Product
Features
Pricing
Schedule a Demo
Product
Features
Pricing
Book a Demo

Privacy Policy

Effective Date: April 15, 2026

Vestibule Inc., a Delaware company (“Vestibule,” “we,” “us,” or “our”), provides software tools for commercial property owners, landlords, property managers, tenants, and related users.

This Privacy Policy explains how we collect, use, disclose, and protect information when you visit our website, use the Vestibule platform, access a tenant portal, interact with our dashboards, tools, integrations, or related services, or otherwise communicate with us. This Privacy Policy is incorporated into and subject to our Terms of Service.

By using Vestibule, you acknowledge that you have read and understood this Privacy Policy.

1. Our Role in Handling Information

Vestibule handles information in two different capacities.

For information that customers and their authorized users submit to or generate in the platform — including property, lease, tenant, billing, payment, document, and operational data — Vestibule generally acts as a service provider or processor on behalf of the customer (the landlord, owner, property manager, or other organization that controls the account). The customer determines what information is collected and how it is used, and is responsible for providing any privacy notices and obtaining any consents required from its tenants, personnel, and other individuals.

For information we collect about our own website visitors, account holders, and prospective customers — such as account and contact details and technical and usage information — Vestibule acts as a business or controller. If your information was provided to Vestibule by a landlord, owner, property manager, employer, tenant entity, or other customer, you should generally direct privacy requests to that customer, and we will support them as required.

2. Information We Collect

We may collect information directly from you, from customers or authorized users, through your use of the Services, from third-party integrations, and from service providers.

Account and Contact Information

  • Name
  • Email address
  • Phone number
  • Company name
  • Job title or role
  • Account login credentials
  • User permissions and account settings
  • Communications with us

Customer, Property, Lease, and Tenant Information

The Vestibule platform may collect and store commercial property and lease-related information, including:

  • Property names and addresses
  • Building, unit, or suite information
  • Landlord, owner, property manager, and tenant entity names
  • Lease terms
  • Rent schedules
  • Security deposit information
  • Critical dates
  • Insurance requirements
  • Tenant deliverables
  • Lease expirations
  • Payment obligations
  • Late fees
  • Additional rent
  • Operating expense information
  • Tax reimbursement information
  • Invoices, charges, statements, and billing records
  • Tenant ledger information
  • Work order and service request information
  • Notes, communications, and related operational information

Documents and Uploaded Files

Users may upload or provide documents through the platform. These may include:

  • Leases
  • Lease amendments
  • Certificates of insurance
  • W-9 forms
  • Letters of credit
  • Security deposit records
  • Notices
  • Invoices
  • Service records
  • Work order materials
  • Other lease, tenant, property, billing, or operational documents

Payment-Related Information

If payment features are enabled, we may collect or process limited payment-related information, including:

  • Payment records
  • Transaction history
  • Amounts due
  • Amounts paid
  • Payment status
  • Payment method type
  • Related billing or invoice information
  • Payment processor identifiers or records

All payment processing and money movement is performed by one or more third-party payment processors, including Stripe, and not by Vestibule. Customers and tenants provide payment details directly to the payment processor. Vestibule does not collect, hold, or store full payment card numbers, bank account credentials, or similar payment details, and does not hold property-related funds for its own benefit. We may receive limited payment-related records from the processor, such as payment status, amounts, payment method type, and processor identifiers.

Technical and Usage Information

When you use our website or platform, we may automatically collect technical and usage information, including:

  • IP address
  • Browser type
  • Device type
  • Operating system
  • Referring URLs
  • Pages viewed
  • Features used
  • Login activity
  • Session activity
  • Date and time of access
  • Error logs
  • Usage analytics
  • Cookie and similar tracking data

3. Categories of Personal Information (California)

For California residents, the following describes the categories of personal information (as defined under the California Consumer Privacy Act, as amended) that we may have collected in the preceding 12 months, and the categories of third parties to whom we may disclose it for a business purpose. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

  • Identifiers — name, email, phone, account login, IP address. Collected: Yes. Disclosed to: service providers; legal/compliance; business transfers.
  • California customer records — contact details, billing and payment records. Collected: Yes. Disclosed to: service providers; legal/compliance; business transfers.
  • Commercial information — transaction and payment history, charges, invoices, amounts due and paid. Collected: Yes. Disclosed to: service providers (incl. payment processors).
  • Internet/network activity — usage data, device and browser info, cookies, log data. Collected: Yes. Disclosed to: service providers (incl. hosting, analytics).
  • Geolocation (approximate) — approximate location derived from IP address. Collected: Yes. Disclosed to: service providers.
  • Professional/employment information — company name, job title, role. Collected: Yes. Disclosed to: service providers; business transfers.
  • Sensitive personal information — account login credentials (username and password). Collected: Yes. Used only to provide and secure the Services; not sold or shared.
  • Other categories (protected classifications, biometric, sensory, education, inferences). Collected: No.

4. How We Use Information

We use information to provide, operate, maintain, secure, and improve Vestibule. We may use information to:

  • Create and manage accounts
  • Provide access to the platform and tenant portal
  • Manage user permissions
  • Display property, lease, tenant, billing, and payment information
  • Support invoice, charge, payment, and tenant ledger workflows
  • Support document storage and retrieval
  • Support service requests and work orders
  • Facilitate third-party integrations selected or enabled by customers
  • Support payment-related workflows
  • Provide customer support
  • Troubleshoot issues
  • Send administrative, transactional, security, and service-related communications
  • Monitor platform performance and security
  • Detect, prevent, and respond to fraud, misuse, security incidents, or technical issues
  • Improve our products, features, workflows, and user experience
  • Analyze usage trends
  • Comply with legal, regulatory, contractual, and payment processor requirements
  • Enforce our Terms of Service and other agreements

5. How We Share Information

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We may share information in the following circumstances.

With Customers and Authorized Users

Information may be shared within a customer account based on user roles, permissions, and platform settings. For example, ownership users, property management users, accounting users, administrative users, building staff, or tenant users may have access to different information depending on their authorized permissions.

Tenant users may access limited information made available through the tenant portal, such as charges, invoices, payment history, documents, notices, service requests, or work orders related to their account.

With Service Providers

We may share information with third-party service providers that help us operate and improve Vestibule, including:

  • Cloud hosting providers
  • Database and infrastructure providers
  • Payment processors
  • Email and communications providers
  • Analytics providers
  • Customer support tools
  • Security and fraud prevention providers
  • Document processing or storage providers
  • Software development and monitoring tools
  • Professional advisors

These service providers may access information only as needed to provide services to us or on our behalf, and are contractually restricted from using it for their own purposes.

With Payment Processors and Financial Partners

If payment features are used, information may be shared with payment processors, banks, financial institutions, payment networks, compliance providers, or related service providers as needed to process transactions, route payments, verify accounts, assess fees, manage refunds, handle disputes, address chargebacks, comply with law, or meet payment network and processor requirements.

With Third-Party Integrations

Customers may choose to connect Vestibule with third-party systems, tools, platforms, APIs, or integrations. When a customer enables an integration, information may be shared with or received from that third party as needed to provide the integration. Use of third-party integrations may be subject to the third party’s own terms and privacy policies.

For Legal, Compliance, and Safety Reasons

We may disclose information if we believe it is reasonably necessary to comply with applicable law, regulation, legal process, or governmental request; enforce our Terms of Service or other agreements; protect the rights, property, or safety of Vestibule, our users, customers, or others; detect, prevent, or address fraud, security issues, or misuse; resolve disputes; or respond to lawful requests from courts, regulators, law enforcement, or other authorities.

In Connection With a Business Transaction

We may disclose or transfer information in connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar business transaction involving Vestibule.

6. Aggregated and De-Identified Information

We may use aggregated, anonymized, or de-identified information for analytics, benchmarking, reporting, product development, security, research, and business purposes. We will not attempt to re-identify such information or use it in a way that is intended to identify a specific customer, tenant, property, lease, or individual user.

7. AI and Data Use

Some Vestibule features use artificial intelligence, machine learning, and automated processing to read, abstract, organize, analyze, and surface information from leases, documents, and other customer data, such as lease abstraction, anomaly detection, critical-date alerts, and plain-language search.

Where we use third-party artificial intelligence or machine-learning providers to deliver these features, we do so under enterprise or business agreements intended to protect customer data. Under those agreements, customer data is not used to train, fine-tune, or improve the providers’ general-purpose, foundation, or publicly available models, and is processed solely to provide the features to the customer.

Vestibule does not use customer-identifiable lease documents, payment data, tenant data, or other confidential customer data to train generalized or foundation AI models, except as disclosed to and permitted by the customer.

We may use aggregated, anonymized, or de-identified data for analytics, benchmarking, product development, reporting, and service improvement, provided the data does not identify a customer, tenant, property, lease, or individual user.

8. Cookies and Similar Technologies

We may use cookies, pixels, local storage, analytics tools, and similar technologies to operate our website and platform, remember preferences, understand usage, improve performance, detect security issues, and support analytics. You may be able to control cookies through your browser settings. Disabling cookies may affect the functionality of our website or platform.

Some browsers offer a “Do Not Track” signal or a Global Privacy Control (GPC) signal. Because we do not sell or share personal information or use it for cross-context behavioral advertising, our practices are consistent with these preference signals.

9. Data Retention

We retain information for as long as reasonably necessary to provide the Services, operate our business, comply with legal and contractual obligations, resolve disputes, enforce agreements, maintain security, and support customer accounts. The retention period may vary depending on the type of information, the customer agreement, legal requirements, payment processor requirements, operational needs, and whether an account remains active.

Customers should maintain their own copies of important legal, lease, payment, tenant, property, and business records.

10. Data Security

We use commercially reasonable administrative, technical, and organizational measures designed to protect information from unauthorized access, loss, misuse, disclosure, alteration, or destruction. However, no system is completely secure, and we cannot guarantee that unauthorized access, hacking, data loss, service interruptions, or security incidents will never occur.

Customers and users are responsible for maintaining the confidentiality of login credentials, managing user permissions, and using appropriate security practices.

11. Your Privacy Rights

Depending on where you are located and the laws that apply, you may have certain rights regarding your personal information. These may include the right to access personal information, correct inaccurate information, request deletion of certain information, object to or restrict certain processing, request a copy of certain information, and opt out of certain communications.

To make a request, contact us using the information below. We may need to verify your identity or authority before responding, and some rights are subject to exceptions and limitations under applicable law. Where required by law, we will not discriminate against you for exercising these rights.

Some information may be controlled by the customer that provides access to Vestibule. If your information is managed by a landlord, owner, property manager, employer, tenant entity, or other customer, we may direct your request to that customer.

12. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”), provides you with specific rights regarding your personal information, to the extent the CCPA applies to our processing of your information. The categories of personal information we collect, the sources, the purposes for use, and the categories of recipients are described in Sections 2 through 5 above.

Your California Rights

  • Right to know the categories and specific pieces of personal information we have collected about you
  • Right to delete personal information, subject to exceptions
  • Right to correct inaccurate personal information
  • Right to opt out of the sale or sharing of personal information
  • Right to limit the use and disclosure of sensitive personal information
  • Right to non-discrimination for exercising your rights

Sale, Sharing, and Sensitive Personal Information

We do not sell personal information and do not share personal information for cross-context behavioral advertising, and have not done so in the preceding 12 months. The sensitive personal information we collect (such as account login credentials) is used only for purposes permitted under the CCPA, such as providing and securing the Services, and not to infer characteristics. We do not use or disclose sensitive personal information for purposes that would give rise to the right to limit.

How to Exercise Your Rights

You may submit a request using the contact information in Section 19. We will verify your identity before responding, and an authorized agent may submit a request on your behalf with proof of authorization. We will respond within the timeframes required by applicable law.

Information We Process for Customers

Much of the information in the platform is processed on behalf of our customers as a service provider. If your information was submitted to Vestibule by a customer (for example, a landlord, property manager, or employer), please direct your request to that customer, and we will assist them as their service provider.


Other U.S. State Privacy Rights

Residents of other U.S. states that have enacted comprehensive privacy laws (such as Virginia, Colorado, Connecticut, Texas, and others) may have similar rights, including the rights to access, correct, delete, and obtain a copy of personal information, and to appeal a decision regarding a request. You may exercise these rights using the contact information below.

13. Communications

We may send administrative, transactional, security, and service-related communications, including account notices, payment-related notices, product updates, security alerts, support messages, and changes to our terms or policies. You may also receive communications from landlords, property owners, property managers, building staff, tenants, or other users through the platform.

If we send marketing communications, you may opt out where required by law. Even if you opt out of marketing communications, we may still send non-marketing communications related to your account or use of the Services.

14. Children’s Privacy

Vestibule is designed for commercial real estate and business use. The Services are not intended for children under 13, and we do not knowingly collect personal information from children under 13.

15. Business and Commercial Use

Vestibule is designed for commercial property owners, landlords, property managers, commercial tenants, and related business users. Tenant users are generally expected to be representatives of commercial tenant entities, such as employees, officers, finance contacts, office managers, administrators, or other authorized business users. Vestibule is not intended to be a residential consumer rent-payment platform.

16. International Users

Vestibule is operated from the United States. If you access or use the Services from outside the United States, you understand that your information may be processed, stored, and transferred in the United States or other locations where our service providers operate.

17. Third-Party Websites and Services

Our website or platform may contain links to third-party websites, services, tools, or integrations. We are not responsible for the privacy practices, security, content, or policies of third parties. Your use of third-party services is subject to their own terms and privacy policies.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we may provide notice by posting the updated Privacy Policy on our website, through the Services, by email, or by another reasonable method. Your continued use of the Services after an updated Privacy Policy becomes effective means you acknowledge the updated Privacy Policy.

19. Contact Us

Questions about this Privacy Policy, or requests to exercise your privacy rights, may be directed to:

Vestibule Inc. | Email: privacy@vestibule.com | Website: vestibule.com