Privacy Policy

1. Introduction & About This Policy

Prime Partners Group, LLC, doing business as 4EstateSale.com ("Company," "we," "us," or "our"), is committed to protecting the privacy, security, and integrity of the personal information entrusted to us by our users, subscribers, and visitors. This Privacy Policy ("Policy") describes in detail our information-handling practices for all activities conducted through or in connection with the website located at https://www.4estatesale.com (the "Site"), any related mobile applications, and any other services offered by the Company that link to or reference this Policy (collectively, the "Services").

This Policy has been drafted to comply with applicable privacy laws and regulations, including without limitation: the General Data Protection Regulation (EU) 2016/679 ("GDPR"); the UK General Data Protection Regulation (as retained in UK law by the European Union (Withdrawal) Act 2018); the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 et seq.) as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"); the Florida Digital Bill of Rights (SB 262, enacted July 1, 2023) and related Florida statutes including Fla. Stat. § 501.171 (Florida Information Protection Act); the Children's Online Privacy Protection Act (15 U.S.C. §§ 6501 et seq.) ("COPPA"); the CAN-SPAM Act of 2003; the Telephone Consumer Protection Act ("TCPA"); and applicable Payment Card Industry Data Security Standards ("PCI-DSS").

We encourage you to read this Policy in full. If you do not agree with this Policy, you must immediately discontinue your use of our Services.

2. Who We Are & How to Contact Us

The data controller (under GDPR) and business (under CCPA) responsible for your personal data is:

Data Controller / Privacy Contact
Prime Partners Group, LLC
d/b/a 4EstateSale.com
Jurisdiction: Miami-Dade County, Florida, United States of America
Website: https://www.4estatesale.com
Privacy Inquiries: Use the "Contact Us" form at https://www.4estatesale.com and select "Privacy / Data Request" as the subject.
Subject Line: "PRIVACY REQUEST — [Your Name]"

Response Time: We will acknowledge your request within five (5) business days and respond substantively within the timeframes required by applicable law (30 days for GDPR; 45 days for CCPA; 30 days for Florida).

For EEA/UK data subjects who require a local representative, or to appoint an authorized agent for CCPA purposes, please contact us using the information above and specify your jurisdiction and the nature of your request.

3. Scope & Applicability

This Policy applies to:

• All visitors to the Site, regardless of whether they create an account;
• Registered users, including auction companies, estate sale companies, individual sellers, and any other persons who create an account on the Site;
• Subscribers who purchase a monthly or other recurring subscription plan;
• Prospective users who contact us via email, telephone, or contact form;
• Business contacts and service providers who interact with us on a commercial basis.

This Policy does not apply to:

• Third-party websites, platforms, or services linked to or from the Site. We are not responsible for the privacy practices of third parties and encourage you to review their privacy policies before providing any personal information;
• Information that has been rendered truly anonymous and cannot be used to identify any individual or entity.

4. Definitions

The following definitions apply throughout this Policy:

5. Information We Collect

We collect personal information through several means, as described in the categories below.

5.1 Information You Provide Directly

5.1.1 Account Registration & Profile Data

When you register for an account or update your profile, we may collect:

• Full legal name (individual or authorized representative);
• Business or company name;
• Business address, mailing address, and service area;
• Email address(es) — primary and any additional contact emails;
• Telephone and mobile phone numbers;
• Username and password (stored in hashed, salted form);
• Company logo, profile images, and marketing materials uploaded to your account;
• Business description, areas of operation, specialization, and license numbers (where voluntarily provided);
• Social media profile URLs (Facebook, Twitter/X, LinkedIn, Instagram) where voluntarily linked.

5.1.2 Subscription & Payment Data

When you subscribe to a paid plan, we collect:

• Subscription plan tier and billing cycle selected;
• Billing name and billing address (used for payment processing and tax compliance);
• Transaction records, including invoice amounts, dates, and subscription renewal history;
• Payment method type (e.g., Visa, Mastercard, American Express — card number, CVV, and expiration date are collected exclusively by our PCI-DSS-compliant payment processor and are never stored on our servers);
• Refund and chargeback records where applicable.

5.1.3 Sale Listing & User-Generated Content

When you create or manage sale listings, we collect:

• Sale or auction title, description, dates, times, and location address;
• Categories of items for sale;
• Photographs and media uploaded in connection with listings;
• Preview or teaser text;
• Contact preferences and display options for the listing;
• Any custom email addresses configured for routing public inquiries.

5.1.4 Communications & Support

When you contact us through email, contact forms, or other channels, we collect:

• Your name, email address, and any other information you choose to include in the message;
• The content of your message, including any attachments;
• Metadata about the communication (timestamp, channel, support ticket ID).

5.2 Information We Collect Automatically

5.2.1 Log Data & Device Information

Our servers and third-party analytics tools automatically record certain information when you visit the Site, including:

• IP address (which may constitute personal data under applicable law);
• Browser type, version, and language settings;
• Operating system and device type;
• Referring URL and exit pages;
• Date, time, and duration of your visit;
• Pages viewed, links clicked, and search terms used on the Site;
• Error logs and crash reports.

5.2.2 Cookies & Tracking Technologies

We use cookies and similar tracking technologies as further described in Section 9 of this Policy.

5.2.3 Analytics Data

We use Google Analytics and potentially other analytics services to understand how visitors interact with our Site. These services may collect aggregated and de-identified usage data. Please see Section 9 and Section 10 for full details.

5.3 Information We Receive from Third Parties

• Social media platforms: If you connect a social media account (e.g., Facebook, LinkedIn), we may receive basic profile information (name, email, profile photo) as permitted by your settings on those platforms;
• Payment processors: We receive transaction status and billing confirmations, but not full payment card details;
• Fraud prevention services: We may receive risk signals or verification status from identity and fraud-prevention providers;
• Publicly available sources: We may supplement your business profile information with publicly available information (e.g., state business registry records, professional directories).

5.4 Information We Do Not Collect

We do not intentionally collect:

• Government-issued identification numbers (Social Security Numbers, passport numbers, etc.) unless legally required;
• Racial or ethnic origin, religious beliefs, political opinions, trade union membership, genetic data, biometric data, health or medical data, or sexual orientation (collectively, "Special Category Data" under GDPR);
• Information from children under the age of 13 — see Section 18.

6. Legal Bases for Processing (GDPR)

7. How We Use Your Information

We use the personal information we collect for the following purposes:

7.1 Providing and Operating the Services

• Creating, authenticating, and maintaining your user account;
• Processing your subscription enrollment, billing, renewals, and cancellations;
• Publishing and displaying your sale listings and auction advertisements;
• Routing public inquiries directed to your listing to your designated contact;
• Providing customer support and responding to your inquiries;
• Sending transactional communications, including subscription confirmation, renewal reminders, payment receipts, and service announcements.

7.2 Improving and Developing the Services

• Analyzing usage patterns and user behavior in aggregate to improve platform features;
• Diagnosing and resolving technical issues;
• Conducting internal research and development;
• Testing new features before launch.

7.3 Safety, Security, and Fraud Prevention

• Detecting, investigating, and preventing fraudulent transactions, abuse, and violations of our Terms of Service;
• Verifying the identity of users and businesses where appropriate;
• Protecting the rights, property, and safety of the Company, our users, and the public;
• Maintaining the integrity of the platform and its content.

7.4 Legal and Regulatory Compliance

• Complying with applicable federal, state, and local laws and regulations;
• Responding to lawful requests from courts, law enforcement agencies, and regulatory authorities;
• Establishing, exercising, or defending legal claims;
• Maintaining required business records for tax and accounting purposes.

7.5 Marketing and Promotional Activities

• Sending promotional emails, newsletters, and platform updates (subject to your opt-out rights — see Section 19);
• Identifying you as a customer and, with your consent (or as permitted by applicable law), referencing your business name and/or logo in our marketing materials, website, case studies, or testimonials;
• Displaying targeted advertisements through third-party ad networks, subject to applicable cookie and consent requirements.

8. Disclosure & Sharing of Information

We do not sell, rent, or trade your personal information to third parties for their independent marketing purposes. We disclose personal information only in the circumstances described below.

8.1 Service Providers (Data Processors)

We share personal information with carefully vetted third-party service providers who perform functions on our behalf, including:

• Payment processing — processing subscription payments and handling chargebacks;
• Cloud hosting and infrastructure — storing data on secure servers;
• Email delivery — transmitting transactional and marketing emails;
• Analytics — analyzing Site usage data;
• Customer support tools — managing support tickets and communications;
• Fraud detection — assessing transaction and account risk.

All service providers are contractually bound to: (a) process personal data only on our documented instructions; (b) implement appropriate technical and organizational security measures; (c) not disclose personal data to unauthorized third parties; and (d) assist us in fulfilling our obligations to data subjects under applicable law.

8.2 Business Transfers

In the event of a merger, acquisition, consolidation, restructuring, sale of all or substantially all assets, or similar corporate transaction, personal information held by the Company may be transferred to the acquiring entity. We will notify users of any such transfer and any consequential changes to this Policy via email and/or prominent Site notice at least 30 days prior to the transfer becoming effective, where practicable.

8.3 Legal Compliance and Law Enforcement

We may disclose personal information when required by applicable law or in good-faith belief that disclosure is reasonably necessary to:

• Comply with a valid legal process (e.g., court order, subpoena, search warrant, regulatory demand);
• Cooperate with government and law enforcement investigations;
• Enforce our Terms of Service or other agreements;
• Protect the rights, property, or personal safety of the Company, our users, or any third party;
• Prevent or detect fraud, security breaches, or illegal activity;
• Respond to an emergency involving risk of death or serious injury.

Where legally permitted, we will notify affected users of such disclosure requests before complying.

8.4 Aggregated and De-Identified Data

We may share aggregated, de-identified, or anonymized information (which cannot reasonably be used to identify you) with third parties for industry analysis, research, marketing, or other purposes. We will not attempt to re-identify such data.

8.5 With Your Consent

We may share your personal information with third parties not described above if we have obtained your prior informed consent to do so.

8.6 What We Do NOT Do

• We do not sell your personal information to data brokers or third-party advertisers;
• We do not share your full payment card details with any third party outside of the PCI-DSS payment processing workflow;
• We do not share your information with social media platforms beyond what is described in Section 5.3, unless you explicitly authorize such sharing.

9. Cookies & Tracking Technologies

9.1 What Are Cookies?

Cookies are small text files that a website stores on your device when you visit. They are widely used to make websites function properly, improve user experience, and provide information to the website owner. Similar technologies include web beacons (pixel tags), local storage, and session storage.

9.2 Types of Cookies We Use

9.3 Cookie Consent

On your first visit to the Site, we will display a cookie consent banner that allows you to: (a) accept all cookies; (b) reject non-essential cookies; or (c) customize your cookie preferences by category. Your preferences are stored for a period of up to 12 months and can be changed at any time through the cookie settings accessible in the Site footer.

Residents of the EEA, UK, and California are entitled to withdraw consent at any time without detriment to the services you receive. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

9.4 Google Analytics

We use Google Analytics, a web analytics service provided by Google LLC. Google Analytics uses cookies to collect information about your use of the Site. This information is transmitted to and stored by Google on servers in the United States. Google LLC is certified under the EU-US Data Privacy Framework. You may opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on available at https://tools.google.com/dlpage/gaoptout.

9.5 "Do Not Track" Signals

Some browsers transmit "Do Not Track" (DNT) signals. Because there is no consistent industry standard for responding to DNT signals, our Site does not currently alter its practices in response to such signals. We will continue to monitor developments in this area and update this Policy if our practices change.

9.6 Managing Cookies

In addition to our cookie consent tool, you can manage cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, and set preferences for certain websites. Note that restricting cookies may impair the functionality of the Site. For guidance, visit your browser's help documentation or www.allaboutcookies.org.

10. Third-Party Service Providers

The following categories of third-party service providers may receive or process your personal data in connection with the Services. We maintain current data processing agreements or equivalent contractual safeguards with each provider in the applicable category.

We do not permit our service providers to use your personal data for their own independent purposes except as required to provide the services contracted to us. Each service provider is subject to appropriate contractual obligations, including confidentiality and data security requirements. We periodically review our service provider relationships to ensure continued compliance.

11. Data Retention & Deletion

11.1 General Retention Principles

We retain personal information for as long as necessary to: (a) provide you with the Services you have requested; (b) fulfill the purposes described in this Policy; (c) comply with our legal obligations; (d) resolve disputes; and (e) enforce our agreements. We periodically review our data holdings and delete or de-identify information that is no longer necessary for these purposes.

11.2 Retention Periods by Data Category

11.3 Account Cancellation and Deletion

Upon cancellation of your subscription or deletion of your account:

1. Your account profile and active sale listings will be deactivated and removed from public display within 30 days of cancellation;
2. You may request permanent erasure of your personal data in accordance with the rights described in Section 14;
3. We will retain financial transaction records for the period required by law (see table above);
4. De-identified or aggregated data derived from your account may be retained indefinitely for analytical purposes.

11.4 Backup Media

Personal data contained in backup media (snapshots, archives) will be deleted or overwritten in accordance with our backup rotation schedule, which provides for deletion of individual backups within 90 days of the scheduled deletion date for the underlying data.

12. Data Security

12.1 Technical Safeguards

• Encryption in transit: All data transmitted between your browser and our servers is protected using TLS 1.2 or higher (HTTPS). We enforce HTTPS through HTTP Strict Transport Security (HSTS);
• Encryption at rest: Sensitive data stored in our databases (including passwords, which are hashed using industry-standard algorithms such as bcrypt or Argon2) is encrypted using AES-256 or equivalent;
• Access controls: Access to personal data systems is restricted on a need-to-know basis. We enforce multi-factor authentication (MFA) for administrative access;
• Payment security: Payment card data is collected and processed exclusively through our PCI-DSS Level 1 certified payment processor. We do not store, process, or transmit full card numbers, CVV codes, or other sensitive authentication data on our systems;
• Vulnerability management: We regularly perform vulnerability scans, apply security patches promptly, and conduct periodic penetration testing;
• Web Application Firewall (WAF): We employ a WAF and DDoS-mitigation services to protect the platform from common web-based attacks;
• Audit logging: We maintain audit logs of access to sensitive systems and data to detect unauthorized activity.

12.2 Organizational Safeguards

• Staff with access to personal data are trained in data protection and security best practices;
• We maintain a written information security program (WISP) in compliance with Fla. Stat. § 501.171;
• We conduct periodic security risk assessments;
• Third-party service providers are evaluated for security compliance before engagement and on an ongoing basis.

12.3 Your Responsibility

You are responsible for: (a) maintaining the confidentiality of your account credentials; (b) ensuring that any device used to access your account is adequately secured; and (c) promptly notifying us at the contact information in Section 2 if you suspect unauthorized access to your account. We will never ask for your password by email, telephone, or chat.

13. International Data Transfers

13.1 Transfer Mechanisms

Where we transfer personal data from the EEA or UK to countries not recognized as providing an adequate level of data protection, we rely on one or more of the following safeguards:

• EU Standard Contractual Clauses (SCCs): We incorporate the EU Commission's approved Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) into our data processing agreements with service providers in non-adequate third countries;
• UK International Data Transfer Agreements (IDTAs): For transfers from the UK, we use the UK IDTA or UK Addendum to the EU SCCs as appropriate;
• EU-US Data Privacy Framework: Certain US-based service providers (e.g., Google LLC, Meta Platforms, Inc.) are certified under the EU-US Data Privacy Framework, which provides an adequate level of data protection for transfers from the EEA;
• Adequacy decisions: Where the European Commission or UK ICO has issued an adequacy decision for the recipient country, we rely on that decision.

13.2 Data Localization

Our primary data processing infrastructure is located within the United States (Miami-Dade County, Florida region and/or US-East cloud regions). We do not currently operate data centers outside the United States.

13.3 Right to Information

EEA and UK data subjects may request a copy of the safeguards we have implemented for cross-border transfers by contacting us at the address in Section 2.

14. Your Privacy Rights (All Users)

Regardless of your location, all users of the Services have the following rights with respect to their personal information:

14.1 Verifying Your Identity

To protect your privacy and the security of your data, we will verify your identity before processing any rights request. We may ask you to provide: (a) the email address associated with your account; (b) verification of your identity through account login; and/or (c) additional documentation for high-sensitivity requests. We will not use verification information for any purpose other than identity confirmation.

14.2 Response Times

We will acknowledge your request within 5 business days and provide a substantive response within the time periods required by applicable law: 30 days for GDPR requests; 45 days (with one 45-day extension if necessary) for CCPA requests; and 30 days for Florida requests. If we are unable to fulfill a request, we will explain the reason in writing.

14.3 No Discrimination

We will not discriminate against you for exercising any privacy right. We will not deny you services, charge different prices, or provide a lower quality of service because you exercised a privacy right.

15. GDPR Rights (EEA / UK Users)

15.1 GDPR Data Subject Rights

• Right of Access (Art. 15): Obtain confirmation that we process your data and receive a copy of it, along with supplementary information;
• Right to Rectification (Art. 16): Have inaccurate personal data corrected and incomplete data completed;
• Right to Erasure ("Right to Be Forgotten") (Art. 17): Request deletion in circumstances including where the data is no longer necessary, consent is withdrawn, or processing was unlawful;
• Right to Restriction of Processing (Art. 18): Request that we limit our processing of your data in certain circumstances;
• Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format, and transmit it to another controller where technically feasible;
• Right to Object (Art. 21): Object to processing based on legitimate interests (including profiling) and to direct marketing processing at any time;
• Rights Related to Automated Decision-Making (Art. 22): Not to be subject to solely automated decisions that produce legal or similarly significant effects without human review, unless specific conditions apply. We do not currently conduct automated decision-making of this type.

15.2 Right to Lodge a Supervisory Authority Complaint

EEA users have the right to lodge a complaint with the data protection supervisory authority in their EU member state of habitual residence, place of work, or place of an alleged infringement. UK users may contact the UK Information Commissioner's Office (ICO) at https://ico.org.uk. We kindly request that you contact us first to give us an opportunity to address your concern before escalating to a supervisory authority.

16. CCPA / CPRA Rights (California Residents)

16.1 Categories of Personal Information Collected (12 Months)

In the preceding 12 months, we have collected personal information in the following CCPA-defined categories: Identifiers; Customer Records information; Commercial information; Internet and other electronic network activity; Professional or employment-related information; and Inferences drawn from the above categories to create a profile about a consumer reflecting preferences and characteristics. We do not collect Sensitive Personal Information as defined in CCPA § 1798.140(ae) in the ordinary course of our business.

16.2 Categories Disclosed for Business Purposes

We disclose Identifiers, Customer Records information, Commercial information, and Internet activity information to service providers for the business purposes described in Sections 7 and 8.

16.3 Sale / Sharing of Personal Information

We do not sell personal information as defined in CCPA § 1798.140(t). We do not engage in cross-context behavioral advertising that constitutes "sharing" under CCPA § 1798.140(ah) other than through Google Analytics and Google Ads cookies, which you may opt out of via our cookie consent manager or via the Global Privacy Control (GPC) signal. We honor GPC signals as opt-out requests for sharing.

16.4 Your CCPA Rights

• Right to Know: Request information about the categories and specific pieces of personal information we have collected, the sources, our business purpose, and third parties with whom we share it;
• Right to Delete: Request deletion of personal information we have collected, subject to legal exceptions;
• Right to Correct: Request correction of inaccurate personal information;
• Right to Opt Out of Sale/Sharing: Opt out of the sale or sharing of your personal information. Submit via the "Do Not Sell or Share My Personal Information" link in our Site footer or via our cookie consent manager;
• Right to Limit Use of Sensitive Personal Information: Not applicable as we do not collect sensitive personal information;
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA right.

16.5 Submitting CCPA Requests

California residents may submit requests to know or delete through: (1) our Contact form at https://www.4estatesale.com (select "CCPA Privacy Request" as the subject); or (2) by email to the address on our Contact page. Requests may be submitted by an authorized agent with written authorization. We will respond within 45 days (extendable once by an additional 45 days with notice).

17. Florida Privacy Rights (Florida Residents)

17.1 Florida Digital Bill of Rights (FDBR)

Florida consumers (defined as natural persons who are Florida residents) have the following rights under the FDBR:

• Right to Access: Confirm whether we are processing your personal data and obtain a copy of it;
• Right to Correction: Correct inaccuracies in your personal data;
• Right to Deletion: Request deletion of personal data you have provided or that we have collected;
• Right to Data Portability: Receive your personal data in a portable format that allows transmission to another controller;
• Right to Opt Out: Opt out of (a) the sale of personal data; (b) targeted advertising; and (c) profiling in furtherance of decisions that produce legal or similarly significant effects;
• Right to Appeal: If we deny your rights request, you may appeal our decision. We will respond to appeals within 60 days. If your appeal is denied, you may contact the Florida Attorney General.

17.2 Florida Information Protection Act (FIPA)

Fla. Stat. § 501.171 requires us to: (a) implement reasonable security measures to protect personal information; (b) take reasonable steps to destroy personal information when no longer needed; and (c) provide notification to affected individuals and the Florida Department of Legal Affairs in the event of a breach of personal information of Florida residents within 30 days of determination of a breach. See Section 22 for our breach notification procedures.

17.3 Submitting Florida Rights Requests

Florida residents may submit rights requests through the Contact form at https://www.4estatesale.com (select "Florida Privacy Request" as the subject). We will respond within 45 days of receiving a verifiable request.

18. Children's Privacy & COPPA Compliance

18.1 Age Restriction

By creating an account or using the Services, you represent and warrant that you are at least 18 years of age. We do not knowingly collect, use, or disclose personal information from children under the age of 13. Any person between the ages of 13 and 17 may only use the Services with the express consent and supervision of a parent or legal guardian.

18.2 Compliance with COPPA

In compliance with the Children's Online Privacy Protection Act (15 U.S.C. §§ 6501 et seq.) and the FTC's COPPA Rule (16 C.F.R. Part 312):

• We do not knowingly collect personal information from children under 13;
• If we discover that we have inadvertently collected personal information from a child under 13, we will promptly delete it;
• We do not knowingly sell, rent, or transfer personal information about children under 13 to third parties.

18.3 Parental Notice and Removal

If you are a parent or legal guardian and believe that your child under the age of 13 has provided personal information to us without your consent, please contact us immediately at the address provided in Section 2 with the subject line "COPPA — CHILD DATA REMOVAL." We will take prompt steps to verify the request and delete the information.

19. Marketing & Communications

19.1 Types of Communications

We may send you the following types of communications:

• Transactional communications (cannot be opted out of while your account is active): subscription confirmation, payment receipts, renewal reminders, account security alerts, critical service notices, and policy change notifications;
• Marketing communications (opt-out available): promotional emails, newsletters, feature announcements, surveys, and special offers.

19.2 Opt-In and Opt-Out

We will only send marketing communications where we have a legal basis to do so. For EEA/UK users, we obtain prior express consent before sending marketing emails. For US users, we rely on legitimate interest for existing subscribers ("soft opt-in") but provide a clear and easy opt-out mechanism on every communication.

You may opt out of marketing communications at any time by:

1. Clicking the "Unsubscribe" link at the bottom of any marketing email;
2. Updating your communication preferences in your account settings; or
3. Contacting us using the information in Section 2.

Opt-out requests are processed within 10 business days. After opting out, you may continue to receive transactional communications.

19.3 Marketing Use of Business Name and Logo

By maintaining an active subscription, you acknowledge that the Company may identify you as a customer of 4EstateSale.com and use your business name and/or logo in our marketing materials, website, press releases, and similar promotional contexts. If you wish to opt out of this use, please notify us in writing using the contact information in Section 2. We will honor such opt-out requests within 30 days.

19.4 Text Message Communications

If you have provided a mobile phone number and opted in to receive SMS communications from us, we will use it to send service-related text messages. Standard message and data rates may apply. You may opt out of SMS communications at any time by replying STOP to any message or contacting us directly. We comply with the Telephone Consumer Protection Act (TCPA) in all text messaging practices.

20. User-Generated Content & Public Listings

20.1 Public Nature of Listings

Sale listings, auction advertisements, and related content that you publish on the Platform are public-facing and visible to all visitors of the Site, including anonymous users, search engine crawlers, and third-party aggregators. By publishing a listing, you acknowledge that:

• The information contained in the listing (including sale address, dates, contact information, photographs, and item descriptions) will be publicly accessible;
• We cannot control the subsequent use of publicly available listing information by third parties after it has been indexed or viewed;
• You are responsible for ensuring that any personal information you include in a listing complies with applicable privacy laws and does not violate the privacy rights of third parties.

20.2 Content Responsibility

You are solely responsible for the accuracy and legality of all content you submit to the Platform. You represent and warrant that:

• You own or have the necessary rights to all content you submit;
• Your content does not violate any applicable law, regulation, or third-party right;
• You will not submit personal information of third parties without their consent.

20.3 Residual Data in Public Forums

If you participate in any public-facing features (e.g., comments, reviews, public profiles), information you post may remain visible to others after your account is deleted, subject to our content moderation policies. You may request removal of specific publicly posted content by contacting us.

21. Payment Processing & Financial Data

21.1 PCI-DSS Compliance

All payment transactions conducted through the Platform are processed by a PCI-DSS Level 1 certified payment processor. Payment card data (full card number, CVV/CVC, expiration date, and PIN) is collected directly by the payment processor through their secure, tokenized checkout environment and is never transmitted to, stored on, or accessible by our servers or personnel.

21.2 What We Do Retain

We retain the following payment-related information for our records:

• Billing name and billing address;
• Payment method type (card brand) and last four digits of the card number as provided by the payment processor;
• Transaction ID, amount, date, and status;
• Subscription plan, billing cycle, and renewal history.

21.3 Subscription Auto-Renewal

Monthly subscriptions auto-renew until cancelled. We will send a renewal reminder email at least 7 days before each renewal date. To cancel your subscription, log in to your account and follow the cancellation procedure, or contact us at the address in Section 2. Cancellations take effect at the end of the current billing period unless otherwise required by law.

21.4 Refund Policy

Refund eligibility is governed by our Terms of Service. This Privacy Policy does not create any additional refund obligations.

22. Data Breach Notification Procedures

22.1 Internal Response

Upon discovering or reasonably suspecting a breach of security involving personal information, we will:

1. Immediately activate our incident response plan and assemble a response team;
2. Contain and investigate the breach to assess its scope and nature;
3. Engage appropriate third-party cybersecurity professionals if necessary;
4. Document all response activities.

22.2 Regulatory Notification

We will provide notification to applicable regulators within the timeframes mandated by law:

• Florida (Fla. Stat. § 501.171): Notify the Florida Department of Legal Affairs within 30 days of determining a breach affecting Florida residents (if 500 or more Florida residents are affected);
• GDPR (Art. 33): Notify the relevant EU supervisory authority within 72 hours of becoming aware of a breach likely to result in a risk to the rights and freedoms of natural persons;
• State laws: Comply with the breach notification law of each affected user's state of residence.

22.3 Individual Notification

We will notify affected individuals without undue delay (and generally within 30 days of discovering the breach) using the most current contact information on file. The notification will include, to the extent known: (a) the date and description of the breach; (b) the type of personal information involved; (c) the steps taken to contain the breach; and (d) recommended steps for individuals to protect themselves. Where direct notification is not practicable, we will provide substitute notice through the Site and/or press release.

23. Limitation of Liability

IMPORTANT LEGAL NOTICE — PLEASE READ CAREFULLY. This section limits our liability to you in connection with privacy-related matters to the maximum extent permitted by applicable law. Nothing in this section limits liability that cannot be limited by law (including in consumer protection contexts where such exclusions are prohibited).

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ADVERTISEMENT CAPITAL, LLC AND ITS MEMBERS, MANAGERS, OFFICERS, EMPLOYEES, AGENTS, SUCCESSORS, AND ASSIGNS SHALL NOT BE LIABLE FOR:

1. ANY UNAUTHORIZED ACCESS TO, OR ALTERATION, THEFT, OR DESTRUCTION OF, YOUR PERSONAL INFORMATION BY THIRD PARTIES, PROVIDED THAT SUCH ACCESS RESULTED DESPITE OUR REASONABLE SECURITY MEASURES;
2. ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES ARISING OUT OF OR RELATED TO THIS POLICY OR THE PROCESSING OF YOUR PERSONAL INFORMATION;
3. ANY LOSS OF PROFITS, REVENUE, DATA, GOODWILL, OR OTHER INTANGIBLE LOSSES;
4. THE ACTS OR OMISSIONS OF THIRD-PARTY SERVICE PROVIDERS, PROVIDED THAT WE HAVE ENTERED INTO APPROPRIATE DATA PROCESSING AGREEMENTS WITH SUCH PROVIDERS;
5. ANY PRIVACY BREACH ATTRIBUTABLE TO INFORMATION YOU VOLUNTARILY DISCLOSED IN PUBLIC LISTINGS OR FORUMS ON THE PLATFORM.

IN JURISDICTIONS THAT DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CERTAIN TYPES OF DAMAGES, OUR LIABILITY SHALL BE LIMITED TO THE FULLEST EXTENT PERMITTED BY LAW. IN ALL EVENTS, OUR AGGREGATE LIABILITY TO YOU FOR ANY CLAIM ARISING UNDER THIS POLICY SHALL NOT EXCEED THE GREATER OF (A) THE TOTAL SUBSCRIPTION FEES PAID BY YOU TO US IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM, OR (B) ONE HUNDRED U.S. DOLLARS (USD $100.00).

24. Indemnification

To the fullest extent permitted by law, you agree to defend, indemnify, and hold harmless Prime Partners Group, LLC and its members, managers, officers, employees, agents, successors, and assigns from and against any and all claims, damages, losses, costs, liabilities, and expenses (including reasonable attorneys' fees) arising out of or relating to:

1. Your violation of this Privacy Policy;
2. Your violation of any applicable privacy law or regulation;
3. Any personal information of third parties that you submit to the Platform without proper authorization;
4. Your misrepresentation of your identity, authority, or the ownership of any content submitted to the Platform;
5. Any claim by a third party that your listing content, user-generated content, or other submissions violate their privacy rights.

25. Governing Law & Dispute Resolution

25.1 Governing Law

This Privacy Policy and any disputes arising under or related to it shall be governed by and construed in accordance with the laws of the State of Florida, without regard to its conflict-of-laws principles. Where required by applicable law, specific provisions of this Policy shall be interpreted in accordance with the laws of the applicable jurisdiction (e.g., GDPR provisions shall be interpreted in accordance with EU law; CCPA provisions shall be interpreted in accordance with California law).

25.2 Exclusive Jurisdiction

Any legal action or proceeding arising under or related to this Privacy Policy shall be brought exclusively in the state or federal courts of competent jurisdiction sitting in Miami-Dade County, Florida, and you hereby consent to and accept the personal jurisdiction of such courts.

25.3 Informal Dispute Resolution

Before initiating any formal legal proceeding, we encourage you to contact us to resolve any privacy-related concern informally. We will use reasonable efforts to address your concern within 30 days.

25.4 Class Action Waiver

TO THE EXTENT PERMITTED BY APPLICABLE LAW, YOU AGREE THAT ANY CLAIM OR DISPUTE UNDER THIS POLICY SHALL BE BROUGHT IN YOUR INDIVIDUAL CAPACITY ONLY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY CLASS ACTION, CONSOLIDATED ACTION, OR REPRESENTATIVE PROCEEDING. NOTHING IN THIS SECTION LIMITS YOUR RIGHTS UNDER CONSUMER PROTECTION LAWS THAT DO NOT PERMIT CLASS ACTION WAIVERS.

26. Changes to This Privacy Policy

26.1 Right to Amend

We reserve the right to update, modify, or amend this Privacy Policy at any time to reflect changes in our data practices, applicable law, or the Services. All changes are effective upon posting the revised Policy on the Site with an updated "Last Reviewed" date at the top of the document.

26.2 Material Changes — Notice Procedures

For material changes — those that significantly affect the rights of users or substantially alter our data processing practices — we will provide advance notice as follows:

• Email notification: We will send an email to the address on file for all registered users at least 30 days before the change becomes effective, summarizing the nature of the change and directing you to the updated Policy;
• In-platform notice: We will display a prominent banner or notification within the logged-in user interface for at least 30 days;
• Site announcement: We will post a notice on the Site's homepage or privacy page identifying the nature of the change.

26.3 Your Options

If you do not agree to a material change to this Policy, you may close your account prior to the effective date of the change by following the account closure procedure. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

26.4 Version History

We maintain a version history of prior iterations of this Policy. Prior versions are available upon written request to the contact address in Section 2.

27. Entire Agreement

This Privacy Policy, together with our Terms of Service and any supplemental policies or agreements incorporated herein by reference, constitutes the entire agreement between you and Prime Partners Group, LLC with respect to the privacy and processing of your personal information in connection with the Services. This Policy supersedes all prior privacy policies and representations made by us with respect to the same subject matter, including without limitation the prior version of this Privacy Policy posted at https://www.4estatesale.com/privacy-policy/.

If any provision of this Policy is found to be unlawful, void, or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect and shall not be affected, impaired, or invalidated by such finding.

No waiver of any provision of this Policy shall be effective unless made in writing and signed by an authorized representative of the Company.

4EstateSale.com Privacy Policy • Prime Partners Group, LLC • Version 2.0 • Effective May 7, 2026

For privacy inquiries: https://www.4estatesale.com (Contact Us → "Privacy / Data Request")

© 2026 Prime Partners Group, LLC. All rights reserved. This document is subject to attorney-client privilege and legal professional privilege where applicable. This document has been prepared for informational purposes and does not constitute legal advice. Prime Partners Group, LLC recommends periodic review of this Policy with qualified legal counsel to ensure continued compliance with evolving privacy laws and regulations.