§ Legal
Privacy Policy
Last updated · 28 May 2026
This policy explains what personal data RMJRent collects, why, and what you can do about it. It is written for the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are the data controller for personal data processed by the Service. If you have questions or want to exercise a right, email [email protected].
1. What we collect
We try to collect only what we need to run the Service.
- Account data: name, email address, password (stored as a salted hash), and your chosen account type (landlord or renter).
- Service data: properties, tenancies, rent payments, expenses, notes, documents, and any other information you enter into your journal.
- Billing data:if you subscribe, Stripe handles your card details directly — we never see or store full card numbers. We do store your Stripe customer ID, your subscription status, and billing-event timestamps.
- Technical data: IP address, device/browser type, and basic request logs for security and debugging. Retained for 30 days.
- Communications: if you contact [email protected], we keep the message and any reply.
2. Why we process it (legal basis)
- Contract:to provide the Service you signed up for — account, journal, reminders, billing.
- Legitimate interests: to keep the Service secure, debug problems, prevent abuse, and improve features. We always weigh this against your rights.
- Legal obligation: to meet tax, accounting, and regulatory record-keeping requirements.
- Consent: for any optional marketing or analytics that requires it. You can withdraw consent at any time.
3. Sub-processors
We use a small set of trusted third-party services to deliver the Service. None of them sell your data:
- Hetzner(Germany) — hosting and database storage. EU-located.
- Stripe(Ireland / US) — payments and subscription management.
- Resend(US) — transactional email delivery.
- Google(US) — if you sign in with Google, your name, email, and profile photo are shared back with us.
- Cloudflare(US) — DNS, DDoS protection, CDN.
Transfers outside the UK rely on the UK’s adequacy decisions or Standard Contractual Clauses where required.
4. Cookies
We use a small number of strictly necessary cookies to sign you in and remember your session (set by NextAuth.js). These cookies are required for the Service to work and do not need consent under UK law. We do not use third-party advertising or tracking cookies.
5. How long we keep data
Account and journal data is kept for as long as your account is active. If you close your account, we delete personal data within 30 days, except where we’re required to keep limited records longer (e.g. billing records for HMRC, typically 6 years). Technical logs are kept for 30 days.
6. Your rights
Under the UK GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data deleted (subject to legal record-keeping exceptions);
- restrict or object to processing in some circumstances;
- receive a copy of your data in a portable format;
- withdraw any consent you previously gave;
- complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.
To exercise any of these rights, email [email protected]. We’ll respond within one month.
7. Security
We protect your data with HTTPS in transit, encrypted-at-rest disks on our hosting provider, hashed passwords (never stored in plaintext), and least-privilege access to production systems. No system is perfectly secure, but if there’s ever a personal data breach affecting your rights, we’ll notify you and the ICO without undue delay.
8. Children
The Service is not intended for anyone under 18. We don’t knowingly collect data from children.
9. Changes
If we make material changes to this Policy we’ll update the “last updated” date above and, where appropriate, notify you by email or in-app.
10. Contact
For anything privacy-related, contact [email protected].