Privacy Policy
All Core
Last Updated: July 12, 2026
1. Introduction
All House Inc. ("All House," "we," "us," or "our") operates the All Core platform, accessible at https://allcore.ai and the web application at https://app.allcore.ai (together, the "Platform" or "Service"). This Privacy Policy explains what information we collect, how we use, disclose, and protect it, and the choices you have.
All Core is a workspace for managing real-estate transactions. Real-estate agents use it to run a deal — documents, parties, deadlines, e-signatures, messaging, and an assistant — and to invite the other parties to a transaction. By creating an account or using All Core, you agree to the collection and use of information as described in this policy. If you do not agree, do not use the Platform.
We do not intentionally collect special categories of sensitive personal data, and we ask that you not enter such data into free-text fields.
2. Information We Collect
2.1 Account and Profile Information
- Account information: Your name and email address, and — if you set them — your phone number, organization, and role.
- Professional credentials: Role-specific information you choose to provide, such as your real estate license number, bar number, law firm name, brokerage name, or company affiliation.
- Profile information: Your photo, title, and any other information you add to your profile.
2.2 Transaction ("Deal") Data
Information you enter or upload to run a transaction: property details, party names and contact details, milestones and deadlines, documents you upload or generate, form field values, messages, and e-signature records and their audit trails.
2.3 Calendar Data (only if you connect a calendar)
If you choose to connect your Google or Microsoft calendar, we access your calendar events to two-way-sync deal deadlines and events with the calendar you already use. See Section 4 for exactly how this data is handled and limited. We do not access your calendar unless you initiate the connection.
2.4 Technical and Usage Data
- Usage data: Pages viewed, features used, and interactions within the Platform, captured as product-analytics events to operate, secure, and improve the Service.
- Device and log data: IP address, browser and device information, server logs, error reports, and activity timestamps.
- Cookies: A session cookie to keep you logged in, and analytics cookies as described in Section 9.
2.5 Information from Other Users
We receive information about you from other users of the Platform when they invite you to join a deal or transaction. The inviting party provides your name, email address, and role in the transaction.
3. OAuth Sign-In (Google, Microsoft, LinkedIn)
You may sign in with Google, Microsoft, or LinkedIn. When you do, we receive your verified email address, name, and a stable subject identifier from that provider, and we store the subject identifier as a link to your All Core account. We use this only to verify your email and establish your account and session. We do not receive or store your provider password, and we do not post to, read from, or otherwise act on your provider account for sign-in.
4. How All Core Uses Google User Data
4.1 Google Calendar (Limited Use)
If you connect Google Calendar, All Core requests the https://www.googleapis.com/auth/calendar.events scope to read and write calendar events for the sole purpose of syncing your real-estate deal deadlines and events with your personal calendar. A narrower read-only or free/busy scope is insufficient because the feature creates and maintains deal-deadline events on your behalf.
All Core's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google Calendar data only to provide and improve the user-facing calendar-sync feature that is prominent in the All Core interface.
- We do not transfer or sell Google user data to third parties such as advertising platforms, data brokers, or information resellers.
- We do not use Google user data for serving advertising, including retargeting, personalized, or interest-based advertising.
- We do not use Google user data to determine creditworthiness or for lending purposes.
- We do not allow humans to read Google user data, unless: (i) you have given specific consent to read specific data; (ii) it is necessary for security purposes (such as investigating abuse); (iii) it is required to comply with applicable law; or (iv) the data is aggregated and anonymized and used for internal operations.
You can disconnect your calendar at any time from within All Core, which revokes All Core's access, or revoke access directly at Google Account permissions.
4.2 Microsoft Calendar
If you connect a Microsoft/Outlook calendar, All Core requests the delegated Microsoft Graph Calendars.ReadWrite permission for the same purpose — syncing deal deadlines and events with the calendar you already use — and handles that data under the same limitations described above. You can disconnect at any time in All Core, or revoke access in your Microsoft account.
4.3 Token Storage
Access and refresh tokens for connected calendars are encrypted at rest and are used solely to power the calendar-sync feature you enabled.
5. How We Use Your Information
We use the information we collect to:
- Provide and operate the Platform: Create and manage your account, run and track transactions, store and organize your files and documents, and facilitate communication between deal parties.
- Authenticate and secure your account: Verify sign-in, detect fraud and unauthorized access, and enforce our Terms of Use.
- Send transactional communications: Deliver invitations, signing requests, deadline reminders, and notifications to users and to parties you invite.
- Power the AI assistant and forms: Provide the in-workspace assistant and the CREC forms field-mapping and fill features.
- Sync connected calendars: Keep deal deadlines and events in sync with a calendar you have chosen to connect.
- Comply with legal obligations and respond to lawful requests from authorities.
- Maintain and improve the Service: Analyze usage patterns, diagnose technical issues, and develop new features.
We process personal data on the legal bases of performing our contract with you, your consent (where required, e.g., calendar connection), our legitimate interests in operating and securing the Service, and compliance with law.
We do not sell your personal information, and we do not use your documents, deal data, or client information to train AI models or for any purpose other than providing the Platform to you.
6. Transactional Email
Off-platform parties to a deal are reached primarily by email. We use Resend, our transactional email provider, to deliver invitations, signing requests, and notifications. When someone replies to a platform email address, we process the inbound message to route it back into the relevant deal. We do not use these messages for advertising.
7. How We Share Your Information
7.1 With Other Users in Your Deals
All Core is a collaborative platform. When you are added to a transaction, relevant deal information — your name, role, contact information, and the documents, form values, and messages you contribute — is visible to other authorized parties in that deal. You control what you upload, and you should not upload documents containing third-party personal information unless you have the right to do so.
7.2 With Service Providers
We work with third-party service providers who process information on our behalf, under contract, limited to what they need to perform their service. They are contractually obligated to protect your information.
| Provider | Purpose | Privacy Reference |
|---|---|---|
| Google Cloud Platform (GCP) | Infrastructure, hosting, and file storage | cloud.google.com/privacy |
| Neon (NeonDB) | PostgreSQL database | neon.tech/privacy |
| Upstash | Redis cache and background job queue | upstash.com/privacy |
| Resend | Transactional email delivery | resend.com/legal/privacy-policy |
| PostHog | Product analytics (no advertising, no sale of data) | posthog.com/privacy |
| Google (Gemini) | AI assistant and forms field-to-role mapping | ai.google.dev/gemini-api/terms |
| Anthropic (Claude) | AI assistant and forms field-mapping cross-check | anthropic.com/legal/privacy |
We do not currently process payments, and there is no payment processor handling your data at this time. If and when paid features are introduced, we will update this policy before doing so.
7.3 For Legal Reasons
We may disclose your information if we believe in good faith that doing so is necessary to comply with applicable law or a valid legal process; to protect the rights, property, or safety of All House, our users, or the public; to detect or prevent fraud or security incidents; or to enforce our agreements.
7.4 Business Transfers
If All House Inc. is involved in a merger, acquisition, financing, or sale of all or part of its assets, your information may be transferred as part of that transaction, with prior notice. Any transfer of Google user data in such an event will occur only with your explicit prior consent.
We do not sell your personal information, and we do not use provider-obtained data (Google, Microsoft, or LinkedIn) for advertising.
8. Security
We protect data with industry-standard technical and organizational measures, including:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for sensitive personal data using AES-256-GCM
- Strong password hashing (argon2id)
- Access controls limiting access to user data, and audit logging
- Cryptographic sealing (PKCS#7) of completed e-signature documents for tamper-evidence
No method of transmission over the internet or method of electronic storage is completely secure. While we work to protect your information, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at info@myallhouse.com.
9. Data Retention and Deletion
We retain personal and transaction data for as long as your account is active and as needed to provide the Service. E-signature and transaction records may be retained thereafter to preserve the legal audit trail. Calendar data obtained via a connected calendar is retained only as needed to power the sync feature and is deleted when you disconnect the calendar or delete your account, subject to routine backup cycles.
You may request deletion of your account and associated data by contacting us at info@myallhouse.com. Deletion requests for data embedded in multi-party transactions may be subject to limitations where removal would destroy records other authorized parties rely on, or where we are required by law to retain it longer.
10. Your Rights and Choices
Depending on your location, you may have rights to access, correct, delete, export, or restrict processing of your personal data, and to object to certain processing. You can update profile information in the app, disconnect connected calendars at any time, and revoke provider access directly with Google, Microsoft, or LinkedIn. To exercise any right, contact us at info@myallhouse.com; we will respond as required by applicable law and may need to verify your identity first.
10.1 California Privacy Rights (CCPA)
If you are a California resident, the CCPA provides you the following rights:
- Right to know the categories and specific pieces of personal information we have collected, the sources, our purposes, and the categories of third parties with whom we share it.
- Right to delete your personal information, subject to certain exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale — we do not sell your personal information.
- Right to non-discrimination for exercising any of your CCPA rights.
To exercise these rights, contact us at info@myallhouse.com with "CCPA Request" in the subject line. You may designate an authorized agent by providing written authorization.
11. Cookies and Tracking Technologies
We use only two categories of cookies and similar technologies:
- Essential: A session cookie that keeps you logged in and maintains your session.
- Analytics: Product-analytics technologies via PostHog to understand how users interact with features so we can improve the Service.
We do not use advertising cookies and we do not track your activity across third-party websites for advertising purposes. Most browsers allow you to refuse or delete cookies through your browser settings; doing so may affect the functionality of the Platform.
12. Children's Privacy
The Service is not directed to children under the age of 16 and we do not knowingly collect their personal information. If we learn that we have collected information from a child, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at info@myallhouse.com.
13. International Users
All Core is operated from the United States. If you access the Service from elsewhere, your information may be transferred to and processed in the United States and other countries where we or our service providers operate, with appropriate safeguards where required.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Platform, updating the "Last Updated" date above. Your continued use of the Platform after the effective date of the updated policy constitutes your acceptance of the changes.
15. Contact Us
If you have questions about this Privacy Policy or how we handle your information:
All House Inc.
Email: info@myallhouse.com
Website: https://allcore.ai
For California-specific requests, reference "CCPA Request" in your email subject line.
