Privacy Policy

Zurently (operated by Shin Park, “we”, “our”, or “us”) provides an AI-powered property management platform for landlords in Singapore, Taiwan, Hong Kong, and Malaysia. This Privacy Policy explains what personal data we collect, how we use it, and what rights you have. It applies to all users of the Zurently web application and mobile app.

We are committed to protecting your privacy and complying with the Singapore Personal Data Protection Act 2012 (PDPA). By using Zurently, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

We collect the following categories of personal data:

• Account information — your name, email address, and phone number.
• Identity data — the last four digits of your NRIC or national ID, encrypted with AES-256-GCM before storage. We never store your full NRIC in plaintext.
• Property details — property addresses, unit types, rental amounts, and market region.
• Tenant details — tenant names, contact information, and lease associations.
• Lease terms — start and end dates, rental rates, deposit amounts, and AI-generated lease documents.
• Payment records — rent payment dates, amounts, and statuses. We do not store credit card numbers (Stripe handles payment processing).
• Expense records — expense descriptions, amounts, categories, receipt images, and AI-extracted receipt data.
• Maintenance requests — request descriptions, priority levels, statuses, and associated photos.
• Usage data — pages visited, features used, device type, and browser information (collected anonymously via PostHog).

We use your personal data for the following purposes:

• Property management — storing and organising your properties, tenants, leases, and maintenance requests so you can manage your portfolio effectively.
• AI lease generation — creating lease documents tailored to your property market using Anthropic's Claude API. Your data is processed transiently and is not stored by Anthropic.
• Rent tracking — recording payments, flagging overdue rent, and generating payment summaries.
• Tax reporting — generating income and expense reports to help you meet local tax filing requirements.
• Notifications — sending rent reminders, lease expiry alerts, and maintenance updates via email, WhatsApp, or LINE.
• Analytics — understanding how users interact with the platform so we can improve features and fix issues. Analytics data is anonymised.

We do not sell your personal data. We do not use your property or tenant data for advertising.

We process your personal data on the following legal grounds under the PDPA:

• Consent — you provide consent when you create an account and agree to this Privacy Policy. You may withdraw consent at any time by contacting us or deleting your account.
• Contractual necessity — processing your data is necessary to deliver the services you have subscribed to, including account management, data storage, and feature delivery.
• Legitimate interest — we process anonymised usage analytics, perform security monitoring, and carry out fraud prevention where these interests do not override your rights.

Your data is stored in a Supabase PostgreSQL database hosted on AWS in the Singapore region (ap-southeast-1). We apply the following protections:

• Encryption at rest — NRIC data is encrypted using AES-256-GCM with a dedicated encryption key before being stored in the database. Only the encrypted ciphertext is persisted.
• Encryption in transit — all connections use TLS 1.2 or higher, ensuring your data is protected between your browser and our servers.
• Row-Level Security (RLS) — database policies ensure that each user can only access their own data. No user can query another user's records.
• CSRF protection — all form submissions and state-changing requests are protected against cross-site request forgery attacks.

We share your data with the following trusted service providers, only to the extent necessary to deliver the Service:

• Supabase — database, authentication, and file storage. Data is hosted in the Singapore region (ap-southeast-1).
• Vercel — web application hosting and edge delivery. Requests may be processed at edge locations outside Singapore.
• Stripe — subscription payment processing. Stripe handles all credit card data directly; we never see or store your card number.
• Anthropic — AI-powered lease generation and receipt OCR via the Claude API. Your data is processed transiently and is not retained by Anthropic for model training.
• Resend — transactional email delivery for notifications, password resets, and account verification.
• Twilio — WhatsApp message delivery for rent reminders and notifications.
• LINE Messaging API — LINE notifications for users who prefer LINE as their messaging channel.
• PostHog — anonymised product analytics to help us understand usage patterns. No personally identifiable information is sent to PostHog.

All third-party providers are contractually bound to process your data only on our instructions and in accordance with applicable data protection law.

Zurently uses the following cookies:

• NEXT_LOCALE — stores your preferred language (e.g., English, Traditional Chinese, Simplified Chinese). This is a strictly necessary cookie that enables the application to display content in your chosen language.
• Supabase auth session — stores your authentication session token so you remain logged in between visits. This is a strictly necessary cookie.
• PostHog analytics — tracks anonymised usage data to help us improve the platform. No personally identifiable information is stored in this cookie.

We do not use advertising, retargeting, or cross-site tracking cookies. You can control cookies through your browser settings, but disabling session cookies will prevent you from logging in.

Your data is primarily stored in Singapore via Supabase (AWS ap-southeast-1). However, some processing occurs outside Singapore:

• Vercel edge network — web requests may be served from edge locations globally for performance.
• Anthropic API — AI lease generation and receipt OCR requests are processed by Anthropic's infrastructure, which may be located outside Singapore. Data is processed transiently and not retained.

Where data is transferred outside your home jurisdiction, we ensure appropriate safeguards are in place through data processing agreements with all sub-processors.

We retain your personal data as follows:

• Active account data — retained for as long as your account remains active.
• After deletion request — your data is deleted from active databases within 30 days of receiving a valid deletion request.
• Financial records — payment and expense records are retained for 7 years to comply with Singapore Inland Revenue Authority of Singapore (IRAS) tax record-keeping requirements.

Under the Singapore Personal Data Protection Act, you have the following rights:

• Access — request a copy of the personal data we hold about you.
• Correction — request that we correct any inaccurate or incomplete personal data.
• Withdrawal of consent — withdraw your consent for data processing at any time. This will not affect the lawfulness of processing carried out before withdrawal.
• Data portability — export your properties, tenants, leases, payments, and expenses in CSV format directly from the application.
• Deletion — request that we delete your account and all associated personal data, subject to legal retention obligations.

You can exercise these rights through the in-app data export and account deletion features under Settings, or by emailing us at support@zurently.com. We will respond to your request within 30 days.

We take the security of your data seriously and have implemented the following measures:

• AES-256-GCM encryption — sensitive identity data (NRIC) is encrypted using AES-256-GCM before storage. Only the last four digits are displayed in the application, masked as ****1234.
• TLS encryption — all data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
• Row-Level Security — database-level policies ensure strict data isolation between users.
• CSRF protection — all state-changing requests are validated against cross-site request forgery attacks.
• Rate limiting — API endpoints are rate-limited to prevent brute-force attacks and abuse.
• Audit logging — all significant actions (create, update, delete) are logged with timestamps and user attribution for accountability and incident investigation.

No system is 100% secure. While we implement industry-standard safeguards, we cannot guarantee absolute security. In the event of a data breach likely to cause significant harm, we will notify affected users and the relevant authorities as required by law.

Zurently is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@zurently.com and we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify you by email at least 14 days before the changes take effect.

The effective date at the top of this page indicates when this policy was most recently revised. Your continued use of Zurently after the effective date constitutes your acceptance of the updated policy.

If you have any questions about this Privacy Policy, want to exercise your data rights, or need to report a privacy concern, please contact us:

We aim to respond to all enquiries within 30 days.