Data Processing Addendum
Last updated: 23 June 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between the Customer ("you", "Controller") and RentalTracker ("we", "us", "Processor"). It applies when you enter personal data about individuals (tenants, landlords, staff, or other End Users) into the Service and we process that data on your behalf.
For personal data about you as a signed-up user (your name, email, payment info), we act as an independent controller — see the Privacy Policy. This DPA governs only the data you process through the Service about End Users.
1. Definitions
- Applicable Data Protection Law — the UAE Federal Decree-Law No. 45/2021 on the Protection of Personal Data ("PDPL"), the EU General Data Protection Regulation (GDPR) where applicable, and any other data-protection law of a jurisdiction in which the Customer or relevant End Users are located.
- Personal data, processing, controller, processor, data subject, sub-processor — as defined in the Applicable Data Protection Law.
- Customer Data — personal data that the Customer enters into or uploads to the Service about End Users.
2. Scope and roles
With respect to Customer Data, the Customer is the Controller and RentalTracker is the Processor. Each party will comply with its obligations under Applicable Data Protection Law.
3. Processing instructions
We process Customer Data only (a) on documented instructions from the Customer, (b) as necessary to provide and support the Service in line with the Terms, and (c) as required by law. The Customer instructs us to process Customer Data to:
- host, display and back up the data within the Service;
- enable authorised users in the Customer's organisation to access it;
- generate reports, notifications and audit logs;
- provide product support when the Customer requests it;
- detect and prevent fraud, security incidents and abuse.
If we believe any instruction infringes Applicable Data Protection Law, we will inform the Customer.
4. Nature and purpose of processing
- Nature — hosting, storing, transmitting, displaying and organising the Customer Data within the Service.
- Purpose — to provide the Service the Customer has signed up for.
- Duration — for the term of the Customer's subscription, plus up to 30 days after cancellation for active-system deletion, and up to 90 days for final backup deletion.
- Categories of data subjects — the Customer's tenants, landlords, staff, and any other individuals whose data the Customer enters.
- Categories of personal data — names, contact details (email, phone), identity document images (e.g. Emirates ID), financial records (rent, deposits, cash logs), lease dates, notes, unit assignments.
5. Confidentiality
We ensure personnel with access to Customer Data are bound by confidentiality obligations and are trained on data-protection obligations. Access is restricted to those who need it to provide the Service or respond to support requests.
6. Security measures
We implement appropriate technical and organisational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These include:
- Encryption of data in transit (TLS 1.2+) and at rest
- Row-level security policies in the database
- Role-based access control with least-privilege principles
- Audit logging of sensitive actions, including cash handovers (append-only)
- Automated daily backups with 30-day retention
- Regular security review of dependencies
- Access controls and multi-factor authentication on administrative systems
See our Security Overview for more detail.
7. Sub-processors
The Customer authorises us to engage the following sub-processors to provide the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, storage | US, EU |
| Vercel Inc. | Web hosting, edge CDN | US, EU, global edge |
| Resend / Postmark (TBC) | Transactional email delivery | US, EU |
Each sub-processor is bound by data-protection terms at least equivalent to those in this DPA. We remain liable for the acts and omissions of our sub-processors as if they were our own.
We may add or replace sub-processors. We will notify Customers by email or in-app notice at least fifteen (15) days before a new sub-processor begins processing Customer Data. If the Customer has reasonable concerns based on data-protection grounds, the Customer may terminate the affected portion of the Service.
8. International transfers
Customer Data may be transferred to and processed in jurisdictions outside the Customer's country, including the United States and the European Union. Where such transfers are subject to GDPR or UAE PDPL restrictions, the parties agree to rely on appropriate safeguards — including Standard Contractual Clauses issued by the European Commission and equivalent safeguards recognised under UAE PDPL.
9. Data-subject requests
The Controller is primarily responsible for responding to requests from data subjects (e.g. a tenant's right-of-access request). The Customer can use the Service's built-in tools to search, export, correct and delete Customer Data. If we receive a request directly from a data subject concerning Customer Data, we will forward it to the Customer without undue delay and will not respond independently unless legally required.
10. Breach notification
If we become aware of a personal-data breach affecting Customer Data, we will notify the Customer without undue delay, typically within seventy-two (72) hours of discovery. The notice will describe the nature of the breach, the categories and approximate volume of affected data subjects and records, and the measures taken or proposed to mitigate it.
11. Audit rights
The Customer may, on at least thirty (30) days' written notice and no more than once per year (unless required sooner by a regulator), request information reasonably necessary to demonstrate our compliance with this DPA. At our discretion we may satisfy audit requests by providing a third-party report (e.g. SOC 2) or by responding to a written questionnaire. On-site audits are at the Customer's cost and subject to our security and confidentiality requirements.
12. Return or deletion
On termination or expiry of the Terms, we will, at the Customer's choice, delete or return all Customer Data within thirty (30) days and will delete remaining copies from active systems within that time, and from backups within ninety (90) days, unless retention is required by law.
13. Liability
Each party's liability arising out of or in connection with this DPA is subject to the limitations set out in Section 9 (Limitation of Liability) of the Terms of Service.
14. Governing law
This DPA is governed by the laws of the United Arab Emirates, and disputes are subject to the jurisdiction specified in the Terms of Service.
15. Contact
Data-protection questions or requests under this DPA: privacy@rentaltracker.io.