Privacy Policy

At RentKeep, we take your privacy seriously. As a platform designed for property owners and landlords — personal and professional alike — operating primarily in the United States and the European Union, we are committed to full compliance with the EU General Data Protection Regulation (GDPR — Regulation 2016/679), the ePrivacy Directive, applicable US state privacy laws, and all other relevant national data protection laws.

This Privacy Policy applies to all users of our web application, mobile applications, and any related services (collectively, the "Service"). The Service is primarily intended for users in the United States and the European Union / European Economic Area. Please read it carefully.

1. Who We Are

RentKeep is a Software-as-a-Service (SaaS) property management platform app managed and provided by SoulSpark Games. The data controller responsible for your personal data is:

Company name: SoulSpark Games

Privacy contact: [email protected]

Legal contact: [email protected]

RentKeep is a product and service of SoulSpark Games, an independent technology and software company. SoulSpark Games develops digital tools and software products across multiple categories, of which RentKeep is one. All data controller responsibilities for the RentKeep service are held by the legal entity identified above.

For any questions about how we handle your personal data, you may contact us at any time at the addresses above. We aim to respond to all privacy-related enquiries within the timeframe required by applicable law.

2. Data We Collect

We collect only the data necessary to provide and improve our Service. The categories of personal data we process include:

2.1 Account & Identity Data

Full name and email address (provided at registration)
Encrypted password hash (we never store your password in plain text)
Account preferences (currency, date format, timezone)
Your subscription plan and billing status

2.2 Property & Tenant Data (Your Business Data)

As a landlord, you input data about your properties and tenants. This may include:

Property addresses, descriptions, photos, and room configurations
Tenant names, contact details, ID references, and lease terms
Financial records: rent amounts, payment records, expense receipts
Maintenance requests and associated notes or photos
Documents and files uploaded to the platform

Note on tenant data: You, as the landlord-user, are the data controller of your tenants' personal data. RentKeep acts as a data processor for this data under Article 28 GDPR. You are responsible for ensuring you have a lawful basis to process your tenants' personal data and for informing your tenants about how their data is used.

2.3 Usage & Technical Data

IP address and approximate geographic location (country/city level)
Device type, browser type, and operating system
Pages visited, features used, and session duration
Error logs and performance data for debugging purposes
Authentication tokens (stored locally on your device)

2.4 Communications Data

Emails sent to our support or legal addresses
In-app notification preferences

2.5 Payment Data

⏳ Paid plans are not yet available

RentKeep does not currently offer any paid subscription plans. No payment system is active and no payment data of any kind is collected, processed, or stored through the Service at this time.

We plan to introduce paid plans in the future. When that happens, payment processing will be handled exclusively by the trusted third-party providers listed below, depending on the platform. We will never store, log, or have access to your full payment card number, bank details, or raw payment credentials on our servers.

Web application (planned): Payments will be processed by Stripe, Inc. (USA), who handle card tokenisation and billing directly.
Android app (planned): In-app purchases and subscriptions will be processed by Google Play Billing (Google LLC, USA).
iOS / iPadOS app (planned): In-app purchases and subscriptions will be processed by Apple In-App Purchase (Apple Inc., USA). Apple Pay may also be supported.
Cross-platform subscription management (planned): RevenueCat, Inc. (USA) will serve as our subscription entitlement layer across all platforms. RevenueCat does not process payment card details.

We will update this Privacy Policy and notify all registered users before any paid plans or payment processing become active. Each provider's privacy policy is linked in Section 5 (Data Sharing & Sub-Processors) for reference.

3. How We Use Your Data

Providing the Service: Creating and managing your account, storing and displaying your property/tenant data, sending automated reminders and notifications.
Account security: Authentication, detecting fraud, protecting your account from unauthorised access.
Service improvements: Analysing aggregated usage patterns to improve features and performance (anonymised where possible).
Communications: Sending transactional emails (account confirmation, password reset, payment receipts, lease expiry alerts). We do not send marketing emails without explicit consent.
Legal compliance: Complying with applicable laws, responding to lawful requests from authorities, resolving disputes.
Billing & invoicing: Processing subscription payments and maintaining records required by EU tax law.

4. Legal Basis Under GDPR

Under Article 6 of the GDPR, we rely on the following lawful bases for processing your personal data:

Art. 6(1)(b) — Performance of a Contract

Processing your account data, property data, and tenant data to provide the Service you signed up for.

Art. 6(1)(c) — Legal Obligation

Retaining billing and financial records to comply with EU tax and accounting regulations (typically 7 years).

Art. 6(1)(f) — Legitimate Interests

Improving our Service, detecting and preventing fraud and abuse, maintaining platform security, and basic analytics (always balanced against your rights).

Art. 6(1)(a) — Consent

Where we rely on consent (e.g. optional marketing communications), you may withdraw it at any time without affecting the lawfulness of prior processing.

We do not sell your personal data. We do not share it with third parties for their own marketing purposes. We work with a limited number of trusted sub-processors:

Stripe, Inc. (USA) — Web Payment Processing Not yet active

Planned payment processor for the RentKeep web application

Stripe is not currently integrated. When paid plans launch, Stripe will process web subscription payments. Data shared will be limited to billing email and subscription events. Card details will be tokenised and handled entirely by Stripe; we will never store card data on our servers. Stripe is PCI-DSS Level 1 certified. Transfers to the US will be governed by Standard Contractual Clauses (SCCs). Stripe Privacy Policy →

Google LLC — Google Play Billing (USA) Not yet active

Planned in-app purchase processor for Android devices

Google Play Billing is not currently active. When paid plans launch, Android in-app subscriptions will be processed by Google in accordance with Google Play's Developer Distribution Agreement and Payments Terms. We will receive only anonymised purchase confirmation and subscription status from Google. Google Privacy Policy →

Apple Inc. — App Store In-App Purchase & Apple Pay (USA) Not yet active

Planned in-app purchase processor for iOS / iPadOS devices

Apple's payment systems are not currently active. When paid plans launch, iOS and iPadOS in-app subscriptions will be processed by Apple via their In-App Purchase system. Apple Pay may be offered where supported. We will receive only anonymised purchase receipts and subscription status from Apple. Apple Privacy Policy →

RevenueCat, Inc. (USA) — Subscription Management Not yet active

Planned cross-platform subscription entitlement and management layer

RevenueCat is not currently integrated. When paid plans launch, RevenueCat will manage subscription status, entitlements, and access control across iOS, Android, and the web using anonymised app user identifiers and purchase receipts. RevenueCat does not process payment card data. Transfers to the US will be governed by Standard Contractual Clauses (SCCs). RevenueCat Privacy Policy →

Resend Inc. (USA)

Transactional email delivery (account verification, reminders)

Data shared: your email address and the content of transactional emails. Transfer basis: Standard Contractual Clauses (SCCs). Resend Privacy Policy →

Self-hosted File Storage (MinIO)

Storing documents, photos, and files you upload

Files are stored on servers we control. Data does not leave to a third-party cloud provider. Stored files are encrypted at rest and in transit.

Self-hosted Database (PostgreSQL)

Primary data storage

All account, property, tenant, financial, and lease data is stored on servers we control. Data is encrypted in transit (TLS) and backed up securely.

We may also disclose personal data when required to do so by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law.

Account dataRetained for the duration of your account. Deleted within 30 days of account deletion request, except where retention is legally required.

Property & tenant recordsRetained until you delete them or request account deletion.

Financial & billing recordsRetained for 7 years as required by EU VAT and accounting regulations.

Uploaded files & documentsDeleted within 30 days of account deletion. You can delete individual files at any time.

Technical/log dataRetained for as long as necessary for security, performance, and debugging purposes.

BackupsDeleted from backups within 90 days of the primary deletion.

7. International Data Transfers

Our primary servers are located within the European Economic Area (EEA). Where we engage sub-processors based outside the EEA (currently Stripe, Google, Apple, RevenueCat, and Resend — all US-based), we ensure adequate safeguards are in place:

Standard Contractual Clauses (SCCs): We have entered into EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) with all US-based sub-processors, as required by GDPR Chapter V.
Data minimisation: We transfer only the minimum data necessary for the specific sub-processor to perform its service.
Transfer Impact Assessments (TIAs): We conduct assessments for transfers to third countries to evaluate risks and additional safeguards.

You may request a copy of the relevant SCCs by contacting us at [email protected].

8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. To exercise any of these rights, contact us at [email protected]. We will respond without undue delay and within the timeframes required by applicable law.

Right of Access (Art. 15)

You have the right to request a copy of the personal data we hold about you, along with information about how and why we use it.

Right to Rectification (Art. 16)

You can ask us to correct inaccurate or incomplete personal data. You can update most profile information directly in your account settings.

Right to Erasure / 'Right to be Forgotten' (Art. 17)

You can request deletion of your personal data where it is no longer necessary for the purpose it was collected, or where you withdraw consent. Some data may be retained for legal obligations.

Right to Restriction of Processing (Art. 18)

You can request that we restrict processing of your data while a dispute about its accuracy or the lawfulness of processing is resolved.

Right to Data Portability (Art. 20)

Where processing is based on contract or consent, you can request your personal data in a structured, commonly used, machine-readable format (JSON/CSV export).

Right to Object (Art. 21)

You can object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making (Art. 22)

We do not use fully automated decision-making (including profiling) that produces significant legal effects. If this changes, we will update this policy and seek consent.

Right to Withdraw Consent (Art. 7(3))

Where processing is based on your consent, you may withdraw it at any time without penalty. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights or to request complete account and data deletion, see Section 9 — Delete Your Data for step-by-step instructions.

9. Delete Your Data

You have the right to request the permanent deletion of your account and all associated personal data at any time. This is free of charge and will be processed without undue delay, and in any event within one month, as required by law.

Request Account Deletion

Permanently removes your account and all data

1
Send an email to
[email protected]
2
Use this subject line
Data Deletion Request
3
Include in your email
The email address registered to your RentKeep account, so we can identify and verify your request.

Response time

Without undue delay

Confirmation

We email you when complete

Cost

Always free of charge

What gets deleted

Your account profile and login credentials

All property and room data

All tenant records and contact information

All lease agreements and rent records

All uploaded documents, photos, and files

Maintenance requests and notes

Notification preferences and settings

Authentication tokens and sessions

What may be retained

Financial & billing records — retained up to 7 years

EU VAT and accounting regulations (Council Directive 2006/112/EC and national tax laws) require us to retain billing records and invoices for up to 7 years from the date of the transaction, even after account deletion. This data is strictly isolated, used only for tax compliance, and never used for any other purpose. It will be automatically purged once the legal retention period expires.

10. Cookies & Tracking

We use only the cookies strictly necessary to operate the Service. We do not use advertising cookies, third-party tracking cookies, or profiling technologies.

Auth Session Token

Essential (localStorage)

Keeps you logged in. Expires after inactivity or on sign-out. Required for the Service to function.

UI Preferences

Essential (localStorage)

Stores your UI preferences (e.g. dismissed banners) locally on your device. Not transmitted to our servers.

We do not use Google Analytics, Facebook Pixel, or any other third-party tracking services. If this changes, we will update this policy and, where required, obtain your prior consent through a cookie consent mechanism.

You can clear locally stored data at any time through your browser or device settings. Clearing authentication tokens will sign you out of the Service.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (as required by GDPR Article 32). These include:

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
Passwords are hashed using bcrypt with a cost factor that exceeds current security recommendations. Plaintext passwords are never stored.
Database access is restricted to authenticated backend services only; no direct public database access is possible.
File storage is secured with pre-signed URL access controls; files are not publicly accessible without authorisation.
Regular security reviews and dependency updates are conducted to address known vulnerabilities.
Access to production systems is restricted to authorised personnel via role-based access controls.
Regular encrypted backups are maintained with restricted access.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33) and, where required, notify affected individuals without undue delay.

12. Children's Privacy

The Service is intended for use by adults (aged 18 and over) in a professional landlord capacity. We do not knowingly collect personal data from children under the age of 16.

If you believe we have inadvertently collected data from a minor, please contact us immediately at [email protected] and we will take immediate steps to delete such data.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes, we will:

Update the "Last updated" date at the top of this page.
Send an email notification to registered users for significant changes that affect their rights.
Where required by law, obtain fresh consent before processing data under the new terms.

We encourage you to review this policy periodically. Continued use of the Service after the effective date of changes constitutes acceptance of the revised policy for non-material changes.

14. Contact & How to Complain

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy enquiries: [email protected]

Data deletion requests: [email protected] (subject: "Data Deletion Request")

Legal / DPO contact: [email protected]

If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection supervisory authority (your local your national data protection authority). In the EU, you can find your national DPA at: European Data Protection Board — Members.

You also have the right to seek an effective judicial remedy against a data controller or processor (GDPR Article 79).