Property Alpha Agent (the "Service") is operated by Property Alpha. This policy describes what data we collect when an operator connects their account or a third-party integration, why we collect it, where we store it, and who we share it with.
1. Data we collect
1.1 Account data
When you accept an invite and create an operator account, we store your email, name, optional phone, optional mailing address, and the role assigned by the inviting admin. We also generate a session cookie scoped to agent.propertyalpha.ai for authentication.
1.2 Google Workspace data
When you click Connect Google, Google shows you a consent screen listing every scope the agent needs. If you grant access, we receive an OAuth refresh token and the scopes you approved. The agent then uses Google APIs on your behalf to perform the leasing operations you direct, including (subject to the scopes you grant):
- Gmail — read inbound prospect messages, send replies, and label leasing threads (scopes:
gmail.readonly,gmail.send,gmail.modify). - Calendar — create, update, and cancel tour appointments on your calendar (
calendar,calendar.events). - Drive / Docs / Sheets / Slides — read, create, edit, organize, and delete files across your Google Drive, and author leasing documents, listings, and reports as Docs, Sheets, and Slides, when you ask the agent to (
drive,documents,spreadsheets,presentations). - Meet — create virtual-tour Meet spaces (
meetings.space.created).
Property Alpha Agent's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
1.3 Operational data
We store the messages, leads, listings, tasks, and audit events that the agent processes on your behalf inside our managed Postgres database. Refresh tokens are encrypted at rest and access is row-level-security scoped to your user id.
2. How we use the data
We use the data only to provide the Service to you and your workspace: drafting and sending leasing comms, scheduling tours, generating listings and reports, and producing the audit trail your admin reviews. We do not sell your data, use it for advertising, train generic AI models on it, or share it with third parties beyond the sub-processors listed below.
3. Sub-processors
- Supabase — managed Postgres + authentication. Hosts your account, the encrypted refresh tokens, and the operational database.
- Google LLC — the Google APIs you authorize. Your data flows through Google by definition.
- Resend — transactional email delivery (sign-in OTP, invite emails).
- Self-hosted inference — AI model inference runs on our own infrastructure (self-hosted Gemma). Your prompts are not sent to any third-party model provider.
4. Retention
Account data is retained for the lifetime of your account plus 30 days after deletion. Google refresh tokens are deleted immediately when you click Disconnect in settings. Audit logs are retained for one year.
5. Your rights
You can disconnect any Google account at any time from /settings/integrations/google, which revokes the refresh token with Google and deletes our copy. You can request export or deletion of your account data by contacting support@propertyalpha.ai.
6. Security
Refresh tokens are encrypted with AES-GCM at rest using a key managed in the database environment. All traffic is TLS. Production access is restricted to authorized engineers with audit logging.
7. Contact
Privacy questions, deletion requests, or notice of a suspected incident: support@propertyalpha.ai.