Privacy Policy

Effective Date: January 1, 2025

CMA Studio ("Company", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the CMA Studio web application ("Service").

1. Information We Collect

Information You Provide

  • Account Information — When you accept an invitation and create an account, we collect your name, email address, and profile image through our authentication provider (Clerk).
  • API Tokens — When you create API tokens, we store the token name, a hashed version of the token value, and usage metadata.
  • Webhook Data — When you configure webhooks, we receive and process lead data from your connected systems (e.g., LeadSimple), including property addresses, contact names, email addresses, and phone numbers.

Information Collected Automatically

  • Usage Data — We collect information about how you interact with the Service, including pages visited, features used, and timestamps.
  • Device Information — We may collect browser type, operating system, and IP address for security and analytics purposes.
  • Cookies — We use essential cookies for authentication and session management. We do not use advertising or tracking cookies.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Generate CMA reports and profile search dossiers using AI
  • Authenticate your identity and manage your account
  • Send email notifications when reports are ready
  • Monitor usage patterns and optimize performance
  • Detect and prevent security threats and fraud
  • Comply with legal obligations

3. AI Processing

The Service uses third-party AI models (such as OpenAI) to generate CMA reports and contact profiles. Lead data submitted through webhooks is sent to these AI providers for processing. We select AI providers with appropriate data handling practices, but we encourage you to review their privacy policies as well.

AI-generated content is stored on our servers and in cloud storage (Amazon S3) for your access. We do not use your data to train AI models.

4. Data Storage and Security

Your data is stored on secure cloud infrastructure. We implement industry-standard security measures including:

  • Encrypted data transmission (TLS/HTTPS)
  • Secure credential storage with hashing
  • Role-based access controls
  • Regular security assessments

API tokens are stored in hashed form; the plaintext token is shown only once at creation time and is never stored by us.

5. Data Sharing

We do not sell your personal information. We may share your information with:

  • Service Providers — Third-party services that help us operate the Service, including cloud hosting (AWS), authentication (Clerk), AI processing (OpenAI), and email delivery. These providers are bound by contractual obligations to protect your data.
  • Legal Requirements — We may disclose information if required by law, regulation, legal process, or governmental request.
  • Business Transfers — In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Generated reports are retained until you or an administrator deletes them. If your account is terminated, we will delete or anonymize your personal data within 90 days, except where retention is required by law.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your personal information
  • Object to or restrict certain processing activities
  • Request data portability
  • Withdraw consent where processing is based on consent

To exercise any of these rights, please contact us at privacy@cmapage.com.

8. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will promptly delete it.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We take appropriate safeguards to ensure your data is protected in accordance with this Privacy Policy.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the effective date. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

11. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Email: privacy@cmapage.com