Privacy Policy

This Privacy Policy describes how RentBase collects, uses, discloses, and protects your Personal Information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). By using our Services, you consent to the practices described herein.

1. Definitions

• “Personal Information” means, as defined under PIPEDA, information about an identifiable individual. This includes any factual or subjective information, recorded or not, about an identifiable individual.
• “Customer Content” means all data, files, documents, images, and other materials that you upload to, create within, or transmit through the Services.
• “Services” means the RentBase web application accessible at app.rentbase.ca and all related features, functionality, and services provided by RentBase.
• “Privacy Officer” means the individual designated by RentBase as accountable for the organization's compliance with this Policy and with PIPEDA.
• “Breach” means any unauthorized access to, disclosure of, or loss of Personal Information under the control of RentBase.

2. Privacy Officer and Accountability

In accordance with PIPEDA Principle 1 (Accountability), our Privacy Officer is accountable for compliance with this Policy and with PIPEDA. The Privacy Officer can be reached at [email protected] (subject line: “Privacy Request”).

We maintain internal policies and practices to ensure the protection of Personal Information under our control. These include policies governing the collection, use, disclosure, retention, and disposal of Personal Information, as well as procedures for responding to inquiries, complaints, and access requests.

3. Scope

This Privacy Policy applies to all users of the websites located at rentbase.ca and app.rentbase.ca, as well as all related services, features, and functionality provided by RentBase. RentBase is operated from Ontario, Canada, and is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and other applicable Canadian federal and provincial privacy legislation.

By accessing or using our Services, you consent to the collection, use, and disclosure of your Personal Information as described in this Policy.

4. Personal Information We Collect

In accordance with PIPEDA Principle 4 (Limiting Collection), we collect only what is necessary to provide the Services. Personal Information we collect falls into four categories:

• Account and profile details you provide when signing up or updating your profile, such as your name, email address, organization name, province, and role.
• Customer Content you enter or upload while using the Services: financial records (rental income, expenses, mileage), property details, tenant information, and receipts or other documents. Customer Content remains yours. We use it only to operate the Services on your behalf.
• Operational data generated automatically as you use the Services, such as authentication and session data, activity logs for audit purposes, and standard technical information (IP address, browser type). This data is used only to keep the Services secure and reliable.
• Communication preferences you set, including your notification settings and marketing consent.

Sensitive fields such as tenant contact information are encrypted at rest using AES-256-GCM. Passwords are never stored in readable form.

We do not collect Personal Information for advertising, behavioural profiling, or sale to third parties. We have no advertising business.

5. Purposes for Collection, Use, and Disclosure

In accordance with PIPEDA Principle 2 (Identifying Purposes) and Principle 5 (Limiting Use, Disclosure, and Retention), we collect, use, and disclose your Personal Information for the following purposes:

• Providing, operating, and maintaining the Services, including expense tracking, income management, and property administration
• Generating CRA T776 Statement of Real Estate Rentals tax reports and related financial summaries
• AI-powered receipt parsing (with your express consent as described in Section 8)
• Sending transactional and service communications necessary for the operation of your account
• Sending automated alerts based on your notification preferences (lease expiry reminders, missing receipt notices, recurring expense alerts) and optional monthly digest emails
• Security monitoring, activity logging, and abuse detection to protect the integrity of the Services
• Error tracking and service reliability monitoring
• Compliance with legal obligations, including Canadian tax record-keeping requirements

We do not use your Personal Information for advertising, user profiling, behavioural targeting, or sale to third parties. We have no advertising business.

Platform administrators may access organization data for support, security, or compliance purposes. All administrative access is audit-logged and requires either a user-initiated support request or documented emergency justification.

6. Consent

In accordance with PIPEDA Principle 3 (Consent), we obtain your consent for the collection, use, and disclosure of your Personal Information as follows:

• Express consent is obtained at the time of account creation and acceptance of our Terms of Service, and at the time of enabling optional features such as AI receipt parsing and marketing communications.
• Implied consent is relied upon for operations that are necessary to provide the Services you have requested, such as storing your financial records and generating reports.

You may withdraw your consent at any time by deleting your account, subject to legal retention requirements described in Section 10. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

7. Third-Party Service Providers

We engage a limited number of third-party service providers to support the operation of our Services. Each provider receives only the minimum Personal Information necessary to perform its designated function:

AI Processing Provider (Anthropic - Claude API)

Receipt images are transmitted to Anthropic's servers in the United States for AI-powered text extraction. Only the receipt image is transmitted. See Section 8 for complete details on cross-border data transfer.

Email Service Provider

Email addresses and names are shared with our email service provider for the delivery of transactional, alert, and marketing communications. This provider operates in accordance with our data processing requirements.

Content Delivery Network

Our marketing website (rentbase.ca) is hosted on a content delivery network. No application user data is shared with this provider. Standard web server logs may be collected in accordance with the provider's own practices.

Error Tracking

Our error tracking system runs entirely on RentBase infrastructure in Canada. It collects technical data only (stack traces, request URLs, browser information). Session cookies are stripped before storage.

We require all third-party service providers to protect Personal Information to a standard comparable to our own, in accordance with PIPEDA's accountability principle (Principle 1).

We do not use advertising networks or social media pixels. We use Google Analytics to understand how visitors use our website. No personally identifiable information is shared with advertisers.

8. AI Receipt Processing and Cross-Border Data Transfer

What Happens

When you use the AI receipt scanning feature, the image of your receipt is transmitted to the Anthropic Claude API for automated text extraction. The extracted data (vendor name, amount, date, category) is returned to RentBase for your review.

What Is Transmitted

Only the receipt image itself is transmitted for text extraction. No account details, tenant information, or other records from your RentBase account are shared.

Where It Goes

Receipt images are processed on Anthropic's servers in the United States. This is the only Personal Information that leaves Canadian infrastructure.

Anthropic's Handling

Per Anthropic's API terms, inputs submitted through the API are not used for model training. For Anthropic's current data handling practices, please refer to their privacy policy at anthropic.com/privacy.

Your Control

AI receipt scanning is entirely optional. Manual data entry is always available as an alternative. You may use the full functionality of RentBase without ever using the AI parsing feature.

Consent

By using the AI receipt scanning feature, you provide express consent to the cross-border transfer of your receipt image under PIPEDA's accountability principle. You may withdraw this consent at any time by simply choosing not to use the AI scanning feature.

Accuracy

AI receipt parsing is provided as a convenience feature and may produce errors. You are responsible for reviewing and verifying all extracted data before saving it to your account.

9. Data Storage and Security

In accordance with PIPEDA Principle 7 (Safeguards), we protect your Personal Information with security safeguards appropriate to the sensitivity of the information:

• All application data is stored in RentBase data centres located in Ontario, Canada
• Database connections are encrypted using TLS
• Sensitive data, including tenant contact information, is encrypted at rest using AES-256-GCM
• Passwords are hashed using industry-standard algorithms and are never stored in readable form
• Session management uses HTTP-only, secure, same-site cookies
• TOTP-based two-factor authentication is available for all accounts
• Receipt files and document uploads are stored securely on Canadian servers
• All data in transit is protected with HTTPS/TLS encryption
• Regular security updates are applied to all infrastructure components

We employ physical, technical, and administrative safeguards appropriate to the sensitivity of the Personal Information under our control.

10. Data Retention

In accordance with PIPEDA Principle 5 (Limiting Use, Disclosure, and Retention), we retain Personal Information only as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our retention periods are as follows:

• Financial records (expenses, income, mileage, properties): minimum 7 years, as required by the Canada Revenue Agency
• Activity and audit logs: 2 years
• Account information: retained while the account is active, plus 30 days following a deletion request
• Receipt images: retained with the associated expense record (up to 7 years)
• Error tracking data: 90 days
• Email delivery records: 2 years
• Breach records: minimum 24 months, as required by PIPEDA

11. Cookies and Tracking Technologies

RentBase uses only essential cookies that are strictly necessary for the operation of the Services:

• Session authentication cookie - HTTP-only, secure, same-site; used to maintain your authenticated session
• Organization selection cookie - used to remember your active organization in multi-org accounts

We do not use tracking cookies, advertising cookies, or analytics cookies. We do not use localStorage-based tracking or browser fingerprinting techniques. Our marketing website (rentbase.ca) sets no cookies.

12. Your Rights Under PIPEDA

In accordance with PIPEDA Principle 9 (Individual Access) and Principle 10 (Challenging Compliance), you have the following rights with respect to your Personal Information:

• Right of Access - You may request a copy of all Personal Information we hold about you.
• Right of Correction - You may request that we correct any inaccuracies in your Personal Information.
• Right of Deletion - You may request the deletion of your Personal Information, subject to CRA retention requirements described in Section 10.
• Right to Withdraw Consent - You may withdraw consent by deleting your account or disabling optional features.
• Right to Know - You may request information about how your Personal Information has been collected, used, and disclosed.
• Right to Challenge Compliance - You may challenge our compliance with PIPEDA by contacting our Privacy Officer.

To exercise any of these rights, contact us at [email protected] or through the Settings page within the application.

We will respond to access and correction requests in accordance with PIPEDA timelines (within 30 calendar days). If additional time is required, we will notify you within that period.

If you are not satisfied with our response to your privacy concern, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada: 30 Victoria Street, Gatineau, Quebec K1A 1H3 - priv.gc.ca - 1-800-282-1376.

13. Data Deletion

You may request the deletion of your data through the following methods:

• In-app - Navigate to Settings > Danger Zone > Delete Organization. This initiates a 30-day grace period during which your data is scheduled for deletion but your account remains recoverable.
• By email - Send a request to [email protected] with the subject line “Data Deletion Request.”

After the 30-day grace period, deletion is permanent and irreversible. Where Canadian tax regulations require retention of financial records (minimum 7 years), those records may be retained with personal identifiers removed where technically feasible.

You will receive email confirmation when your deletion request has been processed.

14. Breach Notification

In the event of a breach of security safeguards involving Personal Information that creates a real risk of significant harm to an individual, we will:

• Notify affected individuals as soon as feasible after the breach is discovered
• Report the breach to the Office of the Privacy Commissioner of Canada as soon as feasible
• Maintain records of the breach for a minimum of 24 months as required by PIPEDA

Notification will include: a description of the breach, the types of Personal Information involved, the steps we have taken to reduce the risk of harm, the steps you can take to protect yourself, and our contact information.

15. Canada's Anti-Spam Legislation (CASL) Compliance

RentBase complies with Canada's Anti-Spam Legislation (CASL) in all electronic communications:

• Transactional emails (password resets, invitations, security alerts, account notifications) are sent without prior consent as permitted under CASL exemptions for messages facilitating a transaction or providing information about an ongoing commercial relationship.
• Alert emails (lease expiry reminders, missing receipt notices, recurring expense alerts) are controlled via per-user notification preferences accessible in Settings.
• Marketing communications (monthly digest) are sent only with express opt-in consent.

All electronic messages include: sender identification, contact information, and a functioning unsubscribe mechanism. Unsubscribe requests are processed within 10 business days as required by CASL.

16. Children's Privacy

RentBase is not directed at individuals under the age of 18. We do not knowingly collect Personal Information from children. If we become aware that we have inadvertently collected Personal Information from a child under 18, we will take steps to delete such information promptly. If you believe that a child has provided Personal Information to RentBase, please contact us at [email protected].

17. International Users

The Services are designed for Canadian landlords managing Canadian rental properties. If you access the Services from outside Canada, you do so on your own initiative and are responsible for compliance with applicable local laws. We make no representation that the Services are appropriate, available, or legally permitted for use outside of Canada.

18. Accuracy

In accordance with PIPEDA Principle 6 (Accuracy), we take reasonable steps to ensure that Personal Information is accurate, complete, and up-to-date for the purposes for which it is used. You may update your Personal Information at any time through the Settings page within the application. If you identify any inaccuracies in your Personal Information that you are unable to correct through the application, please contact us at [email protected].

19. Changes to This Policy

This Policy is version-tracked, and the effective date is updated with each revision. When we make material changes to this Policy, you will be notified on your next login to the application and will be required to review the updated Policy before continuing to use the Services.

Your continued use of the Services following notification of changes constitutes your acceptance of the revised Policy. Previous versions of this Policy are available upon request by contacting [email protected].

20. Contact

For privacy-related inquiries, access requests, or complaints:

• Privacy Officer: [email protected] (subject line: “Privacy Request”)
• General inquiries: [email protected]

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada:

30 Victoria Street
Gatineau, Quebec K1A 1H3
priv.gc.ca
1-800-282-1376