Privacy Policy
Last updated: 2026-05-23
Capture Lab is a commercial real-estate prospecting platform. The product has two surfaces: a web dashboard at app.capture-lab.net and a Chrome extension that pulls authenticated data from industry sources (LinkedIn, CoStar, Reonomy, LoopNet) under each broker’s own logged-in session. This page explains what each surface collects, where data goes, and how brokers control it.
What we collect
- LinkedIn voyager-API responses.When a broker clicks “Search LinkedIn” on a prospect, the extension reads the broker’s own LinkedIn
JSESSIONIDcookie, authenticates against LinkedIn’s voyager API, and forwards the search results to our backend. We do not read passwords, DMs, private posts, or pages outside the host-permission allowlist declared in the extension manifest. - CoStar / Reonomy / LoopNet page content.When a broker requests a property scrape, the extension opens a background tab in the broker’s authenticated session, extracts the visible text we need (lease + ownership + listing details), and discards the rest. No screenshots, no full DOM, no off-page assets.
- User account. Name + email collected at sign-up via Clerk (our auth provider). Linked to a tenant (your firm).
- CRM data you upload.Companies, contacts, deals, notes, signals — anything you import via the onboarding wizard or add inside the app. Scoped to your firm’s tenant; never visible to other tenants.
What we don’t collect
- LinkedIn passwords (we read cookies, never credentials).
- LinkedIn DMs, private posts, or your non-public connections list beyond what voyager returns for the specific endpoints we call.
- Any web page outside the host-permission allowlist (linkedin.com, costar.com, reonomy.com, loopnet.com, and the Capture Lab api hosts).
Where the data goes
- Capture Lab Postgres database (Railway, US region), scoped to your tenant. Encrypted in transit; we are tracking at-rest encryption of OAuth tokens as a pre-public requirement (issue CAP-27).
- Anthropic API for LLM-driven analysis (deal briefs, signal extraction). Anthropic acts as a data processor under their data-processing addendum.
- Clerk handles authentication (name, email, sign-in events).
- No advertising networks. No analytics SDKs that resell data. No third-party sharing beyond the processors above.
Your control
- Uninstall the extension at any time from
chrome://extensions. Cookie access stops immediately. - Delete your account by emailing support@capture-lab.net. We remove all rows tied to your user within 30 days, including LinkedIn-graph edges, CRM imports, and audit logs.
- Per-feature consent. LinkedIn connection sync is opt-in (Settings → Connections) and shows a ToS-implication notice before enabling.
Retention
- LinkedIn-graph edges: 90 days from
last_seen_at(pruned weekly). - CRM data + prospects: as long as you keep your account, plus 30 days after deletion for backups.
- Audit logs (ownership / invitation changes): 1 year.
Contact
Questions, deletion requests, or security reports: support@capture-lab.net.