Afora.

Afora Privacy Policy

Effective date: July 10, 2026 · Last updated: July 10, 2026

Afora LLC ("Afora," "we," "us") provides a back-office platform for residential real-estate brokerages: email triage and drafting, receipt and expense processing, bank-transaction feeds, and accounting exports. This policy explains what data we handle, how we use it, and the choices you have. It is written to be read; if anything is unclear, email privacy@aforademo.com and we will answer plainly.

This policy is incorporated into our Terms of Service. Our Security page describes how we protect data; our Subprocessor list names every vendor that touches customer data.

1. Who this policy covers, and our two roles

We handle personal information in two distinct roles:

2. Information we collect

CategoryExamplesSource
Account & contact dataName, work email, role, brokerage affiliation, authentication identifiersYou, via signup (authentication is provided by Clerk)
Email dataThe contents of emails and attachments, message metadata, folder/label structure, contact names and addresses appearing in mailYour Gmail or Microsoft 365 account, only after you connect it via OAuth
Linked bank dataTransaction descriptions, amounts, dates, merchant details, account balances, and account/routing identifiers for accounts the brokerage connectsThe brokerage's financial institutions, via our bank-connectivity provider (see Section 7)
Receipts & expense dataReceipt images you upload, extracted merchant/amount/date fields, expense coding, approval historyYou / brokerage staff
Usage & log dataPages viewed, actions taken, device/browser type, IP address, error logsAutomatic

We do not collect: bank login credentials (we never see them — Section 7), biometric data, precise geolocation, or data about children. Afora is a business tool and is not directed at anyone under 18.

3. How we use information

We use data only to provide and secure the service. Each purpose maps to a feature you can see:

We do not use your data for advertising of any kind, and we do not sell personal information — to anyone, for anything.

4. Artificial intelligence and machine learning

Afora uses large language models to power specific, visible features: email triage and summarization, email drafting, receipt data extraction, and expense-coding suggestions.

5. Email data — Google and Microsoft commitments

Connecting an inbox is optional and uses OAuth: you grant access from your Google or Microsoft account, and you (or your admin) can revoke it at any time from your provider's security settings or from within Afora.

Google. Afora's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular:

Microsoft. We apply the same commitments to Microsoft 365 / Outlook data accessed through Microsoft Graph: minimum necessary permissions, no advertising or marketing use, no use outside the permissions your organization granted, and retention and deletion per Section 9. Our privacy practices for Microsoft data are intended to be at least as protective as the Microsoft Privacy Statement requires of independent applications.

6. Receipt and expense data

Receipt images are processed with AI vision models (Section 4 terms apply) to extract merchant, amount, and date fields. Extracted entries enter the brokerage's approval queue; nothing posts to accounting without human approval. Content embedded in submitted documents is treated as data to be processed, never as instructions to our systems, and submissions that attempt to manipulate automated processing are flagged for human review.

7. Bank data and Plaid

Afora uses Plaid to connect brokerage bank and card accounts.

8. When we share information

We share personal information only with:

We never sell or rent personal information, and we never share it with data brokers or advertising platforms.

9. Retention and deletion

We retain data only as long as needed for the purposes above, with these specific rules:

10. Your rights and choices

11. Security

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Bank connection tokens are additionally encrypted at the application layer (AES-256-GCM) before storage. Access is role-scoped and logged. Payment-instruction changes that originate from email content are never applied automatically. Full details, including how to report a vulnerability, are on our Security page. No system is perfectly secure; if a breach affects your data, we will notify affected customers without undue delay (our Data Processing Addendum commits to notice within 48 hours of confirmation).

12. Changes to this policy

We will post changes here with an updated date. If a change materially expands how we use personal information, we will notify affected customers in advance and, where the change involves using existing data for a new purpose, obtain consent before applying it. We will never quietly repurpose your data through a policy edit.

13. Contact

Afora LLC · privacy@aforademo.com