Privacy & security
How Listings Studio handles, protects, and respects your data.
Data we collect
We only collect what is necessary to provide the service. Here is exactly what we store:
- Profile information — your name, company name, phone number, location, and tagline. All entered by you and editable at any time from your profile.
- Listing drafts — AI-generated copy (title, subtitle, intro, description, highlights, location story, buyer angle, CTA), your uploaded media files, layout and style selections, and property details (type, intent, price, bedrooms, bathrooms, area).
- Usage metrics — aggregate page views on your published listings, WhatsApp CTA tap counts, and activity events (listing created, published, edited, shared). These power your Insights dashboard.
- Session and authentication data — login tokens for keeping you signed in. Passwords are never stored in plain text.
- Device preferences — your selected theme (light/dark), notification settings, and WhatsApp-ready CTA toggle. These are stored locally on your device.
Data we do not collect
- Buyer or visitor personal information — the WhatsApp CTA connects buyers directly to your phone. We never see, intercept, or store their messages or contact details.
- Browsing history or cross-site tracking — we do not use third-party trackers, advertising pixels, or browser fingerprinting on any of our pages.
- Visitor IP addresses — the city and country shown in your Studio analytics are resolved at request time from edge headers; the raw IP is discarded and never persisted.
- Financial details — plan upgrades and payments are handled by our payment processor. Your card number never touches our servers.
- Precise device location — we do not request GPS or geolocation permissions. The location field in your listings is text you type manually.
AI processing
- Listing copy is generated server-side using Groq (LLaMA 3.3 70B). Your property details, rough notes, and media summary are sent to the AI only during generation.
- Groq does not retain your data after the response is returned. Your content is not used to train or fine-tune any AI model.
- AI output is validated through strict Zod schemas before it reaches your listing page. Any HTML tags, scripts, or markup in the AI response are automatically rejected — not sanitised, rejected entirely.
- If the AI returns invalid output, we automatically retry once with a repair prompt. If it fails a second time, the request is rejected and you are notified.
- AI fair-use limits are enforced per plan (e.g. 5 full generations on Trial, 40 on Pro). When limits are reached, manual editing remains fully available.
Security measures
- All connections between your device and our servers are encrypted with HTTPS/TLS. There is no fallback to unencrypted HTTP.
- API keys and secrets (including the Groq API key) are stored server-side only and never exposed to the browser. The AI client module explicitly imports 'server-only' to prevent accidental bundling.
- Every piece of user input is validated through Zod schemas with strict length limits and content rules. The safeText validator rejects any string containing < or > characters to block HTML injection at the schema level.
- AI generation endpoints are rate-limited to 6 requests per minute per IP address to prevent abuse.
- The listing renderer whitelists all layout recipe IDs, hero variants, gallery variants, and section types. Any ID not in the approved set is silently dropped — unknown values can never reach the rendered page.
- No use of dangerouslySetInnerHTML anywhere in the application. All text content is rendered through React JSX, which escapes special characters by default.
- Public listing pages sanitise all rendered content to prevent cross-site scripting (XSS). Content is always treated as plain text, never as HTML.
Your published listings
- Public listing pages are accessible at /p/your-slug to anyone with the link. They are not indexed by search engines by default.
- Published pages display the property details, media, and broker contact information you have chosen to include. Nothing is shown that you did not provide.
- The broker card on public pages shows your name, company, tagline, and WhatsApp number — all fields you control from your profile and listing editor.
- You can unpublish a listing at any time from the editor, which removes it from public access immediately. You can also delete it entirely.
- Every public listing page includes a 'Powered by Listings Studio' footer. This is non-removable across all plans.
Visitor analytics on public listings
When someone opens a published listing at /p/your-slug, we record a small set of signals so brokers on the Studio plan can see how their listings perform. The trust contract with your buyers is deliberate and narrow:
- What is captured — a pseudonymous browser cookie (ls-visitor), a city + country derived at request time from edge headers, a device type (mobile / tablet / desktop), the operating system family (iOS / Android / etc.), and the source the visitor arrived from (UTM tag or referring site).
- What is recorded for engagement — page views, WhatsApp CTA taps, save toggles, scroll milestones (25 / 50 / 75 / 100 %), gallery photo positions that came into view, and time spent in each section. All keyed only on the anonymous cookie.
- What is never captured — the visitor's name, email, phone, IP address (used briefly for city lookup, then discarded), full URLs they came from, free-form text, GPS, or any cross-site identifier.
- The cookie — HttpOnly, 90-day expiry, set only on /p/* pages, contains a random UUID and nothing else. JavaScript on the page cannot read it. Cookies blocked? The page still works; the visitor simply doesn't contribute to returning-visitor stats.
- Saves — when a visitor taps the heart on a public listing, the saved state is stored on their device (localStorage) and the broker sees an aggregated count. No identity is ever attached.
- Access — analytics are visible only to the broker who owns the listing, gated server-side by row-level security. We never share or sell viewer data, and there are no third-party trackers on the public showcase.
Local storage on your device
- Listing drafts are stored in your browser's localStorage under the key listings-studio:drafts:v1. A maximum of 24 drafts are retained — older drafts are automatically removed when the cap is reached.
- Theme preference, notification settings, and other UI state are stored locally and never sent to our servers.
- On public listing pages, the heart-save state is stored under ls-saved:<slug> keys so the visitor sees their saved listings on return visits. These keys live only on their device.
- Clearing your browser cache or using a different device will remove locally-stored drafts and saved-listing markers. Published listings are stored on our servers and are not affected.
- Media uploaded during listing creation uses temporary blob URLs that are lost on page refresh. Published media is persisted server-side.
Third-party sharing
- We do not sell, rent, or trade your personal data or listing content to any third party.
- Your listing content is not shared with or used by any AI training pipeline, data broker, or advertising network.
- The only third-party service that receives your data is Groq (for AI generation), and only the specific property details needed for that generation request. Groq does not retain this data.
- WhatsApp links on your listing pages open the buyer's own WhatsApp app — the conversation happens entirely within WhatsApp, not through our platform.
Data retention
- Active listings and their associated data are retained as long as your account is active.
- Deleted listings are removed from public access immediately. Associated data may be retained in backups for up to 30 days before permanent deletion.
- If your trial expires without upgrading, your existing listings remain accessible but you cannot create new ones or use AI generation until you upgrade.
- Inactive accounts (no login for 12 months) may be flagged for review. We will notify you by email before taking any action.
Your rights
- Access — you can view all data we hold about you from your profile and listings pages at any time.
- Edit — you can update your profile information, listing content, and preferences at any time.
- Delete — you can delete individual listings from the editor, or delete your entire account and all associated data yourself from Profile → Account → Delete account.
- Export — you can copy your listing links and share them freely. Full data export is available on request.
- Withdraw consent — you can stop using the service at any time. Deleting your account removes your data as described above.
Account & data deletion
You can delete individual listings from the listing editor at any time. To permanently delete your account — including your profile, all listings, media, and analytics data — go to Profile → Account → Delete account. Deletion takes effect immediately and is irreversible; residual copies in backups age out within 30 days. If you have an active paid subscription, cancel it first so no further charges can occur. Prefer we handle it, or can no longer sign in? Email support@listings-studio.com and we will process the request within 7 business days and confirm once complete.
Changes to this policy
We may update this page as the product evolves. Material changes will be communicated via email or an in-app notification. Continued use of Listings Studio after changes constitutes acceptance of the updated policy.
Last updated · May 2026