Privacy Policy

Last updated: May 3, 2026

eMARCOTT ("we," "our," or "us") operates a multi-tenant SaaS platform for real estate photography businesses. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at emarcott.com and related services.

By using eMARCOTT, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this privacy policy, please do not access the platform.


1. Information We Collect

1.1 Account Information

When you register for an account, we collect:

  • Name and email address
  • Password (stored securely using bcrypt hashing)
  • Business name, address, and contact information
  • Profile photo (optional)
  • Timezone and language preferences

1.2 Client Data (For Photography Businesses)

If you are a photographer using our platform, you may store:

  • Client names, email addresses, and phone numbers
  • Client business information and addresses
  • Client profile photos
  • Communication history and notes

1.3 Property and Gallery Data

To provide our services, we collect and store:

  • Property addresses and location information
  • Property details (square footage, price, bedrooms, etc.)
  • Photos, videos, floor plans, and 3D tour embeds
  • Documents and contracts related to properties
  • MLS information and gallery status

1.4 Order and Transaction Data

  • Service orders and job details
  • Scheduling and appointment information
  • Invoices and payment records
  • Communication threads and revision requests

1.5 Payment Information

Payment information is processed securely by our payment processors (Stripe, PayPal, Square). We do not store complete credit card numbers on our servers. We may store:

  • Last four digits of payment cards (for display purposes)
  • Billing addresses
  • Transaction history and receipts
  • Payment processor customer IDs

1.6 Usage Data

We automatically collect certain information when you use our platform:

  • IP address and approximate location
  • Browser type and version
  • Device information and operating system
  • Pages visited and features used
  • Date and time of access
  • Referring website or source

1.7 Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Maintain your session and authentication state
  • Remember your preferences and settings
  • Analyze platform usage and performance
  • Provide security features

1.8 SMS / Text Messaging Data

If you opt into our SMS messaging program (described in Section 18 of our Terms of Service), we collect and store the following:

  • Your mobile phone number in canonical (E.164) format
  • Phone-ownership verification timestamp (the moment you successfully completed the Twilio Verify code check)
  • Affirmative SMS consent timestamp and consent source (e.g., explicit checkbox in Settings, double-opt-in YES reply)
  • An audit trail of every SMS sent and received, including the message template name, status (sent / delivered / failed / opted-out), and provider message identifiers, retained as compliance evidence under the U.S. Telephone Consumer Protection Act and CTIA Messaging Best Practices
  • If you reply STOP (or any opt-out keyword), the timestamp and the opted-out phone number, retained as evidence of honored opt-out

Our SMS messaging program sends transactional account notifications to eMARCOTT account holders about their own account only. These include trial-ending reminders, payment-failure alerts, plan-change confirmations, and security alerts (such as a new device sign-in or a password change). We never send marketing, promotional, or third-party content through this program. Message frequency varies with your account activity; a typical user receives from 0 to 4 messages per month. Message and data rates may apply. Reply HELP for help or STOP to unsubscribe at any time.

Phone numbers and SMS-related data are used solely to deliver the transactional messages described in our Terms of Service Section 18 and to comply with applicable laws governing SMS messaging. Phone numbers are shared with Twilio (our SMS delivery provider) for the purpose of message delivery and phone-ownership verification, and are not sold or shared with third parties for their marketing purposes. You may revoke SMS consent at any time by replying STOP to any message we send, or by visiting your account settings.

No mobile information, including phone numbers, SMS opt-in records, and consent timestamps, will be shared with third parties or affiliates for marketing or promotional purposes. All sharing of mobile data with our service providers (currently Twilio) is solely for the purpose of operating the Messaging Program described in our Terms of Service Section 18.


2. Google User Data

eMARCOTT's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2.1 Data We Access from Google

When you connect your Google account, we may request access to:

  • Basic Profile Information: Your name and email address for account identification and login
  • Google Calendar: To sync photography appointments and display your availability
  • Google Drive: To import and export media files to/from your cloud storage

2.2 How We Use Google Data

We use your Google data only for the following purposes:

  • Authenticating your identity when you sign in with Google
  • Syncing calendar events for scheduling photography appointments
  • Displaying your availability to prevent double-booking
  • Importing media files from Google Drive to your galleries
  • Exporting finalized galleries to your Google Drive

2.3 What We Do NOT Do with Google Data

We will never:

  • Sell your Google data to third parties
  • Use your Google data for advertising or marketing purposes
  • Use your Google data to train AI or machine learning models
  • Share your Google data with third parties except as necessary to provide our services
  • Store your Google data longer than necessary for the features you use

2.4 Google Data Sharing

Your Google data may be shared only with:

  • Infrastructure Providers: Vercel (hosting), Supabase (database) - only as necessary to operate the platform
  • You: Data you explicitly choose to share through gallery pages or with your clients

2.5 Google Data Storage and Security

  • Google OAuth tokens are encrypted using AES-256-GCM before storage
  • Access tokens are refreshed automatically and old tokens are invalidated
  • All data is transmitted over TLS 1.3 encrypted connections
  • Data is stored in secure, access-controlled databases with row-level security

2.6 Google Data Retention and Deletion

  • Google authentication data is retained only while your account is active
  • You can disconnect Google integration at any time from Settings > Integrations
  • Upon disconnection, we delete your Google access tokens immediately
  • Upon account deletion, all Google-related data is permanently deleted within 30 days
  • You can also revoke access via your Google Account permissions

3. How We Use Your Information

We use the information we collect to:

  • Provide Services: Operate the platform and deliver requested features
  • Process Transactions: Handle payments, invoices, and refunds
  • Communicate: Send service updates, notifications, and support responses
  • Improve Platform: Analyze usage patterns to enhance features and fix issues
  • Security: Detect and prevent fraud, abuse, and unauthorized access
  • Legal Compliance: Meet legal obligations and respond to lawful requests
  • Customer Support: Assist with inquiries and technical issues

4. Data Sharing and Disclosure

4.1 Service Providers

We share data with third-party service providers who assist in operating our platform:

  • Vercel: Application hosting and deployment
  • Supabase: Database, authentication, and file storage
  • Cloudflare R2: Media file storage and delivery
  • Stripe: Payment processing
  • PayPal: Payment processing
  • Square: Payment processing
  • Resend: Transactional email delivery
  • Twilio: Transactional SMS delivery and phone-number verification
  • Google Cloud Vision: Image analysis for copyright protection (CopyPro feature)
  • AI Editing Providers: Autoenhance.ai, Clipdrop (for optional AI photo editing)

We do not sell or share your phone number with third parties for their marketing purposes. Phone numbers shared with Twilio for SMS delivery and verification are governed by Twilio's own privacy and data-use practices.

4.2 Business Transfers

If eMARCOTT is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

4.3 Legal Requirements

We may disclose information if required to:

  • Comply with applicable laws, regulations, or legal processes
  • Respond to lawful requests from government authorities
  • Protect the rights, property, or safety of eMARCOTT, our users, or others
  • Enforce our Terms of Service

4.4 With Your Consent

We may share information with third parties when you explicitly consent or direct us to do so.

4.5 Public Gallery Pages

When you create public gallery pages (branded or unbranded), the property information, photos, and media you include become publicly accessible. Client contact information on these pages is displayed as you configure it.


5. Data Security

We implement comprehensive security measures to protect your data:

5.1 Encryption

  • All data transmitted over the internet uses TLS 1.3 encryption (HTTPS)
  • Sensitive data at rest is encrypted using AES-256
  • OAuth tokens and API credentials are encrypted with AES-256-GCM
  • Passwords are hashed using bcrypt with unique salts

5.2 Access Control

  • Row-Level Security (RLS) policies ensure complete data isolation between tenants
  • 199+ database security policies enforce ownership-based access
  • Role-based access control (Superadmin, Admin, Client)
  • Secure session management with automatic expiration

5.3 Infrastructure Security

  • Hosted on enterprise-grade cloud infrastructure (Vercel, Supabase)
  • Regular security updates and patching
  • DDoS protection and rate limiting
  • Comprehensive audit logging of all actions

5.4 Application Security

  • Protection against SQL injection, XSS, and CSRF attacks
  • Input validation and sanitization
  • Content Security Policy (CSP) headers
  • Regular security assessments

6. Data Retention

  • Active Accounts: Data is retained while your account is active
  • Cancelled Subscriptions: Data is retained for 90 days to allow reactivation
  • Account Deletion: Personal data is deleted within 30 days of request
  • Backups: Backup copies are purged within 90 days of deletion
  • Legal Holds: Data may be retained longer if required by law
  • Anonymized Data: Aggregated, anonymous analytics may be retained indefinitely

7. Your Rights and Choices

Depending on your location, you may have the following rights:

7.1 Access

Request a copy of the personal data we hold about you.

7.2 Correction

Request correction of inaccurate or incomplete personal data.

7.3 Deletion

Request deletion of your personal data, subject to legal retention requirements.

7.4 Data Portability

Request your data in a structured, machine-readable format (CSV/JSON export).

7.5 Withdraw Consent

Revoke consent for specific data processing activities at any time.

7.6 Object to Processing

Object to certain types of data processing.

7.7 Opt-Out of Marketing

Unsubscribe from marketing communications at any time via email preferences.

To exercise these rights, contact us at privacy@emarcott.com or use the data management features in your account settings.


8. International Data Transfers

eMARCOTT is based in the United States. If you access our platform from outside the US, your data will be transferred to and processed in the United States. By using our services, you consent to this transfer.

We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where applicable.


9. Third-Party Services

Our platform integrates with third-party services that have their own privacy policies. We encourage you to review their policies:


10. Children's Privacy

eMARCOTT is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information.


11. California Privacy Rights (CCPA)

California residents have additional rights under the CCPA:

  • Right to Know: What personal information we collect and how it's used
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the "sale" of personal information (we do not sell data)
  • Right to Non-Discrimination: Equal service regardless of privacy choices

To exercise these rights, contact us at privacy@emarcott.com.


12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page with a new "Last updated" date
  • Sending an email notification for significant changes
  • Displaying a notice in the platform dashboard

Your continued use of eMARCOTT after changes constitutes acceptance of the updated policy.


13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us:


eMARCOTT is operated by Marcott Enterprises LLC, doing business as eMARCOTT.