Executive Summary
Metropolis Group treats personal data as an institutional asset governed by the same discipline that defines our investment and operational practice. We collect only what is necessary, process it for clearly defined purposes, secure it through layered technical and organizational controls, and retain it only for as long as the underlying business or legal obligation requires.
We do not sell, lease, trade, or broker personal information under any circumstance.
1. Data Capture Vectors
We collect personal information only through defined inbound channels and only to the extent required to operate, secure, and improve our services.
1.1 Contact and inquiry portal
- Full Name
- Email Address
- Phone Number
- Inquiry Type (general, investment, leasing, property management, careers)
- Message content submitted by the user
1.2 Career applications
- Identifying information voluntarily provided by the applicant
- Contact details and professional history
- Application correspondence routed through our recruitment inbox
1.3 Operational and tenant relations data
- Information required to onboard, service, and account to investors, partners, and tenants
- Records necessary to comply with accounting, audit, and regulatory obligations
1.4 Technical telemetry
- Standard server logs (IP address, user agent, request metadata) used for security, abuse prevention, and platform integrity
- Strictly necessary cookies and session identifiers
2. Operational Processing Logic
Personal data is processed exclusively to operate the platform, deliver services, and fulfill legal obligations. Specifically:
- Investment inquiries: to evaluate, route, and respond to prospective investor and partner communications.
- Tenant relations: to administer leases, coordinate maintenance, manage billing, and support resident communications.
- Talent acquisition: to evaluate applications submitted through the careers pipeline and manage candidate communications.
- Distribution partnerships: where a property is listed via authorized distribution platforms (such as Airbnb and Booking.com), the minimum data required to fulfill a confirmed booking is shared with the corresponding partner under contractual data-protection terms.
- Compliance and security: to detect, investigate, and respond to fraud, abuse, or unauthorized activity, and to meet anti-money-laundering, tax, audit, and regulatory obligations.
3. Data Scarcity, Sharing, and Retention
We operate on a principle of data minimization: we collect the least amount of information necessary, restrict access to authorized personnel, and retain records only for as long as the underlying purpose remains active.
- Personal data is never sold, leased, traded, or brokered to third parties for marketing, profiling, or commercial enrichment.
- Information is shared with service providers (hosting, email delivery, payment processing, accounting) only under binding confidentiality and data-protection agreements, and only to the extent required for the service.
- Inquiry records are retained for the period necessary to service the request and demonstrate compliance, after which they are securely deleted or anonymized.
- Tenant and investor records are retained for the duration of the relationship and any post-relationship period required by applicable law, audit, or contractual obligation.
4. Your Rights
Depending on your jurisdiction, you have the right to access, correct, port, restrict, or delete the personal information we hold about you, and to withdraw consent where processing relies on it. Requests are reviewed and actioned in line with applicable law.
To exercise these rights, contact us at the address listed under Execution & Contact below.
5. Regional Variations
5.1 Canada (PIPEDA)
Our Canadian operations are governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation. Individuals may file a complaint with the Office of the Privacy Commissioner of Canada if they believe their rights have been infringed.
5.2 European Economic Area and United Kingdom (GDPR / UK GDPR)
Where the General Data Protection Regulation applies, we process data on lawful bases including contractual necessity, legitimate interest, legal obligation, and explicit consent. Data subjects retain the full set of GDPR rights, including the right to lodge a complaint with the relevant supervisory authority.
5.3 United States (CCPA / CPRA)
For California residents, we honour the rights provided under the California Consumer Privacy Act, as amended. We do not sell or share personal information as those terms are defined under the CCPA.
5.4 International expansion
As Metropolis Group expands into additional markets, this policy will be aligned with the data-protection regimes of each jurisdiction in which we operate, including planned Zanzibar operations.
6. Security
We apply layered technical and organizational controls including access restriction, encryption in transit, secure hosting, and routine review of administrative privileges. No system is absolutely secure; in the event of a material incident affecting personal data, we will notify affected individuals and regulators in accordance with applicable law.
7. Updates to This Policy
We may update this policy to reflect operational, legal, or regulatory changes. Material changes will be communicated through the website and, where appropriate, by direct notice.
8. Execution & Contact
Direct all privacy inquiries, rights requests, and complaints to:
Metropolis Management Group
EY Tower, 100 Adelaide Street West, Suite 2100
Toronto, Ontario, Canada
Phone: +1 (647) 877-2884
Email: info@metropolisgroup.ca