redIQ Privacy Policy

Effective Date: January 1, 2020

IMPORTANT NOTICE [Download PDF Version]

This Privacy Policy (the “Policy”) governs the collection, use and management of Personal Information by redIQ LLC (“redIQ,” “we”, “us” or “our”), including through redIQ.com, redIQ.io and other websites where this Policy is posted (individually and collectively, the “Site”), and in the course of performing our business services (collectively our “Services”).

The Policy explains what Personal Information we collect, why we collect it, how we use it internally and under what circumstances we may share it with third parties. THIS POLICY AND OUR COLLECTION, USE AND RETENTION OF PERSONAL INFORMATION IS AT ALL TIMES SUBJECT TO ALL OF OUR OTHER LEGAL, CONTRACTUAL, REGULATORY, RECORD RETENTION AND OTHER COMPLIANCE REQUIREMENTS AND OBLIGATIONS APPLICABLE TO OUR BUSINESS AND SHALL NOT ACT TO AMEND OR MODIFY ANY OF THOSE REQUIREMENTS AND OBLIGTIONS. The Policy also explains how we protect your Personal Information and your choices in managing it.

We encourage you to read this Policy, as well as our Terms and Conditions of Use of this Site (“Terms”), which are incorporated herein by reference. YOUR CLICK-WRAP ACCEPTANCE OR USE OF THIS SITE CONSTITUTES YOUR ACCEPTANCE OF THIS POLICY AND THE TERMS.

Minimum Age to Use this Site

THIS SITE IS INTENDED FOR USERS AGE EIGHTEEN (18) AND OLDER. By using this Site, you acknowledge that you are at least 18 years old. The Site is not intended for children and we do not knowingly collect Personal Information from children. If redIQ discovers that it has inadvertently collected Personal Information from anyone younger than the age of 18, it will delete that information, unless otherwise required by law, contract and/or our business records retention and other business compliance requirements and obligations.

About redIQ and its Affiliates

redIQ is a member of a corporate group of operating companies comprised of several commonly controlled affiliates (the “Corporate Group”) providing complementary products and services to the Commercial Real Estate (CRE) market (collectively, the “Business”).

Our Corporate Group includes Berkadia Proprietary Holding LLC, together with the following operating subsidiaries: Berkadia Commercial Mortgage LLC, Berkadia Commercial Mortgage Inc., Berkadia Real Estate Advisors LLC, Berkadia Real Estate Advisors, Inc., Berkadia Affordable Tax Credit Solutions LLC, redIQ LLC and Berkadia Services India Private Limited. Other non-operating entities are included in our Corporate Group, and we may create, acquire or divest affiliates and operations over time. This Privacy Policy governs redIQ. To learn about the privacy practices of other members of our Corporate Group please visit: https://www.berkadia.com/general_page/privacy-policy.

redIQ develops and publishes applications supporting the CRE marketplace that employ a “Software-as-a-Service” computing model accessible from desktop and laptop computers, as well as from mobile devices and apps (“Applications”).

redIQ Applications utilize data-driven analytical tools to provide actionable insights into the CRE marketplace to help our customers to make better decisions regarding their CRE businesses and improve their operating efficiencies. For example, redIQ improves the efficiency of converting rent rolls and operating statements for CRE properties from PDFs into digital formats that can be electronically ingested and used in Applications to provide actionable insights. We also make redIQ Applications available to other members of our Corporate Group to improve their operations and provide actionable insights.

Your Privacy Rights in Personal Information

You have the right to know about Personal Information collected, used, disclosed or sold, and retained by redIQ. You have the right to request that we delete your Personal Information, subject to our legal, contractual, regulatory, record retention and other business compliance requirements and obligations. You have the right to be treated without discrimination in the exercise of your privacy rights.

What is Personal Information (PI)?

For purposes of this Policy, we define Personal Information (or “PI”) to mean any information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a specific individual or household of individuals. Depending on what redIQ Applications or Services you use and/or other business interactions you may have with our other Corporate Group members and/or whether those activities are linked to a person’s identity, Personal Information may include any of the following:

– Information obtained in connection with our Services and related Businesses from or on behalf of property owners, borrowers, guarantors, purchasers and potential purchasers of CRE, lenders, servicers, investors, other transaction participants, and their affiliates about themselves, their employees, their other representatives, their equity owners, their CRE and other assets (including, but not limited to, information about their tenants, lease applicants and related parties, vendors and other service providers), and their other business activities (which may include information about other third parties).

 

– Information obtained in connection with our Services and related Businesses from our third-party vendors and data providers.

 

– Information obtained from other private and public sources in connection with our Services and related Businesses.

 

– Identifiers such as real name, alias, postal address, unique personal identifier (e.g., cookies, beacons, pixel tags), IP address, device identifier, email address, account name, Social Security Number (SSN) or Taxpayer Identification Number (TIN), driver’s license number, passport number or other similar identifiers.

 

– Transaction histories and related information, as well as CRE and related personal and other property, products or services purchased, obtained and/or considered in connection with our other Corporate Group Businesses, as well as transaction histories, preferences and other activities.

 

– Internet browsing history, search history, interactions with a web site, application, advertisement or other online activities.

 

– Geolocation data, such as property addresses, latitude-longitude coordinates, mapping data.

 

– Biometric information.

 

– Audio, electronic, visual, thermal, olfactory or similar information.

 

– Professional or employment-related information, such as certifications, affiliations with companies or professional societies.

 

– Characteristics of protected classifications (e.g., race, religion, sex, national origin, etc.).

 

– Educational information.

 

– Inferences drawn to create a profile of an individual reflecting the person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

 

Personal Information generally does not include publicly available information, that is, information that is lawfully made available from federal, state or local government records.

How We Collect and Use Personal Information

We collect, use and may share Personal Information in numerous ways, depending on what Applications or features of our Site that you use and the extent to which you may use our Services or otherwise have a relationship with us or another member of our Corporate Group. The following is a link to an overview of how and why we collect, use and disseminate Personal Information, followed by a more detailed description of those activities summarized in the overview.

DOWNLOAD PI SUMMARY CHART

What Personal Information Do We Collect? Why? With Whom Do We Share it?

We may receive Personal Information: (1) internally through those who use our Applications in support of our other Services and related Businesses, (2) externally through those who use our Services, those who use our Applications in support of their CRE business activities, and those who otherwise interact with us in the course of our other Business activities, and (3) from third-party vendors and other public and private sources of information. Some Personal information may be provided to third parties at your request or as required by our legal, contractual, regulatory, record retention and other business compliance requirements and obligations. When permitted and reasonably practicable, we utilize Blind Data Pools and Derived Data to insulate and protect Personal Information. Please see our separate discussion of Blind Data Pools and Derived Data below.

User Content that You Upload through Your redIQ Account.

When you register to use redIQ Applications and related Services, our Site may ask you to provide certain information about yourself (such as name, email, phone, company affiliation), your properties (such as photographs, videos, rent rolls, operating statements) or your business or investment objectives or other user content (your questions, comments, suggestions or other user generated content) which may include Personal Information. It is completely optional for you to engage in these activities. Depending upon the activity, some of the information that you will be asked to provide is identified as mandatory and some as voluntary. If you do not provide the mandatory data with respect to a specific activity, you will not be able to engage in that activity.

Some user content may be disseminated to other users (information about a real estate transaction) at your request. Other user content may be posted publicly by you to the redIQ community forums. Postings to community forums generally will not be removed. If you choose to share user content through the Site, any recipient may be able to re-share the content, and that ability will not be subject to your control or redIQ’s control. redIQ is not responsible for your choice to share user content or another user’s choice to re-share your user content.

If you provide Personal Information about others, you represent that you have the legal right to provide such Personal Information in accordance with applicable law and this Policy and you agree to indemnify and hold us harmless from any third party claim to the contrary.

You are responsible for maintaining the accuracy of the information you submit to your account, such as your contact information, and the choices you make in using the Site and our other Services. The password-protected self-service “My Account” feature allows you to update and manage certain account-level Personal Information.

Deal Level Data and Physical Property Information in redIQ.

As part of user content, the redIQ Site allows you to upload user content that may include “Deal Level Data” (e.g., property size and occupancy rates, cash flow, income, expenses, debt levels) and “Physical Property Information” (property name, address, floor plan identification, unit sizes, number of units, number of beds/baths, etc.).

You also have the option of sharing your Deal Level Data and Physical Property Information with third parties and to receive such information from third parties who wish to share it with you. If you communicate with another user, that user may obtain certain Personal Information about you (your name and contact information). If you obtain Deal Level Data from a third party and add that real estate transaction to your redIQ account, the user who originally shared the real estate transaction on redIQ will be able to see certain Personal Information about you, such as your full name, job title, company, the number of times you viewed the deal, the types of changes you made to the transaction assumptions (e.g., that you changed expense and occupancy assumptions, but not the specific changes you made to those assumptions unless you consent to sharing such information). If a colleague forwards a link to a deal that is shared by a third party, it is the original third party who shared the real estate transaction (not your colleague) who would be able to see your Personal Information described above.

Default Settings on Certain Privacy Practices; Your Right to Opt-Out Prospectively.

redIQ is pre-configured to share Physical Property Information with other redIQ users unless you affirmatively opt-out of such information sharing. redIQ is also pre-configured to contribute Deal Level Data and Physical Property Information to its Blind Data Pools (on an aggregated, non-personally-identifying and non-property specific basis) for use in Applications and other Services by you and other users unless you affirmatively opt-out of participating in such activity. redIQ may condition your use of its Applications and other Services that utilize Blind Data Pools on your continuing to participate (i.e., not opting-out) of such features. Once data is contributed to a Blind Data Pool, it cannot later be re-identified or deleted even if you opt-out later or close your account.

Other Operational Uses of Personal Information by redIQ.

We may use Personal Information to: (1) process a transaction that you initiate or in which you are otherwise involved (either directly as a participant, or indirectly as being associated with a participant or related CRE property), (2) provide Services that you request or which otherwise may relate to you (either directly or indirectly, through your association with a client or potential client, a transaction, or a CRE property), (3) engage in our other Business activities that may relate to you, your CRE property, or your business activities or which otherwise may relate to you (either directly or indirectly, through your association with a client or potential client, a transaction, or a CRE property), (4) allow you to participate in Site and Application features we offer, or to provide related customer services, including, without limitation, to respond to your questions, complaints or comments; (5) tailor Site and Application content we display to you; (6) provide you with information, products or Services that you have requested, agreed to receive or may be of interest to you; (7) send you CRE property and market reports and related information, (8) send you marketing materials and other information about us, our clients and potential clients, CRE properties and related businesses, and our third-party business partners; (9) process your registration with the Site and our Applications, including verifying that your e-mail address is active and valid; (10) improve the Site, our Applications, other Services and products, and for internal Business purposes; (11) contact you with regard to your use of the Site and our Applications, in our discretion, changes to the Site and Application policies or functionality; (12) permit other users to contact you, and vice versa, if those features are present in the Site or in our Applications; (13) respond to audit requests and legal processes and otherwise to comply with our legal, contractual, regulatory, record retention and other business compliance requirements and obligations, and (14) for purposes as disclosed at the time you provide information about you or others or otherwise with your consent (as the supplier of such information), and as further described in this Policy.

Website Usage Information that We May Automatically Collect.

In addition to any Personal Information that you choose to submit to our Site (whether through our Applications or otherwise), we and our third party service providers, including any third party content providers, may use a variety of technologies that automatically or passively collect certain information whenever you visit or interact with our Site and Applications (“Usage Information”). Usage Information may include the browser and operating system you are using, the URL or advertisement that referred you to our Site, the search terms you entered into a search engine that lead you to our Site (if applicable), all of the areas within our Site that you visit and the Applications, if any, that you use, and the time of day you visited the Site, among other information. We may use Usage Information for a variety of purposes, including enhancing or otherwise improving the Site, our Applications and our other products and Services. In addition, we may automatically collect your IP address or other unique identifier (“Device Identifier”) for any computer, mobile phone or other device (any, a “Device”) you may use to access the Site and our Applications. A Device Identifier is a number that is automatically assigned to your Device used to access a Site and our servers identify your Device by its Device Identifier. Some mobile service providers may also provide us or our third-party service providers with information regarding the physical location of the Device used to access a Site. Usage Information is generally non-identifying, but if we associate it with you as a specific and identifiable person, we treat it as Personal Information.

The methods that we use to collect Usage Information include the following:

Cookies. A cookie is a data file placed on a Device when the Device is used to visit our Site or operate our Applications. Cookies may be used for many purposes, including, without limitation, remembering you and your preferences and tracking your visits to our web pages. A Flash cookie is a data file placed on a Device via the Adobe Flash plugin that may be built-in to or downloaded by you to your Device. Flash cookies may be used for various purposes, including, without limitation, enabling a Flash feature and remembering your preferences. For more information about Flash and the privacy choices Adobe offers, visit http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html. If you choose to disable cookies or to adjust your Flash privacy settings on your Device, some features of the Site may not function properly.

 

Embedded Scripts. An embedded script is programming code that is designed to collect information about your interactions with the Site and our Applications, such as the links you click on. The code is temporarily downloaded onto your Device from our web server or a third-party service provider. It is active only while you are connected to the Site and is deactivated or deleted thereafter.

 

Web Beacons. Small graphic images or other web programming code called web beacons (also known as “1×1 GIFs” or “clear GIFs”) may be included in our web pages and e-mail messages. Web beacons may be invisible to you, but any electronic image or other web programming code inserted into a web page or e-mail can act as a web beacon. Web beacons or similar technologies may be used for a number of purposes, including, without limitation, to count visitors to the Site and our Applications, to monitor how users navigate the Site and our Applications, to count how many e-mails that were sent were actually opened or to count how many particular articles or links were actually viewed.

 

How We Use Usage Information.

We collect Usage Information to support your participation in the features and activities you have selected on the Site and within our Applications. We may also use the information to keep you informed about new or improved redIQ or Corporate Group offerings and those of third parties. We may de-identify or aggregate the data and provide it to third parties for statistical analysis to improve the Site and the use of our Applications. We may also disclose any Usage Information as required by law or any governmental agency.

Other Reasons We May Disclose Your Personal Information.

redIQ does not sell your Personal Information to third parties. redIQ may share Personal Information with other members of our Corporate Group involved in operating the Business or providing Services or to third parties as reasonably needed to carry out your request for Services or to comply with legal, contractual, regulatory, record retention and other business compliance requirements and obligations. We may also disclose Personal Information to trusted third party vendors on a confidential contractual basis in support of our operations.

If redIQ or another Corporate Group member uses Personal Information in external-facing Applications, we generally first remove such Personal Information by converting it to Blind Data Pools (as described below) or use it to produce higher-level Derived Data (as described below). If Personal Information is exposed directly to a user of an Application, it is done so on a limited basis to carry out your instructions, to provide a Service requested by you or as more fully described above. Other ways in which we use or disclose Personal Information are as follows:

To Support Third Party Analytics Providers and Ad Servers.

Although the Site currently does not display ads from third parties, we work with network advertisers, ad agencies, third party traffic measurement services and other vendors to provide us with information regarding traffic on the Site, to serve our advertisements on other web sites, within third party applications, and across the internet, and to provide us with information regarding the use of the Site and the effectiveness of our advertisements. For example, if you clicked on a redIQ advertisement or other link that led you to our Site, our service provider(s) may be able to tell us which advertisement or link you clicked and where you were viewing the advertisement or link. In connection with providing analytics and advertisement services, our service providers may collect certain information about your visits to this or other web sites. We do not share Personal Information with these service providers, but they may set and access their own tracking technologies on your Device (including cookies and web beacons) and may otherwise collect or have access to information about you (such as your general interest in real estate and Usage Information). Cookies and web beacons, including those set by third party network advertisers, may be used to, among other things, target advertisements, prevent you from seeing the same advertisements too many times and to conduct research regarding the usefulness of certain advertisements to you. We may share Usage Information about visitors with third party advertising companies, analytics providers and other vendors for similar purposes.

To maintain our Business Records and to fulfill Your Specific Requests.

We may collect and maintain Personal Information (e.g., your name, contact information and other personal data) within our Business contacts databases. Based on your profile, we may use such Personal Information to send you information you have requested, to notify you about specific CRE opportunities or to provide you with reports and other information that may be of value to you. Specifically, we may notify you of upcoming seminars or programs sponsored by redIQ or other Corporate Group members, about Applications that we believe could benefit you or other offerings. You can generally avoid receiving such communications either by not subscribing to them (e.g., an email list) or by opting-out later. For example, our email newsletters contain an “unsubscribe” link at the bottom of each email that you can use to manage your subscription to that newsletter.

For Data Analytics and Site Improvements.

We gather data about your use of our Site, Applications and Services in order to perform data analytics and to improve our Service and other Business offerings. In some cases, we may use third party data analytics services to assist us with data gathering and analysis. For example, we may gather data about the web pages you visit, how long you visit them, whether you disengage from a specific page and other metrics that allow us to improve our offerings. Third party analytics services are subject to contractual restrictions consistent with this Policy.

For Legal Obligations and Compliance, Law Enforcement and Public Safety Purposes.

We may transfer and disclose Personal Information to other Corporate Group members or to third parties: (1) in order to fulfill contractual and related legal obligations we have in connection with our Business, (2) in the event we are required to respond to subpoenas or other legal process or if in our opinion such disclosure is required by law; (3) at the request of governmental and quasi-governmental authorities conducting investigations and routine audits; or (4) to protect and/or defend the Site’s and our Applications’ Terms of Use or other policies applicable to the Site and our Applications or to protect the personal safety, rights, property or security of redIQ and our Corporate Group or any individual. For example, subpoenas, discovery requests, regulatory requests or other valid legal process may result in the collection or transmission of Personal Information to third parties. Depending on the situation, a protective order or confidentiality agreement may be arranged to protect Personal Information or the Personal Information may be redacted and de-identified. However, it is possible that, in some situations (e.g., a court proceeding) certain Personal Information could be disclosed pursuant to valid legal process or court order.

We may also use Device Identifiers, including IP addresses, to identify users, and may do so in cooperation with copyright owners, internet service providers, wireless service providers or law enforcement agencies in our discretion. These disclosures may be carried out without notice to you.

In the event of an actual or contemplated sale of redIQ, another Corporate Group member or a Business.

We may share Personal Information within our Corporate Group for business and operational purposes. We also reserve the right to disclose and transfer all information related to our Business, our Services, the Site, and our Applications, including Personal Information: (i) to a subsequent owner, co-owner or operator of our Business, our Services, the Site, and any Application; or (ii) in connection with a corporate merger, consolidation, restructuring, the sale of certain of our ownership interests, assets, or both, or other change of ownership, including, without limitation, during the course of any due diligence process in connection with a potential sale transaction.

How We Use Blind Data Pools and Derived Data to Protect Personal Information.

Our Applications are designed to deliver actionable insights and the best customer experience, while protecting Personal Information. Our Corporate Group members use redIQ Applications to support our Business and to offer useful Services to the CRE marketplace. To accomplish these goals, our Corporate Group members have been moving away from “silos” of data accumulated by its departments and toward a centralized data repository to support our Corporate Group’s Business as a whole and to enable new innovations in Applications, including redIQ. We expect that trend to continue. As noted in this Policy, we use data security and may employ Derived Data and Blind Data Pools in the development of certain Applications, particularly in external offerings that would be made available to third parties. Derived Data and Blind Data Pools do not reveal your Personal Information. Conversion of Personal Information into Blind Data Pools and Derived Data is considered an irreversible deletion of such information and removes it from the scope of this Policy.

Derived Data results from calculations, manipulations, analyses and processes performed by our Applications on Personal Information and other data (for example, Derived Data may include an average aggregate rent for a particular zip code obtained from a column of actual unit rents for a sample of specific properties). Derived Data reflects data aggregates and does not reveal Personal Information. We use technical and business process constraints such as minimum size data samples in its Applications to limit an external user’s ability to construct queries that “drill down” or extract elements of Personal Information. Once Derived Data is generated, it may continue to be used in that form even if your Personal Information is later deleted from our system and your account is closed.

Blind Data Pools: We may de-identify and anonymize Personal Information (for example, by removing an individual’s name, email address, tax ID or other identifiers) and may collect data into a Blind Data Pool that can be used to generate actionable insights in a way that does not disclose your Personal Information to other users. Blind Data Pools may be enriched by data from third party data vendors and from publicly available sources (e.g., census data) to support a rich data-set, while respecting individuals’ privacy interests. An Application that offers subscribers access to features utilizing a Blind Data Pool may condition such access on the subscriber participating in the Pool by contributing its own data. Once your data is contributed to a Blind Data Pool, the decision cannot be revoked with respect to data already contributed, even if your account is closed. A subsequent decision to opt-out of further participation can only stop future contributions of data to the Blind Data Pool. We have implemented technical and business process safeguards so that once data is contributed to a Blind Data Pool, it cannot be reversed engineered to re-identify Personal Information and is therefore deemed outside the scope of this Policy.

OTHER POTENTIAL SOURCES AND USES OF PERSONAL INFORMATION

Personal Information Received from Outside of the United States

If you access or use our Site, Applications or Services from locations outside the United States, you consent to all data transfers and usage rights specified in this Policy and you agree to be solely responsible for compliance with your local laws and regulations with respect to any Personal Information you may transfer to or from the United States. We note that the data protection and privacy laws in the United States may offer a different level of protection than in your country or region.

Employment Applications, Records and Related Information

If you apply for a position at redIQ or a Corporate Group member or we receive your information in connection with a potential role here from a third-party recruiter or job website, we may use your submitted information to evaluate your candidacy and to contact you. If we consider you for a role here and if you are hired as an employee or engaged as an independent contractor, we may use and provide Personal Information to outside vendors (such as background checking and payroll processing companies and applicable regulators) in connection with those activities. If you are a candidate or are offered a position with us, you may receive more details about how we handle your Personal Information in each of those circumstances.

OTHER IMPORTANT POLICY ISSUES RELATED TO PERSONAL INFORMATION

Legal Basis for Processing Your Personal Information

This Policy grants us permission to collect, use, process and transfer Personal Information in accordance with this Policy. We may also obtain your consent indirectly through various contracts and other agreements that we enter into with you or other third parties in connection with our Services and other Business.

Personal Information collection, storage and use activities may be governed by contracts you enter into with redIQ or another Corporate Group member. We may also have permission indirectly, through contracts that we enter into with third parties, to collect, store and use Personal Information. Such contracts may include agreements with our other Corporate Group members and data service providers. Our collection, use and distribution of your Personal Information and the Personal Information of others will be governed in all circumstances by the applicable governing agreements. In addition to and without modifying any obligations you may have under agreements with redIQ and/or another Corporate Group member, in some cases we will ask for your additional consent to process your Personal Information at the data entry or processing point on our Site. You may indicate your consent in a number of ways, including, as permitted by law, ticking a box (or the equivalent action) to indicate your consent when: (a) providing us with your Personal Information through our Services or a form (including enrolling in email lists or promotions); or (b) registering or creating an account with us.

How We Protect Your Personal Information

We use data security procedures and practices to protect your Personal Information that we believe are reasonably appropriate given the level and nature of the risks associated with such information.

Important Notice. No system can be made completely secure from unauthorized access or hacker attack. The transmission and storage of Personal Information may not be entirely secure and third parties could compromise our systems even if we use reasonable data security measures to protect them, as described below.

We maintain a comprehensive information security management system (the “ISMS”) which includes administrative, technical and physical safeguards designed to: (a) protect and secure Personal Information from unauthorized access, use or disclosure; and (b) protect against anticipated threats or hazards to the security or integrity of Personal Information. The ISMS is documented and kept current based on changes to industry standard information security practices and legal and regulatory requirements applicable to us.

Standards. Our ISMS will, at a minimum, adhere to applicable information security practices that we implement from timer-to-time.

Independent Assessments. On an periodic basis, we may have one of our Corporate Group members’ audit departments or an independent, suitably qualified third party organization conduct an independent assessment of our ISMS.

Information Security Policies. Our information security policies address appropriate protection against such risks. These information security policies, at a minimum, include: organization of information security; asset management; human resources security; physical and environment security; communications and operations management; access control; information systems acquisition; development and maintenance; information security incident management and business continuity management.

Access Controls. In accordance with the ISMS, we maintain appropriate access controls (physical, technical, and administrative) to our facilities and our systems.

Encryption. We use industry best practices to encrypt highly sensitive Personal Information at rest within our systems. For such Personal Information in transit to and from our systems, we use encryption unless you use a method of transmission or feature which does not support encryption (such as unencrypted FTP, email, etc.).

Network and Host Security. We have network intrusion detection and firewalls in place. In accordance with its ISMS, we use commercially reasonable efforts to ensure that our operating systems and applications that are associated with Personal Information are patched or secured to mitigate the impact of security vulnerabilities in accordance with our patch management processes.

Data Management. In accordance with its ISMS, we have information security infrastructure controls in place for Personal Information obtained, transported and retained by us for the operation of its Business.

Audit Logging and Monitoring. We implement controls for audit logging and monitoring of events in its systems.

Facility and Equipment Security. We implement physical and environmental security measures to protect its computing environment and equipment.

Training. We provide regular training (or requires regular training to be provided) for our employees and contractors on security and privacy requirements applicable to their roles. Such training occurs at least annually and upon initial employment.

Business Continuity and Disaster Recovery. We implement and maintain business continuity and disaster recovery capabilities designed to minimize disruption of our Business in the event of a disaster or similar event.

Subcontractors. We make reasonable efforts to ensure that subcontractors are under contractual obligations that meet our security and privacy standards, to the extent applicable to their scope of performance, including contractual requirements that all persons authorized to perform services on behalf of us have agreed to an appropriate obligation of confidentiality.

Background Checks. We conduct background checks on personnel where legally permitted and in accordance with local law and custom.

Cyber Liability Insurance. We maintain cyber and privacy liability insurance protection which it deems appropriate to the level of risk for our Business and computer operations.

How Long Do We Keep Your Personal Information?

Different operating units within our Business may have specific data retention requirements which in some cases are imposed by law, rule or regulation based on their specific activity. Generally, we only retain Personal Information for so long as is necessary to carry out the purpose for which we collected it and for other purposes permitted by this Policy or as required by law.

Your Right to Know About Personal Information Collected, Used or Disclosed by redIQ

You have the right to ask us to disclose to you what Personal Information we collect, use, disclose or sell. This Policy is designed to answer most of those questions. With respect to your online password-protected accounts, you can view and manage that information yourself simply by accessing your account through the log-in process. For some requests, we may provide automated features that point you to places within this Policy that answer your questions. For other information, you may submit a verifiable request directly to us. In considering such requests, we will not discriminate against you. In some cases, you may be asked for certain information reasonably needed to verify your identify and to validate your request.

PRIVACY INFORMATION MANAGEMENT AND INQUIRY PROCEDURES

Self-Service Management Feature. You can use the password-protected self-service “My Account” feature of the Site to access and manage certain aspects of your Personal Information. You can also make decisions regarding our use of your information in Blind Data Pools by prospectively “opting out” or “opting back in” to the features.

Unsubscribing to Certain User-Requested Content. Certain content that relies on Personal Information given to us, such as email newsletters, allow you to unsubscribe or opt-out by clicking a link at the bottom of any email that you receive. Doing so should remove your email address from the mailing list.

For other privacy-related questions, please send an email to redIQ.Privacy@redIQ.com. In some cases, we will point you to relevant provisions of this Policy. In other cases, we will direct your communication to a Privacy Officer at redIQ for an individualized response. Depending on the nature of your request, we may require that you verify your identity.

PRIVACY GRIEVANCE PROCEDURES

To submit a privacy grievance to redIQ, send an email to redIQ.Privacy@redIQ.com or

By Toll-Free Telephone: 888-894-4804 (Note: Calls will go to a voice mailbox. The voice message will then be routed as an email attachment to us) or

By U.S. Mail: 323 Norristown Road, Suite 300, Ambler, PA (USA) 19002. Attn: redIQ Risk Compliance Officer.

We will respond as quickly as reasonably possible but in no event later than 30 days from receipt of (a) a plainly written statement identifying the specific provisions of this Policy or applicable law that you allege we have violated and the factual evidence for your allegation, and (b) reasonable proof from which we can validate your identity as the owner of such Personal Information. You irrevocably agree not to file a formal grievance with any court or government agency until you have complied with these procedures and we have had a reasonable opportunity to respond. If you do file a formal claim pertaining to this Policy or our privacy practices against redIQ or any member of our Corporate Group, you agree, to the maximum extent allowed by applicable law, to submit it as an individual claim (without joinder of other claims) to binding arbitration exclusively in Montgomery County, Pennsylvania (USA). Formal legal complaints need to be served according to law (not by email or U.S. mail).

This Policy applies to redIQ only. If you have a question or grievance about another Corporate Group member, visit https://www.berkadia.com/general_page/privacy-policy

Limitations on Disclosures to You: We will generally not disclose to you the specifics of certain highly sensitive information, such as a Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password or security questions or answers. We may deny a request for other reasons, for example, if needed to comply with State or Federal law.

Your Request to Delete Personal Information is Subject to Certain Exceptions

You may request us to delete your Personal Information held by us. Once Personal Information is added to a Blind Data Pool or is used to create Derived Data, it is considered “deleted” for purposes of this Policy because it cannot later be re-identified. A request to delete Personal Information is also subject to important exceptions if we need the Personal Information to perform contractual, legal or regulatory responsibilities. As a practical matter, it may not be feasible to delete Personal Data contained in offline storage or other bulk archives until the entire archive segment is destroyed according to our document retention policy, which may require retention for an additional period. If you contributed content to a public forum, it may not be possible for you or redIQ later to delete the posting.

Exceptions to Deletion Requests: We may not act on your request to permanently delete Personal Information if retention and use of Personal Information is required to: (a) carry out a transaction or contractual relationship for which the Personal Information was collected; (b) protect against security incidents, illegal activity or enforcement activities; (c) perform debugging or maintenance work on our systems; (d) exercise or protect free speech rights; (e) engage in bona fide research where you have consented; (f) enable internal use by us consistent with our relationship or (g) comply with a legal obligation or regulatory requirement.

Links to Third Party Websites

Our Services may contain links pointing to features or websites operated by third parties that are outside of our control. Our Privacy Policy does not apply to third-party features or websites. We provide those links merely for your convenience. Those third-party features and websites may have privacy and data security practices that are materially different than this Policy provides. We have no control over, do not review and are not responsible for third party websites, their content, their privacy or data security practices or any goods or services available from them. We encourage you to review the privacy policies of any third-party website that you visit.

California Consumers

This Privacy Policy has been designed to comply with California law, including the California Consumer Privacy Act (CPPA), effective January 1, 2020 and other privacy laws and principles that have been adopted in other jurisdictions in various forms. To the extent this Policy violates any applicable privacy law, the offending word, phrase or provision shall be deemed modified to carry out our intention, or otherwise severed if it cannot be so modified, and the remaining provisions shall be given full force and effect.

Europeans, Canadians, and Persons from other Countries

The Site is operated within the United States. If you are located in the European Union, Canada or elsewhere outside the United States, please be aware that information we collect will be transferred to and processed in the United States. By using the Site, or providing us with any information, you consent to this transfer, processing and storage of your information in the United States, a jurisdiction in which the privacy laws may not be as comprehensive as those in the country where you reside and/or are a citizen.

Changes to this Policy

redIQ is a rapidly evolving enterprise actively developing Services and Applications to serve its Business and the CRE marketplace in new and better ways. We will continue to assess this Policy against new technologies and procedures and make adjustments as relevant privacy laws evolve or circumstances require. We reserve the right to change this Policy and will post a revised Policy on our Site with the effective date. In addition, we may use contact information you have provided to deliver enhanced forms of notice (e.g., notice by email or pop-up website banners with click-wrap acceptance) if this Policy changes in significant ways. Some changes to our Policy may require you affirmatively to make privacy choices (e.g., opt-in or opt-out) to accept or decline a new or different privacy practice.

(end of document)