Last Updated March 18, 2026 · TourLytics and its affiliates
TourLytics is an AI-powered commercial real estate intelligence platform that helps enterprise CRE teams process broker survey documents, visualize properties on interactive maps, generate tour books, perform financial modeling, and conduct commute studies.
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the practices described in this Policy, please do not use the Platform. If you are accepting this Policy on behalf of an organization, you represent and warrant that you have the authority to bind that organization to this Policy, and references to "you" or "your" shall refer to that organization.
Capitalized terms not defined in this Privacy Policy shall have the meanings ascribed to them in our Terms of Service, available at tourlytics.ai/terms.
We collect information in several categories as described below. The types and amounts of information we collect depend on how you interact with the Platform.
When you register for an account on the Platform, we collect the following personal information:
When you use the Platform, you may upload or create content that contains information about third parties and commercial real estate transactions ("Customer Content" and "Customer Data"). This may include:
Important: You are responsible for ensuring that you have the right to upload and process any Customer Data and Customer Content through the Platform, and that doing so complies with all applicable laws and any obligations you may have to third parties.
When you use AI-powered features of the Platform, we collect:
We automatically collect information about how you interact with the Platform, including:
We automatically collect technical information from your device and browser, including:
When you purchase tokens or subscribe to the Platform, payment transactions are processed by Stripe, our third-party payment processor. We receive and store:
Important: We do not store, process, or have access to your full credit card numbers, CVV codes, or other sensitive payment credentials. All payment card data is processed and stored exclusively by Stripe in accordance with PCI DSS requirements. Please refer to Stripe's Privacy Policy for more information.
We process geolocation data derived from building addresses that you upload or enter into the Platform for purposes of geocoding and map visualization using Google Maps Platform. This geolocation data pertains to commercial real estate properties -- not to your personal physical location. We do not collect or track your real-time geographic location.
We use cookies and similar tracking technologies to collect information about your interactions with the Platform. For detailed information about the cookies we use, please see Section 10 (Cookies and Tracking Technologies) of this Policy.
We use the information we collect for the following purposes:
We do NOT use Customer Data or Customer Content to train, improve, or fine-tune artificial intelligence or machine learning models. Your uploaded documents and data are processed solely to provide the Service to you and are not used for any other purpose.
We do NOT sell your personal information. We have not sold personal information in the preceding twelve (12) months and do not intend to do so. For purposes of the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"), we do not "sell" or "share" personal information as those terms are defined under applicable law.
We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following limited circumstances:
We engage trusted third-party service providers to perform functions and provide services on our behalf. These providers have access to your information only to the extent necessary to perform their functions and are contractually obligated to protect your information. Our key service providers include:
When you participate in a Project on the Platform, certain information may be visible to other Authorized Users within that Project based on the role-based access control system. Project Owners and Admins may have access to broader information within the Project than Members or Viewers. You should only share information within Projects that you are comfortable making available to other Project participants.
We may disclose your information if we believe in good faith that such disclosure is necessary to:
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will provide notice to you via email and/or a prominent notice on the Platform prior to any such transfer and before your information becomes subject to a different privacy policy. You will have the opportunity to delete your account before such transfer takes effect.
We may share aggregated or de-identified information that cannot reasonably be used to identify you for purposes such as industry analysis, market research, and Platform improvement. Such information is not considered personal information under applicable law.
The Platform integrates with and relies upon third-party services to provide its functionality. Each of these services has its own privacy policy governing the collection and use of data processed through their systems. We encourage you to review the privacy policies of these services:
We are not responsible for the privacy practices of these third-party services. We encourage you to review their respective privacy policies to understand how they handle your information.
We retain your information for as long as necessary to fulfill the purposes for which it was collected, as described in this Policy, unless a longer retention period is required or permitted by law. Our specific retention periods are as follows:
We retain your account information for the duration of your active account. Upon account deletion, we will delete or anonymize your account data within ninety (90) days, except as required by law or as necessary to comply with our legal obligations, resolve disputes, or enforce our agreements.
Customer Content and Customer Data are retained for as long as the associated Projects remain active. Upon account termination or deletion of a Project, we will delete Customer Content and Customer Data within thirty (30) days, unless retention is required by law or is necessary for the establishment, exercise, or defense of legal claims.
Usage and analytics data are retained in aggregated form for a period of twenty-four (24) months from the date of collection. After this period, such data is permanently deleted or further anonymized so that it cannot be associated with any individual user.
Payment and transaction records are retained as required by applicable tax, financial, and accounting regulations, which typically require a retention period of seven (7) years. These records are retained solely for compliance purposes and are not used for marketing or other unrelated purposes.
AI interaction logs -- including prompts, queries, and associated outputs -- are retained for a period of ninety (90) days for purposes of quality assurance, debugging, and service improvement. After this period, such logs are permanently deleted. AI interaction logs are not used to train or improve AI models.
We implement and maintain commercially reasonable administrative, technical, and physical security measures designed to protect your information from unauthorized access, disclosure, alteration, and destruction. These measures include:
We maintain incident response procedures to detect, respond to, and recover from security incidents. In the event of a data breach that affects your personal information, we will notify you in accordance with applicable law.
We are actively pursuing SOC 2 Type II compliance certification. We will update this section when certification is achieved.
No method of transmission over the Internet or method of electronic storage is completely secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee its absolute security. You acknowledge and accept that you transmit information to and through the Platform at your own risk.
If you are a California resident, you have certain rights under the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"). These rights include:
7.1.1 Right to Know
You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which that information is collected, the business or commercial purpose for collecting the information, the categories of third parties with whom we share the information, and the specific pieces of personal information we have collected about you.
7.1.2 Right to Delete
You have the right to request that we delete personal information that we have collected from you, subject to certain exceptions as provided by law (e.g., if the information is necessary to complete a transaction, detect security incidents, comply with legal obligations, or for other purposes permitted by law).
7.1.3 Right to Correct
You have the right to request that we correct inaccurate personal information that we maintain about you, taking into account the nature of the personal information and the purposes for which we process it.
7.1.4 Right to Opt-Out of Sale or Sharing
You have the right to opt out of the "sale" or "sharing" of your personal information, as those terms are defined under the CCPA/CPRA. As stated in this Policy, we do not sell or share personal information and have not done so in the preceding twelve (12) months.
7.1.5 Right to Limit Use of Sensitive Personal Information
You have the right to limit the use and disclosure of sensitive personal information to uses that are necessary to perform the services reasonably expected by an average consumer. We only use sensitive personal information for purposes permitted under the CCPA/CPRA.
7.1.6 Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you access to the Platform, charge you different prices, provide you a different level or quality of service, or suggest that you will receive a different price or level of service for exercising your rights.
7.1.7 How to Submit a Request
To exercise any of the rights described above, please submit a verifiable consumer request to us by:
Only you, or a person you have authorized to act on your behalf (an "authorized agent"), may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
7.1.8 Verification Process
Upon receiving a request, we will verify your identity by matching identifying information provided in your request against information we already have on file. We may ask you to provide additional information to verify your identity. If you use an authorized agent to submit a request, we may require that you provide the authorized agent written permission to do so and that you verify your own identity directly with us.
7.1.9 Response Timeline
We will respond to verifiable consumer requests within forty-five (45) days of receipt. If we require additional time, we will inform you of the reason and extension period in writing. Any extension will not exceed an additional forty-five (45) days, for a maximum total response time of ninety (90) days. If we are unable to fulfill a request, we will explain the reason in our response.
Regardless of your location, we provide all users of the Platform with the following rights:
7.2.1 Access
You may request access to the personal information we hold about you and receive a copy of such information in a commonly used electronic format.
7.2.2 Correction
You may request that we correct any inaccurate or incomplete personal information we hold about you.
7.2.3 Deletion
You may request that we delete your personal information, subject to applicable legal requirements and our legitimate retention needs.
7.2.4 Data Portability
You may request a copy of your personal information in a structured, commonly used, and machine-readable format, and you may request that we transmit such data to another service provider where technically feasible.
7.2.5 Withdrawal of Consent
Where we process your personal information based on your consent, you may withdraw that consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
7.2.6 Objection to Processing
You may object to the processing of your personal information where we process it based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
To exercise any of these rights, please contact us at privacy@tourlytics.ai. We will respond to your request in accordance with applicable law.
The Platform is not directed to, and we do not knowingly collect personal information from, children under the age of sixteen (16). If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to delete such information as soon as practicable. If you believe that we may have collected personal information from a child under 16, please contact us at privacy@tourlytics.ai so that we can investigate and take appropriate action.
The Platform is operated from the United States, and your information is primarily processed and stored in the United States. If you access the Platform from outside the United States, please be aware that your information may be transferred to, stored in, and processed in the United States and other jurisdictions where our service providers operate.
By accessing or using the Platform, you consent to the transfer of your information to the United States and other jurisdictions that may not provide the same level of data protection as the laws of your country of residence.
For enterprise customers that require additional safeguards for international data transfers, we offer standard contractual clauses and other appropriate transfer mechanisms upon request. Please contact us at privacy@tourlytics.ai to discuss your specific requirements.
We use cookies and similar technologies to enhance your experience on the Platform. This section describes the types of cookies we use and how you can manage them.
10.1.1 Essential Cookies
These cookies are strictly necessary for the operation of the Platform. They enable core functionality such as user authentication, session management, and security features. Essential cookies cannot be disabled without impairing the functionality of the Platform.
10.1.2 Analytics Cookies
These cookies help us understand how users interact with the Platform by collecting information about pages visited, features used, and usage patterns. We use this information to analyze and improve the Platform's performance and user experience. Analytics data is collected in aggregated or anonymized form where possible.
10.1.3 No Advertising or Marketing Cookies
We do not use advertising, marketing, or behavioral tracking cookies on the Platform. We do not serve targeted advertisements, and we do not share cookie data with advertising networks.
You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling essential cookies may impair the functionality of the Platform. You may also manage analytics cookie preferences through the Platform's cookie settings, if available.
For more information about cookies and how to manage them, you can visit www.allaboutcookies.org.
"Do Not Track" ("DNT") is a privacy preference that users can set in certain web browsers. We respect your privacy choices. However, because there is no accepted standard for how to respond to DNT signals, the Platform does not currently alter its data collection and use practices in response to DNT signals. We will continue to monitor developments in DNT technology and update our practices accordingly if a uniform standard is adopted.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes to this Policy, we will:
Your continued use of the Platform after the effective date of any updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with any changes, you must discontinue your use of the Platform and delete your account before the effective date of the updated Policy.
For enterprise customers that require a formal Data Processing Addendum (DPA), we offer a comprehensive DPA that covers:
To request a Data Processing Addendum, please contact us at privacy@tourlytics.ai. Our DPA is provided at no additional cost and is designed to satisfy the requirements of applicable data protection regulations, including the CCPA/CPRA.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
TourLytics and its affiliates
Email: privacy@tourlytics.ai
Website: tourlytics.ai
State of Incorporation: California
We strive to respond to all inquiries within thirty (30) days of receipt. For requests related to your privacy rights under the CCPA/CPRA, please see Section 7.1.9 for specific response timelines.
* * *