1. Introduction
Tractic ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our real estate portfolio management platform ("Service"). By using Tractic, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Name, email address, phone number (optional), and password (via Google OAuth)
- Profile Settings: Display name, monthly income goal, theme preference, onboarding status
- Property Information: Property addresses, values, purchase dates, mortgage details, rental income, operating expenses, unit information, tenant data
- Financial Data: Transaction descriptions, amounts, dates, categories, property assignments
- Payment Information: Credit card details are processed by Stripe and NOT stored on our servers. We store your Stripe Customer ID and Subscription ID only.
2.2 Information We Collect Automatically
- Usage Data: Pages visited, features used, time spent on pages, click patterns
- Device Information: Browser type, operating system, IP address, device identifiers
- Cookies and Similar Technologies: We use cookies to maintain your session, remember your preferences, and analyze usage patterns (see our Cookie Policy)
2.3 Information from Third-Party Services
- Plaid (Bank Connections): When you connect your bank account, we receive transaction data, account balances, and institution information via Plaid. Your bank login credentials are NEVER shared with us.
- Google OAuth: Email address, name, and profile picture from your Google account
- Google Drive: When you connect Google Drive, we access property-related documents (leases, insurance policies, receipts, tax documents) that you explicitly select or import. We use the drive.file scope, which limits access to files you choose to share with Tractic — we cannot access your entire Drive.
- Google Maps: Property location coordinates when you enter addresses
- Stripe (Payments): Subscription status, payment method type (last 4 digits), billing history
3. How We Use Your Information
We use the information we collect to:
- Provide the Service: Display your portfolio, track income/expenses, generate reports, calculate metrics
- AI-Powered Features: Generate property intelligence reports, market analysis, investment recommendations using Google Gemini AI
- Bank Transaction Sync: Import, categorize, and match transactions to properties via Plaid integration
- Tax Reporting: Generate IRS Schedule E, Form 1098, Form 4562, Form 8949, and other tax documents
- Account Management: Process payments, manage subscriptions, send service-related emails
- Improve the Service: Analyze usage patterns, fix bugs, develop new features
- Security: Detect and prevent fraud, unauthorized access, and other illegal activities
- Legal Compliance: Comply with legal obligations, respond to lawful requests from authorities
4. How We Share Your Information
We do NOT sell your personal information. We share your information only in the following circumstances:
4.1 Service Providers (Third-Party Processors)
- Supabase: Database hosting and authentication (data stored in US-East region)
- Vercel: Web hosting and content delivery
- Plaid: Bank account connection and transaction data retrieval
- Stripe: Payment processing and subscription management
- Google (Gemini AI): AI-powered property analysis, intelligence reports, and market insights
- Google Maps: Address geocoding and map display
All service providers are contractually obligated to protect your data and use it only for the purposes we specify.
4.2 Legal Requirements
We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety.
4.3 Business Transfers
If Tractic is acquired, merged, or goes through a business restructuring, your information may be transferred as part of that transaction.
5. Google User Data Disclosure
Tractic integrates with Google services. This section specifically describes how we handle data received from Google APIs, in compliance with the Google API Services User Data Policy.
5.1 Google Data Accessed
- Google OAuth (Sign-In): Your email address, display name, and profile picture to create and authenticate your Tractic account.
- Google Drive (drive.file scope): Only files you explicitly select or create through Tractic — such as property documents, leases, insurance policies, receipts, and tax records. We cannot browse or access your entire Google Drive.
5.2 How We Use Google Data
- Authentication: Your Google email and name are used to identify your account and enable sign-in.
- Document Processing: Files you import from Google Drive are processed by our AI to extract property financial data (e.g., rent amounts, expense figures, closing costs) for portfolio tracking and tax reporting.
- No Advertising: Google user data is never used for advertising, marketing profiles, or any purpose unrelated to providing the Tractic service.
- No AI/ML Training: Google user data is not used to train machine learning or artificial intelligence models.
5.3 Google Data Sharing
We do not sell, rent, or trade Google user data. Google data may only be shared with:
- Google Gemini AI: Document contents may be sent to Google's Gemini API for AI-powered data extraction (e.g., parsing lease terms, identifying expenses). This processing is subject to Google's own data handling policies.
- Supabase (Database): Extracted data is stored in our encrypted database to power your portfolio dashboard. Raw files are not stored — only the structured data extracted from them.
No other third parties receive your Google user data.
5.4 Google Data Storage & Protection
- Google OAuth tokens are encrypted using AES-256-GCM and stored in our Supabase database (US-East region).
- All data transmitted between Tractic and Google APIs uses TLS 1.3 encryption.
- Row Level Security (RLS) ensures your Google-sourced data is accessible only to your account.
- Google Drive files are processed in-memory and not permanently stored — only the extracted structured data is retained.
5.5 Google Data Retention & Deletion
- Google OAuth credentials are retained as long as your account is active.
- Data extracted from Google Drive documents is retained for 7 years (IRS tax audit requirements) or until you delete the associated property or account.
- When you disconnect Google Drive or delete your account, all Google-sourced data is deleted within 30 days.
- You can request immediate deletion of all Google user data by emailing privacy@tractic.io.
- You may also revoke Tractic's access to your Google account at any time via your Google Account permissions page.
6. Data Security
We implement industry-standard security measures to protect your data:
- Encryption at Rest: Sensitive data (Plaid access tokens, financial amounts) is encrypted using AES-256-GCM encryption
- Encryption in Transit: All data transmitted between your browser and our servers uses TLS 1.3 (HTTPS)
- Database Security: Supabase Row Level Security (RLS) ensures users can only access their own data
- Authentication: Google OAuth 2.0 with secure session management
- Access Controls: Strict API authentication, no public endpoints for sensitive data
- Regular Audits: We conduct security reviews and penetration testing
While we take reasonable precautions, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
7. Your Privacy Rights
7.1 GDPR Rights (EU Users)
If you are located in the European Union, you have the following rights:
- Right to Access: Request a copy of all personal data we hold about you
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Export your data in a machine-readable format
- Right to Object: Object to certain types of data processing
- Right to Withdraw Consent: Withdraw consent for data processing at any time
7.2 CCPA Rights (California Users)
If you are a California resident, you have the following rights:
- Right to Know: Request disclosure of what personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out of Sale: We do NOT sell personal information. If this changes, you can opt out.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
7.3 How to Exercise Your Rights
To exercise any of these rights, email us at privacy@tractic.io with your request. We will respond within 30 days.
8. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specifically:
- Account Data: Retained until you delete your account
- Transaction History: Retained for 7 years (IRS tax audit requirements)
- Property Records: Retained until you delete the property or your account
- Backup Data: Deleted from backups within 90 days of account deletion
If you request account deletion, we will delete or anonymize your data within 30 days, except where we are required to retain it by law.
9. International Data Transfers
Tractic is based in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) for EU data transfers.
10. Children's Privacy
Tractic is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 18, we will delete it immediately.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice in the app. Continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or how we handle your data, please contact us: