AdvisorCM

Privacy Policy

Effective date: May 27, 2026

This Privacy Policy explains how CRE Capital Insights LLC (“AdvisorCM,” “we,” or “us”) collects, uses, and shares personal information when you use the AdvisorCM platform at advisorcm.co (the “Service”).

1. Information we collect

We collect the following categories of personal information from and about you:

Account information

When you sign up, we collect your email address, first and last name, phone number (optional), and the name of your firm or company. Authentication is handled by Clerk; some of this information is stored with Clerk and some in our own database.

Payment information

If you subscribe to a paid plan, payment information (card details, billing address) is collected and processed by Stripe. We do not see, store, or have access to your full payment card number. We retain only a Stripe customer identifier and your subscription status.

Data you create in your workspace

When you use the Service, you create and save data in your account workspace: deals you set up (loan amount, asset type, stage, etc.), lenders you add to those deals, statuses and notes you assign, quotes you save to the Quote Matrix, and recipients you invite to data rooms. This data is stored so you can access your workspace across signed-in devices. By default, workspace data is not visible to other users unless you explicitly share it (for example, by inviting a recipient to a data room). You are responsible for determining which recipients you invite to data rooms and what information you choose to share through the Service.

When you use the Quote Matrix Creator to parse a term sheet, the document text is sent to our AI subprocessor (Anthropic) for parsing. We store the extracted text and the structured fields the AI returned in your workspace. We do not store the original PDF or Word file. For Data Rooms, the actual files you upload (such as offering memoranda or financial models) are stored in our hosted file storage so that recipients you invite can access them via magic link.

Usage and device data

We automatically collect technical information when you use the Service: IP address, browser type, device type, pages viewed, actions taken (clicks, form submissions, searches), referring URL, and timestamps. We use PostHog for product analytics with conservative settings (no session recording, no DOM capture; only explicit events fired by our code).

Cookies and similar technologies

We and our service providers use cookies, local storage, and similar technologies to: keep you signed in (authentication session cookies set by Clerk), process payments and prevent fraud (cookies set by Stripe during checkout), and analyze aggregate usage (a persistent identifier set by PostHog so we can recognize the same browser across events). We do not use cookies for advertising or third-party retargeting. Most browsers let you block or delete cookies; doing so may cause parts of the Service that depend on a session to stop working.

Communications

If you contact us (e.g. by replying to a transactional email or emailing support@advisorcm.co), we receive and retain that communication along with your email address.

2. How we use information

We use personal information for the following business purposes:

  • Provide the Service — authenticate your account, maintain your deal records, deliver requested features (Smart Search, data rooms, exports).
  • Process payments — bill subscriptions, manage renewals, handle cancellations through Stripe.
  • Send transactional emails — welcome messages, data room invitations, billing receipts, account notifications.
  • Improve the Service — analyze aggregate usage patterns to identify friction, prioritize features, and fix bugs.
  • Provide AI-powered features — when you use Smart Search or the Quote Matrix term-sheet parser, we send to Anthropic the content associated with the requested feature, such as submitted queries or document text, along with related metadata necessary to process the request. Depending on what you submit, this may include portions of your uploaded deal materials. Anthropic does not train its models on data sent to its commercial API, per its Commercial Terms of Service. We do not currently use your data to train our own AI models.
  • Detect and prevent abuse — investigate misuse, enforce our Terms of Service, defend the platform against bulk data extraction or unauthorized scraping.
  • Comply with legal obligations — respond to lawful requests, enforce our Terms of Service and other agreements, exercise legal rights.
  • Generate aggregated or deidentified information — we may create aggregated or deidentified information that cannot reasonably identify an individual or a specific customer and use it for analytics, benchmarking, security, and improving the Service.

We do not sell your personal information, and we do not share personal information with third parties for their own advertising or marketing purposes.

3. Service providers and third parties

We use the following named service providers to operate the Service. Each receives only the personal information needed to perform its function, under contractual data-protection terms.

Service providerPurposeData shared
Clerk Inc.User authentication, session management, invitationsEmail, name, authentication credentials (such as passwords or login tokens), session metadata
Supabase Inc.Database, file storage, hosted PostgreSQLAll account, deal, lender, and uploaded-document data
Stripe, Inc.Subscription payments, billing portalEmail, billing address, payment card details (handled directly by Stripe)
Twilio SendGridTransactional email deliveryRecipient email, message content (welcome, data-room invites, etc.)
Anthropic, PBCAI-powered Smart Search + Quote Matrix term-sheet parsingContent associated with the requested feature, such as submitted queries or document text, plus related metadata necessary to process the request. Anthropic does not train on commercial API data per its terms.
PostHog Inc.Product analytics (aggregate usage patterns)Hashed user identifier, page views, feature events. No personal information in event properties; values are bucketed or categorical.
Netlify, Inc.Web hosting, edge functionsStandard request/response logs (IP, user agent, URL)
Microsoft / GoDaddyCustom-domain email hosting for support@advisorcm.coInbound email messages sent to our support address
cron-job.orgExternal scheduler for daily maintenance jobsSends authenticated pings to our API endpoints; receives no personal data

We may also disclose information when required by law, in response to lawful requests by public authorities, or to enforce our agreements and protect our rights.

Changes to our service providers

We may add, remove, or replace service providers from time to time as we improve the Service. The current list above is maintained as part of this Privacy Policy and will be updated when material changes occur. For material changes that introduce a new category of data sharing or a new processing purpose, we will notify active account holders by email at least 7 days before the change takes effect, so you can review and, if you choose, exercise your rights under Section 5 before the new provider begins processing.

International data transfers

AdvisorCM is based in the United States and our primary data processing happens in the United States. Some of our service providers operate or store data in additional countries (for example, Stripe and Anthropic operate globally). By using the Service, you understand that your information may be transferred to and processed in countries outside your jurisdiction, including the United States and other countries where our service providers operate.

4. How long we keep information

  • Account information — kept while your account is active. If you delete your account, we delete or anonymize it within 30 days, except where retention is required for legal, tax, accounting, security, fraud-prevention, or dispute-resolution purposes. Some information may persist for a short period in encrypted backups before being overwritten by the normal backup cycle.
  • Deal and lender activity data — kept while your account is active. Deleted with your account.
  • Payment records — Stripe retains transaction records per its own policy (typically 7 years for tax purposes). We retain Stripe customer identifiers and subscription history for the same period.
  • Email communications — kept while reasonably needed for support and recordkeeping (typically 2 years).
  • Usage analytics data — PostHog retains event data per its retention policy. We have not configured shortened retention beyond PostHog's defaults.
  • Data room files — deleted from storage 90 days after the parent deal closes or is marked dead, per our data room lifecycle policy. If you revoke a recipient's magic-link access mid-deal, future downloads through that link will fail, but we cannot control or delete copies, screenshots, exports, or downloaded files that the recipient obtained before access was revoked.

5. Your privacy rights

Depending on where you live, you may have the following rights regarding your personal information:

  • Know — request a copy of the personal information we hold about you.
  • Delete — request that we delete personal information about you. We may retain certain records for legal compliance.
  • Correct — request that we correct inaccurate personal information. Most profile data is editable directly on your account page.
  • Opt out of sale — we do not sell personal information, but you have the right to confirm this and opt out if our practices ever change.
  • Non-discrimination — we will not treat you differently for exercising any of these rights.

How to exercise these rights: email support@advisorcm.co from the email address associated with your account. We will respond within 45 days as required by California law.

California residents have these rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Residents of other states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, and others) have substantially similar rights and may exercise them the same way.

For users in the European Union, United Kingdom, or other jurisdictions where the General Data Protection Regulation (GDPR) or similar laws apply: we process personal information where necessary to provide the Service to you (contract), comply with our legal obligations, protect our legitimate business interests (e.g., preventing fraud and abuse), or based on your consent where required by law. You have the right to access, correct, delete, or restrict the processing of your personal information, and to lodge a complaint with a supervisory authority. Exercise these rights by emailing support@advisorcm.co.

6. Security

We use commercially reasonable technical and organizational measures to protect personal information, including: encryption of data in transit (HTTPS / TLS) and at rest (managed by our hosting and database providers); access controls and authenticated APIs; password hashing handled by our authentication provider; and segregation of customer data via row-level security policies.

No system can be guaranteed 100% secure. If you discover a vulnerability or suspect a breach affecting your account, please email support@advisorcm.co immediately.

7. Children's privacy

AdvisorCM is a business platform intended for commercial real estate professionals. Our Terms of Service require all users to be at least 18 years old. The Service is not directed to anyone under 18, and we do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, please contact us and we will delete it promptly.

8. Business transfers

If AdvisorCM is involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of all or substantially all of our assets, or similar transaction, personal information may be transferred as part of that transaction subject to applicable law. We will notify you (e.g., by email or a prominent notice on the Service) before any such transfer results in your personal information becoming subject to a different privacy policy.

9. Changes to this policy

We may update this Privacy Policy from time to time. The “Effective date” at the top reflects the most recent change. Material changes will be communicated by email to account holders at least 7 days before taking effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

10. Contact us

For privacy questions, data requests, or any other inquiries related to this policy, contact:

CRE Capital Insights LLC
Email: support@advisorcm.co