RRLTY Service

Privacy Policy

Last updated: April 16, 2026

Who we are

RLT NYC Property Lookup ("RLT", "we", "our") is a small utility that lets authenticated users search New York City property information by address or BBL using the public NYC Geosupport / GOAT data source. The service is hosted at https://rltyservice.com.

What data we collect

  • Account data: email address, display name, and a hashed password (only if you sign up with email + password).
  • OAuth profile data: if you sign in with Google, Microsoft, Facebook, or X (Twitter), we receive the minimum profile fields the provider returns — typically a provider-specific user id, email (when the provider shares it), and display name. We store a link between your RLT account and that provider id so you can sign in again.
  • Authentication events: timestamps of sign-in, sign-up, email verification, and password reset for security and abuse-prevention purposes.
  • Usage data: the property searches you run are processed in real time against the NYC GOAT data source; we do not currently build a long-term per-user search history.
  • Operational logs: standard server logs (IP, user-agent, request path, status code) kept for a short period for debugging and security.

Why we use it

  • To authenticate you and keep your session secure.
  • To answer your property lookups by forwarding them to the public NYC GOAT service.
  • To send transactional email (email verification, password reset) to the address you registered with.
  • To detect and block abuse of the service (e.g. repeated failed logins).

We do not sell your personal data, we do not share it with advertisers, and we do not use it for profiling or ad targeting.

Third-party services we rely on

  • Google, Microsoft, Meta (Facebook), X (Twitter) — only when you choose to sign in with them. They act as identity providers and receive a standard OAuth authorization request from our app. Their own privacy policies apply to data they hold about you.
  • NYC Department of City Planning / GOAT — we forward the address or BBL you type to the public NYC GOAT endpoint to resolve property information.
  • Email delivery (SMTP) — we use an SMTP provider to send verification and password-reset messages to the email address you registered with.

Cookies

We use a single, strictly necessary session cookie (authjs.session-token / the __Secure--prefixed variant in production) to keep you signed in. It is HttpOnly, scoped to our domain, and not used for analytics or advertising. We do not use third-party tracking cookies.

Data retention

Account and OAuth-link records are kept for as long as your account exists. You can ask us to delete your account (see "Your rights" below); once deleted, associated authentication data is removed. Short-lived tokens (email-verification, password-reset) are invalidated as soon as they are used or after they expire.

Your rights

You can request access to the personal data we hold about you, ask for corrections, or ask us to delete your account. To do so, contact cs@rltyconsulting.com from the email address associated with your RLT account.

Children

RLT is not directed at children under 13 and we do not knowingly collect personal data from them.

Changes to this policy

We will update this page when the service changes in a way that affects how we handle your data. The "Last updated" date at the top of this page reflects the most recent revision.