Privacy Policy

This policy explains what personal data Estatya collects, why, who processes it on our behalf, how long we keep it, and the rights you have. We collect the minimum needed to operate a rental listing platform and never sell personal data.

What we collect

  • Account data (when you create an account): email, name, and role. Authentication is handled by a dedicated, industry-standard identity provider. Your credentials are never stored on Estatya servers, and your session is managed through encrypted tokens that Estatya does not have access to.
  • Inquiry data (when you contact a landlord): the name, email, optional phone, message, and preferred contact method you submit, plus the IP address, browser user-agent, and referring URL of the request — kept to detect spam and abuse.
  • Usage analytics: aggregate page and interaction events via our analytics provider to understand and improve the product. We do not enable session recording, and events are collected without personally identifying information.
  • Error diagnostics: technical error reports via our error monitoring service, configured to exclude personally identifying request data.

We never collect Social Security numbers, government ID numbers, or payment card data. Listing source data (addresses, rents) originates from public records and licensed third-party data providers, not from you.

Why we use it

  • To operate search, listings, and landlord contact.
  • To prevent spam, fraud, and abuse of the contact form.
  • To diagnose errors and improve performance and usability.

We do not use your data for targeted advertising and we do not sell it. We do not engage in profiling that produces legal or similarly significant effects.

Service providers

We share data only with service providers who process it strictly on our instructions and for no other purpose. The table below describes each category of provider, the data they handle, and where it is processed.

Category | Purpose | Data involved | Location
Authentication | Account sign-in, session management, MFA | Email address, hashed credentials, session tokens | United States
Database hosting | Storing accounts, listings, inquiries | Account data, inquiry records | United States
Email delivery | Inquiry notifications, account emails | Email address, inquiry content | United States
Error monitoring | Diagnosing application errors | Anonymized error traces, device metadata | United States
Product analytics | Measuring aggregate usage | Page views, interaction events (no PII) | United States or EU
Infrastructure / CDN | Hosting, DDoS protection, caching | Traffic metadata, IP addresses | Global edge network

Tenant screening: When a landlord initiates a background check, you are directed to our licensed screening partner — an independent consumer reporting agency operating under the Fair Credit Reporting Act. Estatya does not receive, store, or process credit reports, criminal history records, or Social Security numbers. The screening partner acts as a separate data controller under FCRA, not as a sub-processor of Estatya.

Retention

Account data is kept while your account is active. Inquiry records are retained for up to 24 months for abuse prevention and dispute resolution, then deleted or anonymized. Analytics and error data are retained on a rolling basis per the providers' defaults (typically 12 months).

Your privacy rights

Depending on your state of residence, you may have the right to confirm whether we process your data, to access it, to correct inaccuracies, to delete it, to obtain a portable copy, and to opt out of targeted advertising or sale — we do neither. Specifically:

  • Virginia residents have rights under the Virginia Consumer Data Protection Act (VCDPA), including the right to appeal a declined request by replying to our response. If an appeal is denied, you may contact the Virginia Attorney General.
  • California residents have rights under the California Consumer Privacy Act (CCPA / CPRA), including the right to know, delete, and opt out of sale (we do not sell).
  • Residents of other states with applicable privacy laws (Colorado, Connecticut, Texas, and others) have equivalent access, correction, and deletion rights where those laws apply.

To exercise any of these rights, email [email protected]. We will respond within the timeframe required by applicable law (typically 45 days).

Security

Data is encrypted in transit (HTTPS enforced) and at rest. Database access is governed by row-level security with a default-deny policy. Access to production data follows least privilege. Listing photos are stripped of EXIF metadata — including GPS coordinates — before storage. No method is perfectly secure, but we design to minimize what we hold and who can reach it.

Children

Estatya is not directed to children under 13 and we do not knowingly collect their data. If you believe a child has provided personal information, contact us at [email protected] and we will promptly delete it.

Data transfers

Estatya is operated from the United States. If you access the platform from outside the United States, your data will be transferred to and processed in the United States. We use contractual safeguards (data processing agreements) with all service providers to ensure your data is handled to the same standard regardless of where it is processed.

Changes

We may update this policy as the platform evolves. Material changes will be reflected in the effective date below and, where appropriate, announced in-product.

Effective May 28, 2026. Estatya operates nationally; Virginia law governs these policies. Questions: [email protected].
