EMPIRE STATE REALTY TRUST PRIVACY POLICY

Last Updated: July 18, 2025

Empire State Realty Trust, Inc. (“ESRT”, “we”, “our”, “us”) is a publicly traded real estate investment trust (NYSE: ESRT) that owns and manages office, retail and multifamily assets in Manhattan and the greater New York metropolitan area. This Privacy Policy explains how we collect, use, disclose, and otherwise process your personal information in connection with our www.esrtreit.com website (the “Site”) and the services (“Services”) we offer.


PRIVACY HIGHLIGHTS

This summary provides key points from our Privacy Policy. You can find more details about any of these topics by clicking the respective links in our Table of Contents.

What personal information do we collect?

When you visit our Site or our properties, or otherwise interact with us, we collect and process personal information to assist you with obtaining the information and Services you need. We also collect and process personal information so we can share information we think you will find beneficial, and to help us improve and administer our Site and Services. When you visit our properties, we also collect personal information in relation to your visit, and to keep you and other visitors safe.

With whom do we share your personal information?

We do not sell your personal information. We may share information with our service providers and with other third parties, including advertisers, as defined in this Policy.

How do we keep your information safe?

We have administrative, technical and physical safeguards in place to protect your personal information. However, no computer system or network is 100% secure; and, as such, we cannot guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to circumvent our security efforts and improperly access your information.

What are your privacy rights?

Depending on where you are located, applicable privacy laws may give you certain rights regarding your personal information. See the section below entitled “What are your privacy rights?” for details on those rights and how to exercise them.


Table of Contents

Who are we?

ESRT is the legal entity that manages and operates this Site and provides the Services outlined above. When we collect your personal information through this Site or our Services, we are acting as a “Controller” of your data. A “Controller” is an entity that determines the purposes and means of processing of your personal information.

What is personal information?

When we use the term “personal information” in this Privacy Policy, we mean any data or information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person or household, or any other data or information that constitutes “personal data”, “personal information,” or “personally identifiable information” as those terms are defined under applicable privacy laws.

How do we collect personal information from you?

We collect information in three primary ways: (1) we collect the information you provide to us, (2) we automatically collect certain information (for example, through our Site), and (3) we collect information from third parties. Each of these collection practices is described further below.

What personal information do we collect from you and how do we use it?

We collect the information you provide to us. During your visit to our Site or our properties, you may choose to provide us with certain information in order to:

Explore Properties. You may choose to book a tour of one of our properties. In doing so, we collect the following types of information: name, email address, telephone number and information concerning your potential move-in date and tour availability.

Tenant Services. We offer a third-party (VTS) developed application, called ESRT+, which empowers our tenants with an online platform for accomplishing a host of various tenant activities (such as the ability to submit and monitor maintenance requests, reserve various amenities, enable phone-enabled access to facilities, register for nearby events, receive and view property news and updates and resident documentation, etc.). Your use of this tool is governed by VTS’s Terms of Service – which you must consent to prior to accessing such tool. VTS’s processing of your personal information is governed by VTS’s Privacy Notice. We do receive your personal information through the ESRT+ platform, and our processing of your information collected through the platform is governed by this Privacy Policy.

Investors. You may choose to receive email updates for important investor related information (such as press releases, events, SEC filings, end of day stock quotes, etc.). If you elect to receive this information (as selected by you), we collect your email address.

Newsletter. You may choose to sign up for our latest news, updates, and other special offers. In doing so, we collect the following types of information: name, email address and telephone number.

Careers. We provide a portal where you may search for and apply for a job with us. This portal is managed by a third-party service provider (Lever). By means of this portal we may collect information from you that includes, but is not limited to: name, address, telephone number, email address and other contact information, educational or other credentials, employment history and experience, volunteer work; and other information necessary to evaluate a candidate’s suitability for employment such as Social Security number or work authorization, together with any other information we may collect with your consent or as required by applicable law.

Contact Us. If you contact us through the “Contact Us” form provided on our Site, you will be asked to provide certain information to help us assist you with your stated inquiry. In order to communicate with you concerning this request, we also ask that you provide us with basic contact information.

When You Visit Our Properties. We may collect information from security cameras and/or other monitoring devices on our premises. The information collected through cameras or monitoring devices, for example license plate number, may constitute personal information, depending on the circumstances. We use this information to help ensure security where we have physical locations.

When Applying for Tenancy. If you apply as a tenant to lease one of our properties, we may collect information from you that includes, but is not limited to, name, address, telephone number, government issued identification (e.g., driver’s license number), email address and other contact information, date of birth, social security number, co-applicant name, employer, occupation, income, duration of employment, financial information, and emergency contact information; together with any other information we may collect with your consent or as required by applicable law.

We automatically collect certain information. When visiting our Site, we automatically collect information about your computer hardware and software. This information can include: your IP address, browser type, domain names, access times and referring website addresses. This information is used for the operation of our Site, to maintain quality of our Services, and to provide general statistics regarding use of our Site and Services.

Cookies and other technologies

    We use cookies to allow us to personalize your visits, keep track of your preferences and learn about the way in which you use our Site. A cookie is a small file that is placed on your computer when you visit our Site and allows it to recognize you as a user. We employ both “Essential” and “Non-essential” cookies. Essential cookies are necessary for the effective operation of our Site and make the interaction between you and the Site faster and easier. Non-essential cookies are not required for a website to function but are used for other purposes, such as analytics or advertising.

    We also use web beacons, which allow us to count users who have visited our Site (and particular pages on the Site) and to recognize users by accessing our cookies. In addition, a web beacon can be used in HTML-formatted email to determine receipt of and responses to our communications and measure their effectiveness.

    We participate in behavioral-based, i.e., targeted advertising. This means that, if you permit targeting cookies in our cookie management tool, a third-party will place a cookie on your browser, or use a web beacon, to collect information about your use of our Site and Services, so that they can provide advertising about products and services tailored to your interests. That advertising may appear on our Site or on other websites you visit.

    We may also use services hosted by third parties, such as Google Analytics, a web analytics service used to assist in providing our Services. Google Analytics uses cookies and other tracking technologies to help us analyze how users use the Site. The information generated by the cookie or other tracking technology about your use of the website (including your IP address) will be transmitted to, and stored by, Google on their servers. Google will use this information for the purpose of evaluating your use of the Site, compiling reports on Site activity for us and providing other services relating to Site activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. By using the Services, you consent to the processing of data about you by Google in the manner and for the purposes set out above. To opt out of tracking by Google Analytics, click here.

    Your browser settings may also allow you to transmit a “Do Not Track” signal when you visit various websites. Like many websites, our Site does not use or respond to “Do Not Track” signals in your web browser. To learn more about “Do Not Track” signals, you can visit http://www.allaboutdnt.com/.

We also collect information from third parties.

    We may also collect information about you from social media or other publicly available sources. When an individual interacts with our Site through various social media networks, such as when someone “Likes” us on Facebook or follows us or shares our content on Google, Facebook, X, or other social networks, we may receive some information about individuals that they permit the social network to share with third parties. The data we receive is dependent upon an individual’s privacy settings with the social network, and may include your profile information, profile picture, gender, username, user ID associated with your social media account, age range, language, country, and any other information you permit the social network to share with third parties. Individuals should always review and, if necessary, adjust their privacy settings on third-party websites and social media networks and services before sharing information and/or linking or connecting them to other services. We use this information to operate, maintain, and provide to you the features and functionality of the Site, as well as to communicate directly with you, such as to send you email messages about Services that may be of interest to you.

    If you apply for tenancy or employment, we may also collect financial or other background information about you from third parties such as credit agencies or public databases. This information is collected to help us make job-related or tenancy-related decisions.

With whom do we share your information?

We may share information collected about you in the following ways:

(1) With service providers. We work with certain third parties who provide services to us, such as managing visitor/customer information, managing our marketing and promotions activities, managing certain information technology systems, and conducting other activities of the kind described elsewhere in this Privacy Policy on our behalf. In such cases, we may disclose your personal information to such service providers, who act as processors of your data on our behalf. Except as may be discussed in this Policy, we do not authorize any of these service providers to make any use of your information other than for our benefit.

(2) With analytics service providers and advertisers. We permit third parties to use cookies, web beacons, and similar tracking technologies on our Site. Such parties may collect information about how you use our Site and other websites over time and across different services. This information may be used to, among other things, analyze and track data, determine the popularity of certain content, and better understand your online activity. Information collected in this fashion may be used for targeted advertising purposes. To learn about your choices regarding this sharing of your information, please see the “How to exercise your privacy rights” section below.

(3) With third parties for legal reasons. We would share information about you if we reasonably believe that disclosing the information is needed to: (i) comply with any valid legal process, governmental request, or applicable law, rule, or regulation; (ii) investigate, remedy, or enforce potential violations of our Terms of Use or Privacy Policy; (iii) protect the rights, property, and safety of us, our users, or others; or (iv) detect and resolve any fraud or security concerns.

(4) With third parties as part of an acquisition or liquidation. If we are involved in a merger, asset sale, financing, corporate divestiture, reorganization, or acquisition of all or some portion of our business to another company, or if we undergo liquidation or bankruptcy proceedings, we may share your information with that company before and/or after the transaction closes or the proceedings are completed.

(5) Aggregated or de-identified information with third parties. We also share with third parties, such as advertisers, aggregated or de-identified information and we may permit our third-party providers to further use, sell, license, distribute, or disclose de-identified data. Aggregated or de-identified information does not identify you and, as such, is not considered personal information.

We process your personal information and share it with third parties for the purposes described in this Policy, based on the following legal grounds:

(1) With your consent. We ask for your consent to process or share your information for specific purposes and you have the right to withdraw your consent at any time. For example, we ask for your consent to provide you with certain promotional information.

(2) For our legitimate interests. We process and share your information for our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. For example, we process and share your information in order to help us:

(3) To fulfill our contractual obligations. We process and share your information where necessary to provide a Service you have requested.

(4) To comply with legal obligations. We process and share your information when we have a legal obligation to do so.

Cross-border transfer

We transfer, process, and store information about you on servers located in the United States. Therefore, if you are located outside of the United States, your information will be transferred to, stored, or processed in the United States, whose data protection, privacy, and other laws may not provide the same level of protection as those in your country of residence. For example, government entities in the United States and other countries may have certain rights to access your personal information. If we transfer your information outside of your country of residence in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Policy. By using our Site, you understand and consent to the collection, storage, processing, and transfer of your information to our systems and network in the United States and to those third parties with whom we share it as described in this Notice.

How do we store and protect your personal information?

We take reasonable precautions, including the implementation of administrative, technical and physical safeguards, to protect your information. Please keep in mind that the internet is not a 100% secure medium for communication, and that no computer or network is 100% secure. We therefore cannot guarantee that the information collected about you will always remain private when using our Site or Services. As a result, while we strive to protect your personal information, we cannot guarantee the security of information you transmit to us, and you do so at your own risk.

How long do we retain your personal information?

We will usually store the personal information we collect about you for no longer than necessary to fulfill the purposes for which it was collected, and in accordance with our legitimate business interests and applicable law. However, if necessary, we may retain personal information for longer periods of time, until set retention periods and deadlines expire, for instance where we are required to do so in accordance with legal, tax and accounting requirements set by law, regulation or government authority.

To determine the appropriate duration of the retention of personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of personal information and if we can attain our objectives by other means, as well as our legal, regulatory, tax, accounting and other applicable obligations.

Once retention of the personal information is no longer necessary for the purposes outlined above, we will either delete or deidentify the personal information or, if this is not possible (for example, because personal information has been stored in backup archives), then we will securely store the personal information and isolate it from further processing until deletion or deidentification is possible.

What are your privacy rights?

In accordance with applicable privacy law, and depending upon the jurisdiction in which you reside, you may have some or all of the following rights in respect of your personal information:

Right of access. You may have the right to obtain: (i) confirmation of whether, and where, we are processing your personal information; (ii) information about the categories of personal information we are processing, the purposes for which we process your personal information and information as to how we determine applicable retention periods; (iii) information about the categories of recipients with whom we may share your personal information; and (iv) a copy of the personal information we hold about you.

Right of portability. You may have the right, in certain circumstances, to receive a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal information to another person.

Right to rectification or correction. You may have the right to obtain rectification or correction of any inaccurate or incomplete personal information we hold about you.

Right to deletion or erasure. You may have the right, in some circumstances, to require us to delete or erase your personal information.

Right to restriction. You may have the right, in some circumstances, to require us to limit the purposes for which we process your personal information if the continued processing of the personal information in this way is not justified, such as where the accuracy of the personal information is contested by you.

Right to opt-out. You may have the right to opt-out of certain processing activities. For example, you may have the right to opt-out of the use of your personal information for targeted advertising purposes, or to “sell” or “share” your personal information with third parties in certain contexts.

Right to control over automated decision-making or profiling. You may have the right to direct us not to use automated decision-making or profiling for certain purposes.

Right to withdraw consent. If you have provided consent for the processing of your personal information, you may have the right to withdraw your consent. If you withdraw your consent, this will not affect the lawfulness of our use of your personal information before such withdrawal.

Right to appeal. In the event that we decline to take action on a request exercising one of your rights set forth above, you may have the right to appeal our decision.

You may also have the right to not receive retaliatory or discriminatory treatment in connection with a request to exercise the above rights. To exercise any applicable rights, please refer to the “How to exercise your privacy rights” section below.

Children’s Privacy

Our Site and Services are not directed to, and we do not intend to, or knowingly, collect or solicit personal information from children under the age of 18. If an individual is under the age of 18, they should not provide us with any personal information either directly or by other means. If a child under the age of 18 has provided personal information to us, we encourage the child’s parent or guardian to contact us to request that we remove the personal information from our systems. If we learn that any personal information we collect has been provided by a child under the age of 18, we will promptly delete that personal information.

Our Services may include links to third-party websites, such as to our job application and applicant tracking portal partner. Except where we post, link to or expressly adopt or refer to this Privacy Policy, this Policy does not apply to, and we are not responsible for, any personal information practices of third-party websites, online services or the practices of other third parties. To learn about the personal information practices of third parties, please visit their respective privacy notices.

How to exercise your privacy rights

Please submit a request as set forth in the “Contact Us” section below. Before processing your request, we may need to verify your identity and confirm you are entitled to the applicable privacy rights. In certain circumstances, we may decline a request to exercise the rights described above, particularly where we are unable to verify your identity or locate your information in our systems. If we are unable to comply with all or a portion of your request, we will explain the reasons why. We will respond to your request as required under applicable privacy laws, generally within a month or 45 days, unless we require more time, in which case we will provide you notice.

In certain circumstances, you are permitted to use an authorized agent to submit requests on your behalf through the designated methods set forth above where we can verify the authorized agent’s authority to act on your behalf.

Contact us

If you wish to exercise any of your privacy rights or have any questions about this Notice, please contact us at:

By mail at:
Attn: Privacy
Empire State Realty Trust Inc.
111 West 33rd Street
12th Floor, New York, NY 10120

Changes to the Policy

We may update this Policy from time to time. When we make changes, we will change the date at the beginning of this Policy. All changes shall be effective from the date of publication unless otherwise provided.