What this Privacy Policy says
- We collect what's needed to run the Service: your account info, the tenant data you enter, payment metadata through Stripe, and basic usage analytics.
- We do not sell your data. We do not train general-purpose AI models on your Customer Content. We don't run third-party ad trackers.
- Data is encrypted at rest and in transit. Each workspace is isolated at the database row level so no workspace can see another's data.
- You can access, correct, export, or delete your data at any time. We reply to requests within 30 days.
- California (CCPA/CPRA) and EU/UK (GDPR) residents have extra rights — detailed below.
01 Introduction
This Privacy Policy describes how RentCaddie ("RentCaddie," "we," "us") collects, uses, discloses, and protects personal information when you use our website, product, and related services (the "Service"). It applies to property managers, landlords, and their team members who hold accounts with us (collectively, "Operators") as well as to tenants, applicants, and vendors whose information Operators enter into the Service.
We are a business-to-business software provider. Most of the personal information in our systems is placed there by Operators about their tenants, applicants, and vendors. For that information, the Operator is the data controller and RentCaddie is the data processor. For information we collect directly from Operators — such as Operator account details and our own marketing analytics — we are the data controller.
This policy is part of our legal agreement with Operators and is incorporated into our Terms of Service. If you are a tenant, applicant, or vendor whose information appears in RentCaddie through your landlord or property manager, please direct most requests to them — but we'll still help where we're required to under law (see Section 8).
02 Information we collect
We collect the following categories of personal information. Not all categories apply to every user — only the data necessary for the features in use.
Account information. When an Operator signs up, we collect name, email, business or workspace name, phone number, role, and authentication credentials (managed by our auth provider, Supabase Auth). Team members are invited by email and have similar account fields.
Customer Content — tenant and applicant data. Operators enter information about their tenants, applicants, and guarantors into the Service. This may include names, email and phone, postal and rental addresses, date of birth, government identifiers (where required for screening), lease terms, payment history, communication logs, uploaded documents (for example, IDs, pay stubs, or signed leases), maintenance requests, inspection findings, and cleaner records. We process this information on the Operator's instructions.
Payment information. Rent payments and subscription billing are processed by Stripe, Inc. We receive payment metadata (amount, last four digits, payment status, card brand) but we do not store full card numbers, CVV codes, or bank credentials.
Screening data (optional). When an Operator enables third-party screening, the applicant's authorized information is submitted to a credit-bureau partner and the report is returned to the Operator who requested it. These reports are governed by the Fair Credit Reporting Act.
Usage and device information. When you use the Service, we automatically collect device type, browser type and version, operating system, IP address, referring URL, pages visited, timestamps, and interactions with product features. We use this information for security, debugging, and product analytics (see Section 5 on cookies).
Communications. Emails, in-app messages, and support conversations you send us or that are sent on your behalf through the Service (for example, tenant rent reminders). We process message content to deliver it and to prevent abuse.
03 How we use information
We use the personal information described above for the following purposes:
- To operate the Service. Authenticate users, host workspaces, run rent collection and screening workflows, send transactional messages (password resets, payment receipts, rent reminders), generate documents like leases and rent rolls, and render court-defensible signed PDFs with a certificate of completion.
- To support and improve the product. Respond to your questions, investigate bugs, measure which features are used, and plan future features. Internal analytics are scoped to aggregate and pseudonymous signals where possible.
- To secure the Service. Detect and prevent fraud, account takeover, abuse, and unauthorized access. We log security-relevant events.
- To comply with law. Respond to lawful requests from regulators and law enforcement, meet tax and financial record-keeping obligations, and enforce our Terms of Service.
- To communicate with Operators. Send product updates, security bulletins, and, if you've opted in, marketing. You can opt out of marketing emails at any time; you cannot unsubscribe from transactional and security emails while you hold an account.
No AI training without consent. We do not use Customer Content to train general-purpose AI models. Where AI features operate on your workspace data (for example, photo-based inspection inference), processing is scoped to your workspace, results are returned only to you, and inputs are not retained for cross-customer model improvement.
04 Data sharing & third parties
We share personal information only with trusted service providers who help us run the Service, and only for the purpose described. We have a written contract with each provider that requires them to protect the data and use it only on our instructions. We do not sell personal information, and we do not share it with data brokers.
| Provider | Purpose |
|---|---|
| Stripe, Inc. | Subscription billing and tenant rent collection via Stripe Connect. Receives payment method data, transaction amounts, and customer identifiers. |
| Supabase, Inc. | Primary application database, authentication, and file storage. Holds Customer Content encrypted at rest with row-level tenancy isolation. |
| Vercel, Inc. | Application hosting, edge routing, and Vercel Functions runtime. Processes HTTP request and response data. |
| Resend, Inc. | Transactional email delivery (receipts, notices, invitations, password resets, signing links). |
| Anthropic | AI inference for selected features (e.g. photo-based inspection damage estimation). Inputs are not retained for model training. |
We may also disclose personal information: (a) in response to a valid legal process, such as a subpoena or court order; (b) to protect the rights, property, or safety of RentCaddie, our users, or the public; (c) to a successor entity in connection with a merger, acquisition, reorganization, or sale of assets, subject to this Policy; and (d) with your consent.
05 Cookies & tracking
We use a small number of cookies and similar technologies, all for functional or first-party analytics purposes.
Authentication cookies. Set by Supabase Auth to keep you logged in, protect against cross-site request forgery, and remember your workspace preference. These are strictly necessary and cannot be disabled without breaking sign-in.
First-party analytics. We use first-party analytics to record pseudonymous usage events (pages visited, buttons clicked, feature success rates) so we can find bugs and improve features. Analytics cookies never leave our infrastructure for advertising use.
What we don't do. We do not run third-party advertising trackers, pixels, or cross-site retargeting scripts on authenticated product pages. Our marketing site may include a small number of conversion-tracking pixels on the landing page; any such tracking is disclosed in our cookie banner where required by law.
06 Data security
Security is a first-class engineering priority at RentCaddie. Our full security program — including architecture, incident response procedures, and available audit artifacts — is documented on our Security page.
Key controls include:
- Encryption in transit. All connections to and from the Service use TLS 1.3 with modern cipher suites. HSTS is enabled on all production domains.
- Encryption at rest. Databases, object storage, and backups are encrypted at rest using AES-256.
- Workspace isolation. Every table that holds tenant data enforces row-level security keyed on the Operator's organization_id. A query from one workspace physically cannot return another workspace's rows.
- Payments. Card and bank credentials are handled by PCI-certified processors (Stripe). RentCaddie never stores full card numbers, CVV, or banking credentials.
- Access control. Production access is limited to a small number of authorized engineers with enforced authentication. All access is logged.
- Monitoring & response. Security-relevant events are logged and alerted on. We maintain an incident response plan with defined notification timelines.
No system is perfect. If you discover a vulnerability, please report it responsibly to security@rentcaddie.com. We credit researchers who give us a reasonable window to fix issues before public disclosure.
07 Data retention
We keep personal information only as long as needed to provide the Service or to meet legal obligations. Retention windows vary by data type:
- Active workspace data. Retained indefinitely for as long as the Operator's subscription is active. Operators may delete individual records at any time.
- Post-cancellation export window. For 30 days after cancellation or termination, the workspace is preserved in a read-only state so the Operator can export data. After the window closes, active Customer Content is deleted from production.
- Encrypted backups. Our encrypted, access-controlled backups are kept on a rolling 90-day retention schedule. Canceled-workspace data ages out as backups roll over.
- Financial records. Transaction records, invoices, payout logs, and related accounting data are retained for at least 7 years to comply with IRS, state tax, and Stripe record-keeping requirements.
- Security and audit logs. Retained for up to 2 years for fraud investigation and incident response, then deleted.
08 Your rights
Subject to local law, you have the following rights with respect to personal information we hold about you:
- Right of access. Request a copy of the personal information we hold about you.
- Right to correction. Ask us to correct inaccurate or incomplete information.
- Right to deletion. Ask us to delete your personal information, subject to the retention exceptions above.
- Right to portability. Receive a machine-readable copy of your data and have it transmitted to another controller where technically feasible.
- Right to object or restrict. Object to certain processing or ask us to restrict processing where the law gives you that right.
- Right to withdraw consent. Where we rely on your consent, withdraw it at any time (without affecting prior processing).
If you are an Operator, you can exercise most of these rights directly within the product. Otherwise, contact privacy@rentcaddie.com. We verify identity before acting on requests and respond within 30 days, with a possible 30-day extension for complex requests.
09 California residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA") gives you additional rights:
- Right to know the categories and specific pieces of personal information we have collected about you.
- Right to delete personal information we've collected, subject to legal exceptions.
- Right to correct inaccurate personal information.
- Right to limit use of sensitive personal information to what's necessary to provide the Service.
- Right to opt out of sale or sharing. RentCaddie does not sell personal information, and we do not share it for cross-context behavioral advertising. There is nothing to opt out of.
- Right to non-discrimination for exercising your privacy rights.
To exercise your California rights, email privacy@rentcaddie.com with the subject line "CCPA Request." We will verify your identity using the information we already hold about you.
10 EU / UK residents (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation and its UK equivalent ("GDPR") apply to our processing. The rights described in Section 8 are available to you, and we process data on the following lawful bases:
- Contract. To provide the Service requested by an Operator and agreed to under our Terms of Service.
- Legitimate interests. To secure the Service, prevent fraud, improve the product, and communicate about the Service.
- Legal obligation. To comply with tax, financial, and other regulatory duties.
- Consent. Where we rely on your consent (for example, optional marketing emails), you may withdraw it at any time.
International transfers. RentCaddie's primary production infrastructure is located in the United States. When we transfer personal information from the EEA, UK, or Switzerland to the US, we rely on the Standard Contractual Clauses approved by the European Commission (and the UK Addendum / Swiss amendments where applicable), combined with supplementary technical measures such as encryption and workspace isolation. You may request a copy of our SCCs at privacy@rentcaddie.com.
11 Children's privacy
RentCaddie is a business tool designed for adult property owners, property managers, and their authorized team members. The Service is not directed to, marketed to, or intended for individuals under the age of 18, and we do not knowingly collect personal information from children.
If you believe that a child has provided personal information to us, please contact privacy@rentcaddie.com and we will delete it promptly.
12 Changes to this policy
We may update this Privacy Policy from time to time. When we make a material change, we will post the updated Policy at this URL, update the "Last updated" date at the top, and — if you are an Operator — provide at least 30 days' advance notice by email to the primary contact on your workspace before the change takes effect.
If you disagree with a material change, you may cancel your subscription and request deletion before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
13 Contact information
For privacy questions, data subject requests, or a copy of our DPA or SCCs, contact:
RentCaddie
Attn: Privacy
Email: privacy@rentcaddie.com
Security reports: security@rentcaddie.com
Legal notices: legal@rentcaddie.com