Privacy Policy

Last updated: March 2026

Who we are

RentManager NZ is operated by RentManager NZ Limited (NZBN 9429053511362, IRD 148-225-788), a New Zealand registered company. We provide property management software to residential landlords and property managers in New Zealand.

Contact:

What information we collect

  • Account information: Your name, email address, and password (stored as a one-way bcrypt hash - we never see your plain-text password).
  • Property and tenancy data: Property addresses, tenant details (name, contact information, date of birth, emergency contacts), lease terms, and rent schedules you enter.
  • Financial data: Bank transaction data imported via CSV upload or Open Banking (if connected) and manual payment records.
  • Documents: Files you upload, stored in AWS S3 in Auckland (ap-southeast-6).
  • Communications log: Notes and activity records you create within the platform.
  • Tenant screening data: If a prospective tenant uses our RentManager Apply portal (apply.rentmanager.nz), we collect their name, email, phone, date of birth, current address, employment details, rental history, and references (required for tenancy applications and identity verification with our credit reporting partner). With their explicit consent, we may also retrieve income data via bank connection and obtain a credit report. Credit reports are stored encrypted and access is controlled by the tenant.
  • Referral data: If a tenant registers via a referral link, we record the referral code to attribute referral credit. Referral codes do not contain personal information.
  • Address data: We use NZ Post address lookup and LINZ (Land Information New Zealand) address databases to validate and enrich property addresses. This is publicly available reference data and does not involve collecting personal information from NZ Post or LINZ about you.
  • Language preference: If you select a preferred language (English, te reo Maori, or Chinese), this preference is stored with your account.
  • Usage analytics: We record page views (IP address, browser, operating system, device type, referring page) and in-app activity events (pages visited, session identifiers) to monitor service health, detect abuse, and improve the platform. This data is associated with your account while active.
  • Notifications: We generate in-app notifications (e.g. rent reminders, maintenance updates) stored within your account. Notification preferences and read status are recorded.

How we use your information

  • To provide and operate the RentManager NZ service, including the Apply tenant screening portal.
  • To send service-related notifications (in-app and email).
  • To monitor service health, analyse usage patterns, and improve the platform.
  • To detect and prevent fraud or abuse.
  • To display the interface in your preferred language.
  • To comply with legal obligations.

We do not sell your data to third parties and do not use it for advertising.

Data storage and security

All data is stored on servers located in New Zealand (AWS ap-southeast-6, Auckland), consistent with the New Zealand Privacy Act 2020.

Security measures include:

  • All connections encrypted with TLS 1.2+.
  • Passwords stored as bcrypt hashes (never reversible).
  • Database row-level security isolating each account's data.
  • Optional two-factor authentication (TOTP) for your account.
  • Bank OAuth tokens encrypted at rest using AES-256-GCM.

For full details, see our Security Practices page.

Third-party services

  • NZ Open Banking - optional bank transaction feed via Consumer Data Right (see dedicated section below).
  • Stripe - payment processing. Stripe stores your billing details; we do not store card numbers.
  • Google - optional sign-in. Google shares your name and email address with us.
  • AWS S3 - document storage in Auckland, bound by NZ data processing agreements.
  • Centrix - credit reporting (tenant screening). Credit checks are only performed with the tenant's explicit consent. See dedicated section below.
  • NZ Post - address validation and postcode lookup. Only the address query is sent; no personal information is shared.

Bank transaction data

You can import bank transactions via CSV upload from your bank. Live bank sync via NZ Open Banking (Consumer Data Right) is coming soon. This section explains what data we collect, how we use it, and your rights.

Data collected

  • Bank account name and number (for identification only).
  • Transaction history: date, amount, description, and merchant name.

How bank data is used

  • To automatically match incoming payments to tenancies and track rent.
  • To generate payment reports and detect arrears.

How bank data is stored

  • Bank access tokens (when live sync is available) are encrypted at rest using AES-256-GCM encryption.
  • Transaction data is stored in our New Zealand-hosted database (AWS Auckland, ap-southeast-6).
  • Access is restricted to your account via database row-level security.

How bank data is not used

  • We have read-only access - we cannot initiate payments or transfers.
  • We do not sell, rent, or share your bank data with any third party.
  • We do not use your bank data for advertising or profiling.

Data retention

  • You can disconnect your bank account at any time from Settings > Bank Connections.
  • Disconnecting immediately revokes access - we can no longer retrieve new data.
  • Previously imported transactions remain in your account for reporting purposes unless you delete your account.
  • On account deletion, all bank data (including imported transactions) is permanently deleted within 30 days, and all bank tokens are revoked.

Credit reporting (tenant screening)

Our RentManager Apply portal allows prospective tenants to obtain a credit report for use in tenancy applications. This section explains how credit data is handled, in accordance with the Credit Reporting Privacy Code 2020.

How credit checks work

  • Credit checks are tenant-initiated - only the tenant can request their own report.
  • The tenant must provide explicit consent before any check is performed. Consent text, timestamp, IP address, and browser details are recorded.
  • The tenant pays a fee for the credit check. Payment confirmation is required before the check is performed.
  • Credit reports are obtained from our credit reporting partner (a licensed NZ credit bureau).

How credit data is stored

  • Credit reports are stored encrypted in AWS S3 (Auckland, ap-southeast-6).
  • Access is controlled by the tenant - no landlord can see the report unless the tenant explicitly shares it.
  • Credit report contents are never sent by email. Sharing is via secure, time-limited, on-screen viewing only.

How credit data is not used

  • We do not use credit data for any purpose other than displaying it to the tenant and landlords they choose to share with.
  • We do not sell, aggregate, or analyse credit data.
  • We do not make lending or tenancy decisions based on credit data - we display it; the decision is yours.

Tenant rights regarding credit data

  • Tenants can view their credit report at any time within the portal.
  • Tenants control who can see their report by managing sharing permissions.
  • Tenants can revoke sharing at any time.
  • Credit reports expire after 30 days. After expiry, sharing links become inactive.
  • Tenants can request deletion of their credit report and profile by contacting us.
  • Disputes about the accuracy of credit information should be directed to the credit bureau that issued the report.

Tenant data and your obligations

You (as the landlord or property manager) are the data controller for tenant personal information. Under the Privacy Act 2020 you must tell tenants what information is collected and why, only collect information necessary for managing the tenancy, and keep it secure. RentManager NZ processes tenant data on your behalf as a data processor.

Your rights under the Privacy Act 2020

You have the right to:

  • Access your personal information (IPP 6) - request a copy of all data we hold about you.
  • Correct inaccurate information (IPP 7) - request correction of any errors.
  • Delete your data - request account deletion, which permanently removes all data within 30 days.
  • Export your data - request a machine-readable export of your property, tenancy, and transaction records.
  • Complain to the Office of the Privacy Commissioner if you believe we have breached the Act.

To exercise any of these rights, contact . We will respond within 20 working days as required by the Privacy Act 2020.

Data retention

  • Active accounts: Data is retained for as long as your account is active.
  • Account closure: All personal data, property records, tenant information, documents, and transaction history are permanently deleted within 30 days.
  • Bank data: Previously synced transactions remain in your account for reporting unless you disconnect your bank or delete your account. On disconnection, no new data is retrieved; on account deletion, all bank data is permanently deleted.
  • Bank tokens: Revoked immediately on bank disconnection or account deletion.
  • Usage analytics: Page view and app event data is retained for up to 90 days, then automatically purged.
  • Server logs: Raw web server access logs are retained for up to 90 days, then automatically purged.
  • Legal holds: Where retention is required by NZ law (e.g. tax records under the Tax Administration Act 1994), we retain only the minimum data necessary for the minimum required period (typically 7 years for financial records).

Breach notification

Under the Privacy Act 2020, we are required to notify both affected individuals and the Privacy Commissioner of any privacy breach that poses a risk of serious harm. In such an event we will:

  1. Notify affected users by email within 72 hours of becoming aware of the breach.
  2. Notify the Office of the Privacy Commissioner as required by the Act.
  3. Provide clear details of what data was affected, what we are doing to contain and remediate, and what steps you should take to protect yourself.
  4. Publish a notice on our website for transparency.

Information Privacy Principles

The Privacy Act 2020 sets out 13 Information Privacy Principles (IPPs) governing how personal information is collected, used, stored, and disclosed. Here is how we address each:

IPPPrincipleHow we comply
1Purpose of collectionWe collect information only for providing and operating the property management service.
2Source of informationInformation is collected directly from you, via bank connection with your explicit consent, from credit reporting agencies with the tenant's explicit consent, or from public reference databases (LINZ, NZ Post) for address validation.
3Collection from subjectWe collect information directly from the individual concerned. Tenant data is entered by the landlord as data controller.
4Manner of collectionCollection is lawful, fair, and not unreasonably intrusive. We collect via web forms and authorised bank feeds only.
5Storage and securityAll data stored in NZ (AWS Auckland). Encrypted at rest and in transit. Access controlled by RLS and authentication. See our Security Practices page.
6Access to personal informationYou can access your data at any time within the application, or request a full export by contacting us.
7CorrectionYou can edit your data directly in the application, or request corrections by contacting us.
8AccuracyWe take reasonable steps to ensure data is accurate and up to date. Bank data is sourced directly from your bank via CSV import or Open Banking.
9RetentionData is retained only while your account is active. On deletion, all data is permanently removed within 30 days (except where law requires retention).
10Use limitationData is used only for the purpose it was collected. We do not sell data or use it for advertising.
11Disclosure limitationData is not disclosed to third parties except as described (Stripe for billing, NZ Open Banking providers for bank sync, credit bureau for tenant screening with consent, NZ Post for address validation, AWS for hosting).
12Unique identifiersWe use internal UUIDs only - we do not assign or require government-issued identifiers.
13Overseas disclosureAll data stays in New Zealand. Third-party processors (Stripe, Google OAuth) receive only the minimum data necessary and are bound by their own privacy obligations.

Changes to this policy

Material changes will be notified by email or a banner in the application. Continued use of the service after changes constitutes acceptance.

Contact

RentManager NZ Limited

NZBN 9429053511362

IRD 148-225-788

Security Practices Terms and Conditions ← Go back