FrameX — Privacy Policy

1. Who We Are

FrameX is a real estate photography platform operated by Establish Properties LLC, a Tennessee limited liability company doing business as FrameX (“FrameX,” “we,” “us,” or “our”). Through the FrameX platform, we connect real estate agents, brokers, and property owners with professional photographers and editors to produce listing media, including photographs, floorplans, and virtual tours.

This Privacy Policy describes how FrameX collects, uses, shares, and protects personal information in connection with our website (framex.media), customer and contractor portals, mobile-accessible pages, and related services (collectively, the “Services”). It applies to everyone who interacts with the Services, including customers, photographers, editors, administrators, and visitors.

If you have questions about this Policy or our privacy practices, you can reach us at privacy@framex.media. Full contact details are in Section 12.

Relationship to our Terms. This Privacy Policy works together with our Terms & Conditions. The Terms govern your use of the Services; this Policy explains what happens to your data while you use them.

2. Information We Collect

We collect information in three ways: what you give us, what you upload, and what is automatically captured when you use the Services.

2.1 Account & Profile Information

When you create an account or place an order, we collect information you provide directly, including:

Identity and contact: name, email address, phone number.
Role and affiliation: account role (customer, photographer, editor, admin) and, for real estate customers, brokerage affiliation.
Property information: addresses of the properties you order photography for, access instructions (lockbox codes, gate codes, on-site meeting arrangements), and any notes you add to an Order.
Authentication credentials: a password you create, which we store as a salted, one-way hash — never in plain text.
Contractor information: for photographers and editors, additional details needed to run the engagement, including home base address (for mileage calculation), tax identification information collected through our payout processor, and payout account details (held by PayPal, not by FrameX).

2.2 Transactional & Payment Information

Order history: the Services you order, scheduling details, delivery status, and communications related to an Order.
Payment information: full card numbers and banking credentials are collected and processed directly by Stripe, our payment processor, and are not stored on FrameX systems. FrameX stores only the last four digits of a card, the card brand (e.g., Visa, Mastercard), the expiration month/year, a Stripe customer identifier, and transaction records (amounts, timestamps, refund status).
Contractor payouts: amounts paid, dates paid, and a PayPal payout identifier. Bank-account details used for payouts are held by PayPal.

2.3 Uploaded Content

Photographs and video: raw images captured by photographers, edited deliverables, watermarked previews, 3D tours, and floorplans.
Photo metadata (EXIF): most camera files contain embedded metadata such as camera model, shutter settings, timestamp, and — if the device has GPS enabled — geographic coordinates where the photo was taken. We do not strip this metadata by default. See Section 5 for more on photo-specific practices.
Customer assets: brand assets you choose to upload (e.g., logos, headshots) used on listing pages and delivery galleries.

2.4 Automatically Collected Information

When you use the Services, our servers and infrastructure automatically record:

Request logs: IP address, HTTP method, URL path, response status, user agent string, and timestamp. These logs are used for security, debugging, and abuse prevention.
Device and browser information: browser type and version, operating system, screen size, and language preference, as reported by your browser.
Session data: a JSON Web Token (JWT) that identifies your logged-in session. The token is stored in your browser’s localStorage and sent with each API request to authenticate you.
Error and diagnostic data: when the application encounters an error, we capture a stack trace and limited contextual information (user identifier, URL, browser) in our error-tracking system, Sentry, so we can diagnose and fix problems.

3. How We Use It

We use the information described above for the following purposes:

Providing the Services. Creating and managing your account, matching you with a photographer or editor, scheduling shoots, routing files through the editing pipeline, generating listing pages, and delivering final photos.
Processing payments and payouts. Charging customers for Orders through Stripe, issuing refunds when warranted, and paying contractors through PayPal. We share only the information each processor needs to run the transaction.
Communicating with you. Sending transactional messages (order confirmations, delivery notifications, receipts, password resets, schedule reminders) and responding to support inquiries. Marketing communications are only sent to customers who have an account with us or have opted in; you can opt out of marketing messages at any time.
Security, fraud prevention, and abuse mitigation. Detecting unauthorized access, preventing payment fraud, enforcing rate limits, investigating suspected violations of our Terms, and protecting the safety of FrameX users and contractors.
Legal and regulatory compliance. Meeting our obligations under applicable law, responding to lawful subpoenas, court orders, or government requests, and retaining records required for tax or accounting purposes.
Quality assurance and service improvement. Analyzing errors, monitoring performance, training our team on edge cases, and improving the Services. Where feasible we use de-identified or aggregated data for these purposes.
Enforcing the Photo License. Verifying that photographs are used only within the license granted in our Terms & Conditions, Section 5.

We do not sell personal information, and we do not share personal information with third parties for their own independent marketing.

4. Who We Share It With

To run the Services, we share specific data with specific service providers. Each provider processes data under its own privacy policy, which is linked below. We share only what each provider needs to perform its function, and we do not authorize any provider to use your data for its own marketing.

Provider	Purpose	Data Handled	Privacy Policy
Stripe	Customer payment processing	Name, email, billing address, full card or bank details entered in Stripe’s payment fields, transaction amounts	stripe.com/privacy
PayPal	Contractor payouts	Contractor name, email, payout amounts, PayPal account identifier, tax-related identifiers	paypal.com/us/legalhub/privacy-full
Amazon Web Services (AWS)	Application hosting, database, file storage, email delivery, and supporting infrastructure in the us-east-1 and us-east-2 regions	All application data stored at rest, including account records, orders, uploaded photos, request logs, and transactional emails sent via Amazon SES	aws.amazon.com/privacy
CubiCasa	Generating floorplans when a customer has selected a floorplan add-on	Property address and the scan or photo data submitted for floorplan generation	cubicasa.com/privacy-policy
Spark / MLS	Pushing photos and listing metadata to a local MLS (Multiple Listing Service) via the Spark API, when the customer uses the Push to MLS feature	Agent identifier, MLS listing identifier, property address, photo files, photo captions and ordering, and push-status responses	sparkplatform.com/docs/terms
Sentry	Application error tracking and diagnostics	Error stack traces, URL path, user identifier (not password), browser and OS version; we configure Sentry to filter sensitive values where feasible	sentry.io/privacy
Twilio	SMS delivery for transactional notifications (e.g., shoot reminders) when a customer has provided a phone number and SMS is used as a fallback channel	Phone number, message body, delivery status	twilio.com/legal/privacy

4.1 Other Disclosures

Contractors assigned to your Order. The photographer and editor assigned to an Order can see the information needed to perform the work: property address, access instructions, scheduling notes, and the photos themselves. Contractors are bound by confidentiality obligations under their engagement agreements with FrameX.
Professional advisors. We may share information with our attorneys, accountants, or auditors when reasonably necessary and subject to appropriate confidentiality obligations.
Law enforcement and legal process. We may disclose information in response to a valid subpoena, court order, or other lawful request, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of FrameX, our users, or the public.
Business transfers. If FrameX is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction. We will require any successor to honor the material commitments in this Policy or provide notice before changing them.

    We do not sell personal information for money or other valuable consideration, and we do not share personal information with third parties for their own independent advertising or marketing purposes.
  

5. Photo Content Specifics

Real estate photography carries privacy considerations that deserve to be called out directly rather than buried in boilerplate.

5.1 Embedded Location Data (EXIF GPS)

Many cameras and phones write latitude, longitude, and altitude into every photo they capture. Unless the photographer has disabled GPS tagging, the raw files uploaded to FrameX and, in many cases, the edited deliverables we return to you may contain coordinates that correspond to the exact position from which each photo was taken. For real estate photos this typically corresponds to the property itself or a street in front of it — the property address is already public through the listing, but you should be aware that this metadata exists.

If you are concerned about EXIF data in a specific Order, contact privacy@framex.media and we will strip location metadata from the deliverables on request.

5.2 Incidental Images of People

Real estate photos sometimes incidentally capture occupants, children, neighbors, or their personal belongings. Photographers are instructed to schedule shoots when the property is unoccupied when possible and to use standard post-production techniques to remove or obscure personal items when practical. You are responsible for ensuring the photographer has lawful access and that any individuals likely to appear in photographs have been informed of the shoot as your state and local laws require.

5.3 Customer Control Over Deletion

You may request deletion of Orders and their associated photos at any time by contacting privacy@framex.media. On request, we will:

Soft-delete your Order record in the application database (marking it as deleted so it no longer appears in portals or active queries);
Remove the associated edited and delivered photo files from active storage within a commercially reasonable time; and
Remove your customer record from active use on request, subject to the retention exceptions in Section 6.

Some information may remain in routine backups for the retention windows described in Section 6, and we may retain the minimum information required for tax, accounting, and fraud-prevention purposes.

5.4 Raw Files and the Photo License

Raw unedited photo files are retained by FrameX and are not normally delivered to customers. Our Terms & Conditions, Section 5, govern ownership and licensing of delivered photos; this Policy governs how we handle the data itself.

6. Retention

We keep personal information only as long as we need it for the purposes described in this Policy, or as long as required by law. The table below is a conservative description of our current practices; it is not a contractual commitment to any specific retention period.

6.1 Account Records

Active accounts are retained while the account remains in use.
Accounts closed at your request are soft-deleted promptly and purged from active systems within a commercially reasonable time, subject to the exceptions below.

6.2 Orders and Transactions

Order records, transaction records, and payment identifiers are retained for as long as is reasonably necessary to run the business, meet our tax and accounting obligations, resolve disputes, and enforce our agreements. Seven years is a common baseline for financial records and we generally plan to meet or exceed it.
Payment details stored by Stripe and payout details stored by PayPal are retained according to those providers’ own policies.

6.3 Photos and Deliverables

Raw photo files uploaded by photographers are retained indefinitely in our archival storage unless we are asked to delete them or determine they are no longer needed. Archival storage is designed for durability and low access frequency.
Edited and delivered photo files are retained indefinitely so you can re-download them from your delivery gallery after the Order is closed, subject to requested deletions and the license remaining in force.
Customer-generated download packages (zip files created when you request a bulk download) are purged automatically on a short lifecycle of approximately fourteen (14) days to free storage.

6.4 Logs and Diagnostic Data

Application request logs and error records are retained for operational windows measured in days to weeks. They are not used for marketing and are purged automatically when their retention window ends.
Database automated backups follow a rolling approximately seven (7) day retention window. A deletion request will remove your data from active systems quickly, but a copy may persist in backups until those backups age out of the window.

6.5 Legal and Safety Holds

We may retain specific records longer than the windows above when we reasonably believe they are needed to comply with a legal obligation, respond to a dispute, defend a claim, or protect the safety of users, contractors, or the public. In those cases, we limit access to the held records and delete them when the purpose is satisfied.

7. Security

We take reasonable and appropriate measures to protect personal information against loss, misuse, and unauthorized access, alteration, or disclosure, including:

Encryption in transit: all traffic between your browser and our servers is encrypted with modern TLS. We force HTTPS on our production hostnames and we do not issue authenticated cookies or tokens over plaintext connections.
Encryption at rest: database storage, S3 object storage, and secrets storage are configured with encryption at rest using AWS-managed encryption keys.
Access controls: application roles (customer, photographer, editor, admin) restrict what each user can see and do. Contractors can access only the Orders assigned to them. Administrative access to our AWS infrastructure is limited to the FrameX operations team and is protected by multi-factor authentication.
Password handling: passwords are stored only as salted, one-way hashes. We never store, log, or email your password in plain text. Session tokens use short-lived, signed JWTs.
Secret management: API credentials for our third-party processors are stored in AWS Secrets Manager and are not committed to source control.
Monitoring: we use automated error tracking, access logs, and alerting to detect unusual activity.

No system is perfectly secure. We cannot guarantee absolute security, and no method of transmission or storage is completely immune to compromise. If you become aware of unauthorized access to your account or any security concern, please contact us immediately at privacy@framex.media.

8. Your Rights

8.1 Rights Available to All Users

Regardless of where you live, you can ask us to:

Access the personal information we hold about you and receive a description of how it is used;
Correct information that is inaccurate or incomplete;
Delete your account and associated personal information, subject to the retention exceptions in Section 6;
Export a copy of the personal information you have provided in a portable format;
Opt out of marketing communications at any time by using the unsubscribe link in any marketing email or by emailing us. Opting out of marketing does not stop transactional messages required to run your Orders.

To exercise any of these rights, email privacy@framex.media from the address on your account, or contact us as described in Section 12. We may need to verify your identity before acting on a request. We aim to respond within thirty (30) days; complex requests may take longer and we will let you know if that is the case.

8.2 California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), gives you specific rights in addition to those above:

Right to know what categories of personal information we have collected about you in the preceding twelve (12) months, the categories of sources, the business purpose for collection, and the categories of third parties with whom we have shared it. Those categories are described in Sections 2, 3, and 4 of this Policy.
Right to delete personal information we have collected from you, subject to statutory exceptions.
Right to correct inaccurate personal information.
Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising. FrameX does not sell personal information and does not share personal information for cross-context behavioral advertising. There is therefore no opt-out mechanism to activate today; if this ever changes, we will update this Policy and provide a clear opt-out before any such sharing begins.
Right to limit use and disclosure of sensitive personal information. We do not use sensitive personal information for purposes that would trigger this right.
Right to non-discrimination. We will not deny you service, charge different prices, or provide a different level of service because you exercise your privacy rights.

To exercise your California rights, email privacy@framex.media. You may designate an authorized agent to submit a request on your behalf; we will require reasonable proof of the designation and of your identity before acting on an agent-submitted request.

8.3 European Economic Area, United Kingdom, and Switzerland Residents

FrameX is based in the United States and is primarily directed at customers located in the United States. We do not actively market the Services to residents of the European Economic Area, the United Kingdom, or Switzerland. Nonetheless, if you are located in one of those regions and interact with the Services, the General Data Protection Regulation (GDPR) or its UK equivalent may apply. To the extent it does, you have rights of access, rectification, erasure, restriction of processing, objection to processing, and data portability, and the right to lodge a complaint with your local supervisory authority. To exercise any of these rights, contact us at privacy@framex.media. Please note that fulfilling a request may require us to transfer data to the United States; by using the Services you consent to that transfer.

9. Children’s Privacy

FrameX is a business-to-business real estate service and is not intended for or directed to children under the age of thirteen (13). We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child has provided personal information to us, please contact privacy@framex.media and we will delete the information in accordance with the Children’s Online Privacy Protection Act (COPPA) and applicable state laws.

Because real estate photographs may incidentally capture minors who reside at a photographed property, the practices described in Section 5.2 apply and we will honor deletion requests from a parent, guardian, or the property’s owner of record.

10. Cookies & Tracking

FrameX does not currently deploy third-party analytics cookies, advertising cookies, or tracking pixels (such as Google Analytics, Meta Pixel, TikTok Pixel, or similar). We do not use cross-site tracking, and we do not participate in advertising networks.

We do use the following essential mechanisms, without which the Services cannot function:

Session tokens in localStorage. After you sign in, your browser stores a JSON Web Token (JWT) and limited profile information (your user identifier, name, and role) in localStorage. This is how we keep you signed in across page loads. Clearing your browser storage will sign you out.
Short-lived, first-party cookies set by our content-delivery network and hosting infrastructure for load balancing, security, and fraud prevention.

If we add analytics or marketing cookies in the future, we will update this Policy before those cookies begin collecting data, we will provide a cookie notice on our site, and — where required — we will implement a consent mechanism that complies with applicable law.

Most browsers let you block or delete cookies and local storage. Doing so will generally require you to sign in again and may disable portions of the Services.

11. Data Breach Notification

If we determine that a security incident has resulted in the unauthorized access, acquisition, disclosure, or loss of personal information, we will notify affected users and, where required, regulators. We will provide notice without unreasonable delay and in any event within seventy-two (72) hours of confirming the incident, or within the shorter window required by applicable law.

Notifications will describe, to the extent then known: the nature of the incident, the categories and approximate number of individuals and records affected, the steps we have taken to contain and remediate the incident, and the steps you can take to protect yourself. Notices will generally be delivered by email to the address on your account and, where applicable, by a notice posted on the Services.

12. Contact

For privacy questions, rights requests, or reports of a possible security issue, contact us:

Email: privacy@framex.media
Entity: Establish Properties LLC (d/b/a FrameX)
Mailing address: FrameX Media, 327 N Parkway, Jackson, TN 38305, United States
Website: framex.media

For questions unrelated to privacy, please use support@framex.media.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, new features, or legal requirements. When we do, we will update the “Last Updated” date at the top of this page. For material changes — for example, adding analytics tracking, beginning to share personal information with a new category of recipient, or changing how long we retain photos — we will also provide prominent notice through the Services or by email to the address on your account before the change takes effect.

Your continued use of the Services after an updated Policy takes effect constitutes your acceptance of the updated Policy. If you do not agree with a change, you may close your account and contact us to request deletion of your information as described in Section 8.

    Disclaimer. This Privacy Policy is comprehensive but is not legal advice. Consult a Tennessee attorney before relying on it in any legal matter.
  