Privacy Policy

Privacy Policy (GDPR + CCPA/CPRA 2026 Compliant)

Last Updated: March 26, 2026

This Privacy Policy explains how Marcus & Millichap (“we,” “us,” “our”) collects, uses, discloses, and protects Personal Data/Personal Information when you visit our website (the “Site”), receive our communications, or interact with us. It also describes your rights under the EU/EEA General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as amended by the CPRA and 2026 regulations.

By using the Site or providing us with Personal Data/Personal Information, you acknowledge this Privacy Policy.


1) Who We Are (Data Controller / Business)

  • Data Controller/Business: Marcus & Millichap
  • Address: 1144 15th Street, Suite 2150, Denver, CO 80202
  • Email (privacy requests): [email protected]
  • Webform (CCPA/GDPR requests): https://leclaireschlossergroup.com/contact/

2) Scope & Definitions

  • “Personal Data” / “Personal Information (PI)”: Information that identifies, relates to, describes, can reasonably be associated with, or could reasonably be linked with a particular individual or household (GDPR/CCPA definitions).
  • “Sensitive Personal Information” (CCPA) may include government IDs, precise geolocation, account log‑in credentials, racial/ethnic origin, health data, union membership, contents of communications, biometric data, and (per 2026 update) certain neural data when applicable.
  • Children: The Site is not intended for individuals under 16 in the EU/EEA or under 18 in the U.S. We do not knowingly collect data from minors. If you believe we collected data from a child, contact us to delete it.

3) Categories of Data We Collect

We collect the following categories (examples are illustrative):

  • Identifiers: name, alias, email, phone, postal address, business affiliation.
  • Commercial/Preference Data: property interests, saved searches, communication/marketing preferences, survey responses.
  • Internet/Network Activity: IP address, device/browser, pages viewed, time on page, referrers, clickstream, interaction with emails.
  • Geolocation (approximate): derived from IP or device settings (when enabled).
  • Inferences: profiles about likely property interests or engagement levels.
  • Sensitive Personal Information (SPI) (limited): We do not seek SPI. If we must process SPI (e.g., account security info), purposes and limits are below.

Sources: Direct from you (forms, emails, calls, meetings, events), automated collection (cookies/SDKs/analytics), affiliates, service providers, lead partners, and publicly available sources.


4) Purposes (Business/Commercial) & GDPR Legal Bases

We process data to:

  • Provide services you request (send property information; manage your account) — GDPR: Contract necessity.
  • Communicate with you (support, updates) — GDPR: Contract necessity / Legitimate interests.
  • Marketing (newsletters, event invites, listings) — GDPR: Consent where required / Legitimate interests where permitted.
  • Personalize & improve the Site, analytics and security — GDPR: Legitimate interests.
  • Compliance & protection (fraud prevention, legal obligations) — GDPR: Legal obligation / Legitimate interests.

We apply data minimization, purpose limitation, storage limitation, accuracy, integrity/confidentiality, lawfulness/fairness/transparency, and accountability across our processing.


5) Notice at Collection (California)

At or before the point of collection, we disclose:

  • Categories collected: Identifiers, Commercial/Preference, Internet/Network, Geolocation (approx.), and Inferences; SPI only if strictly necessary (e.g., account security).
  • Purposes: As listed in Section 4.
  • Retention: See Section 10 for category‑level retention.
  • Selling/Sharing: See Section 7.
  • Links: Privacy Policy (this page).

6) Cookies, Consent & GPC

  • We use essential cookies and, with your opt‑in consent, non‑essential cookies (e.g., analytics, advertising).
  • You can accept, reject, or customize cookie categories via our Cookie Banner/Preferences Center and withdraw consent any time.
  • We honor Global Privacy Control (GPC) signals as an opt‑out of sale/sharing where applicable under California law.

7) Selling or Sharing PI (California)

  • We do not sell Personal Information.
  • We do not share Personal Information for cross‑context behavioral advertising.
  • If this changes, we will:
    • Update this Policy and our Notice at Collection;
    • Honor GPC signals; and
    • Confirm your opt‑out.

8) Sensitive Personal Information (California Right to Limit)

We do not use or disclose SPI beyond exempt, necessary purposes (e.g., account security, preventing fraud, ensuring physical safety, short‑term transient use without profiling). If we ever use SPI for non‑exempt purposes, we will present the “Limit the Use of My Sensitive Personal Information” control and honor your choice promptly.


9) International Data Transfers (GDPR Chapter V)

If you are in the EU/EEA, your data may be transferred to the U.S. and other countries. We rely on Standard Contractual Clauses (SCCs) and additional safeguards, or other lawful transfer mechanisms. You can request a copy of the safeguards we use.


10) Retention

We retain PI only as long as necessary for the purposes described or as required by law. Typical periods:

| Category | Typical Retention | Rationale |
| --- | --- | --- |
| Identifiers | 3–7 years after last interaction | Client relationship, legal obligations |
| Commercial/Preferences | Until you opt‑out or 5 years of inactivity | Relevance for listings/marketing |
| Internet/Network Activity | 12–24 months | Analytics, security, abuse prevention |
| Geolocation (approx.) | 12 months | Personalization, fraud prevention |
| Inferences | 24 months | Service relevance, accuracy |
| SPI (if collected) | As short as possible; usually session‑level or <12 months | Security‑only, no secondary use |

If retention must be longer (e.g., to meet legal obligations), we will keep only what’s necessary and secure it appropriately.


11) How We Disclose PI

We disclose PI for business purposes to:

  • Service providers/contractors (hosting, analytics, email, CRM, form processing, security) under written contracts;
  • Affiliates within Marcus & Millichap;
  • Professional advisors (legal, auditors) under confidentiality;
  • Authorities when legally required.

We do not disclose PI for monetary gain. If we ever “sell” or “share” under California definitions, we will provide required notices and opt‑out tools.


12) Automated Decision‑Making Technology (ADMT)

We do not use ADMT to make decisions that produce legal or similarly significant effects about you. If we introduce ADMT for such decisions, we will provide required notices, access/opt‑out tools, and meaningful information about the logic and outcomes, consistent with emerging California ADMT rules and timelines.


13) Your Rights (GDPR)

If you are in the EU/EEA, you can request: access, rectification, erasure, restriction, portability, and objection, and you may withdraw consent at any time. You also have rights relating to automated decision‑making. We ordinarily respond within 30 days (extendable as allowed).


14) Your Rights (California)

California residents have the right to:

  • Know/Access: Request the categories and specific pieces of PI we collected, used, disclosed, sold/shared in the preceding period back to January 1, 2022 (if retained).
  • Delete: Request deletion of PI, subject to exceptions.
  • Correct: Request correction of inaccurate PI.
  • Opt‑Out of Sale/Sharing: If applicable, opt‑out via GPC signals.
  • Limit SPI: If we use SPI for non‑exempt purposes, limit such use/disclosure.
  • Access ADMT Info/Opt‑Out (when applicable).
  • Non‑Discrimination: We will not discriminate against you for exercising your rights.

 

How to Submit Requests:

 

Verification & Authorized Agents:
We will verify your identity using reasonable methods (e.g., matching two or more data points). Authorized agents must provide signed permission; we may require you to verify identity directly.

Response Times:
We will confirm receipt and respond within 45 days (with a permissible extension, if reasonably necessary). Opt‑out of sale/sharing is processed as required by regulation, and you will receive confirmation that your request has been honored.

15) Security

We use administrative, technical, and physical safeguards appropriate to the nature of the data (e.g., TLS in transit, access controls, logging/monitoring). No method of transmission or storage is 100% secure, but we continuously improve our controls.


16) Non‑Discrimination

We will not deny services, charge different prices, or provide a different level/quality of services because you exercise your privacy rights.


17) Third‑Party Links

Our Site may contain links to third‑party websites or services. Their privacy practices are governed by their own policies.


18) Changes to This Policy

We may update this Policy from time to time. We will revise the “Last Updated” date and post the new version here. Significant changes will be communicated via the Site or by direct notice where appropriate.


19) Contact Us

Questions or requests regarding this Policy or your rights:
Email: [email protected]
Postal: 1144 15th Street, Suite 2150, Denver, CO 80202


20) Your California Privacy Choices

To exercise your rights to opt‑out of sale/sharing (if/when applicable) and to limit SPI, request at: https://leclaireschlossergroup.com/contact/


21) Category‑Level Mapping (California Disclosure)

The table below summarizes CCPA‑required details: categories, sources, purposes, disclosure, retention, and whether we sell/share.

| CCPA Category | Examples | Sources | Purposes (Business/Commercial) | Third Parties Disclosed To (Business Purpose) | Sold? | Shared? | Typical Retention |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Identifiers | Name, email, phone, address, business info | You; affiliates; events; lead partners | Provide services; communicate; security; compliance | Service providers (hosting, email, CRM); affiliates | No | No | 3–7 yrs |
| Commercial/Preference | Saved searches, interests, survey responses | You; Site interactions | Personalize listings; marketing (with consent); analytics | Service providers (email, CRM, analytics); affiliates | No | No | Up to 3 yrs inactivity |
| Internet/Network | IP, device/browser, pages viewed, referrers, email interactions | Automated (cookies/SDKs) | Site operations; analytics; security; debugging | Hosting/CDN; analytics; security vendors | No | No | 12–24 mos |
| Geolocation (approx.) | City/region from IP | Automated | Personalization; fraud prevention | Security & analytics providers | No | No | 12 mos |
| Inferences | Interest profiles | Derived from other data | Tailor communications; measure engagement | Service providers (CRM/analytics) | No | No | 24 mos |
| Sensitive PI (if any) | Account security data | You | Authentication; security | Security/IT providers | No | No | Shortest possible |

If our practices change (e.g., begin selling or sharing PI), we will update this table and the Site‑wide controls immediately.


Compliance Notes & Sources

This policy is drafted to satisfy the GDPR and California’s 2026 CCPA/CPRA regulations concerning: privacy policy content, Notice at Collection, sale/share opt‑out, Limit SPI, GPC, opt‑out confirmation, expanded right‑to‑know timeframe, methods for submitting requests, anti‑dark‑patterns, retention disclosures, and ADMT notices.

  • Official Regulations (CCPA/CPRA) — structure and disclosures (privacy policy content, notice at collection, links, request methods, timelines): California Privacy Protection Agency regulations, effective January 1, 2026 (see §§7000–7016; 7020–7024).
  • Alternative Opt‑Out Link & Disclosure Expansion (use of “Your California Privacy Choices,” SPI limits, retention disclosure, categories/third parties, ADMT references): National Law Review summary of 2026 changes.
  • Core 2026 Updates (opt‑out workflows, request handling, dark pattern prohibitions, product design impacts): Traverse Legal analysis.
  • Mandatory Opt‑Out Confirmation, extended right‑to‑know look‑back, phased audits/risk assessments: SecurePrivacy update guide for 2026.
  • Expanded consumer rights (historical access back to 1/1/2022), SPI scope updates and practical impacts: Lathrop GPM client alert.