Privacy Policy
Last updated: June 12, 2026
This policy explains what personal data we process when you use Containeer, why we process it, who we share it with, how long we keep it, and the rights you have. It is written to satisfy Articles 13 and 14 of the EU and UK GDPR and the California Online Privacy Protection Act (CalOPPA).
1. Who we are (data controller)
The Containeer platform at containeer.com(the "Service") is operated by Containeer, a founder-led venture in formation under Spanish law; the registered company details will be published here as soon as incorporation is complete ("Containeer", "we", "us"). We are the data controller for the personal data described in this policy.
Privacy contact: privacy@containeer.com. We have not appointed a Data Protection Officer because we are not required to; the address above reaches the person responsible for data protection.
2. Scope — a B2B service, not for minors
Containeer is a professional, business-to-business data intelligence platform for commercial real estate. It is not directed at consumers acting in a personal or household capacity, and it is not directed at, nor may it be used by, anyone under 18. We do not knowingly collect personal data from minors; if you believe a minor has provided us data, contact us and we will delete it.
3. Personal data we collect
| Category | Data | Source |
|---|---|---|
| Account data | Email address, name, password (stored only as a one-way bcrypt hash — we never store or see your plaintext password), role, account status | You, at registration |
| Payment data | Subscription tier, billing history, Stripe customer reference. Card details are collected and processed directly by Stripe — your card number never touches our servers | You / Stripe |
| AI chat history | Your conversations with the Containeer AI assistant (prompts and responses), stored against your account so you can revisit them | You, when using the chat |
| Favorites & preferences | Saved companies/properties, theme and display preferences | You, while using the Service |
| Audit & security logs | IP address, timestamps, authentication events, API key usage | Generated by the Service |
| Analytics | Aggregated usage data via Google Analytics 4 and Vercel Analytics — only if you consent via the cookie banner (see the Cookie Policy) | Your browser, with consent |
| Support & contact | Messages you send us by email or contact form | You |
4. Purposes and legal bases (GDPR art. 6)
| Processing | Purpose | Legal basis |
|---|---|---|
| Account data | Create and operate your account, authentication | Art. 6(1)(b) — contract |
| Payments & billing | Process subscriptions, invoicing, tax compliance | Art. 6(1)(b) contract + 6(1)(c) legal obligation (tax records) |
| AI chat | Provide the AI assistant and your conversation history | Art. 6(1)(b) — contract |
| Audit & security logs | Security, fraud and abuse prevention, incident investigation | Art. 6(1)(f) — legitimate interest (security of the Service) |
| Analytics cookies | Understand aggregate usage to improve the Service | Art. 6(1)(a) — your prior consent (ePrivacy) |
| Service emails to customers | Transactional and service-related communications | Art. 6(1)(b) contract; 6(1)(f) for related-product notices, always with opt-out |
| Public-record real estate data | The data product itself (see section 6) | Art. 6(1)(f) — legitimate interest, public sources |
5. The AI assistant
When you use the Containeer chat, your messages (and the minimum context needed to answer them) are processed by a third-party large language model (LLM) provider acting as our processor under a data processing agreement. Your conversations are not used to train the provider's models.
- Do not input personal data about third parties (or any sensitive personal data) into the chat. The chat is designed for questions about properties, companies, loans and markets.
- You can delete individual conversations at any time from the chat sidebar; deleting your account deletes your chat history.
- The chat is an AI system: responses may contain errors and do not constitute investment, legal or other professional advice.
6. Where our real estate data comes from (art. 14)
The datasets served by the platform are derived from public, official government records, including: SEC EDGAR (US securities filings), NYC ACRIS (New York City property records) and the Cook County Assessor (Illinois), plus other public registers and statistical sources. These records overwhelmingly concern companies and properties. Where a public record relates to an identifiable individual (for example, a named party in a property transaction), we process it on the basis of legitimate interest (art. 6(1)(f)), exactly as published by the originating public authority, and we rely on art. 14(5)(b) GDPR (disproportionate effort) regarding individual notification — this policy serves as the public information notice. Publicly available government records of this kind are also excluded from the definition of "personal information" under US state privacy laws. You may object to the processing of public-record data about you (see section 11).
7. Who we share data with (processors)
We use the following service providers as processors, each bound by a data processing agreement. We never sell personal data.
| Provider | Role | Location / transfer mechanism |
|---|---|---|
| Vercel Inc. | Web hosting and delivery of the frontend | US — EU-US Data Privacy Framework + SCCs fallback |
| Railway Corp. | API backend hosting | US — SCCs |
| Amazon Web Services | Database and storage (eu-west-2, London) | UK region (EU→UK adequacy decision); AWS DPF/SCCs for support access |
| Stripe | Payment processing | US — DPF + SCCs (Stripe DPA) |
| Analytics (GA4/GTM) — only with your consent | US — DPF + SCCs (Google Data Processing Terms) | |
| LLM provider | AI assistant inference (no model training on your data) | DPA with SCCs; DPF where certified |
We may also disclose data where required by law or to protect our legal rights, and to a successor entity in a merger or acquisition (in which case this policy continues to apply and you will be notified).
8. International transfers
Where personal data is transferred outside the EEA/UK (primarily to the United States, to the providers above), we rely on the EU-US Data Privacy Framework for certified recipients, with the European Commission's Standard Contractual Clauses (2021) as a contractual fallback in every data processing agreement. Our primary database is hosted in AWS eu-west-2 (London), covered by the EU→UK adequacy decision.
9. How long we keep data
| Data | Retention |
|---|---|
| Account data | Life of the account + 30 days after deletion (backup roll-off) |
| Billing & invoicing records | 6 years (statutory tax/accounting obligation) |
| AI chat history | Until you delete the conversation or close your account |
| Favorites & preferences | Life of the account |
| Audit & security logs | 12 months (longer only if needed for an ongoing investigation) |
| Analytics data (with consent) | Up to 2 years (GA4 default), cookie durations in the Cookie Policy |
| Consent records | Choice cookie: 12 months; accountability record: 5 years |
10. We do not sell personal data
We do not sell personal data, and we do not share it for cross-context behavioral advertising. Our analytics run without advertising features, personalization signals or remarketing.
Do Not Track / Global Privacy Control: because we do not sell or share personal data, there is no sale for a GPC or DNT signal to opt out of. Analytics cookies are opt-in by default for all visitors — nothing is set unless you actively consent — which is a stronger protection than an opt-out signal. We disclose this in accordance with CalOPPA.
11. Your rights
Under the EU/UK GDPR you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate data (account details can be edited in your profile);
- Erase your data ("right to be forgotten") — deleting your account removes your profile, favorites and chat history, and we propagate deletion to our processors, including Stripe and the LLM provider, subject to statutory retention (e.g., invoices);
- Restrict or object to processing based on legitimate interest, including public-record data about you;
- Port the data you provided to us in a machine-readable format;
- Withdraw consent at any time (e.g., analytics cookies via "Configure cookies" in the footer), without affecting prior processing.
To exercise any right, email privacy@containeer.com. We will respond within one month (extendable by two further months for complex requests, in which case we will tell you). We may ask you to verify your identity. Exercising your rights is free of charge.
You also have the right to lodge a complaint with a supervisory authority — in Spain, the Agencia Española de Protección de Datos (AEPD, aepd.es); in the UK, the Information Commissioner's Office (ICO). We would appreciate the chance to address your concern first, but you are not required to contact us before complaining.
12. US state privacy rights
We are not currently subject to the CCPA/CPRA or other US state comprehensive privacy laws (we do not meet their applicability thresholds and operate B2B). Nevertheless: we do not sell or share personal information; we honor deletion and access requests from any user worldwide through the process in section 11; and if a state privacy law becomes applicable to us, we will update this policy and honor the rights it grants.
13. No automated decision-making
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (GDPR art. 22). The AI assistant answers questions; it does not make decisions about users. We do not use your data for credit scoring or eligibility determinations of any kind.
14. Security
We protect data with TLS encryption in transit, bcrypt password hashing, role-based access controls and audit logging, hosted on the infrastructure providers listed above. See the Security page for details. No system can be guaranteed to be absolutely secure; if a breach affects your data we will notify the competent authority within 72 hours where required (GDPR art. 33) and notify you without undue delay where the breach is likely to result in a high risk to you (art. 34) or where state breach-notification laws require it.
15. Changes to this policy
When we change this policy we will post the new version here and update the "Last updated" date. For material changes we will additionally notify registered users by email or an in-app notice before the changes take effect. Earlier versions are available on request.
16. Contact
Containeer · privacy@containeer.com
Summary (not a substitute for the policy)
We collect what we need to run your account, payments via Stripe, your AI chats (no model training, processed by an LLM provider under contract), and — only with your consent — analytics. We never sell personal data. Our real estate datasets come from public government records. Email privacy@containeer.com to exercise any right.