Privacy Policy

Last updated: May 18, 2026

Effective Date: May 18, 2026

This Privacy Policy explains how Every Nook, LLC, doing business as Everynook ("Everynook," "we," "us," or "our"), collects, uses, shares, and protects personal information when you use the Everynook website at https://www.everynook.com, our mobile applications, and our services, including NookSign (electronic signature service), Virtual Nooks (AI virtual staging service), Neighborhood Niche / Area Insights (community knowledge service), and any other Everynook-branded features (collectively, the "Service").

This Policy is incorporated into our Terms of Service. Capitalized terms not defined here have the meanings in the Terms.


1. WHO THIS POLICY APPLIES TO

This Policy applies to:

  • Users — real estate professionals, brokerage staff, and other authorized Account holders who use the Service.
  • Visitors — anyone who visits our website or interacts with our marketing.
  • Signers — individuals who sign or are invited to sign documents through NookSign, whether or not they are Users.
  • End Clients of Users — consumers whose personal information our Users upload to or process through the Service.

If you are an End Client and your Agent has uploaded your information to Everynook, please note: Everynook is a service provider to your Agent. The Agent (and the Agent's brokerage) is the controller of your information. Direct privacy requests about your real estate transactions to your Agent first; we will support them in responding.

1.1 Our role: controller vs. processor / service provider

The way privacy laws apply to a piece of personal information depends on who is making the decisions about it. To be explicit:

(a) For personal information about Users themselves (Agents and brokerage staff who hold Everynook accounts) — including account credentials, profile information, billing data, and usage of the Service — Everynook is the "controller" or "business" under applicable privacy laws and is directly responsible for the obligations described in this Policy.

(b) For personal information that Users upload, manage, send, or otherwise process about clients, leads, consumers, signers, tenants, buyers, sellers, or other third parties through the Service — including listing inquiries, NookSign signer data, contract content, communications, and similar information — the User and/or the User's brokerage is the "controller" or "business," and Everynook acts solely as a "processor," "service provider," or similar role on the User's instructions. When acting in this role, Everynook processes such information solely to provide the Service and to carry out the related business operations described in this Policy and the Terms of Service.

(c) Users acting as controllers are responsible for:

  • Providing legally required notices to the individuals whose data they upload
  • Obtaining any required consents
  • Establishing a lawful basis for the processing under applicable law
  • Responding to consumer privacy requests (access, deletion, opt-out) from those individuals
  • Ensuring the accuracy and lawfulness of the data they upload
  • Complying with applicable privacy, real estate, and consumer protection laws

(d) For enterprise users: A Data Processing Addendum ("DPA") is available on request to enterprise customers. Contact privacy@everynook.com.

2. PERSONAL INFORMATION WE COLLECT

We collect the categories of personal information described below. Some of these are collected from you directly, some automatically, and some from third parties (see Section 3).

2.1 Identifiers

First name, last name, preferred name, email address, mailing address, telephone number, mobile number, account username, IP address, device identifiers, and similar identifiers.

2.2 Professional information

Real estate license number, license state, license expiration, brokerage affiliation, MLS membership, NAR or local association membership, professional designations, business address, business email, business phone, agent photo, agent bio, and team affiliations.

2.3 Account and authentication data

Username, hashed password, multi-factor authentication settings and history, login timestamps, IP address at login, and account preferences.

2.4 Payment information

Payment card details are collected and processed directly by our payment processor, Stripe, Inc., and are not stored on our systems in full form. Stripe's privacy practices are described at https://stripe.com/privacy. We retain limited payment metadata such as the last four digits of your card, card brand, billing ZIP code, transaction IDs, subscription plan, billing history, and invoices.

2.5 Listing and property data

Property addresses, listing descriptions and edits, photos, floor plans, listing prices, listing status, MLS numbers (where you provide them), and other property data you upload or generate.

2.6 Contract and signature data (NookSign)

Documents, contract template selections, field entries (including names, addresses, prices, financial terms, and other contract data), signing events, audit-trail metadata (timestamps, IP addresses, browser/device fingerprints, geolocation if enabled), email addresses of signers, and signing-flow communications. See Section 9 for details.

2.7 Image processing inputs and outputs (Virtual Nooks)

Photos you submit for AI virtual staging, AI-generated derivative images, processing metadata, and the prompts or styles you select. See Section 10 for details.

2.8 User Content and community contributions

Listing descriptions, neighborhood posts, reviews, ratings, messages between Users on the Service, support tickets, feedback, survey responses, and other content you submit. See Section 11 for Neighborhood Niche / Area Insights specifically.

2.8a Offer, transaction, and platform-activity data

Offers submitted through the Service (including offer terms, prices, contingencies, dates, and counter-offer activity); listing activity (price history, status changes, days on market); negotiation patterns; deal stage transitions; and agent-contributed transaction data. This data is used to power the Service's market intelligence features (see Section 4.5). It is processed in both identified form (to operate transaction features for you) and in de-identified, aggregated form (to generate market insights served back to Users).

2.9 Usage and device data

Pages and features accessed, clicks, search queries, AI feature usage, error logs, session duration, referrer URLs, browser type and version, operating system, screen size, language preference, time zone, device type, mobile carrier, and approximate location derived from IP address.

2.10 Precise geolocation (mobile app, with permission)

If you grant permission, the mobile app may collect precise geolocation from your device to provide location-based features. You can disable this in your device settings at any time.

2.11 Communications metadata and content

Email and SMS opt-in status, communications history (sent, opened, replied, opted out), push-notification opt-in status, and the content of messages you send to us (support, sales, feedback).

2.12 Information about other people you provide

When you upload contact information for clients, leads, or signers, we collect the personal information you upload. You are responsible for confirming that you have the right and any required consents to share that information with us.

2.13 Inferences and aggregate insights

We may derive inferences from the information above for legitimate business purposes (e.g., feature recommendations, plan suitability, fraud signals). We also generate de-identified aggregate insights from offer, transaction, and platform-activity data to power market intelligence features. See Section 4.5 for a comprehensive description of this practice. We do not use individually identifying inferences to build profiles for sale to third parties.

2.14 Categories we do not intentionally collect

Unless you upload it as User Content, we do not seek to collect: Social Security numbers, full financial account numbers, government-issued ID images (other than your real estate license number), health information, biometric identifiers, contents of privileged communications, or other special categories. You should not upload such information to the Service. Doing so violates our Terms.

If you upload sensitive information in violation of this Policy or the Terms — including but not limited to wiring instructions, settlement statements, loan applications, driver's licenses, medical or accommodation documents, divorce filings, estate documents, or other materials containing categories listed above — you acknowledge that Everynook may process, store, transmit, and delete such information as necessary to operate the Service. Everynook is not responsible for unintended access, exposure, or processing consequences resulting from your prohibited upload. You remain responsible for any obligations you have to the individuals whose sensitive information you uploaded.

3. HOW WE COLLECT INFORMATION

3.1 Directly from you

When you register, complete a profile, upload content, send a message, make a payment, or use any Service feature.

3.2 Automatically

When you access the Service, through cookies, log files, analytics tools, and similar technologies (see Section 12).

3.3 From third parties

  • From signers when they sign or interact with documents you send through NookSign.
  • From integrated services when you connect your Account (e.g., social login, MLS or CRM integrations, payment processors).
  • From AI providers in the form of outputs derived from your inputs (see Section 8).
  • From service providers acting on our behalf (fraud-prevention, analytics, etc.).
  • From public sources such as public real estate license registries, when verifying your professional status.

3.4 From you about others

When you upload information about clients, leads, signers, or other third parties, we collect that information as you provide it.

4. HOW WE USE PERSONAL INFORMATION

We process personal information only as reasonably necessary and proportionate to provide and improve the Service, maintain security, comply with law, and carry out the specific purposes described in this Policy. Consistent with modern state privacy laws (including the Maryland Online Data Privacy Act, CCPA/CPRA, and similar regimes), we limit our collection and use of personal information to what is reasonably required for these purposes.

We use personal information to:

  • (a) Provide the Service — create and manage your Account, deliver features, process documents through NookSign, generate virtual staging through Virtual Nooks, host Neighborhood Niche content, and respond to your requests.
  • (b) Process payments — bill you, send invoices, prevent payment fraud, and manage refunds.
  • (c) Communicate with you — send transactional messages, security alerts, product updates, support replies, and (with your consent) marketing.
  • (d) Improve the Service — analyze how Users use features, identify bugs, develop new features, and benchmark performance.
  • (e) Train and operate AI features — process inputs through AI models to produce outputs you request. We do not use User Content to train general-purpose third-party AI models; see Section 8.
  • (f) Protect the Service — detect and prevent fraud, abuse, security incidents, and violations of our Terms.
  • (g) Comply with law — respond to legal process, enforce our rights, comply with tax and accounting obligations, and meet real estate-related record-keeping obligations of our Users.
  • (h) Conduct business operations — internal audits, financial reporting, mergers and acquisitions, and similar corporate purposes.
  • (i) Generate aggregated market insights — combine, de-identify, and analyze offer, transaction, and platform-activity data across Users to produce market intelligence, trend analysis, comparative pricing context, and similar insights served back to Users. See Section 4.5 below for a detailed description.

We do not use personal information for purposes incompatible with these without your consent or as otherwise permitted by law.

4.5 Special notice: aggregated market insights

A key feature of the Service is to take data submitted by Users (offers, transactions, listing activity, negotiation patterns, and agent-contributed transaction data), de-identify and aggregate it across many Users, and serve the resulting market intelligence back to Users as analyzed insights, trend data, and benchmarks. This subsection explains how that practice works and how we manage privacy and antitrust considerations.

What data feeds the aggregate. Offer terms (price, contingencies, dates, counter-offer activity), listing data (price history, status changes, time on market), negotiation patterns, deal stage transitions, and other agent-contributed transaction data submitted to the Service. Listing photos, narrative client communications, and contract content are not used for market-insights generation.

De-identification methodology. Before data is used for aggregate insights:

  • Direct identifiers (names, email addresses, phone numbers, agent identifiers, brokerage identifiers, client identifiers) are removed.
  • Property-level identifiers are generalized to areas (e.g., a ZIP code, a neighborhood polygon, or a radius around a subject property) rather than specific addresses, except where the address is itself the relevant data point and is already public record.
  • Aggregate insights are generated only when a minimum threshold of distinct transactions is present in the relevant cohort (5+ is our floor; higher thresholds may apply in cohorts with elevated re-identification or demographic-inference risk).
  • The Service uses hierarchical geographic fallback to maximize useful coverage while preserving the cohort threshold. If your query targets a specific neighborhood, ZIP, or radius that does not have enough activity to meet the threshold, the Service automatically broadens the geographic scope (e.g., neighborhood → ZIP → city → county → state) until a cohort meets the threshold. The actual scope of any insight is clearly labeled in the result (e.g., "based on 47 offers across Maryland in the last 30 days"), so Users always know what geography the data reflects. As platform activity grows in a given area, queries automatically refine to tighter geographies without changes to the User's workflow.
  • Insights are generated at the segment level — never as individual transactions, individual-property identifiers, or individual-agent activity. Users cannot see "Property X received offers of Y, Z, W"; they see statistics like "homes in this ZIP received an average of 3.2 offers in the last 14 days."
  • Commission-specific data is excluded from aggregate insights at the data-pipeline level, so it is structurally impossible for commission information to appear in an aggregate output.
  • Agent-level performance data (e.g., "Agent X's offers tend to come in at Y% over ask") is not surfaced in aggregate insights served to other Users.
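The cohort threshold and geographic fallback described in the list above, shown as an added Python example; it is not Everynook's code. The field names, the sample records (constructed), and the `elevated` parameter are assumptions made for illustration.

```python
"""Cohort-threshold aggregation with hierarchical geographic fallback (illustrative)."""
from statistics import median

K_FLOOR = 5  # minimum distinct transactions per cohort (the floor stated in the policy)
LEVELS = ("neighborhood", "zip", "city", "county", "state")  # narrowest to broadest

# Assumed field names: direct identifiers and commission data are dropped at
# ingestion, so no later stage of the pipeline can emit them.
STRIPPED = {"agent_id", "brokerage_id", "client_email", "address", "commission_pct"}


def ingest(raw):
    """Return a copy of a raw offer record without identifier or commission fields."""
    return {k: v for k, v in raw.items() if k not in STRIPPED}


def offer_insight(records, query, elevated=None):
    """Return segment-level statistics for the narrowest area meeting the threshold.

    query maps level -> value for the requested area. elevated maps (level, value)
    to a higher threshold for cohorts judged to carry extra inference risk.
    Returns None (refusal) when even the broadest level has too few transactions.
    """
    elevated = elevated or {}
    for level in LEVELS:
        if level not in query:
            continue
        cohort = [r for r in records if r.get(level) == query[level]]
        # Count distinct transactions, not offers: one property with many offers
        # must not satisfy the threshold by itself.
        txns = {r["transaction_id"] for r in cohort}
        k = max(K_FLOOR, elevated.get((level, query[level]), K_FLOOR))
        if len(txns) < k:
            continue  # broaden to the next level
        return {
            "scope_level": level,
            "scope": query[level],
            "transactions": len(txns),
            "offers": len(cohort),
            "avg_offers_per_transaction": round(len(cohort) / len(txns), 1),
            "median_offer": median(r["offer_price"] for r in cohort),
            "label": f"based on {len(cohort)} offers across {level} {query[level]}",
        }
    return None


def _offers(txn, prices, neighborhood, zip_code, city, county, state):
    """Build constructed offer records (prices in $1,000s) and pass them through ingest."""
    raw = {
        "transaction_id": txn, "neighborhood": neighborhood, "zip": zip_code,
        "city": city, "county": county, "state": state,
        "agent_id": "A-1", "address": "constructed", "commission_pct": 2.5,
    }
    return [ingest({**raw, "offer_price": p}) for p in prices]


# Constructed sample: Fells Point has 6 offers but only 3 distinct transactions.
SAMPLE = (
    _offers("T1", [410, 415, 420], "Fells Point", "21231", "Baltimore", "Baltimore City", "MD")
    + _offers("T2", [390, 395], "Fells Point", "21231", "Baltimore", "Baltimore City", "MD")
    + _offers("T3", [450], "Fells Point", "21231", "Baltimore", "Baltimore City", "MD")
    + _offers("T4", [380], "Upper Fells", "21231", "Baltimore", "Baltimore City", "MD")
    + _offers("T5", [400], "Upper Fells", "21231", "Baltimore", "Baltimore City", "MD")
    + _offers("T6", [350], "Canton", "21224", "Baltimore", "Baltimore City", "MD")
    + _offers("T7", [360], "Canton", "21224", "Baltimore", "Baltimore City", "MD")
    + _offers("T8", [300], "Oakland", "21550", "Oakland", "Garrett", "MD")
    + _offers("T9", [280], "Dover", "19901", "Dover", "Kent", "DE")
)

FELLS_POINT = {"neighborhood": "Fells Point", "zip": "21231", "city": "Baltimore",
               "county": "Baltimore City", "state": "MD"}
DOVER = {"neighborhood": "Dover", "zip": "19901", "city": "Dover",
         "county": "Kent", "state": "DE"}

if __name__ == "__main__":
    print(offer_insight(SAMPLE, FELLS_POINT))                        # broadens to ZIP
    print(offer_insight(SAMPLE, FELLS_POINT, {("zip", "21231"): 6}))  # broadens to city
    print(offer_insight(SAMPLE, DOVER))                              # refused
```

Counting offers instead of distinct transactions would let the Fells Point cohort (6 offers, 3 transactions) through at the neighborhood level, which is the failure the distinct-transaction threshold is meant to prevent.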

Timing. Aggregate insights operate on near-real-time data, because their purpose is to inform live transactions and agents need current market context. Users may request data over any time window they choose (e.g., last 7 days, last 30 days, last 90 days), subject to the cohort-size threshold above; the Service does not impose a hidden time delay before recent data becomes available in aggregate.

Once de-identified. Once data has been de-identified through this process, it is not considered "personal information" under CCPA/CPRA or similar laws, and is not subject to the rights described in Sections 21–25 (which apply only to identifiable personal information). De-identified aggregate data may be retained, analyzed, used to improve the Service, used to develop new features, and (in fully aggregated form) shared as insights to Users.

Antitrust safeguards. Because aggregate insights involve data submitted by multiple competing brokerages and agents, we apply the following safeguards:

  • 5+ distinct transactions minimum for any insight data point.
  • No visibility into individual transactions, individual properties, or individual-agent activity.
  • No commission-specific data in aggregate outputs (structurally excluded at the pipeline level).
  • No surfacing of individual-agent performance data to competing Users.
  • Insights are descriptive of how the market has behaved — not prescriptive about future pricing, future commissions, or competitor conduct.
  • We do not use the Service to facilitate price coordination, commission coordination, or any horizontal agreement among Users.

Fair housing safeguards. Aggregate market data can inadvertently reveal or reinforce demographic patterns. We do not generate or surface insights that effectively encode protected-class information (race, color, religion, national origin, sex, familial status, disability, source of income, or other protected characteristics under federal, state, or local fair housing law). Where a cohort is small enough that demographic inference becomes plausible — particularly in small neighborhoods with strong demographic concentration — the cohort-size threshold is raised or the query is refused in favor of a broader area. We do not generate insights that could facilitate steering.

Your role. Because aggregate insights use de-identified data, individual privacy rights (access, deletion, correction, etc.) generally do not extend to the aggregate data product. However, if you delete your Account, the data you submitted prior to deletion that has already been incorporated into aggregate insights may remain in the aggregate (in its de-identified form). New data after deletion will not be added. If you have specific questions about how this affects you, contact privacy@everynook.com.

Source distinction. Aggregate insights are derived from User-submitted data on Everynook. They are not redistribution of MLS feed data, which is governed by your separate MLS agreement and not licensed for derivative commercial use by Everynook.

5. LEGAL BASES (FOR USERS IN THE EU / UK)

If GDPR or UK GDPR applies to you, we rely on the following legal bases:

  • Contract (Art. 6(1)(b)) — to provide the Service you have subscribed to.
  • Legitimate interests (Art. 6(1)(f)) — to improve the Service, prevent fraud, secure our systems, and conduct business operations, balanced against your rights.
  • Consent (Art. 6(1)(a)) — for marketing communications, optional cookies, precise geolocation, and other elective processing.
  • Legal obligation (Art. 6(1)(c)) — to comply with applicable law.
  • Vital interests (Art. 6(1)(d)) — in rare emergencies.

You may withdraw consent at any time without affecting prior lawful processing.

6. HOW WE SHARE PERSONAL INFORMATION

We share personal information only as described in this Policy:

6.1 With service providers and subprocessors

Hosting, AI processing, email delivery, SMS delivery, push notifications, payment processing, analytics, customer support, and similar functions (see Section 7).

6.2 With signers and recipients you designate

When you send a Document via NookSign or share content via integrations, we transmit information to the recipients you specify.

6.3 With other Users (limited)

Your name, profile photo, brokerage, license info, and any community contributions may be visible to other Users in the parts of the Service designed for that purpose (e.g., Neighborhood Niche, public profile features). You control your public profile visibility in account settings.

6.4 With your authorization

With any third party when you direct us to share (e.g., a CRM integration you authorize).

6.5 For legal, safety, and compliance reasons

To respond to subpoenas, court orders, and lawful government requests; to enforce our Terms; to prevent or address fraud, abuse, security incidents, or threats to safety; and to comply with applicable laws and real estate regulations. We push back on overbroad requests and apply applicable legal standards.

6.6 In a corporate transaction

Personal information may be disclosed or transferred in connection with due diligence, financing, investment, merger, acquisition, reorganization, sale of all or part of our assets, change of control, dissolution, receivership, or bankruptcy, subject to reasonable confidentiality protections and applicable notice obligations. In any such transaction, the recipient will be required to honor this Policy or to provide affected individuals with notice and an opportunity to opt out of materially different uses.

6.7 De-identified or aggregated information

We may use, retain, and share data that has been de-identified or aggregated such that it does not reasonably identify any individual. This includes the aggregated market insights described in Section 4.5. Consistent with CCPA/CPRA requirements for "deidentified" information, we (a) take reasonable measures to ensure that such information cannot be reasonably linked, directly or indirectly, to a particular individual or household; (b) maintain business processes that specifically prohibit re-identification; (c) maintain business processes to prevent inadvertent release of de-identified information in identifiable form; and (d) make a public commitment, through this Policy, to maintain and use such information only in de-identified form, and to not attempt to re-identify it.

Once de-identified, such information is not subject to the privacy rights set forth in Sections 21–25, which apply only to identifiable personal information.

6.8 What we do not do

  • We do not sell personal information for money.
  • We do not rent or trade personal information for the marketing benefit of third parties.
  • We do not knowingly authorize third-party AI providers to use your User Content to train their general-purpose models.

Note on CCPA/CPRA definitions: California broadly defines "sale" and "sharing" to include some non-monetary disclosures for cross-context behavioral advertising. The Service may in the future include targeted advertising features that meet these definitions; see Section 14 for our advertising practices and your opt-out rights.

7. SUBPROCESSORS AND SERVICE PROVIDERS

We engage the following categories of subprocessors. A current, more detailed list is maintained at https://www.everynook.com/subprocessors (or available on request to privacy@everynook.com):

Function | Provider | Data Processed
Cloud infrastructure (hosting, database, inbound email parsing, logging) | Amazon Web Services, Inc. (AWS) | All categories
Payment processing | Stripe, Inc. | Payment data, billing data
Outbound email delivery | Mandrill (Mailchimp Transactional Email; operated by Intuit Inc.) | Email addresses, message content
SMS delivery | Twilio Inc. | Phone numbers, message content, delivery metadata
AI text and image processing | Anthropic, PBC; Google LLC | Inputs and outputs of AI features (text, images, prompts)
Maps, push notifications (Android), analytics | Google LLC (Maps Platform, Firebase Cloud Messaging, Google Analytics 4) | Location data, device identifiers, usage data
App distribution, push notifications (iOS) | Apple Inc. (App Store, Apple Push Notification service) | Device identifiers, app metadata
Error monitoring | Sentry (Functional Software, Inc.) | Error logs, device data, request metadata

We require subprocessors to (a) process data only on our documented instructions, (b) maintain confidentiality, (c) implement appropriate security, and (d) assist us in meeting our legal obligations. We use commercially available offerings that disable model training by AI providers where available.

We do not bind specific AI providers to specific features in this Policy; vendors named above are used across our AI features in various roles, and we may add, change, or substitute providers from time to time. The subprocessor list at the URL above is the source of truth.

8. AI PROCESSING AND AI PROVIDERS

8.1 What we process with AI

The Service includes AI-powered features such as listing description drafting, document summarization, contract draft suggestions, image enhancement, search, and Neighborhood Niche content suggestions. When you use these features, your inputs (including text, photos, and documents) and the resulting outputs are processed by AI models.

8.2 Who processes it

AI processing may be performed by Everynook directly or by third-party AI providers acting as our subprocessors. Current AI providers are listed in Section 7. We may add or change AI providers and will update the subprocessor list accordingly.

8.3 AI training and your data

  • We do not knowingly authorize third-party AI providers to use your User Content to train their general-purpose models.
  • We use commercial, enterprise, or "no-training" offerings from AI providers where they are commercially available.
  • We may use de-identified, aggregated data about how AI features are used to improve our own Service (e.g., which feature flows succeed, which AI prompts produce errors). This does not include training models on your User Content.
  • We use AI models to analyze de-identified, aggregated offer and transaction data to power the market insights feature described in Section 4.5. AI is one of several techniques used to generate aggregate insights; it operates on data that has already been de-identified and aggregated.

8.4 No AI legal/professional advice

AI outputs are not, and may not be relied on as, legal, financial, tax, real estate, appraisal, inspection, or other professional advice. See ToS Section 11.

Avoid uploading sensitive content to AI Features. You should not submit confidential, privileged, regulated, or highly sensitive information to AI Features unless it is necessary for the requested task and you are authorized to do so under applicable law and your client agreements. This is especially important for: wiring instructions, settlement statements, loan documents, divorce or estate documents, accommodation requests, medical information, or content subject to attorney-client privilege.

8.5 AI output may be inaccurate

AI outputs can be incorrect, biased, or fabricated. You are responsible for verifying any AI output before relying on it. See ToS Section 11.

8.6 Right to opt out of certain AI processing

You may be able to disable AI features in your account settings. Some AI functions (e.g., spam/fraud detection, content moderation) are essential to operating the Service and cannot be disabled without ending Service use.

8.7 No human review by Everynook of AI output

AI-generated outputs delivered to you are not independently reviewed, vetted, or approved by Everynook personnel prior to delivery, unless we expressly state otherwise for a specific feature. The Service does not provide editorial supervision, professional review, or compliance review of AI output. You are the human in the loop.

8.8 Third-party AI provider security and availability

Information transmitted to third-party AI providers is subject to the security, availability, and incident-response practices of those providers. While we select reputable providers and prefer offerings with strong security commitments, we cannot guarantee against incidents affecting third-party AI providers. AI-provider outages, breaches, or service interruptions may affect AI Features and the data processed through them. See Sections 19–20 for our general security and breach-notification commitments.

8.9 Automated analysis of Service content

For security, fraud prevention, content moderation, abuse detection, and Service-improvement purposes — and to operate AI Features themselves — we may automatically analyze content, messages, documents, images, metadata, and usage activity submitted to or generated by the Service using automated tools (including AI models, classifiers, and rule-based systems). Examples include:

  • Scanning uploaded images for malicious content
  • Analyzing NookSign documents for completion status and required field detection
  • Reviewing community contributions for compliance with our Acceptable Use Policy (especially fair housing rules)
  • Detecting unusual access patterns indicative of account compromise
  • Processing AI prompts and outputs through safety classifiers

This automated analysis is part of operating and protecting the Service and does not result in human review unless an automated system flags content for review. By using the Service, you consent to such automated analysis to the extent your jurisdiction requires consent.

9. NOOKSIGN-SPECIFIC DATA PRACTICES

9.1 What we process

Documents, fields, signing events, audit trails, signer identifiers (email, IP, timestamps, optional geolocation), and authentication data.

9.2 Why

To provide the e-signature service, generate audit trails, satisfy E-SIGN/UETA requirements, and enable post-execution Document access.

9.3 With whom

  • The senders and signers you designate.
  • Our subprocessors (hosting, email).
  • Law enforcement or courts, if required by valid legal process and consistent with our policies.

9.4 How long — tier-based retention

Document retention depends on your subscription tier:

  • Premium subscriptions: Documents and audit trails are retained for the duration of your active Premium subscription, plus a 30-day grace period after expiration, downgrade, or Account termination, during which you may export them.
  • Non-Premium subscriptions (free trial, basic, or any plan not designated Premium): Documents and audit trails are retained for thirty (30) days after the Document is completed (fully signed) or last modified, whichever is later, after which they may be permanently deleted from the Service. We will use commercially reasonable efforts to email a deletion warning to the Account holder at least 7 days before deletion.
  • At signing, all signers receive an emailed copy of the completed Document. We recommend that signers retain that copy regardless of Everynook's retention.

You — not Everynook — are the record custodian for your real estate transactions. State real estate licensing laws, MLS rules, and brokerage policies typically require licensees to retain executed contracts and related records for several years (often 3 to 7 years, sometimes longer). Compliance with those obligations is your responsibility. Everynook is a software tool and does not perform regulatory record-keeping on your behalf, regardless of subscription tier. You should download and independently archive every executed Document.

We may retain limited audit-trail metadata (e.g., signing events, hashes, IP/timestamp logs) for longer than the periods above where reasonably necessary to defend disputes, respond to legal process, or comply with law.

9.5 Security

NookSign Documents are encrypted in transit (TLS) and at rest. Access is restricted to authenticated Users and authorized Everynook personnel under confidentiality obligations.

9.6 Signer privacy

If you are a signer (not a User), we process your information to deliver the Document, capture your signature, and produce the audit trail. The sender (the User, typically an Agent or brokerage) is the controller; we act as their service provider. To exercise privacy rights regarding a Document, contact the sender first; we will support them.

10. VIRTUAL NOOKS-SPECIFIC DATA PRACTICES

10.1 What we process

Source photographs you upload, AI-generated derivative images, and processing metadata.

10.2 Where it goes

Source photos are transmitted to one or more third-party AI image-processing subprocessors identified in our subprocessor list at https://www.everynook.com/subprocessors. We use commercial offerings under which the provider is contractually required to use submitted images only to deliver the service and not for general model training. We may add or change providers and will update the subprocessor list.

10.3 Retention

Source and derivative images are retained in your Account until you delete them or terminate your Account. After deletion, copies may persist in backups for a reasonable period before secure deletion.

10.4 Faces and individuals

If a source photo contains identifiable individuals, you confirm you have the necessary rights and consents to upload and process the photo. We do not perform facial recognition.

11. NEIGHBORHOOD NICHE / AREA INSIGHTS

11.1 Public by design

Content you contribute to Neighborhood Niche / Area Insights is intended to be visible to other Users and may be visible to non-Users where features are public-facing. Do not include private information you do not want shared.

11.2 Moderation

We use automated and human moderation tools to screen contributions for compliance with our Terms, including fair housing rules. Moderation involves processing your content and metadata.

11.3 Reporting

You may report problematic content to abuse@everynook.com.

11.4 Deletion

You may delete your contributions; we will remove them from public display promptly. Copies may persist in backups and may be retained in logs for compliance and dispute purposes for a reasonable period.

12. COOKIES, PIXELS, AND SIMILAR TECHNOLOGIES

12.1 What we use

We and our service providers use cookies, local storage, web beacons, pixels, and similar technologies to operate the Service, remember your preferences, secure your session, analyze usage, and (where applicable) measure marketing performance.

12.2 Categories

  • Strictly necessary — required for the Service to function (e.g., session, authentication, security).
  • Functional — remember preferences (e.g., language, plan).
  • Analytics — measure aggregate usage.
  • Marketing / Advertising — measure campaign performance and (when active) support targeted advertising. Not currently in use; see Section 14.

12.3 Your choices

Most browsers let you control cookies through settings. You can also manage cookie preferences through our cookie banner. Disabling strictly necessary cookies may break Service features. For more details, see our Cookie Policy at https://www.everynook.com/cookie_policy.

13. ANALYTICS

We use Google Analytics 4 (GA4) to understand how Users interact with the Service. GA4 is configured with IP anonymization enabled. Analytics data is primarily aggregated and de-identified; where it constitutes personal information, we apply the principles of this Policy. You may opt out of GA4 specifically through:

  • Browser settings or extensions (e.g., the Global Privacy Control signal — see Section 29);
  • Provider-specific opt-outs (e.g., Google Analytics opt-out browser add-on).

14. ADVERTISING

14.1 Advertising on the Service

The Service may display advertisements, including advertisements served by Everynook directly and advertisements served by third-party advertising partners and ad networks. We may use the personal information described in this Policy to:

  • Show you advertisements within the Service;
  • Measure the effectiveness of advertisements;
  • Tailor advertisements to your profession, inferred interests, location, or use of the Service ("targeted advertising").

14.2 What "targeted advertising" means

"Targeted advertising" generally means advertising selected based on your activity over time across different websites or services. Under several state privacy laws (including California's CCPA/CPRA, Maryland's MODPA, Colorado's CPA, Connecticut's CTDPA, Virginia's VCDPA, and others), and under GDPR and UK GDPR, you have the right to opt out of targeted advertising and similar processing.

14.3 How to opt out

You can opt out of targeted advertising by:

  • Clicking the "Do Not Sell or Share My Personal Information" link in our website footer or in your Account privacy settings;
  • Submitting a request to privacy@everynook.com;
  • Enabling the Global Privacy Control (GPC) signal in your browser — we honor GPC as a valid opt-out for residents of states that recognize it (see Section 29);
  • Following the opt-out instructions of any specific ad network we use, which we will maintain in our Cookie Policy and subprocessor list.

We do not discriminate against you for opting out.

14.4 California "sale" and "sharing"

Under CCPA/CPRA, certain disclosures of personal information to third parties for cross-context behavioral advertising are deemed a "sale" or "sharing," even when no money changes hands. To the extent any of our advertising practices meet that definition, we treat them as "sales" or "sharing" subject to your right to opt out as described in Section 14.3.

14.5 Current status

As of the Last Updated date of this Policy, targeted advertising is not active in the Service. When we begin serving targeted advertising:

  • The opt-out infrastructure described in Section 14.3 will be live;
  • We will provide notice in the Service before targeted advertising begins for you specifically;
  • This Policy may be updated to reflect the specific ad networks and data flows then in use.

Until that time, the disclosures in this Section 14 describe our framework so that you understand your rights in advance.

15. COMMUNICATIONS, SMS, AND PUSH NOTIFICATIONS

15.1 Transactional email

Required for the Service (security alerts, billing, Document delivery). Cannot be opted out of while your Account is active.

15.2 Marketing email

Sent only with consent. Unsubscribe via the link in any marketing email or by contacting privacy@everynook.com. Consistent with CAN-SPAM, we will honor opt-out within 10 business days.

15.3 SMS

  • Sent only with your express written consent obtained at opt-in.
  • Frequency: up to 10 messages per month, frequency may vary.
  • Message and data rates may apply.
  • Reply STOP to unsubscribe. Reply HELP for help.
  • Consent is not a condition of purchase.
  • We comply with the FCC One-to-One Consent rule: SMS consent obtained by Everynook is used only for Everynook messages, not shared or sold.

15.4 Push notifications

Delivered via the native push services of Apple (Apple Push Notification service / APNs on iOS) and Google (Firebase Cloud Messaging / FCM on Android). You may disable in device settings.

15.5 Service messages to End Clients

If you (as an Agent) use the Service to send communications to your clients or leads, you are responsible for obtaining any required consents (including TCPA consent for SMS to consumers). Everynook is acting on your instructions as your service provider for those communications.

16. MOBILE APP PERMISSIONS

The Everynook mobile app may request the following device permissions. Each is optional, and you can disable any of them in your device settings — though some features may not function without the relevant permission.

  • Camera — to capture listing photos or scan documents.
  • Photo library — to upload existing photos.
  • Precise location (foreground only) — for location-based search, listing context, and area features while you are actively using the app. We do not collect location in the background when the app is closed.
  • Notifications — for push notifications you opt in to.
  • Contacts — to enable sharing listings, NookSign signing invitations, and other Service features with people in your address book. Contact data is used only to send the communications you direct and is not stored on Everynook servers as a contact list beyond what is needed to send the requested message.
  • Calendar — to add showings, signing deadlines, and other transaction events to your device calendar when you choose.
  • Microphone — to record voice notes for listings, transactions, or in-app communications when you initiate a recording. We do not access the microphone unless you affirmatively start a recording.

The Everynook app does not request: background location, SMS access, or biometric data beyond what your device uses locally for authentication (FaceID / TouchID / fingerprint unlock, which never leave your device).

17. INTERNATIONAL DATA TRANSFERS AND DATA RESIDENCY

17.1 Where data is hosted and processed

The Service is operated from and primarily hosted in the United States, on Amazon Web Services (AWS) infrastructure. If you access the Service from outside the United States, your information will be transferred to the U.S. for processing.

17.2 Access by personnel and subprocessors

Personal information may be accessed and processed by authorized Everynook personnel and by our subprocessors (listed in Section 7) in the United States and other jurisdictions where those subprocessors operate. For example, AI providers, payment processors, and email/SMS delivery providers may process data in jurisdictions where they maintain operations. We require subprocessors to maintain appropriate safeguards regardless of jurisdiction.

17.3 Transfers from outside the United States

For transfers of personal information from the EEA, UK, or Switzerland to the United States, we rely on appropriate safeguards, including (as applicable) the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement / Addendum. A copy of the relevant safeguards is available on request to privacy@everynook.com.

17.4 Enterprise Data Processing Addendum

Enterprise customers (including brokerages and large team accounts) may request a Data Processing Addendum ("DPA") covering controller/processor obligations, subprocessor commitments, and cross-border transfer mechanisms. Contact privacy@everynook.com.

18. DATA RETENTION

We retain personal information only as long as necessary for the purposes described in this Policy or as required by law. The general retention principles are:

Data Category | Retention
Account profile and credentials | Duration of Account + reasonable period after termination
Listing and property data | Duration of Account + reasonable period; longer if needed for legal claims
NookSign Documents and audit trails | Premium: duration of subscription + 30-day grace period after expiration/termination. Non-Premium: 30 days after Document completion, then permanently deleted. Limited audit-trail metadata may be retained longer where reasonably necessary to defend disputes or comply with law. See Section 9.4.
Virtual Nooks images | Until you delete or terminate Account
Billing records | As required by tax and accounting law, typically 7 years
Communications (email, SMS, support) | 2–3 years from last interaction; longer for disputes
Cookies and analytics | Per Cookie Policy (typically up to 24 months)
Backup data | 90 days from primary deletion (longer for some backups)
Audit logs and security records | 12–24 months
De-identified aggregate insights data | Retained indefinitely in de-identified form. Once data has been de-identified per Section 4.5 and Section 6.7, it is no longer "personal information," and account deletion does not require its removal from the aggregate. See Section 4.5 for details.
Legal holds | As long as required

When the retention period ends, we either delete or de-identify the data.

Deleted information may persist in encrypted backups, disaster recovery systems, archival storage, audit logs, or other systems for a limited period before permanent deletion. Such residual copies are excluded from active processing — they are not used to serve the Service, are not searchable in the application, and are not made available to anyone except as required by law, but they may not be immediately removable on an individual-record basis. When backups age out on their normal rotation, the residual copies are permanently destroyed.

If you request deletion under an applicable privacy law (Section 21), we will delete the data from our active systems within the timeframes required by law and confirm completion to you. We will rely on backup rotation for the final removal of residual copies.

19. DATA SECURITY

19.1 Our practices

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

  • TLS encryption in transit.
  • Encryption at rest for sensitive data, including NookSign Documents.
  • Role-based access control with least-privilege principles.
  • Multi-factor authentication for administrative access.
  • Routine security monitoring, logging, and patching.
  • Reputable infrastructure providers (Amazon Web Services / AWS) with industry-standard certifications.
  • Employee/contractor confidentiality and security training where applicable.

19.2 No system is perfectly secure

No security measures are 100% effective. We do not guarantee that personal information cannot be accessed, disclosed, altered, or destroyed by breach of our safeguards.

19.3 Your responsibilities

Use a strong, unique password; enable multi-factor authentication where available; protect your devices; do not share credentials; and notify us immediately at security@everynook.com if you suspect unauthorized access.

20. BREACH NOTIFICATION

If we discover a security incident that affects your personal information and triggers notification obligations under applicable law (including state breach notification statutes, MODPA, CCPA, GDPR, and similar laws), we will notify you and applicable regulators within the timelines required by those laws. Timing and content of notice depend on the nature and jurisdiction of the incident. We are not required to notify of every incident; only those meeting legal triggers.

21. YOUR PRIVACY RIGHTS — ALL USERS

Regardless of where you live, you may:

  • Access your Account information and download your User Content;
  • Correct inaccurate Account information through your settings;
  • Delete your Account by following the cancellation process (subject to legal retention requirements and continued storage of certain data, such as executed NookSign Documents, where required);
  • Opt out of marketing communications;
  • Manage cookies through your browser and our cookie banner; and
  • Contact us with questions at privacy@everynook.com.

22. STATE-SPECIFIC PRIVACY RIGHTS (US)

If you are a resident of a U.S. state with a comprehensive privacy law, you may have additional rights as described below. The rights and the procedures for exercising them are set out in the applicable law; we summarize them here.

22.1 California (CCPA / CPRA)

California residents may:

  • Know what personal information we collect, use, disclose, and sell or share;
  • Access specific pieces of personal information;
  • Delete personal information (subject to exceptions);
  • Correct inaccurate personal information;
  • Opt out of "sale" or "sharing" of personal information (we do not currently sell or share for cross-context behavioral advertising — see Section 14);
  • Limit the use and disclosure of "sensitive personal information" (see Section 27);
  • Be free from discrimination for exercising rights.

We also comply with the "Shine the Light" law (Civil Code § 1798.83): California residents may request a list of personal information categories disclosed to third parties for direct marketing in the prior year. Submit requests to privacy@everynook.com.

Authorized agents: California residents may use an authorized agent to submit requests, with proof of authorization.

Minors (under 18) right to remove public posts: see Section 26.

22.2 Maryland (MODPA — effective October 2025)

Maryland residents may:

  • Confirm whether we process personal data and access it;
  • Correct inaccuracies;
  • Delete personal data;
  • Obtain a portable copy;
  • Opt out of targeted advertising, "sale" of personal data, and certain profiling that produces legal or similarly significant effects;
  • Limit the collection and use of sensitive data to what is reasonably necessary (data minimization is mandatory under MODPA).

MODPA imposes specific protections for consumers reasonably believed to be under 18 and for sensitive data.

22.3 Virginia, Colorado, Connecticut, Utah, Texas, Florida, Oregon, Montana, Delaware, New Jersey, Tennessee, Iowa, Minnesota, Indiana, Kentucky, Rhode Island, New Hampshire, Nebraska, and other comparable laws

Residents of these states generally have rights to:

  • Access personal information;
  • Correct inaccuracies (most states);
  • Delete personal information;
  • Obtain a portable copy;
  • Opt out of targeted advertising, sale, and (in some states) profiling for legal or similarly significant effects.

The specific scope and procedure varies by state. We honor verified requests as required by the applicable law.

22.4 Sensitive data and minors

Most state laws require opt-in consent for processing of sensitive personal information and for processing of data of known minors. We do not knowingly process sensitive data or data of minors without consent (see Sections 26–27).

23. GDPR / UK GDPR RIGHTS

If GDPR or UK GDPR applies to you, you have the following rights regarding personal data:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure / right to be forgotten (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21), including objections to processing based on legitimate interests and to direct marketing
  • Withdraw consent for processing based on consent (Art. 7)
  • Not be subject to solely automated decisions producing legal or similarly significant effects (Art. 22)
  • Lodge a complaint with your data protection authority. EU authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK: https://ico.org.uk.

To exercise these rights, contact privacy@everynook.com.

EU/UK representative: We do not currently target the EU/UK and have not designated an Art. 27 representative. If you are an EU or UK resident and believe we are processing your personal data in a manner that requires a representative, contact privacy@everynook.com and we will work with you on an appropriate response.

24. SUBMITTING A PRIVACY REQUEST

24.1 How to submit

You may submit a privacy request by:

Please include your name, account email, the state or country in which you reside, the right you wish to exercise, and any details that help us locate your information.

24.2 Verification

We will verify your identity before fulfilling a request. The verification method depends on the request type and the sensitivity of the information.

24.3 Timing

  • General response: within 45 days, with one 45-day extension permitted when reasonably necessary (CCPA/CPRA).
  • GDPR/UK GDPR: within 30 days (one month), extendable by two additional months for complex requests.
  • We will acknowledge receipt of your request within 10 business days.

24.4 No discrimination

We will not deny you Service, charge you different prices, or provide a lower quality of Service because you exercised a privacy right.

24.5 Authorized agents

You may use an authorized agent to submit a request, with written authorization and (where required) proof of identity verification.

25. RIGHT TO APPEAL

If we deny a privacy request, you may appeal by replying to our denial within 30 days or emailing privacy@everynook.com with "Appeal" in the subject. We will inform you of the outcome of the appeal within 60 days, in compliance with applicable state laws (including Virginia, Colorado, Connecticut, Texas, and Montana).

If the appeal is denied, you may contact your state attorney general or applicable regulator. Maryland users may contact the Office of the Maryland Attorney General. California users may contact the California Privacy Protection Agency.

26. CHILDREN'S PRIVACY

26.1 Under 13

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, contact privacy@everynook.com and we will delete it consistent with COPPA.

26.2 Under 16

For users in jurisdictions where the relevant age is 16 (some U.S. states and GDPR), the same principles apply, with consent obtained from a parent or guardian where required.

26.3 Under 18 (Service age requirement)

The Service requires Users to be at least 18 years old. Persons under 18 may not register.

26.4 California minors' right to remove

If you are under 18, reside in California, and have somehow posted public content on the Service, you may request removal under Cal. Bus. & Prof. Code § 22581. Email privacy@everynook.com from the email associated with your Account, with a statement that you reside in California. We will remove the content from public display.

26.5 MODPA and similar

Maryland and other state laws now impose specific protections when we have actual knowledge or reason to know a User is under 18, including restrictions on processing of their data. We comply with these as required.

27. SENSITIVE PERSONAL INFORMATION

Under CCPA/CPRA and similar laws, "sensitive personal information" includes (depending on the law) government-issued IDs, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, union membership, contents of mail/email/messages, genetic data, biometric data, health data, and information about sex life or sexual orientation.

We may process the following sensitive personal information for the limited purposes shown:

Category | Source | Purpose
Real estate license number | You | Verification of professional status
Precise geolocation (mobile, with consent) | Your device | Location-based features
Contents of NookSign Documents (may include financial terms) | You and signers | E-signature service

We do not use sensitive personal information to infer characteristics about you. California residents may request that we limit our use of sensitive personal information to what is necessary to provide the Service.

We do not knowingly process biometric identifiers. If you upload images that include faces, those images are processed by AI providers for the requested feature (e.g., virtual staging) but are not used to build biometric templates.

28. AUTOMATED DECISION-MAKING AND PROFILING

We use automated systems for:

  • Fraud and abuse detection — to prevent unauthorized use of the Service.
  • Content moderation — to flag potentially non-compliant content.
  • Service personalization — to surface relevant features or content.
  • AI-assisted features — to generate or suggest content.

We do not make solely automated decisions that produce legal or similarly significant effects about you (e.g., we do not deny anyone Service based on an automated decision alone — humans are involved in account-closure decisions).

For residents of states or countries with profiling opt-out rights (including Colorado, Connecticut, Virginia, Montana, and the EU/UK), you may request that we restrict profiling for legal or similarly significant effects. Contact privacy@everynook.com.

29. DO NOT TRACK AND GLOBAL PRIVACY CONTROL

29.1 Do Not Track

There is no industry consensus on how to interpret "Do Not Track" browser signals. We do not currently respond to DNT signals.

29.2 Global Privacy Control (GPC)

We honor the Global Privacy Control signal as a valid opt-out of "sale" or "sharing" for residents of states that require it (currently including California and Colorado). When we detect a GPC signal from your browser, we treat it as a request to opt out of any applicable "sale" or "sharing" of personal information.

30. CHANGES TO THIS POLICY

We may update this Policy from time to time. The "Last Updated" date will reflect any change. For material changes, we will provide at least 30 days' advance notice by email to your registered address or by prominent in-Service notice, and in some cases (where required by law) we will seek your renewed consent.

Continued use of the Service after the effective date of changes means you accept the revised Policy.

31. CONTACT US

Privacy questions and requests: privacy@everynook.com

Mailing address:
Every Nook, LLC
Attn: Privacy
6325 Woodside Court, Suite 105
Columbia, MD 21046
United States
(888) 502-6080

Other contacts: