Phantom Logo
PHANTOM

Privacy Policy

Effective Date: March 8, 2026

1. Introduction

Phantom ("we," "us," or "our") provides an AI-powered email and communications platform designed for real estate professionals. This Privacy Policy explains how we collect, use, store, and share your information when you use our website, application, and related services (collectively, the "Service").

By creating an account or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored securely via Firebase Authentication; we never store plaintext passwords)
  • Phone number (optional)
  • Brokerage or company name (optional)

2.2 Gmail Data

If you choose to connect your Gmail account, we request access to your email through Google's OAuth 2.0 authorization flow. We request the following permissions (scopes):

  • Read-only access to your Gmail messages (gmail.readonly) — to fetch your inbox and sent emails for analysis and inbox management features.
  • Send email on your behalf (gmail.send) — to send emails you compose or approve through the Service.
  • View your email address (userinfo.email) — to identify your connected Google account.

When connected, we access and process:

  • Email message content (subject lines, body text, sender and recipient addresses, dates)
  • Email metadata (message IDs, thread IDs, labels)
  • Sent email history (up to the past year) for writing style analysis

We store your Gmail OAuth tokens (access token and refresh token) securely on our servers to maintain your connection. We do not store the full content of your emails long-term — emails are processed in real time and only derived data (such as writing style metrics and pending response drafts) is persisted.

2.3 Writing Style Data

When you enable writing style analysis, we analyze your sent emails to extract patterns including:

  • Formality, warmth, and brevity scores
  • Preferred greetings and sign-offs
  • Common phrases
  • Average word count and sentence length

These aggregated metrics are stored in your account to personalize AI-generated communications. Individual email content is not retained after analysis.

2.4 CRM and Lead Data

The Service allows you to manage contacts and leads. Data you enter or that is derived from your email communications may include:

  • Contact names, email addresses, and phone numbers
  • Lead status, source, score, and tags
  • Notes and activity history

2.5 SMS Data

If you use our SMS features, we collect and process phone numbers you provide for your contacts and the content of text messages you compose or approve for sending through the Service.

2.6 Usage Data

We automatically collect standard usage information such as browser type, device information, pages visited, and interaction timestamps to improve the Service.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Connect to your Gmail account and facilitate email reading and sending
  • Analyze your writing style to personalize AI-generated emails and messages
  • Classify incoming emails and generate suggested responses
  • Enrich communications with relevant real estate market data
  • Send SMS messages on your behalf through our messaging partners
  • Provide customer support
  • Comply with legal obligations

4. Third-Party Services and Data Sharing

We share your information with the following categories of third-party service providers, solely to operate and deliver the Service:

4.1 Google (Firebase & Gmail API)

We use Google Firebase for authentication and data storage, and the Gmail API to access your email. Your use of these features is also subject to Google's Privacy Policy. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4.2 Anthropic (AI Processing)

We use Anthropic's Claude AI to power email generation, classification, and response suggestions. When using these features, the following data may be sent to Anthropic for processing:

  • Your writing style profile (aggregated metrics, not raw emails)
  • Your name, email, and brokerage (for personalization)
  • Lead or contact information relevant to the communication
  • Incoming email content (for classification and reply generation)

Anthropic processes this data according to their Privacy Policy. Data sent to Anthropic's API is not used to train their models.

4.3 Resend (Email Delivery)

We use Resend as a transactional email service for certain system communications. Recipient email addresses and message content are shared with Resend for delivery purposes.

4.4 Twilio (SMS Delivery)

We use Twilio to send SMS messages on your behalf. Recipient phone numbers and message content are shared with Twilio for delivery. Twilio's use of this data is governed by Twilio's Privacy Policy.

4.5 No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes.

5. Google API Services — Limited Use Disclosure

Phantom's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use access to Gmail data to provide and improve user-facing features of the Service.
  • We do not use Gmail data for advertising or to serve ads.
  • We do not allow humans to read your email content unless you have given affirmative consent for specific messages, it is required for security purposes, or it is required by law.
  • We do not transfer Gmail data to third parties except as necessary to provide the Service, as required by law, or with your explicit consent.

6. Data Storage and Security

Your data is stored using Google Cloud Firestore, which provides encryption at rest and in transit. We implement industry-standard security measures including:

  • Secure, HTTP-only session cookies for authentication
  • Server-side storage of OAuth tokens (never exposed to the client)
  • HTTPS encryption for all data in transit
  • Firebase Security Rules to restrict data access

While we take reasonable measures to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your data as follows:

  • Account data: Retained for as long as your account is active. Upon account deletion, your data is removed within 30 days.
  • Gmail tokens: Stored while your Gmail account is connected. Tokens are revoked and deleted when you disconnect your Gmail account.
  • Writing style data: Retained while your account is active, even if you disconnect Gmail, so your personalization preferences are preserved.
  • Pending responses and drafts: Retained until sent, cleared by you, or your account is deleted.

8. Your Rights and Choices

You have the following rights regarding your data:

  • Disconnect Gmail: You can disconnect your Gmail account at any time from your account settings. This revokes our access and deletes stored tokens.
  • Revoke Google access: You can revoke Phantom's access to your Google account at any time via your Google Account permissions.
  • Delete your account: You may request deletion of your account and all associated data by contacting us.
  • Access and portability: You may request a copy of your personal data by contacting us.
  • Correction: You can update your profile information at any time through your account settings.

If you are located in the European Economic Area (EEA), you may also have the right to lodge a complaint with your local data protection authority.

9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Effective Date" at the top of this page. If we make material changes, we will notify you by email or through the Service. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Phantom
Email: privacy@sharetech.dev

Back to sign in