Privacy Policy
Last updated: February 7, 2026
1. Introduction
Welcome to Rentalot ("Rentalot," "we," "us," or "our"). We provide an AI-powered rental agent platform that helps property managers and rental agents automate tenant and prospect communications across multiple channels ("Service").
We take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service, visit our website at rentalot.ai ("Website"), or otherwise interact with us.
By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Service.
2. Definitions
- "Customer" — A property manager, rental agent, or landlord who subscribes to Rentalot.
- "End User" — A tenant, prospective renter, or any individual who communicates with a Customer through our Service.
- "Personal Information" — Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual or household.
- "AI Agent" — Our automated system that uses large language models (LLMs) to generate responses to communications on behalf of Customers.
3. Applicability and Scope
This Privacy Policy applies to:
- Our Website and all associated web applications
- Our AI-powered rental agent Service
- Communications processed through our Service via WhatsApp, Telegram, email (Gmail), and web chat
- Any other interactions you have with Rentalot (e.g., customer support, onboarding)
This policy does not apply to:
- Third-party websites or services linked from our platform
- Information collected independently by our Customers outside of our Service
- Third-party messaging platforms' own data practices (see Section 11)
4. Our Role: Data Controller vs. Data Processor
When we act as a Data Controller:
- When you visit our Website, create an account, or interact with us directly
- When we process Customer account and billing information
- When we use aggregated, de-identified analytics to improve our Service
When we act as a Data Processor:
- When we process End User communications on behalf of our Customers
- When we store and manage tenant/prospect data that Customers input into our Service
- When our AI Agent generates responses to End User messages on behalf of Customers
When acting as a Data Processor, we process Personal Information only on our Customers' instructions and in accordance with our Data Processing Agreement (DPA). Customers are responsible for obtaining appropriate consents from their End Users and for complying with applicable privacy laws regarding the data they input into our Service.
5. Information We Collect
5.1 Information Provided by Customers
- Account information: Name, email address, phone number, business name, billing address
- Payment information: Credit card or payment method details (processed by our third-party payment processor; we do not store full payment card numbers)
- Property information: Property addresses, rental prices, amenities, availability, lease terms, restrictions
- Agent preferences: Communication tone, response policies, escalation rules, business hours
- Calendar data: Google Calendar availability for showing scheduling (accessed via Google Calendar API)
- Email account access: Gmail account connection for email processing (accessed via Gmail API)
5.2 Information Collected from End Users (via Customer Channels)
- Contact information: Name, phone number, email address, messaging platform identifiers
- Communication content: Messages sent via WhatsApp, Telegram, email, or web chat
- Inquiry details: Property interests, showing preferences, scheduling requests, questions about listings
- Interaction metadata: Timestamps, message delivery status, channel used, conversation thread identifiers
5.3 Information Collected Automatically
- Usage data: Features used, pages visited, actions taken within the Service
- Device information: Browser type, operating system, device identifiers, IP address
- Log data: Server logs including access times, pages viewed, referring URLs, and crash reports
- Cookies and similar technologies: See Section 12
5.4 Information Generated by Our AI
- AI-generated responses: Text responses composed by our AI Agent on behalf of Customers
- Conversation summaries and context: Structured notes and context extracted from conversations to maintain continuity
- Contact profiles: Aggregated interaction history, preferences, and status classifications (e.g., prospect, applicant, scheduled) derived from communications
- Intent classifications: Categorization of incoming messages (inquiry, showing request, general question, etc.)
6. How We Use Your Information
6.1 To Provide and Operate the Service
- Process and respond to End User communications via the AI Agent
- Schedule and manage property showings
- Process and categorize incoming emails
- Maintain conversation history and context across channels
- Send follow-up messages and reminders on behalf of Customers
- Manage Customer accounts, subscriptions, and billing
6.2 To Improve the Service
- Analyze usage patterns to enhance features and performance
- Monitor AI Agent response quality and accuracy
- Debug issues and fix errors
- Develop new features and capabilities
6.3 For Safety and Compliance
- Detect, prevent, and address fraud, abuse, and security threats
- Enforce our Terms of Service and acceptable use policies
- Comply with legal obligations, including fair housing laws
- Monitor for prompt injection attacks and adversarial inputs
- Maintain audit logs for compliance purposes
6.4 To Communicate With You
- Send service-related notices, updates, and alerts
- Respond to customer support inquiries
- Send promotional communications (with your consent; you may opt out at any time)
7. AI and Automated Processing Disclosure
7.1 How Our AI Works
Rentalot uses large language models (LLMs) — specifically Google Gemini — to generate responses to tenant and prospect communications on behalf of our Customers. When a message is received:
- The message is classified by intent (inquiry, showing request, general question, etc.)
- Relevant context is assembled (property details, conversation history, Customer preferences)
- The LLM generates a response based on this context
- The response is delivered to the End User via the original channel
7.2 What This Means for Your Data
- Communication content is processed by AI: Your messages are sent to Google's Gemini API for response generation. Google processes this data in accordance with their Cloud Data Processing Terms.
- Persistent memory: Our system maintains conversation context and contact profiles to provide coherent, contextual responses across interactions. Prior conversation content informs future responses.
- No autonomous decision-making with legal effect: Our AI Agent does not make binding legal commitments, approve or deny rental applications, or make decisions that produce legal effects concerning individuals. It facilitates communication and scheduling only.
- Human oversight: Customers can review, override, and configure all AI Agent behaviors. Customers bear responsibility for reviewing AI-generated communications for accuracy and compliance.
7.3 Your Rights Regarding AI Processing
- You may request human review of any AI-generated communication that affects you
- You may request information about the logic involved in AI processing of your data
- You may object to automated processing (see Section 9 for how to exercise your rights)
- Customers may configure their AI Agent to require human approval before sending certain categories of responses
7.4 AI Training
We do not use Customer or End User communication content to train or fine-tune our AI models. Communication content is processed solely for the purpose of generating responses within the Service. Aggregated, fully de-identified usage analytics (e.g., response time distributions, message volume patterns) may be used to improve Service features.
8. How We Share Your Information
8.1 With Our Customers
End User communications and contact information are shared with the Customer on whose behalf the AI Agent is operating. This is the core function of our Service.
8.2 With Service Providers
We share information with third-party service providers who assist in operating our Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Google (Gemini API) | AI response generation | Message content, conversation context |
| Google (Gmail API) | Email processing | Email content, metadata |
| Google (Calendar API) | Showing scheduling | Calendar availability, event details |
| Meta (WhatsApp Business API) | WhatsApp messaging | Message content, phone numbers |
| Telegram | Telegram messaging | Message content, Telegram user IDs |
| Vercel | Application hosting | Application data, logs |
| Inngest | Async task processing | Task metadata, message IDs |
| Stripe | Payment processing | Payment information |
| Database provider | Database hosting | All stored data (encrypted) |
All service providers are bound by data processing agreements and are prohibited from using your data for their own purposes.
8.3 For Legal Reasons
We may disclose Personal Information if required to do so by law, or in good faith belief that such action is necessary to:
- Comply with a legal obligation, subpoena, court order, or regulatory request
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of users or the public
- Protect against legal liability
8.4 Business Transfers
If Rentalot is involved in a merger, acquisition, or asset sale, your Personal Information may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.
8.5 What We Do NOT Do
- We do not sell your Personal Information
- We do not share your Personal Information for cross-context behavioral advertising
- We do not use End User data to market to End Users directly
- We do not provide Personal Information to data brokers
9. Your Privacy Rights
9.1 Rights for All Users
Regardless of your location, you may:
- Access: Request a copy of the Personal Information we hold about you
- Correction: Request correction of inaccurate Personal Information
- Deletion: Request deletion of your Personal Information, subject to legal retention requirements
- Portability: Request your data in a structured, machine-readable format
- Objection: Object to processing of your Personal Information for specific purposes
- Withdraw consent: Withdraw previously given consent at any time
9.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what Personal Information we collect, use, and disclose
- Right to delete your Personal Information (with limited exceptions)
- Right to correct inaccurate Personal Information
- Right to opt-out of the sale or sharing of Personal Information (we do not sell or share for advertising, but this right is available)
- Right to non-discrimination for exercising your privacy rights
- Right to limit use of sensitive personal information (we do not use sensitive personal information beyond what is necessary to provide the Service)
To exercise these rights, contact us at privacy@rentalot.ai or use the "Privacy Rights" section of your account dashboard. We will respond to verifiable consumer requests within 45 days.
Categories of Personal Information Collected (per CCPA):
- Identifiers (name, email, phone, IP address)
- Commercial information (subscription plan, billing history)
- Internet/electronic activity (usage data, interaction logs)
- Professional/employment-related information (real estate license, business name)
- Inferences drawn from the above (AI-generated contact profiles, intent classifications)
9.3 European Economic Area and UK Residents (GDPR)
If you are located in the EEA or UK, you have additional rights under the General Data Protection Regulation:
- Lawful basis: We process your data based on: (a) performance of a contract (providing the Service), (b) legitimate interests (improving and securing the Service), (c) consent (marketing communications), or (d) legal obligation (compliance and audit requirements)
- Right to restriction: Request restriction of processing under certain circumstances
- Right to data portability: Receive your data in a portable format
- Right to lodge a complaint: File a complaint with your local data protection authority
- Right regarding automated decision-making: You are not subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI generates communication drafts, not legal determinations.
Data transfers: Your data may be transferred to and processed in the United States. We ensure appropriate safeguards for international transfers, including Standard Contractual Clauses (SCCs) where required.
9.4 Other US State Privacy Laws
We comply with applicable state privacy laws including the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and other state laws as they take effect. Contact privacy@rentalot.ai to exercise your rights.
9.5 Exercising Your Rights
To submit a privacy request:
- Email: privacy@rentalot.ai
- Account dashboard: Settings > Privacy Rights
We may need to verify your identity before processing your request. For End Users, we may need to coordinate with the relevant Customer.
Response times:
- CCPA/CPRA: Within 45 calendar days (extendable by 45 days)
- GDPR: Within 30 calendar days (extendable by 60 days)
- Other state laws: Within the applicable statutory timeframe
10. Data Retention
We retain Personal Information only as long as necessary for the purposes described in this policy:
| Data Type | Retention Period | Rationale |
|---|---|---|
| Customer account data | Duration of account + 30 days | Service provision; grace period for reactivation |
| End User conversation history | Duration of Customer account + 90 days | Service provision; fair housing record-keeping |
| AI-generated responses | Duration of Customer account + 1 year | Fair housing compliance audit trail |
| Billing and payment records | 7 years after transaction | Tax and legal compliance |
| Usage logs | 2 years | Service improvement and abuse prevention |
| Server and access logs | 90 days | Security monitoring |
After retention periods expire, data is permanently and securely deleted or fully de-identified. Customers may request deletion of their account and associated data at any time.
11. Third-Party Platform Compliance
11.1 Google API Services
Our use of Google APIs (Gmail API, Google Calendar API, Gemini API) complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We access Google user data only for the purposes described in this privacy policy
- We do not use Google user data for advertising
- We do not allow humans to read Google user data unless: (a) we have the user's affirmative consent, (b) it is necessary for security purposes, (c) it is necessary to comply with law, or (d) the data is aggregated and de-identified
- We transfer Google user data to others only as necessary to provide the Service, as required by law, or with explicit consent
11.2 WhatsApp Business API
We use the WhatsApp Business API in accordance with the WhatsApp Business Policy. We process WhatsApp messages solely for facilitating Customer-End User communication, do not sell WhatsApp message data, and comply with opt-in consent and message template requirements.
11.3 Telegram Bot API
We use the Telegram Bot API in accordance with Telegram's Terms of Service. We process Telegram messages solely for Service provision and respect users' privacy settings and blocking preferences.
12. Cookies and Tracking Technologies
We use cookies and similar technologies on our Website:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, core functionality | Session / persistent |
| Analytics | Understanding how our Website is used | Up to 2 years |
| Preferences | Remembering your settings | Up to 1 year |
We do not use advertising or tracking cookies. We do not engage in cross-site tracking. You can control cookies through your browser settings.
13. Data Security
We implement industry-standard security measures to protect your Personal Information:
- Encryption in transit: All data transmitted using TLS 1.2 or higher
- Encryption at rest: All stored data encrypted using AES-256
- Access controls: Role-based access limiting employee access on a need-to-know basis
- Tenant isolation: All data queries scoped to the owning user
- Webhook verification: Signature verification on all inbound channel messages
- Prompt injection defense: Multi-layered defenses against adversarial inputs (input classification, output filtering)
- Monitoring: Continuous security monitoring and logging
Breach notification: In the event of a data breach, we will notify affected individuals and relevant authorities as required by applicable law (within 72 hours for GDPR, per state law for US jurisdictions).
14. Children's Privacy
Our Service is not directed to children under the age of 16. We do not knowingly collect Personal Information from children under 16. If we learn that we have collected such information without parental consent, we will delete it promptly. Contact us at privacy@rentalot.ai if you believe we have collected information from a child under 16.
15. Do Not Track Signals
Our Website responds to Do Not Track ("DNT") signals. When we detect a DNT signal, we disable non-essential analytics cookies.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our Website, sending an email notification to registered Customers, and displaying a prominent notice within the Service. Your continued use after changes are posted constitutes acceptance.
17. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights:
- Email: privacy@rentalot.ai
- GDPR inquiries: gdpr@rentalot.ai
18. Supplemental Notices
18.1 Notice to End Users
If you are an End User (tenant or prospect) communicating with a Customer through our Service: The Customer is the data controller for your communications; we act as a data processor. Please contact the Customer directly for questions about how they use your information. You may also contact us at privacy@rentalot.ai to exercise your rights under applicable law.
18.2 Notice to California Residents — "Do Not Sell or Share"
Rentalot does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising as defined under the CCPA/CPRA.
18.3 Fair Housing Compliance
Our AI system is designed and monitored to avoid housing discrimination. We do not use Personal Information to filter, score, or make decisions based on protected characteristics (race, color, national origin, religion, sex, familial status, or disability) as defined by the Fair Housing Act. We maintain audit logs of AI-generated communications to support compliance investigations.