Privacy Policy

Last Updated: April 10, 2026

This Privacy Policy describes how 24 Engine ("we," "us," or "our") collects, uses, and protects your information when you use the 24 Engine application at https://24engine.com (the "Service"). This policy applies to all users of the Service and is incorporated into and subject to our Terms of Service.

Quick Reference for Enterprise Reviewers

1. Information We Collect

1.1 Account Information

When you create an account, we collect your email address for authentication and communication purposes. We use Supabase Auth to manage accounts; we do not collect or store passwords directly.

1.2 Calculation and Scenario Data

When you use the Service, we store the data you create, including lease scenario inputs, project organization data, and calculation results. This includes building addresses, rentable square footage, lease terms, rent schedules, escalation structures, operating expense assumptions, capital costs, financial assumptions, project names, scenario names, descriptions, client names, cash flow projections, NER, NPV, and GAAP estimates generated from your inputs.

1.3 Uploaded Documents

When you use the AI extraction feature, you may upload PDF documents such as letters of intent, term sheets, or lease abstracts. We do not permanently store raw uploaded PDF files. The file is held in memory only for the duration of extraction, never written to disk. Text content is extracted transiently, transmitted to our AI provider for structured extraction, and returned to your scenario.

1.4 Usage and Technical Data

We may collect standard technical information to operate and improve the Service, including browser type and version, pages accessed, features used, timestamps, error logs, and performance data. We use PostHog for anonymized product usage analytics and configure it to avoid names, emails, financial data, property addresses, and deal terms. No person profiles are created. Session recordings are disabled by default.

1.5 Public Property Data

When you use property lookup features, we query public data sources including NYC Open Data, Geoclient, PLUTO, Department of Finance, and Cook County data sources. Map rendering may transmit building addresses or coordinates to Google Maps API solely for display. Public property data may be cached temporarily to improve performance.

2. How We Use Your Information

We use information to provide the Service, store scenarios, run calculations, generate reports, enable scenario comparison, process document uploads, authenticate accounts, operate and improve reliability, diagnose technical issues, and send essential service communications. We do not use your data for advertising, profiling, or any purpose unrelated to providing the Service.

3. Confidentiality of Your Data

We treat customer data, including lease scenario inputs, financial assumptions, deal economics, building addresses, and client names, as confidential. 24 Engine is currently a single-operator business. The founder may access customer data solely to diagnose technical issues at a customer's explicit request. We do not review, analyze, or use customer scenario contents for product development, benchmarking, or internal purposes without express written consent.

4. How We Share Your Information

4.1 No Sale of Data

We do not sell, rent, trade, or otherwise disclose your data, confidential deal metrics, lease terms, or financial inputs to third parties, data brokers, competing real estate firms, or any other party for commercial purposes.

4.2 Third-Party Subprocessors

To provide the Service, we use the following infrastructure providers, who may process data in the course of providing their services to us:

Provider | Purpose | Data Processed | Data Residency
Vercel | Frontend hosting and content delivery | Browser requests, static assets | US edge network
Railway | Backend server compute | Scenario data, calculation results, API requests | US-East
Supabase | Authentication and database storage | Email address, authentication tokens, account sessions, scenario and project data | US-East-1 (AWS)
PostHog | Anonymized product usage analytics | Event names, categorical properties, redacted URLs, standard request metadata | US
Anthropic | AI-powered lease document extraction | Extracted text from uploaded documents, transient and not used for model training | US
Google Maps | Map display for property lookup | Building addresses and coordinates for map rendering | Google infrastructure
NYC Open Data / Geoclient | Public property data lookups | Building addresses and BBL numbers | US

4.3 Subprocessor Change Notification

Before adding, replacing, or materially changing a subprocessor, we will provide existing customers with at least 30 days' advance written notice by email. Customers with a Data Processing Agreement have the right to object within that notice period.

4.4 Anthropic (AI Provider)

When you use document extraction, extracted text is transmitted to Anthropic via its commercial API. Anthropic does not use your data to train its AI models. API inputs and outputs may be retained by Anthropic for up to 30 days solely for abuse monitoring and service integrity under its commercial data retention policy.

4.5 Legal Compliance and Compelled Disclosure

We may disclose information only to comply with valid legal process, protect safety from imminent harm, prevent or detect fraud or criminal activity directed at 24 Engine or users, or enforce our Terms of Service in active legal proceedings. To the extent permitted by law, we will notify affected customers before disclosure and cooperate with reasonable efforts to limit or challenge the scope.

4.6 Acquisition or Change of Control

If 24 Engine is acquired, merged, or undergoes a change of control, data may be transferred to the successor entity. We will provide at least 30 days' advance notice before transfer and require the successor to honor this Privacy Policy. If no successor acquires the Service, users will receive notice and a 60-day export window before permanent deletion.

5. Data Storage and Security

Scenario and calculation data is stored in Supabase-managed databases, with compute provided by Railway. Authentication is managed by Supabase. Infrastructure is located in the United States. We use HTTPS/TLS, encryption at rest, workspace isolation, authenticated access controls, HTTP security headers, memory-only document handling for uploaded PDFs, rate limiting, and dependency monitoring. No method of transmission or storage is 100% secure.

6. Data Retention and Deletion

6.1 Active Accounts

We retain account data and saved scenarios for as long as your account is active. Accounts inactive for 24 consecutive months will receive an email notification. If no login occurs within 60 days of that notice, the account and associated data will be permanently deleted within 30 days after the grace period expires.

6.2 Your Right to Delete

You may request deletion of your account and associated data at any time. Upon verified request, we will generate an export, delete account credentials, delete projects, scenarios, and calculation results, and remove cached property lookup data linked to your scenarios. Deletion will be completed within 30 days, except for minimal records required by law or active disputes.

6.3 Data Export

Active accounts may export projects and scenarios using the built-in export feature. At account deletion or termination, we will generate and deliver a complete export of scenario and project data to your registered email address or via secure time-limited download link.

6.4 Uploaded Documents

Raw uploaded PDF files are not permanently stored. Files are held in server memory only for extraction and discarded after the result is delivered.

6.5 Product Analytics

We retain anonymized PostHog product analytics event data for up to 1 year. Session recordings are disabled by default. If enabled in the future, they will require explicit opt-in and will be retained for no more than 30 days.

7. Cookies and Tracking Technologies

We use authentication session tokens stored by Supabase Auth and an anonymous analytics identifier stored by PostHog. We do not use advertising cookies, third-party tracking pixels, or tracking technology for behavioral advertising.

8. Your Data Rights

Depending on your jurisdiction, you may have rights to access, export, correct, delete, restrict, or obtain a portable copy of your personal data. To exercise these rights, contact us using the information in Section 14.

9. U.S. State Privacy Rights

9.1 California (CCPA/CPRA)

California residents may have the rights to know, delete, and correct, and the right to non-discrimination. Categories collected in the preceding 12 months include identifiers, commercial information, and internet or electronic network activity. We do not sell or share personal information for cross-context behavioral advertising.

9.2 Other U.S. States

We respect privacy rights established under applicable state laws, including the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Texas Data Privacy and Security Act, and Oregon Consumer Privacy Act.

10. Children's Privacy

The Service is designed for commercial real estate professionals and is not directed to individuals under 18. We do not knowingly collect personal information from children under 13.

11. Security Incident Notification

In the event of a data breach or security incident affecting personal information, we will notify affected users within 72 hours of becoming aware of the incident. Notification will be sent to the email address associated with your account.

12. Enterprise Customers - Controller/Processor Relationship and DPA

When 24 Engine is used by a business customer such as a brokerage or advisory firm, that customer is typically the data controller and 24 Engine acts as a data processor. Enterprise customers may request a Data Processing Agreement with subprocessor obligations, breach notification procedures, data subject rights assistance, and audit rights. Customers subject to GDPR or UK GDPR should contact us before using the Service so appropriate contractual terms can be provided.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For non-material changes, we update the Last Updated date. For material changes, including changes to data sharing practices, new subprocessors with access to sensitive data, or changes to your rights, we will provide 30 days' advance notice by email.

14. Contact

For questions about this Privacy Policy, to exercise data rights, or to request a Data Processing Agreement, contact 24 Engine at support@24engine.com. Website: https://24engine.com.