Privacy Policy

This Privacy Policy explains how the Florida Real Estate Marketing Association ("FLREMA," "we," "us," or "our") collects, uses, and shares personal information when you visit flrema.org or use any of our services (the "Services").

FLREMA is an independent, for-profit Florida corporation. We are not affiliated with the National Association of REALTORS®, Florida Realtors®, any local board of REALTORS®, or any state or federal regulatory body.

1. Information we collect

1.1 Information you provide. When you join FLREMA, we collect:

• First and last name
• Email address
• Florida real estate license number
• Mobile phone number, where SMS verification is enabled, used to send you a one-time verification code at signup
• Password (stored as a salted PBKDF2-SHA256 hash; we never see or store the plaintext)
• Optional profile content you choose to provide ("About Me" bio, optional NAR/NRDS member ID, optional city)
• Email preference selections
• Inputs to and outputs from AI-powered tools (e.g., listing descriptions you generate)

SMS verification consent. Where phone verification is enabled, by entering your mobile number and requesting a code you consent to receive a one-time verification text message from us. Message and data rates may apply. These are transactional, security-related messages tied to your signup — not marketing texts — and we do not use your phone number for marketing or share it for that purpose. We store the verification code only as a short-lived hash that expires within minutes.

1.2 Information collected automatically. When you interact with the Services, we automatically collect:

• IP address and approximate geographic region
• Browser type, version, and user-agent string
• Pages viewed, features used, and the time, frequency, and duration of activity
• Authentication cookies, anti-forgery (CSRF) cookies, and reCAPTCHA cookies set by Google
• Application telemetry (errors, performance, request paths) collected by Microsoft Application Insights

1.3 Information from third parties. We cross-reference your submitted license number and last name against the public Florida Department of Business and Professional Regulation (DBPR) licensee directory at signup. The DBPR record we retrieve includes your licensed name, license type, license status, original license date, expiration date, mailing address, county, and affiliated brokerage. This information is public record under Florida's Sunshine Law (Chapter 119, Florida Statutes).

1.4 Trademark-affirmation records. If you submit content that uses the term REALTOR® (a registered certification mark of the National Association of REALTORS®), we will ask you to affirm your current NAR membership. We log the affirmation, the exact content you submitted, the affirmation text version shown to you, your IP address, your user-agent, the timestamp, and any NAR/NRDS member ID you choose to provide. This audit log is required for trademark-compliance purposes.

1.5 Information from prospective clients and leads (non-members). Certain member-facing features — including a member's public agent page contact form and the home-value report tool a member shares with the public — allow members of the public who are not FLREMA members (for example, homeowners or prospective buyers and sellers) to submit their name, email address, phone number, a message, and/or a property address in order to request a report or to contact the member. We collect this information on behalf of the FLREMA member who shared the feature, store it, and route it to that member, who is its intended recipient. The receiving member is responsible for their own use of, and communications to, the leads they receive, in compliance with applicable law (including the federal CAN-SPAM Act, the Telephone Consumer Protection Act, and Do-Not-Call rules). We do not sell this information and do not use it for our own marketing. A lead may request deletion of their submission by emailing info@flrema.org or by asking the member who received it.

1.6 Trust-and-safety reports. If you submit a report that an account may be impersonating a licensee or using a brokerage's name without authorization, we collect the name, email, role, and details you provide, along with your IP address, to investigate the report and, where warranted, suspend the reported account pending verification.

2. How we use information

We use personal information to:

• Provide the Services — create and maintain your account, verify your active Florida real estate license, verify your mobile number by one-time SMS code where enabled, deliver AI tool outputs, send transactional emails (password resets, license-status notices), and route leads submitted through your public page or shared tools to you
• Communicate with you — send the welcome message, member updates, weekly newsletter, and other marketing emails (only with your consent and subject to one-click unsubscribe)
• Improve the Services — analyze aggregate usage, debug issues, and develop new features
• Protect against fraud and abuse — rate-limit signups and tool usage, detect impersonation attempts, and enforce our Terms of Service
• Comply with legal obligations — respond to lawful requests, defend against legal claims, and maintain records required by law (including trademark-affirmation audit logs)

3. Legal bases for processing

We rely on the following legal bases:

• Contract — to provide the Services you sign up for
• Consent — for marketing emails and any optional features you opt into
• Legitimate interests — to operate, secure, and improve the Services and to prevent fraud
• Legal obligation — to comply with applicable Florida and federal law

4. Third-party service providers

We share data with the following processors to operate the Services:

• Microsoft Azure — hosting, database (Azure SQL), email and SMS delivery (Azure Communication Services), and observability (Application Insights). Data resides in Azure's United States data centers.
• Anthropic, PBC — large-language-model API used for AI tool outputs (e.g., listing descriptions). Anthropic processes the prompts we send to generate output and retains data per Anthropic's Privacy Policy.
• Google reCAPTCHA — bot protection on signup, sign-in, password reset, and unsubscribe forms. Subject to Google's Privacy Policy and Terms of Service.
• Florida DBPR — we query public licensee data; DBPR is not a processor of your data, but the original source of your public license record.

We do not sell or rent personal information. We do not share member contact data with third parties for their own marketing purposes.

5. Cookies and tracking technologies

We use the following cookies:

• FlremaMember — authentication cookie set when you sign in. HttpOnly, Secure, SameSite=Lax, 30-day sliding expiration.
• .AspNetCore.Antiforgery.* — short-lived CSRF protection token used by all form submissions.
• ARRAffinity / ARRAffinitySameSite — set by Azure App Service for session continuity.
• reCAPTCHA cookies — set by Google for bot detection on form pages.

We do not use third-party advertising or cross-site tracking cookies.

6. Data retention

• Account data — retained while your account is active and for up to 90 days after deletion, except where longer retention is required by law or for legitimate operational purposes.
• Trademark-affirmation audit log — retained for at least six (6) years from the date of affirmation to support trademark-compliance defenses.
• AI tool inputs and outputs — retained for up to twelve (12) months for service-improvement and abuse-detection purposes, then deleted or de-identified.
• Email engagement (opens, clicks, bounces, complaints) — retained for up to twenty-four (24) months.
• Application logs and security telemetry — retained for ninety (90) days unless extended for an active investigation.
• DBPR licensee directory snapshot — refreshed weekly from public records; we retain only the most recent import.
• Phone verification codes — stored only as a short-lived hash; codes expire within minutes and used/expired records are pruned.
• Leads and prospect submissions — retained and made available to the receiving member for the life of that member's account, unless the lead or member requests earlier deletion.
• Trust-and-safety reports — retained as long as needed to investigate and as a record of the action taken.

7. Your rights and choices

You may:

• Access — view your profile and account data at any time via your account settings
• Correct — update your name, email, bio, NAR-affirmation status, and email preferences via your account settings
• Unsubscribe — opt out of marketing emails via the one-click unsubscribe link in every marketing message or via your account settings
• Delete — request deletion of your account by emailing info@flrema.org. We will remove your account within 30 days. Note that trademark-affirmation audit records and certain regulatory records are retained per the schedule in Section 6.
• Export — request a copy of your account data by emailing info@flrema.org

8. Florida-specific provisions

Florida Information Protection Act (FIPA) — Section 501.171, Florida Statutes. In the event of a security incident affecting personal information of Florida residents, we will provide notice as required by FIPA, including notice to affected individuals within 30 days of determination and, where required, notice to the Florida Department of Legal Affairs.

Florida Digital Bill of Rights — Section 501.71 et seq., Florida Statutes. The Florida Digital Bill of Rights generally applies to businesses meeting certain revenue or data-volume thresholds. FLREMA is below those thresholds and the statute does not apply to us at this time. We have nonetheless designed our practices to align with FDBR principles where reasonable.

9. Security

We implement administrative, technical, and physical safeguards including:

• Passwords stored as PBKDF2-SHA256 hashes with per-password salt and 100,000 iterations
• HTTPS / TLS 1.2+ for all client-server communication
• HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Content-Security-Policy headers
• Per-IP and per-member rate limiting on authentication, signup, and tool-generation endpoints
• Anti-forgery tokens on all state-changing forms
• Managed-identity authentication to Azure SQL (no database password in the application configuration)
• Secret values (API keys) stored in Azure Key Vault and accessed via managed identity
• Application-level logging of authentication events and security-relevant actions

No system is perfectly secure. We cannot guarantee absolute security of personal information, but we work to maintain a level of security appropriate to the sensitivity of the data we hold.

10. Children's privacy

The Services are intended for licensed Florida real estate professionals, who are adults. We do not knowingly collect personal information from children under 13. If you believe a child has provided information to FLREMA, please email info@flrema.org and we will delete it.

11. International users

FLREMA is operated from the United States and intended for Florida residents and license-holders. If you access the Services from outside the United States, you understand that your information will be processed in the United States.

11A. Notice to residents of other U.S. states

The Services are intended for Florida-licensed real estate professionals, and we expect substantially all members to be Florida residents. If you are a resident of another U.S. state that grants specific consumer-privacy rights (including without limitation California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Iowa, Montana, Tennessee, Delaware, Indiana, New Jersey, New Hampshire, Kentucky, or Minnesota), the protections below apply to you to the extent the corresponding statute would apply to FLREMA. FLREMA does not meet the revenue or data-volume thresholds of these statutes as of the "Last updated" date and the statutes likely do not legally apply to us; we nonetheless honor the substantive rights they grant as a matter of practice.

11A.1 Notice to California residents (CCPA / CPRA)

If you are a California resident, you may have the right to: (a) know what personal information we collect about you and how we use, disclose, and (if applicable) sell or share it; (b) request a copy of your personal information; (c) request correction of inaccurate personal information; (d) request deletion of your personal information, subject to legal exceptions; (e) opt out of any "sale" or "sharing" of personal information (FLREMA does not sell personal information and does not share it for cross-context behavioral advertising); (f) opt out of profiling that produces legal or similarly significant effects (we do not engage in such profiling); and (g) not be discriminated against for exercising these rights.

To exercise these rights, email privacy@flrema.org (alternate: info@flrema.org) with the subject "California Privacy Rights Request." We will verify your identity using the email and license-number information on file and respond within 45 days (extendable by an additional 45 days where reasonably necessary).

Categories of personal information collected in the past 12 months: identifiers (name, email, mobile phone number, license number, IP address), professional or employment-related information (Florida real estate license details), commercial/customer-records information for leads submitted through member tools (lead name, contact details, and property address), and internet activity information (cookies, session data). Sources: directly from you, from prospective clients who submit information through member features, from public DBPR records, and from automated logs.

FLREMA does not sell or share personal information and does not have a "Do Not Sell or Share My Personal Information" link because there is nothing to opt out of. If you have a Global Privacy Control (GPC) signal enabled, we honor it as an opt-out signal nonetheless.

11A.2 Notice to residents of Virginia, Colorado, Connecticut, Utah, and similar states

If you are a resident of a state with a comprehensive consumer-privacy law modeled on the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), or similar statutes, you may have rights to access, correct, delete, port, and opt out of certain processing of your personal data. To exercise these rights, contact privacy@flrema.org. We will verify and respond as required by your state's statute. FLREMA does not engage in "targeted advertising" or "sale" of personal data and does not conduct profiling that produces legal or similarly significant effects.

11A.3 Sensitive data; biometric data

FLREMA does not knowingly collect sensitive personal data as defined by state privacy statutes (precise geolocation, racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic data, biometric data processed for identification, or contents of mail/email/text messages). License-number data and government-issued identifiers are not used by FLREMA for purposes outside of license verification.

11A.4 Appeals

If we decline a privacy-rights request, you may appeal by replying to our response email. We will reconsider and respond within 60 days. If we maintain our decline, you may contact your state Attorney General as your statute may permit.

12. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the updated policy here and update the "Last updated" date. Material changes will be communicated by email to active members.

13. Contact us

For privacy questions, requests, or concerns:

Florida Real Estate Marketing Association, Inc.
37601 Burhans Road, Eustis, FL 32736
Email: info@flrema.org