Privacy Policy
Last updated: 23 June 2026
This Privacy Policy explains how RentalTracker collects, uses, shares and protects personal data when you use our rental-management platform. We are a UAE-based software-as-a-service provider serving landlords, property-management firms and their staff. This policy is written in plain English so you can actually understand what happens to data flowing through our Service.
1. Who we are
RentalTracker is a software product operated from the United Arab Emirates. We provide a multi-property rental- management platform for UAE landlords and property managers. For the purposes of UAE Federal Decree-Law No. 45/2021 (the "PDPL"), we act as the data controller for information about our signed-up users ("Operators") and as the data processor for any personal data those Operators upload about their tenants and counterparties ("Tenant Data").
Contact for any privacy matter: support@rentaltracker.io.
2. What data we collect
2.1 Operator data (you, the signed-up user)
- Full name, email address, phone number (optional)
- Organisation name, country, currency, timezone
- Password — stored only as a one-way bcrypt-equivalent hash
- IP address and approximate location at sign-in, for security auditing
2.2 Tenant data (data Operators upload about others)
When an Operator uses the Service to manage their portfolio, they may upload personal data about their tenants and counterparties, including:
- Names, contact details (email, phone, addresses)
- Emirates ID images and numbers
- Passport images, visa pages, residency-permit details
- Lease dates, deposits, rent schedules
- Financial records — rent payments received, cash handovers, receivables, refunds
- Maintenance requests, notes and property photos
The Operator is the controller of all Tenant Data they upload. RentalTracker processes Tenant Data only on the Operator's instructions and only for the purpose of providing the Service. Operators are responsible for having a lawful basis to collect each item of Tenant Data and for giving their tenants an appropriate privacy notice.
2.3 Usage data (collected automatically)
- Pages visited, actions taken, session duration
- Browser type, operating system, device identifiers
- Error logs and crash reports — scrubbed of personal data where technically possible
2.4 What we do NOT collect
- Credit card numbers — when paid plans launch, a PCI-DSS compliant processor will hold them, not us
- Biometric data
- Health data
- Advertising or cross-site tracking identifiers
3. Why we collect it (lawful basis)
Under PDPL Article 5, we rely on the following lawful bases:
- Contract — we process Operator data because it is necessary to deliver the SaaS service the Operator signed up for (authentication, displaying their portfolio, saving changes).
- Legitimate interest — we process Tenant Data on the Operator's behalf for the legitimate interest of running a UAE rental business (rent collection, tenancy administration, audit trail). The Operator is responsible for confirming this basis applies to each tenant.
- Consent — for any optional marketing or product updates we send. Withdrawable at any time.
- Legal obligation — when we are required to disclose data by UAE law or a competent authority.
4. How we use personal data
- To provide the Service — authenticate, display, save, back up
- To improve the Service — anonymised analytics, crash triage, feature research
- To communicate with Operators — account notifications, security alerts, opted-in product updates, support replies
- To comply with legal obligations
- To protect the Service — fraud detection, abuse, unauthorised access
We do not sell personal data. We do not use personal data for automated decision-making with legal or similarly significant effects.
5. Where data is stored
Operator and Tenant Data are stored in our managed Supabase (PostgreSQL) cluster, currently provisioned in the Singapore (ap-southeast-1) region. We chose this region for low latency to UAE users and proximity to common regional backup options. We may relocate the primary region in future and will give Operators at least thirty (30) days' notice before doing so.
Daily encrypted backups are held by the same hosting provider in the same region for up to 30 days.
6. Sub-processors
We rely on a small set of trusted vendors to deliver the Service:
| Sub-processor | Purpose | Primary region |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | Singapore (ap-southeast-1) |
| Vercel Inc. | Web hosting and edge CDN for the marketing site and app | Global edge network; primary US |
| Resend | Transactional email delivery (sign-up confirmations, password resets, alerts) | US |
A more detailed list and the contractual terms governing each sub-processor are set out in our Data Processing Addendum.
7. Cross-border transfer disclosure
Because our hosting and email vendors operate from Singapore, the United States and other locations, personal data processed through RentalTracker leaves the UAE. Under PDPL Article 22, transfers outside the UAE require an adequate-protection mechanism. We rely on:
- Vendor contractual commitments equivalent to the EU Standard Contractual Clauses, where the receiving jurisdiction is not on a UAE adequacy list.
- Encryption in transit (TLS 1.2+) and at rest for all personal data crossing borders.
- Operator-given consent, where required, recorded at sign-up.
8. Retention
- Operator account data — retained while the subscription is active. Deleted within 30 days of cancellation.
- Tenant Data uploaded by an Operator — kept for the life of that Operator's account. Deleted from active systems within 30 days of account cancellation; purged from encrypted backups within 90 days.
- Usage logs — retained up to 24 months in anonymised or pseudonymised form for product analytics and security.
- Legal / dispute records — retained longer where required by law or to defend a legal claim.
9. Tenants' rights (and how to exercise them)
Under PDPL Articles 13–20, every individual whose personal data is processed has the right to:
- Access — request a copy of their personal data
- Correction — fix inaccurate or incomplete data
- Deletion — have their personal data erased, subject to lawful retention obligations
- Portability — receive their data in a structured, machine-readable format
- Restriction / objection — restrict or object to certain processing
- Withdraw consent — at any time, where processing relies on consent
- Lodge a complaint — with the UAE Data Office
Tenants exercise these rights through the Operator who uploaded their data. The Operator (the data controller) is the first point of contact. RentalTracker provides the Operator with the tools to search, export, correct and delete tenant records, and we will support the Operator in responding to requests where we can. If a tenant cannot reach their Operator, they can email support@rentaltracker.io and we will route the request to the relevant Operator.
10. Security
We employ technical and organisational measures including TLS in transit, AES-256 at rest, row-level security policies, role-based access control, audit logging, and daily encrypted backups. See our Security Overview for detail. If we become aware of a breach affecting personal data we will notify affected Operators and the UAE Data Office in line with PDPL, typically within 72 hours.
11. Cookies
The marketing site and the application use only essential cookies — specifically the session cookie that keeps you signed in. We do not use cookies for advertising, cross-site tracking, or third-party analytics. The cookie banner shown on first visit lets you confirm or decline this minimal use; declining will not break the marketing site but you will need to accept session cookies to sign in.
12. Children
The Service is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided data, email support@rentaltracker.io and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by email or in-app notice at least thirty (30) days before taking effect. The "Last updated" date at the top of this page tracks the latest version.
14. Contact
All data-protection questions, access requests, or complaints: support@rentaltracker.io. We respond within thirty (30) days.
For organisations: If you are an organisation processing tenant data through RentalTracker, you can request a Data Processing Agreement here: support@rentaltracker.io. A short summary of our standard processor terms is also available at /data-processing.