

Document Analysis. When you upload a file and request AI analysis, the text content extracted from the file (PDF, Word document, or spreadsheet) is transmitted to Anthropic, PBC ("Anthropic") via their commercial API for processing. Anthropic generates summaries, extracts key terms, and produces suggested actions, which are returned to MotionCRE and stored in your workspace.

AI Associate. When you interact with the AI Associate, your messages and relevant deal context (including project details, notes, and file contents within the applicable deal workspace) are transmitted to Anthropic's API to generate responses. Conversation history with the AI Associate is stored in your workspace.

4.2 Data Handling by Anthropic

Data transmitted to Anthropic for AI processing is governed by Anthropic's commercial API terms. Under these terms, data submitted via the API is not used to train, improve, or develop Anthropic's foundation models. Anthropic acts as a sub-processor of MotionCRE and processes data solely for the purpose of generating outputs in response to API requests.

4.3 Opt-Out

Use of AI Features is entirely optional. You may use the Service without enabling any AI Features. If you prefer that your data not be processed by Anthropic, simply do not use AI Features. AI Features can be disabled at the workspace level by your administrator.

4.4 AI Output Disclaimer

AI-generated outputs, including financial calculations, projections, summaries, and deal status updates, are generated by automated systems and may contain errors. These outputs are provided as supplemental tools only and do not constitute investment advice, financial recommendations, appraisals, legal advice, or professional due diligence. You are solely responsible for independently verifying all AI-generated outputs.

4.5 Automated Decision-Making

MotionCRE does not use AI Features or any automated processing to make decisions that produce legal effects or similarly significant effects on individuals. All AI-generated outputs are presented as suggestions or supplemental information for human review and decision-making. You have the right to request human review of any AI-generated output.

5. Third-Party Service Providers

We share information with the following categories of service providers solely to operate and improve the Service. Each provider processes data only for the purposes specified and in accordance with our contractual obligations.

We will provide at least thirty (30) days' prior written notice before engaging any new sub-processor that processes personal data, during which time you may object in writing by contacting privacy@motioncre.com.

6. Data Sharing Within Workspaces

MotionCRE is a team-based platform. When you create or join a workspace, data within that workspace (including deals, contacts, files, tasks, and activity history) is accessible to other members of the workspace based on their assigned role (Owner, Admin, Member, or Viewer).

Workspace administrators may configure project-level access restrictions to limit visibility of specific deals or data to designated team members. MotionCRE does not control and is not responsible for access decisions made by workspace administrators. We recommend that administrators review role assignments and access controls periodically to ensure they align with their organization's data governance requirements.

7. Data Security

MotionCRE implements and maintains administrative, technical, and physical safeguards designed to protect your information against unauthorized access, disclosure, alteration, loss, or destruction. These measures include:

• Encryption in transit using TLS 1.2 or higher for all data transmitted to and from the Service
• Encryption at rest using AES-256 for stored files (Amazon S3) and database contents (Amazon RDS)
• Role-based access controls and workspace-level data isolation
• Secure authentication via Clerk with support for email-based two-factor verification
• Rate limiting on all API endpoints to prevent abuse
• Signed, time-limited URLs for secure file access
• Security headers including HSTS, X-Frame-Options, X-Content-Type-Options, and Content-Security-Policy
• Regular security assessments and vulnerability scanning
• Audit logging of administrative actions and data access events

While we employ industry-standard security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security. In the event of a security incident, we will comply with the notification obligations described in Section 7.1.

7.1 Security Incident Notification

In the event MotionCRE becomes aware of a security incident resulting in the unauthorized access to, acquisition of, or disclosure of personal data ("Security Incident"), MotionCRE will:

• Notify affected customers without undue delay and in no event later than seventy-two (72) hours after becoming aware of the Security Incident
• Provide the following information to the extent reasonably available: (i) the nature and scope of the incident, (ii) the categories and approximate volume of data affected, (iii) the likely consequences, and (iv) the measures taken or proposed to address and mitigate the incident
• Cooperate with affected customers in good faith to investigate and remediate the incident and to comply with applicable breach notification laws and regulatory requirements
• Notify the relevant supervisory authority within the timeline required by applicable law (including 72 hours under GDPR Article 33) where MotionCRE is the data controller

8. International Data Transfers

Your data is processed and stored in the United States. Our infrastructure and service providers, including AWS, Vercel, Clerk, Stripe, Anthropic, and Sentry, operate primarily in the United States.

If you are located in the European Economic Area, United Kingdom, or Switzerland, the transfer of your personal data to the United States and other jurisdictions may involve countries that do not provide the same level of data protection as your home jurisdiction.

To ensure appropriate safeguards for international transfers, MotionCRE relies on the following mechanisms:

• EU-U.S. Data Privacy Framework (and the UK Extension and Swiss-U.S. Data Privacy Framework), where applicable, for transfers to certified recipients in the United States
• Standard Contractual Clauses (SCCs) approved by the European Commission (Module 2: Controller to Processor and Module 3: Processor to Processor, as applicable), supplemented by appropriate technical and organizational measures based on transfer impact assessments
• The UK International Data Transfer Addendum, where applicable for transfers from the United Kingdom

Copies of the relevant SCCs and transfer impact assessments are available upon request.

9. Data Retention

We retain your information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and resolve disputes. The following retention periods apply:

When you delete items within the platform (deals, files, contacts), they are marked as deleted and permanently purged from production systems within thirty (30) calendar days. Residual copies in backup systems are purged within ninety (90) calendar days.

9.1 Data Retention After Subscription Cancellation

When you cancel your subscription, your workspace data (including deals, contacts, files, tasks, and uploaded documents) is retained for ninety (90) calendar days after the end of your billing period. During this retention period, you may reactivate your subscription to restore full access to your data. After ninety (90) days, your workspace and all associated data are permanently deleted from production systems.

During the cancellation process, you may choose to have your data deleted immediately upon the end of your billing period instead of the standard ninety-day retention window. If you select immediate deletion, all workspace data will be permanently removed when your subscription ends and cannot be recovered.

9.2 Delete Workspace

Workspace administrators may permanently delete their workspace at any time through Settings. Deleting a workspace immediately and irreversibly removes all associated data from production systems, including deals, contacts, files, tasks, uploaded documents, AI conversation history, activity logs, and workspace configuration. The associated Stripe subscription is canceled, and the workspace organization is deleted from our authentication provider (Clerk). This action cannot be undone. Residual copies in backup systems are purged within ninety (90) calendar days.

9.3 General Retention

Upon account closure (whether by cancellation with data retention expiry or workspace deletion), we will delete or anonymize your personal data in accordance with the schedule above, except where retention is required by law (e.g., billing records retained for seven years for tax and accounting compliance).

10. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete personal data.
• Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
• Data Portability: Request a copy of your personal data in a structured, commonly used, machine-readable format.
• Restriction: Request restriction of processing in certain circumstances.
• Objection: Object to processing based on legitimate interests, including profiling.
• Withdrawal of Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing.
• Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (see Section 4.5).

To exercise any of these rights, contact us at privacy@motioncre.com. We will verify your identity and respond within thirty (30) days (or within the period required by applicable law). If we require additional time, we will notify you of the extension and the reasons.

10.1 Right to Lodge a Complaint

If you are located in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal data violates applicable data protection law.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"):

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business or commercial purposes for collection, and the categories of third parties with whom we share your information.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
• Authorized Agents: You may designate an authorized agent to make requests on your behalf, subject to verification.

To submit a request, contact privacy@motioncre.com. We will verify your identity before fulfilling your request and will respond within forty-five (45) calendar days.

In the preceding twelve (12) months, we have collected the categories of personal information described in Section 2. We collect this information from the sources and for the purposes described in Sections 2 and 3. We disclose personal information to the categories of service providers described in Section 5.

12. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals. Because there is no industry-accepted standard for how to interpret DNT signals, the Service does not currently alter its data collection and use practices in response to DNT signals. If an industry standard is adopted, we will update this policy accordingly.

13. Children's Privacy

The Service is not directed to, and is not intended for use by, individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take prompt steps to delete such information. If you believe we have inadvertently collected information from a child under 18, please contact us at privacy@motioncre.com.

14. Data Processing

The processing of personal data on behalf of customers is governed by our Data Processing Addendum ("DPA"), which is incorporated by reference into our Terms of Service and applies to all customers. The DPA addresses the scope and purpose of processing, sub-processor obligations, data subject rights, cross-border transfer mechanisms, security requirements, and audit rights.

MotionCRE conducts Data Protection Impact Assessments ("DPIAs") for new features and processing activities that may present heightened privacy risks, including AI-powered features. Summaries of relevant DPIAs are available upon request to enterprise customers under a non-disclosure agreement.

15. Audit and Compliance

MotionCRE will make available to customers, upon reasonable written request, information necessary to demonstrate compliance with applicable data protection obligations. MotionCRE maintains industry-standard security certifications and will provide relevant security documentation upon request under a non-disclosure agreement.

MotionCRE will cooperate with reasonable audit requests from customers or their authorized auditors, subject to reasonable advance notice, scope limitations, and confidentiality protections. Audit requests may be satisfied by providing existing third-party audit reports, certifications, or written responses to reasonable security questionnaires.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. We will provide notice of material changes by:

• Posting the updated Privacy Policy on this page with a revised effective date
• Sending an email notification to the address associated with your account
• Displaying an in-app notification for active users

We will provide at least thirty (30) days' notice before material changes take effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.

17. Data Protection Contact

If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact:

MotionCRE Inc.
Privacy Inquiries: privacy@motioncre.com
Legal Inquiries: legal@motioncre.com
Support: support@motioncre.com
Website: motioncre.com

For data protection inquiries from individuals in the EEA or UK, you may also contact our designated privacy representative at privacy@motioncre.com. We will respond to all privacy-related inquiries within thirty (30) days.