Skip to main content

Privacy Policy (Australia)

Last updated: June 2026

Who we are

RentManager is operated by RentManager NZ Limited (NZBN 9429053511362), a New Zealand registered company providing property management software to residential landlords in Australia and New Zealand.

What information we collect

  • Account information: Name, email address, phone number (optional), company name (optional).
  • Property information: Addresses, tenancy details, rent amounts, bond details.
  • Tenant information: Names, contact details, tenancy dates. You are the data controller for tenant information you enter.
  • Bank transaction data: Imported via CSV upload or Open Banking (CDR) on a read-only basis. Transaction date, amount, description, and counterparty.
  • Address data: We use the Geocoded National Address File (G-NAF) for address validation. This is publicly available reference data.
  • Usage data: Pages visited, features used, login times. Used to improve the service.

How we store your data

Your data is stored on servers in New Zealand (AWS ap-southeast-6, Auckland). RentManager NZ Limited is a New Zealand company and New Zealand is recognised under APP 8 as providing substantially similar privacy protections to Australia. We comply with both the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), and the New Zealand Privacy Act 2020.

All data is encrypted in transit (TLS 1.3) and sensitive fields (bank tokens) are encrypted at rest (AES-256-GCM).

How we use your information

  • To provide the property management service you signed up for.
  • To match bank transactions against rent schedules.
  • To generate tax reports (ATO rental property schedule).
  • To send service notifications (arrears alerts, reminders).
  • To match rent transactions and help you categorise expenses.
  • To improve the product based on usage patterns.

We do not sell, rent, or share your personal information with third parties for marketing purposes.

Artificial intelligence (AI) features

Some features use AI to read documents you upload (for example, extracting details from a tenancy agreement). AI features are clearly labelled, and any data extracted by AI may be subject to human review for quality purposes. We do not use your personal information to train third-party AI models.

Open Banking (Consumer Data Right)

If you connect your bank account via CDR Open Banking:

  • We access account information and transaction history on a read-only basis.
  • We cannot make payments, transfer money, or modify your account.
  • You can disconnect at any time from Settings - Bank Sync.
  • On disconnection, your CDR access tokens are deleted and bank data is purged.
  • CDR data is handled in accordance with the CDR Rules and Privacy Safeguards.

Sharing with third parties

  • Stripe: Payment processing. Stripe handles card details directly; we never see your full card number.
  • Xero: If you connect Xero, transaction data is synced to your Xero account at your request.
  • AWS: Infrastructure provider. Data stays in the Sydney region.
  • Anthropic: Reads tenancy agreements you choose to upload at /upload-agreement to extract the address, tenant names, rent, dates, and bond. The document is sent to Anthropic's PBC API for processing only; Anthropic does not use API-submitted data to train their models. We delete the staged copy within 30 days if you do not create an account. AI recognition can occasionally misread fields - any extracted data is a draft you must verify before relying on it. The endpoint accepts PDF or photo (JPG/PNG/WEBP) up to 8 MB, one upload per day per IP.
  • No other third parties receive your personal information.

Cookies

We use a small number of first-party cookies. Some make the site work; one recognises a return visit so we can offer you a relevant product demo. They store no personal information, only a first-seen date and the general topics you read about, and we share nothing with third parties. No tracking pixels, no advertising cookies.

Your rights under the Privacy Act 1988

Under the Australian Privacy Principles, you have the right to:

  • Access your personal information [APP 12].
  • Correct inaccurate information [APP 13].
  • Know how your information is collected, used, and disclosed [APP 1 and 5].
  • Complain if you believe we have breached the APPs.

To exercise these rights, contact us at support@rentmanager.nz.

Data retention

  • Active accounts: Data is retained for as long as your account is active.
  • Account closure: Your personal information (name, contact details, login credentials, tenant details, communications, and documents) is destroyed or de-identified within 30 days, except where we are required to keep specific records by law (see Legal holds below). This reflects our obligation under Australian Privacy Principle 11.2 to destroy or de-identify personal information once it is no longer needed.
  • De-identified property data: After your account is closed, we may keep de-identified information about the property itself, such as rent amounts paid, expenses, and physical attributes like bedrooms and property type, which we may aggregate to produce market insights (for example, typical rents in an area). This information relates to the property, not to you: it is not linked to your account or to any named owner or tenant, and is not used to identify any individual. De-identification is expressly permitted as an alternative to destruction under Australian Privacy Principle 11.2.
  • Fraud prevention: For a limited period after closure we keep a one-way hashed form of your email address solely to detect sign-up abuse. It is not used for any other purpose and is removed when your account is fully deleted.
  • Bank data and Open Banking: Previously synced transactions remain in your account for reporting unless you disconnect your bank or delete your account. CDR access tokens are revoked immediately on disconnection or account deletion, and CDR data is handled under the CDR Rules, which set their own retention and de-identification requirements.
  • Usage analytics and server logs: Page view, app event, and raw web server access log data is retained for up to 90 days, then automatically purged.
  • Legal holds: Where retention is required by Australian law (for example, financial records under the Income Tax Assessment Act and ATO record-keeping rules), we retain only the minimum data necessary for the minimum required period (generally 5 years for tax records).

Data export and deletion

You can download all your data at any time from Settings - Account - Download My Data. You can delete your account from Settings - Account - Delete Account. Deletion removes all your data within 30 days.

Data breach notification

In the event of a data breach likely to result in serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988.

Complaints

If you have a privacy complaint, contact us at support@rentmanager.nz. If you are not satisfied with our response, you can lodge a complaint with the OAIC.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or in-app notification.