Privacy Policy
Effective date: June 15, 2026
Last updated: June 15, 2026
This Privacy Policy explains how Chateaux ("Chateaux", "we", "us", "our") — a product operated by Chateaux Labs as a sole proprietor ("the Operator"), located at Wilmington, Delaware, USA — collects, uses, discloses, and safeguards your information when you use our mobile application, our website at https://chateaux.ai, our API at api.chateaux.ai, and any public listing pages we host on your behalf (collectively, the "Service").
We respect your privacy. We do not sell your data. We do not train third-party AI models on your customer data.
Questions or requests? Email privacy@chateaux.ai.
1. Who this policy applies to
- Agents — real-estate professionals who create a Chateaux account.
- Team members — users invited by a brokerage to join a Chateaux team.
- Buyers / Sellers / Public visitors — consumers who scan a QR code, open a public listing landing page, submit a lead form, or view an AI-generated tour. No account is required.
2. Information we collect
2.1 Information you provide
- Account data: name, email address, password (hashed), phone number (optional), brokerage name, professional bio, profile photo.
- Listing data: property addresses, prices, bed/bath/sqft, descriptions, photos, virtual tours, staged images, 360° panoramas you capture.
- Client data you upload: lead names, emails, phones, notes, communications with prospects.
- Payment data: handled by our payment processor Stripe, Inc. We never store your card number — only a Stripe customer ID and last-4 digits for display.
- Content generated by AI at your request: staged photos, ad copy, promo kits, seller pitches.
2.2 Information collected automatically
- Device data: device model, OS version, app version, unique device identifier (advertising identifiers are not collected).
- Usage data: features used, screen views, timestamps. Used only to improve product experience.
- Diagnostic data: crash reports, latency metrics. No personally-identifying content is included.
- Approximate location: derived from property addresses you enter. We do NOT collect precise GPS coordinates from your device.
2.3 Information from third parties
- RentCast (US property data & AVM). We send addresses you enter; we receive comps and value estimates.
- Mapbox (map tiles & geocoding). Addresses transmitted for geocoding are pseudonymized where possible.
- Anthropic (Claude) and Google (Gemini Nano Banana) for AI generation. See § 5.
- Emergent for the Universal LLM key infrastructure.
3. How we use your information
We use the information to:
- Provide and operate the Service (staging, ad generation, lead scoring, tours).
- Process subscription payments via Stripe.
- Send transactional emails (receipts, invitations, password resets, promo reports) via Resend, Inc.
- Send you product update emails you can unsubscribe from at any time.
- Detect and prevent fraud, abuse, or violations of the Terms of Service.
- Fulfill legal obligations (tax, accounting, court orders).
- Improve the Service using aggregated and de-identified analytics only.
We do NOT use your listings, leads, or client data to train AI models — ours or anyone else’s. AI providers listed in § 5 process your content solely to return a single generated result and are contractually prohibited from using it for model training.
4. Legal bases (GDPR / UK GDPR users only)
| Purpose | Legal basis |
|---|---|
| Providing the Service to you | Contract performance (Art. 6(1)(b) GDPR) |
| Sending transactional email | Contract performance |
| Marketing / product emails | Consent (Art. 6(1)(a)) — unsubscribe any time |
| Fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Compliance with law | Legal obligation (Art. 6(1)(c)) |
If you are in the EEA or UK, our EU representative can be reached at privacy@chateaux.ai. We will nominate a formal Art. 27 GDPR representative once EU user counts exceed the safe-harbor threshold.
5. AI subprocessors
When you use an AI feature, the minimum data required is sent to the provider below and returned to you. Our contracts include a no-training clause on all customer content.
| Feature | Provider | Data sent |
|---|---|---|
| Ad copy, seller pitches, promo emails, chat | Anthropic (Claude Sonnet 4.5) via Emergent | Listing text you supply + your prompt |
| Virtual staging, AI restyle, 360 room re-render | Google Gemini (Nano Banana) via Emergent | The uploaded photo + your prompt |
| Optional TTS / STT | OpenAI (Whisper, TTS) via Emergent | Only if you use those features |
| Property data | RentCast | Property address |
| Map tiles & geocoding | Mapbox | Property address + coarse lat/lon |
| Image hosting | Cloudinary | Photos and stitched panoramas |
| Payments | Stripe | Customer ID, subscription info |
| Transactional email | Resend | Email address + email body |
| Panorama stitching | Self-hosted (OpenCV) | Frames stay on our infrastructure |
6. Sharing your information
We share personal information only with:
- Subprocessors listed in § 5 to operate the Service.
- Payment processor (Stripe) for billing.
- Legal or governmental authorities when required by valid legal process.
- Successor entity if Chateaux is sold or reorganized (users notified 30 days in advance; identical or stronger privacy terms apply).
We do not sell personal information. Ever. For California residents: see § 10.
7. Public content you publish
When you publish a public listing landing page, a public virtual tour, or a public business card, the information on it is intentionally public. This includes property photos, address, price, and your agent contact info. Buyer/seller leads submitted through those forms are stored privately in your account.
8. Data retention
- Account data: kept while your account is active. Deleted within 30 days of your deletion request (see § 11).
- Payment records: retained for 7 years as required by tax law.
- Backup archives: overwritten within 35 days on a rolling schedule.
- Server logs: 90 days.
9. Security
- In transit: TLS 1.3 for all API and web traffic.
- At rest: AES-256 encryption at the database layer (MongoDB Atlas).
- Password storage: bcrypt with a work factor of 12.
- Payments: PCI-DSS Level 1 (delegated to Stripe).
- Access controls: role-based, principle of least privilege, quarterly access reviews.
- Incident response: users notified within 72 hours of a confirmed personal-data breach as required by GDPR Art. 33.
No system is 100% secure. If you believe your account has been compromised, contact us at security@chateaux.ai immediately.
10. Your privacy rights
Depending on where you live, you have rights over your personal information:
Everyone
- Access — request a copy of the data we have about you.
- Correction — fix inaccurate data.
- Deletion — delete your account and all associated data (see § 11).
- Portability — export your listings, leads, and profile as a JSON file.
California residents (CCPA / CPRA)
- Right to know categories of personal information collected, sold, or shared. Chateaux does not sell or share for cross-context behavioral advertising.
- Right to correct inaccurate personal information.
- Right to delete personal information (see § 11).
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising these rights.
Categories collected (last 12 months): identifiers, commercial information (subscription history), internet activity, geolocation (coarse only), professional information.
Categories sold or shared: None.
EEA / UK residents (GDPR / UK GDPR)
- All rights above, plus:
- Right to object to processing based on legitimate interest.
- Right to withdraw consent at any time.
- Right to lodge a complaint with your national data-protection authority.
Nevada residents
Under NRS 603A, you may direct us not to sell your covered information. We do not sell it. No opt-out is required, but requests are honored at privacy@chateaux.ai.
11. How to exercise your rights
In-app deletion
Tap Account → Delete account. Your data is queued for deletion and completed within 30 days. See Data Deletion for full details, including how to delete data as a lead or public visitor who does not have an account.
Email us
Email privacy@chateaux.ai with your request. We reply within 30 days (extendable by 60 days if complex, per GDPR Art. 12).
Verification
We may ask you to verify ownership of the account (usually by responding from the email on file, or by a signed-in in-app action).
12. International transfers
Our servers are hosted in Delaware, United States. If you are outside this region, your data will be transferred to and processed there. Where required by law, we rely on Standard Contractual Clauses (EU 2021/914) with all subprocessors.
13. Children
Chateaux is a professional tool. It is not intended for anyone under 18. We do not knowingly collect personal information from children. If we learn that we have, we will delete it promptly.
14. Cookies
Our marketing site uses privacy-friendly analytics that do not require consent (Plausible.io / Fathom). We use functional cookies to keep you signed in. Full details: Cookie Policy.
15. Changes to this policy
When we make material changes, we notify you at least 14 days in advance by email and by an in-app banner. Continued use of the Service after the effective date constitutes acceptance.
16. Contact
Chateaux Labs d/b/a Chateaux (sole proprietor)
Wilmington, Delaware, USA
- Privacy: privacy@chateaux.ai
- Support: support@chateaux.ai
- Security: security@chateaux.ai
Governing law: Delaware, United States.