Privacy Policy
What we collect, why, and where it goes.
Version 2026-05-31 · Effective from 31 May 2026
In plain English
- Most of your data stays on your device. Your matters, photos, timeline entries, and saved analyses are stored in your browser's local storage. They are not on our servers.
- We collect minimal account information: your email address and a password of your choosing. That is it. The password is stored as a scrypt hash, not in plain text — we cannot recover it for you (only reset it). We do not collect your name, date of birth, home address (unless you choose to put one in a matter), phone number, or identity documents.
- We send the text you upload to a third-party AI processor (Anthropic, in the United States) so it can read your lease, draft your letter, or analyse your matter. Anthropic does not retain this data once the response is returned. We do not use your Content to train any AI model.
- We do not sell your data, ever. We do not share your matters with landlords, real estate agents, or anyone else. We do not run advertising or tracking on the platform.
- You can delete everything at any time. Clear your dashboard. Clear your browser storage. Email us to confirm any server-side records are removed.
- We comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme.
The full policy
This is the binding policy governing how we handle your personal information. The plain English summary above is for your convenience. If there is any inconsistency between the summary and this policy, this policy prevails.
1. Who we are
Renterprise is operated by Mya Bertolini, trading as Renterprise, in Sydney, NSW, Australia. References to we, us, and our in this policy mean Renterprise.
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
2. What personal information we collect
We collect only the personal information we need to operate the platform.
Account information you give us when you sign up:
- your email address (the only identifier we require).
Sign-in is email and password. The first time you create an account we send a one-time email-verification link (valid for 7 days) to confirm you own the address. The same one-time-link mechanism is used if you ever forget your password (a reset link valid for 1 hour). Passwords are stored as scrypt hashes, never in plain text.
Server-side account record we maintain:
- a SHA-256 hash of your email address (used as the storage key);
- your email address (so we can email you for sign-in and receipts);
- the timestamps when your account was created, when your email was verified, and when you last signed in;
- your current plan (free, 6-month, 12-month, or 24-month toolkit) and its start and expiry dates;
- identifiers for any Stripe payment sessions you have completed (so we can reconcile a payment to your account);
- aggregate counters of how many times you have used each tool, used to enforce free-tier limits.
Matter content you submit when you use the platform:
- text you paste into the analysis fields (a lease, a notice, an email from your landlord);
- files you upload (PDF leases, photos, screenshots);
- dates and notes you add to your matter timeline;
- any personal details you choose to include in the matter intake (such as a property address, the landlord's name, the bond amount).
This matter content is stored in your browser's local storage on the device you are using. It is not stored on our servers. It is transmitted to our AI processor only at the moment you ask for an analysis, and is not retained there.
Information automatically collected:
- basic server logs (IP address, request time, user agent) for security, rate limiting, and abuse prevention;
- an HTTP-only Secure session cookie containing a signed token (used to keep you signed in for up to 30 days); we do not run third-party advertising or behavioural tracking cookies on the platform;
- privacy-respecting page-view counts (currently via Plausible Analytics, EU-hosted, cookieless), which do not collect personal data.
If you pay for a plan:
- your email and billing information are sent to our payment processor (Stripe). We do not receive or store your full card details. Stripe's privacy policy applies to that processing.
- once Stripe confirms a successful payment, we record the Stripe session identifier and the plan you purchased against your account so we can grant access.
If you complete a CAPTCHA challenge:
- sign-in and account-creation requests are protected by Cloudflare Turnstile. Cloudflare may process limited request metadata to confirm you are not a bot. Cloudflare's privacy policy applies to that processing.
3. How we use your information
We use your personal information only for these purposes:
- to provide you with access to the platform and the analyses, documents, and packs you request;
- to maintain your account and authenticate you (by emailing one-time sign-in links to your address);
- to send you essential service emails (for example, sign-in links, payment receipts, security notifications, material changes to these policies);
- to respond to your support enquiries;
- to comply with our legal obligations.
We do not:
- sell your personal information to anyone;
- share your personal information with landlords, real estate agents, or any commercial third party for their marketing or any other purpose;
- use your Content to train any AI model;
- run third-party advertising or behavioural tracking on the platform.
4. Where your data lives
4.1 Your matters, photos, timeline, and saved analyses are stored in your browser's local storage on the device you are using. They are not transmitted to or stored on our servers as part of normal use.
4.2 Your minimal account record (email, plan, plan expiry, Stripe session identifiers, last sign-in timestamp, and aggregate usage counters) is stored on our server using Netlify Blobs (an encrypted key-value store operated by Netlify). The storage key is a SHA-256 hash of your email so the record cannot be browsed by guessing email addresses.
4.3 When you submit Content for AI analysis (for example, you click "Analyse my lease" or "Generate pack"), we transmit the relevant text to our AI processor (Anthropic, in the United States) for the sole purpose of producing the requested output. Once the output is returned, Anthropic does not retain the Content and we do not log it.
4.4 We do not use any cloud database for matter content. We use cloud infrastructure for the website itself (Netlify, with @netlify/plugin-nextjs), for transactional email delivery (Resend, used to send sign-in links and receipts), for payment processing (Stripe), and for bot mitigation on the sign-in flow (Cloudflare Turnstile).
5. Third-party processors
The following third parties process limited personal information on our behalf:
- Anthropic, PBC (United States): AI processing of Content you submit for analysis. Anthropic processes the Content transiently to produce a response. Anthropic does not retain or use submitted Content to train any AI model. Anthropic Privacy Policy.
- Stripe, Inc. (Ireland and United States): payment processing and checkout for paid plans. Stripe also notifies us via signed webhook when a payment succeeds, so we can grant access. We never see or store full card details. Stripe Privacy Policy.
- Netlify, Inc. (United States): web hosting, request routing, and the encrypted Netlify Blobs key-value store that holds our minimal account records. Netlify Privacy Policy.
- Resend, Inc. (United States): transactional email delivery — signup verification links, password-reset links, payment receipts, and any service-essential message we send you. Resend Privacy Policy.
- Cloudflare, Inc. (United States): the Turnstile CAPTCHA challenge on sign-in and account-creation requests, used to block bots. Cloudflare Privacy Policy.
- Plausible Insights OÜ (Estonia, EU): privacy-respecting, cookieless page-view analytics that do not collect personal data and do not track you across sites. Plausible Privacy Policy.
We do not share your personal information with any other third party except where required by law or to defend our legal rights.
6. Cross-border data transfers
6.1 Because our AI processor, payment processor, email provider, web host, bot-mitigation provider, and analytics provider are located outside Australia (in the United States, Ireland, and Estonia), some of your personal information will be transferred and processed outside Australia.
6.2 We rely on our service agreements with these processors, which require them to provide a standard of protection at least comparable to the Australian Privacy Principles.
6.3 By using the platform, you consent to these cross-border transfers. If you do not consent, you should not use the platform.
7. Security
7.1 We take reasonable and current-industry steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure.
7.2 All traffic between your browser and our servers is encrypted in transit. We require HTTPS at the edge via a preloaded HSTS policy with a two-year max-age covering all subdomains.
7.3 Defence in depth is applied at the edge and at the application layer: a Content-Security-Policy that restricts which origins can be loaded or contacted, X-Frame-Options to refuse iframing, X-Content-Type-Options to block MIME-sniffing, a strict Referrer-Policy, a Permissions-Policy that disables device features the platform does not use, and a no-store cache policy on every API route.
7.4 We authenticate you using email and password. Passwords are hashed with scrypt (a memory-hard key-derivation function designed to resist GPU brute-force attacks), never stored in plain text. Email verification and password-reset links, plus session cookies, are signed with HMAC-SHA256 using a server-side secret. Session cookies are HTTP-only, Secure, and SameSite=Lax, and expire after 30 days.
7.5 Server-side account records are keyed by a SHA-256 hash of your email address, so the underlying store cannot be browsed by email.
7.6 Sign-in and account-creation requests are rate-limited per IP and protected by a Cloudflare Turnstile CAPTCHA. Payment success is verified server-side via signature-verified Stripe webhooks; we will not grant paid access on the basis of a URL parameter alone.
7.7 Our cloud providers maintain physical and logical security controls appropriate to their role.
7.8 No system is perfectly secure. We cannot guarantee absolute security. You are responsible for keeping access to your email address safe, because possession of your email address is the only thing required to sign in to your account.
8. Retention and deletion
8.1 Matter content stored in your local browser remains until you delete it from your dashboard, clear your browser storage, or change device.
8.2 Your server-side account record (email, plan, plan expiry, Stripe session identifiers, last sign-in timestamp, aggregate usage counters) is retained for as long as your account is active.
8.3 If you ask us to delete your account, we will delete the server-side record we hold about you within 30 days, except where we are required by law to retain records (for example, taxation or accounting records relating to payments processed by Stripe). To request deletion, email privacy@renterprise.com.au from the address on the account.
9. Your rights
Under the Australian Privacy Principles, you have the right to:
- access the personal information we hold about you;
- request correction of any inaccurate or outdated personal information;
- request deletion of your personal information (subject to any legal requirement we have to retain it);
- withdraw any consent you have given;
- make a complaint about how we handle your personal information.
To exercise any of these rights, contact us at privacy@renterprise.com.au. We will respond within 30 days.
10. Sensitive information
10.1 We do not deliberately collect "sensitive information" as defined in the Privacy Act (for example, health information, racial origin, religious beliefs, sexual orientation, criminal record).
10.2 However, if you choose to submit such information as part of a matter (for example, a hardship application referencing your medical condition), you are doing so voluntarily and we will treat it with the same care as your other matter content.
10.3 If you have a sensitive matter (such as a domestic violence tenancy application), we recommend that you do not store any identifying details about other parties unless necessary, and that you make use of the platform's local-only storage rather than any future cloud sync option.
11. Children
11.1 The platform is intended for adults aged 18 and over. We do not knowingly collect personal information from people under 18.
11.2 If you become aware that a person under 18 has provided personal information to us, please contact us so we can delete it.
12. Notifiable data breaches
12.1 If we become aware of a data breach that is likely to result in serious harm to any person whose personal information is involved, we will notify the affected individuals and the Office of the Australian Information Commissioner as required by the Notifiable Data Breaches scheme.
12.2 We maintain a data breach response plan. Material incidents are also published in our law updates feed where they affect users.
13. Complaints
13.1 If you have a complaint about how we handle your personal information, email us at privacy@renterprise.com.au. We will acknowledge your complaint within 7 days and respond substantively within 30 days.
13.2 If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner: oaic.gov.au or 1300 363 992.
14. Cookies and storage technologies
14.1 We use only essential cookies and browser storage required for the platform to function. Specifically: an HTTP-only Secure session cookie that holds your signed sign-in token (valid for 30 days), and browser local storage that holds your accepted terms version and any matters, photos, notes, or analyses you create.
14.2 We do not use third-party advertising cookies, retargeting pixels, or behavioural tracking. Our page-view analytics (Plausible) is cookieless and does not collect personal data.
14.3 You can clear our cookies and local storage at any time through your browser settings. Doing so will sign you out and delete any matters stored locally on that device.
15. Changes to this policy
15.1 We may update this policy from time to time to reflect changes in our practices, the law, or the platform.
15.2 Material changes will be notified to you through the platform and may require you to re-accept the policy.
15.3 The current version of this policy is always available at /legal/privacy.
16. Contact
For privacy questions or to exercise any of your rights:
For general enquiries: hello@renterprise.com.au
This policy was last updated on 31 May 2026. Earlier versions are archived and available on request.