First draft. This policy is provided for transparency during the private beta. It is not a substitute for legal advice. A qualified attorney should review it before you rely on it for compliance.
Privacy Policy
1. Who we are
Sumiba (“we,” “us,” or “our”) provides a software platform for real-estate professionals and their customers, including web and mobile applications and a Chrome browser extension. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our services (the “Services”).
For data-protection inquiries, contact: [email protected] (update this address to your live inbox before production).
2. Program phases and eligibility
We may operate the Services in phases. During the private beta, access for companies is invite-only or otherwise controlled by us. Participating companies may invite individual consumers and users who join as members of their organization. In this phase, companies generally may not invite unrelated third-party companies to create their own Sumiba organization accounts unless we expressly enable that in a later phase.
We may publish updated eligibility rules (for example, a “public beta” or general availability). When we do, we will update this policy or provide notice as described in Section 12.
3. Personal information we collect
Depending on how you use the Services, we may collect:
- Account and profile data — such as name, email address, authentication identifiers, profile photo, and preferences you choose to save.
- Company and professional data — business names, license or registration information you provide, office addresses, branding assets, and employment or membership claims within an organization.
- CRM and transaction context — information your organization enters about parties, listings, properties, tours, notes, and similar operational records needed to provide broker and property-management workflows.
- Listing and property intake — when authorized users import or upload materials (for example, listing pages captured through the Chrome extension, flyers, or URLs), we process the content they submit to operate parsing, deduplication, and related features. Technical metadata (timestamps, source indicators, job status) may also be recorded.
- Verification-related information — images or documents you upload for identity, address, or company checks, and outputs of automated or manual review processes we use to reduce fraud.
- Communications — messages you send us (for example, beta waitlist submissions, support email) and transactional emails we send you.
- Payment data — billing-related information processed by our payment provider (we generally do not store full card numbers on our servers).
- Invite and program data — records needed to operate invite-only access (who invited whom, token lifecycle, cohort or allowlist status).
- Technical and usage data — device or browser type, IP address, diagnostic logs, and in-app signals we use to secure the Services and understand product usage (for example, lightweight activity signals during beta).
4. How we use personal information
We use personal information to:
- Provide, maintain, and improve the Services (including workspaces for consumers, brokers, and property managers).
- Authenticate users, enforce access controls, and protect against abuse, fraud, and security incidents.
- Operate AI-assisted features (for example, document or image analysis, listing assistance, or marketing-asset generation) where enabled, including by sending portions of content to model providers as described in Section 7.
- Communicate about the Services, beta program changes, security notices, and support.
- Comply with law, respond to lawful requests, and enforce our Terms of Use.
Where required by applicable law (for example, Japan’s Act on the Protection of Personal Information), we will identify appropriate legal bases and honor applicable rights. Statutory requirements prevail over this draft.
5. Workspaces and dual-role companies
Many customers use workspaces with different goals (for example, brokerage versus rental-management). A single legal entity may hold multiple licenses and use more than one workspace tied to the same organization. We process personal information to support each workspace’s purpose. Technical and contractual controls are designed to separate customer environments; we do not use one customer’s private operational data to solicit another customer’s end clients.
6. Public and unauthenticated areas
Some features may be available without an account (for example, viewing a tour preview when you hold a valid invite link, or submitting a public beta waitlist form). Those interactions collect only the information needed for that feature.
7. Service providers and sub-processors
We use third-party infrastructure and tools, which may process personal information on our instructions. Categories include:
- Cloud hosting, database, authentication, and file storage (for example, Supabase).
- Payment processing (for example, Stripe).
- Email delivery (for example, Resend).
- AI or machine-learning providers for vision, language, or image generation features (for example, Google Gemini), and optionally self-hosted or third-party model endpoints (for example, Ollama) depending on deployment configuration.
- Background job or workflow systems used for imports and media processing.
We require service providers to protect personal information appropriately. A current list of sub-processors may be published separately or provided on request during enterprise review.
8. International transfers
Our service providers may process data in Japan and other countries. Where cross-border transfer is restricted, we implement safeguards required by applicable law (such as contractual clauses or your consent, as appropriate).
9. Retention
We retain personal information for as long as needed to provide the Services, comply with law, resolve disputes, and enforce agreements. Retention periods may differ by data category (for example, audit logs, verification artifacts, or marketing drafts). You may request deletion subject to legal exceptions.
10. Your rights and choices
Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or object to certain processing, or to withdraw consent where processing is consent-based. To exercise rights, contact [email protected]. We may verify your request before responding.
11. Security
We implement administrative, technical, and organizational measures designed to protect personal information (including access controls and encryption in transit). No method of transmission or storage is completely secure; we cannot guarantee absolute security.
12. Children
The Services are not directed to children under 16 (or the age required locally). We do not knowingly collect personal information from children. If you believe we have, contact us and we will take appropriate steps.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version on this page and update the effective date. If changes are material, we will provide additional notice (for example, by email or in-product banner) where required by law.
14. Contact
Questions about this Privacy Policy: [email protected]