Privacy Policy
- Effective:
- May 12, 2026
- Last updated:
- May 9, 2026
Applies to vicaso.com, properties.vicaso.com, and all Vicaso services.
This is a baseline policy prepared for review by qualified legal counsel before production deployment. Specific clauses may need adjustment based on jurisdiction, business model evolution, and regulatory changes. If you have questions, email privacy@vicaso.com.
1. Who We Are and Scope of This Policy
This Privacy Policy describes how Vicaso, LLC (“Vicaso,” “we,” “us,” or “our”), a Washington limited liability company, collects, uses, shares, and protects information about you when you use our websites, applications, APIs, and services, including vicaso.com, properties.vicaso.com, the property-website pages at vicaso.com/p/[slug], the client, photographer, editor, and admin portals, and our marketing-material editor (collectively, the “Service”).
This Policy applies to:
- Clients (real estate agents and brokerages who place orders);
- Photographers and Editors (independent contractors who fulfill orders);
- Visitors to our marketing site, blog, and public property websites;
- Lead submitters who fill out a contact form on a property website published through Vicaso.
Where Vicaso processes personal information on behalf of a Client (for example, leads submitted through a Client’s property website), Vicaso acts as a service provider or processor to that Client. Where Vicaso determines the purposes and means of processing (account information, order data, marketing communications), Vicaso acts as the business or controller.
By using the Service, you confirm you have read and understood this Policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Information you give us
- Account and profile information. Name, email address, password (hashed via Supabase Auth — we never store plaintext passwords), phone number (optional), brokerage name, role (client, photographer, editor, admin), profile photo, time zone, language preference, notification preferences, and (for Photographers) FAA Part 107 certificate information and equipment list.
- Order and property information. Property address, property type (condo/house/luxury), package selection, add-ons (drone, twilight, virtual staging, video, property website, marketing materials, etc.), shoot scheduling details, gate codes or access notes, lockbox information (where you choose to provide), seller name (if entered), and post-shoot notes.
- Payment information. Card brand, last 4 digits, expiry, and Stripe payment-method tokens — we do not store full card numbers, CVCs, or bank-account numbers. Full payment data is processed and stored by Stripe Payments (Stripe, Inc.) under its own privacy policy.
- Photographer and editor onboarding information. Government-issued ID, address, tax ID (W-9), Stripe Connect KYC information, insurance certificates, and background-check authorization where required. KYC and tax information is collected and stored by Stripe Connect; Vicaso receives only the result of the verification (verified / not verified) and references to Stripe-managed records.
- Communications. Messages you send us via support email, in-app comments, contact forms, and survey responses.
- Content you upload. Photographs (including raw and edited media), videos, audio, marketing materials you create, property-website content you author or edit.
- Lead submissions on Client property websites. When a member of the public submits a contact form on a property website hosted by Vicaso, we collect the lead’s name, email, phone (where provided), message, and the property URL where the lead originated. We share this lead with the Client whose property is being marketed.
2.2 Information collected automatically
When you visit the Service we automatically collect:
- Device and browser data. IP address, user-agent string, browser type and version, operating system, device type, screen resolution, language, and time zone.
- Usage data. Pages and routes visited, referrer URL, clicks, scroll depth, session duration, error events, performance metrics, and navigation paths.
- Cookies and similar technologies. Authentication session cookies, preference cookies, and analytics/tracking cookies as detailed in our Cookie Policy.
- Approximate geolocation. Derived from your IP address; we do not collect precise device GPS unless you explicitly enable location during photographer field-work features.
- EXIF and image metadata. Photographs uploaded by Photographers commonly include EXIF metadata (camera make/model, capture timestamp, GPS coordinates of the property). We retain this metadata as part of the asset record and may strip GPS coordinates from public deliverables.
2.3 Information we receive from third parties
- Stripe — payment status, payout status, dispute notifications, KYC verification status, fraud-risk signals.
- Google OAuth — name, email, and Google account ID when you sign in with Google. We request only basic profile scopes.
- Brevo — email delivery status (delivered, bounced, opened, clicked) for transactional and marketing emails we send to you.
- Google Maps Platform — geocoded property coordinates and place metadata used to validate service area.
- Background-check providers — for Photographers and Editors with appropriate consent.
2.4 Information we do not knowingly collect
We do not knowingly collect:
- Government-issued ID images directly (Stripe Connect handles all KYC capture);
- Biometric data, race, ethnicity, religion, sexual orientation, or other sensitive personal information unless you voluntarily provide it (please don’t);
- Information from children under 18 (see Section 9).
3. How We Use Your Information
We use information for the following purposes (with the indicated legal bases under EU/UK law, where applicable):
| Purpose | Examples | Legal basis (GDPR) |
|---|---|---|
| Provide the Service | Account creation, order fulfillment, photographer assignment, delivery, property-website hosting, marketing-material generation | Contract performance |
| Process payments and payouts | Stripe charges, refunds, Connect payouts, 1099 reporting | Contract performance; legal obligation |
| Communicate with you | Order status emails, photographer ETA, delivery notifications, support replies, account notices | Contract performance; legitimate interests |
| Personalize and improve the Service | Save preferences, suggest add-ons, surface relevant templates | Legitimate interests |
| Marketing | Newsletters, product announcements, referral reminders (with opt-out) | Consent (where required); legitimate interests |
| Analytics and product development | Usage analysis, error monitoring, A/B testing | Legitimate interests |
| Security and fraud prevention | Detect bot signups, payment fraud, referral abuse, takeover attempts | Legitimate interests; legal obligation |
| Comply with law and protect rights | Tax records, legal process, audit, dispute resolution | Legal obligation; legitimate interests |
| Train internal tooling (limited) | Improve quality-review processes, photographer routing — not generative AI training on user content | Legitimate interests |
We will not use your personal information for purposes materially different from those described here without first providing notice or obtaining consent, where required by law.
4. Cookies and Similar Tracking
We use cookies, local storage, and similar technologies for authentication, preferences, analytics, and limited marketing measurement. Categories include:
- Strictly necessary (Supabase Auth session, CSRF protection, Stripe checkout session) — cannot be disabled while you use the Service.
- Performance / analytics (Vercel Analytics, Google Analytics 4, Microsoft Clarity).
- Functionality (UI preferences, recently viewed orders).
- Marketing (limited; primarily campaign-tracking via UTM parameters and conversion measurement).
For the full list of cookies, third parties, and how to control them, see our Cookie Policy.
5. AI Processing of Your Content
Vicaso uses generative AI services to provide features such as virtual staging, sky replacement, day-to-dusk conversion, decluttering, object removal, AI listing descriptions, and AI neighborhood content. As of the Effective Date, our AI provider is Google Gemini (Google LLC).
When you use these features:
- Inputs. We send the relevant images and the prompt parameters required to perform the requested edit (for example, “stage this living room in modern style”). We send the property’s textual fields (address, type, square footage, bedrooms, bathrooms, etc.) to generate listing or neighborhood text.
- Personally identifying information. We do not intentionally send personally identifying information about owners, occupants, or contractors (names, phone numbers, email addresses) to AI providers. Property addresses are sent to Google Gemini for AI listing/neighborhood generation; addresses are also publicly disclosed via MLS in the ordinary course of real-estate marketing.
- No model training on your content. Our AI provider contracts and configurations are set so that your inputs are not used to train Google Gemini’s foundation models. AI providers may nevertheless retain inputs for a short period for safety filtering and abuse monitoring per their terms.
- Outputs. Generated images and text are returned to Vicaso, stored with your order record, and made available to you. Outputs are subject to the disclosure obligations described in our Terms of Service, Section 7.
- Withdrawal. You may decline to use AI features. If you have already used a feature and wish to delete the resulting outputs, contact privacy@vicaso.com.
6. How We Share Your Information
We share information only as described below. We do not sell personal information, and we do not engage in cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (“CCPA”/“CPRA”).
6.1 With service providers (processors)
We share information with vendors that provide infrastructure and services on our behalf under written agreements requiring them to protect your information. Current key providers:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage, realtime | Account data, order data, uploaded media |
| Vercel, Inc. | Application hosting, edge functions, image optimization, Vercel Analytics | Request logs, performance metrics |
| Stripe, Inc. | Payments, payouts (Connect), tax reporting, fraud signals | Name, email, billing address, payment-method tokens, payout details |
| Brevo SAS | Transactional and marketing email delivery | Recipient email, message content, delivery/click metadata |
| Google LLC — Gemini | AI image editing, AI text generation | Property images and metadata (no PII per Section 5) |
| Google LLC — Maps Platform | Address validation, geocoding, distance calculations | Property addresses |
| Google LLC — Analytics 4 | Web analytics | IP address, device data, page paths (with IP truncation enabled) |
| Microsoft Corporation — Clarity | Heatmaps and session replay (with PII masking) | Anonymized session data |
| WalkScore (where used) | Walkability/transit/bike-score for property pages | Property addresses |
| Dropbox, Inc. (optional) | Photographer alternative-upload path | Files the Photographer chooses to share |
| Background-check providers | Photographer/editor screening | Identity information with consent |
6.2 With photographers and editors who fulfill your order
To fulfill your shoot, we share with the assigned Photographer and Editor: the property address, scheduled shoot time, package and add-on configuration, access notes (gate codes, lockbox, parking, pets, special requests), and the Client’s first name and phone number for on-site coordination. Photographers and Editors are bound by confidentiality and acceptable-use obligations.
6.3 With Clients (when you submit a lead on a property website)
If you submit a contact form on a property website published by a Vicaso Client, your name, email, phone, and message are sent to that Client (the listing agent) and to Vicaso for delivery and analytics. The Client’s privacy practices are independent of ours.
6.4 With law enforcement and in legal process
We may disclose information when we believe in good faith that disclosure is required to (a) comply with applicable law, subpoena, court order, or other legal process; (b) protect the rights, property, or safety of Vicaso, our users, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) enforce our Terms of Service.
6.5 In a business transaction
If Vicaso is involved in a merger, acquisition, financing, or sale of all or part of our assets, your information may be transferred as part of that transaction. We will notify you (e.g., by email and prominent notice) before your information is transferred and becomes subject to a different privacy policy.
6.6 With your consent
We may share information for other purposes with your consent.
7. Data Retention
We retain personal information only as long as necessary for the purposes described in this Policy, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Specific retention periods include:
| Data type | Retention period |
|---|---|
| Order and transaction records | 7 years (financial-record retention; Washington and California state and IRS) |
| Account profile data | Until you request deletion + 30 days to cover backup cycles, then deleted (subject to legal holds and order-related retention) |
| Email logs (delivery, bounce, click metadata) | 1 year |
| Activity / audit logs | 1 year |
| Property website data | Until you delete the website + 30 days, then purged |
| Uploaded media (raw and edited) | Retained while the order remains active and during the 7-year financial period; raw originals may be archived to cold storage after 90 days |
| Marketing-material exports | Until you delete them, or up to 2 years after subscription cancellation |
| Webhooks and Stripe payment metadata | At least 7 years |
| Backups | Up to 30 days rolling, longer for snapshots required by law |
| Lead submissions on property websites | Owned by the Client; we retain a copy for at least the duration of the website + 90 days for support and abuse review |
We may retain de-identified or aggregated data indefinitely.
8. Security
Vicaso applies a layered security approach:
- Encryption in transit. All Service traffic uses TLS 1.2+ with HTTPS-only redirects.
- Encryption at rest. Application data is encrypted at rest in Supabase Postgres and Supabase Storage; backups are encrypted.
- Access controls. Postgres Row Level Security (“RLS”) policies enforce that Clients can only see their own orders, Photographers can only see assigned shoots, and Editors can only see assigned/claimable orders. Admin access is restricted and logged.
- Authentication. Passwords are hashed by Supabase Auth; we support Google OAuth; we encourage strong, unique passwords.
- Payments. Card data is handled by Stripe (PCI DSS Level 1 service provider) and never touches Vicaso servers.
- Audit logs. Sensitive admin actions are recorded in
activity_logs. - Vendor diligence. We choose vendors with strong security postures and bind them by data-protection agreements.
No system is perfectly secure. If you believe your account has been compromised, contact security@vicaso.com immediately.
9. Children’s Privacy
The Service is intended for users 18 years of age or older and is not directed to children under 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us information, contact privacy@vicaso.com and we will promptly delete it.
10. International Data Transfers
Vicaso operates from the United States. Our infrastructure providers (Vercel, Supabase, Stripe, Google) operate globally. If you access the Service from outside the United States, your information will be processed and stored in the United States and other countries that may not have the same data-protection laws as your country.
For transfers from the EU/UK/Switzerland to the United States, we and our processors rely on appropriate safeguards, including the EU Standard Contractual Clauses (2021), the UK International Data Transfer Agreement or UK Addendum, and (where applicable) the EU-U.S. Data Privacy Framework.
11. Your Rights
11.1 General rights
- Access — request a copy of the personal information we hold about you.
- Correction — request that we correct inaccurate or incomplete information.
- Deletion — request that we delete your personal information, subject to retention obligations.
- Portability — request a machine-readable copy of information you provided.
- Restriction / objection — request that we limit or stop certain processing, including direct marketing.
- Withdraw consent — where processing is based on consent.
- Lodge a complaint with your local data-protection authority (e.g., your EU member-state DPA, the UK ICO, the California Privacy Protection Agency, the Washington State Attorney General, or California Attorney General).
11.2 California (CCPA / CPRA)
California residents have, in addition:
- The right to know what categories of personal information we collect, the sources, the business purposes, and the categories of third parties to whom we disclose it.
- The right to delete personal information we have collected from you, subject to exceptions.
- The right to correct inaccurate personal information.
- The right to opt out of the sale or sharing of personal information for cross-context behavioral advertising — Vicaso does not sell or share personal information for those purposes, so this right is honored by default.
- The right to limit use of sensitive personal information — we do not collect sensitive personal information beyond payment-related data necessary for the Service.
- The right to be free from discrimination for exercising your rights.
To exercise California rights, email privacy@vicaso.com with “CCPA Request” in the subject line. We will verify your request and respond within 45 days (extendable by another 45 days where necessary, with notice). Authorized agents may submit requests with proof of authorization.
California “Shine the Light” (Cal. Civ. Code § 1798.83). California residents may request information about disclosures of personal information to third parties for direct-marketing purposes. As described, we do not disclose personal information to third parties for their own direct-marketing purposes.
11.3 EU / UK / Swiss residents (GDPR / UK GDPR)
You have the rights of access, rectification, erasure, restriction, objection, portability, and to lodge a complaint with a supervisory authority. Email privacy@vicaso.com. Where you have provided consent, you may withdraw it at any time without affecting the lawfulness of processing already carried out.
11.4 Other U.S. state laws
Residents of states with comprehensive privacy laws (e.g., Washington My Health My Data Act, California CCPA/CPRA, Virginia, Colorado, Connecticut, Utah, Oregon, Montana, Tennessee, and others as they take effect) have rights similar to those above. Email privacy@vicaso.com.
11.5 How to exercise your rights
- Email: privacy@vicaso.com
- Subject line: brief description (e.g., “Access request,” “Deletion request”)
- Provide enough information for us to verify your identity (typically the email associated with your account).
We will respond within the timeframes required by applicable law. We will not charge a fee unless your request is manifestly unfounded or excessive.
12. Marketing Communications and Opt-Out
We may send you marketing emails about new features, promotions, and the referral program. You can opt out at any time by clicking the unsubscribe link in any marketing email or by emailing privacy@vicaso.com. Opting out of marketing does not stop transactional emails (order confirmations, payment receipts, security notifications, password resets, legal notices) — we send those to operate your account.
We may send infrequent SMS notifications in the future (currently planned, not active). Where SMS is enabled, opt-out instructions (“STOP” reply) will be provided in the messages.
13. Do Not Track
Some browsers offer a “Do Not Track” (“DNT”) signal. There is no industry standard for DNT, so the Service currently does not respond to DNT signals. We will revisit this if a consensus standard emerges.
14. Third-Party Services and Links
The Service may contain links to third-party websites and services. This Policy does not apply to those third parties; please review their policies separately. The third parties named throughout this Policy each have their own privacy policies, including:
- Stripe — stripe.com/privacy
- Brevo — brevo.com/legal/privacypolicy
- Supabase — supabase.com/privacy
- Vercel — vercel.com/legal/privacy-policy
- Google (Maps, OAuth, Gemini, Analytics) — policies.google.com/privacy
- Microsoft Clarity — microsoft.com/privacy/privacystatement
15. Changes to This Policy
We may update this Policy. The “Last Updated” date at the top will reflect the latest revision. For material changes that broaden how we use personal information, we will provide at least 30 days’ advance notice by email and/or in-product notice and, where required by law, obtain your consent before applying the change to existing accounts.
16. Contact and Complaints
For privacy questions or to exercise rights:
Vicaso, LLC
Privacy Office
Seattle, Washington, United States
- Email: privacy@vicaso.com
- Security incidents: security@vicaso.com
- General support: support@vicaso.com
EU/UK residents may also contact our designated data-protection point of contact at privacy@vicaso.com and lodge complaints with their local supervisory authority.