Privacy Policy

The data controller responsible for your personal data is:

We collect the following categories of personal data:

2.1 Account Information

• Name and email address (provided at registration)
• Profile photo (optional, via Google OAuth)
• Password (hashed; we never store plaintext passwords)
• Preferred language and currency settings

2.2 Property & Tenant Data

• Property addresses, unit types, and rental details
• Tenant names, contact information (email, phone), NRIC/passport numbers (optional)
• Lease terms, deposit amounts, and rental rates
• Property market (SG, TW, HK, MY) and currency

2.3 Financial Data

• Rent payment records and amounts
• Expense records and categories
• Receipt images and AI-extracted data (vendor, amount, GST)
• Billing information (handled by Stripe; we do not store card numbers)

2.4 Usage Data

• Pages visited, features used, and session duration
• Device type, browser, and operating system
• IP address and approximate location
• Error logs and performance data

2.5 Communications

• Messages sent to our support team
• Feedback and survey responses

We use your personal data to:

• Provide the Service: Create and manage your account, store property and tenant information, generate reports, and deliver AI-powered features.
• Process Payments: Manage your subscription, issue invoices, and process refunds through Stripe.
• Send Notifications: Deliver rent reminders, lease expiry alerts, maintenance updates, and transactional emails via Resend.
• Improve the Platform: Analyse usage patterns (via PostHog analytics) to fix bugs, improve features, and optimise performance.
• Ensure Security: Detect and prevent fraud, abuse, and unauthorised access.
• Legal Compliance: Meet our obligations under applicable law, respond to legal requests, and enforce our Terms of Service.
• Customer Support: Respond to your queries and resolve issues.

We do not sell your personal data to third parties. We do not use your property or tenant data for advertising purposes.

Under the Singapore PDPA, we collect and use your personal data based on the following grounds:

• Contractual Necessity: Processing required to provide the Service you have subscribed to, including account management, data storage, and feature delivery.
• Consent: Where required by law (e.g., sending marketing communications), we obtain your explicit consent. You may withdraw consent at any time by contacting us or updating your notification preferences.
• Legitimate Interests: Analytics, security monitoring, product improvement, and fraud prevention — where these interests are not overridden by your rights.
• Legal Obligation: Compliance with Singapore law, tax requirements, and lawful requests from regulatory authorities.

For users in Taiwan, we also comply with the Personal Data Protection Act (個人資料保護法). For users in Hong Kong, we comply with the Personal Data (Privacy) Ordinance (PDPO). For users in Malaysia, we comply with the Personal Data Protection Act 2010 (PDPA Malaysia).

We share your data with the following trusted service providers only to the extent necessary to deliver the Service:

All third-party providers are contractually bound to process your data only on our instructions and in accordance with applicable data protection law. We do not share your data with any third party for their own marketing purposes.

We may also disclose your data to law enforcement or regulatory authorities where required by law or court order.

We retain your personal data for the following periods:

• Active account data: Retained for the duration of your account and for twelve (12) months after account closure, to allow you to reactivate.
• Financial records: Retained for seven (7) years to comply with Singapore Inland Revenue Authority (IRAS) and applicable tax regulations.
• Support communications: Retained for three (3) years.
• Analytics data: Pseudonymised usage data retained for two (2) years.
• Deleted data: Data you delete from the application is removed from active databases within thirty (30) days. Backup copies may persist for up to ninety (90) days before being purged.

Under the Singapore PDPA and applicable laws, you have the following rights in relation to your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete personal data.
• Deletion: Request deletion of your account and personal data, subject to legal retention obligations.
• Portability: Export your property, tenant, lease, payment, and expense data in CSV format from within the application at any time.
• Withdrawal of Consent: Withdraw consent for processing where consent is the legal basis, by contacting us or updating notification settings.
• Objection: Object to processing based on legitimate interests.

To exercise any of these rights, contact our Data Protection Officer at privacy@rentsmart.sg. We will respond within thirty (30) days. We may ask you to verify your identity before processing your request.

If you are dissatisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Commission of Singapore (PDPC) at www.pdpc.gov.sg.

We use the following types of cookies and similar technologies:

• Strictly Necessary Cookies: Required for authentication session management (Supabase auth tokens) and language preference (NEXT_LOCALE). Cannot be disabled.
• Analytics Cookies: PostHog collects pseudonymised usage data to help us understand how the platform is used. You can opt out via your browser settings or by contacting us.
• No advertising cookies: We do not use advertising, retargeting, or cross-site tracking cookies.

You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in to the Service.

RentSmart serves users in Singapore, Taiwan, Hong Kong, and Malaysia. Your data is primarily stored in AWS Singapore (ap-southeast-1) via Supabase. Some data may be transferred to service providers in the United States and European Union.

For transfers outside your home jurisdiction, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by relevant data protection authorities.
• Adequacy decisions where applicable.
• Data processing agreements with all sub-processors.

AI processing (lease generation and receipt OCR) is performed by Anthropic's Claude API. Input data is processed transiently and is not retained by Anthropic for training purposes under our enterprise agreement.

RentSmart is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a child, please contact us at privacy@rentsmart.sg and we will delete it promptly.

We implement industry-standard security measures to protect your personal data, including:

• Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256) via Supabase.
• Access Control: Row-Level Security (RLS) ensures users can only access their own data. Service-role database access is restricted to server-side processes.
• Authentication: Passwords are hashed using bcrypt. OAuth tokens are short-lived and rotated.
• Rate Limiting: API endpoints are rate-limited to prevent abuse.
• Input Validation: All user-submitted data is validated and sanitised before processing.
• Security Headers: HTTP security headers (CSP, HSTS, X-Frame-Options, etc.) are enforced on all pages.

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining appropriate safeguards and responding promptly to any security incidents.

In the event of a personal data breach that is likely to result in significant harm, we will notify affected users and the PDPC within the timeframes required by law.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features we offer. We will notify you of material changes by email or via an in-app notification at least fourteen (14) days before the changes take effect.

The “Last updated” date at the top of this page indicates when this policy was most recently revised. Your continued use of RentSmart after the effective date of any changes constitutes your acceptance of the updated policy.

For any questions about this Privacy Policy, to exercise your rights, or to report a data concern, please contact our Data Protection Officer:

For general support enquiries, please contact support@rentsmart.sg.