Data Processing Agreement

1. Definitions

• "Controller" means the landlord or property manager who holds a RentFig account and determines the purposes and means of processing tenant personal data.
• "Processor" means RentFig, which processes personal data on behalf of the Controller.
• "Personal Data", "Data Subject", "Processing", "Sub-processor" and "Supervisory Authority" have the meanings given in the UK GDPR.
• "Services" means the RentFig property management platform provided under the Terms & Conditions.

2. Subject Matter & Duration

This DPA covers the Processing of Personal Data by RentFig in connection with the provision of the Services. Processing will continue for the duration of the Controller's subscription and, where required by law, for up to six years after account termination to meet financial record-keeping obligations.

3. Nature & Purpose of Processing

RentFig processes Personal Data for the purpose of providing landlord property management services, including: tenancy management, rent collection, compliance tracking, document storage, tenant communications (email, SMS, WhatsApp, voice), financial reporting, and Making Tax Digital submissions to HMRC.

4. Categories of Personal Data

RentFig may process the following categories of Personal Data on behalf of the Controller:

• Full name, date of birth, and contact details (email address, phone number, postal address)
• Tenancy information (start and end dates, rent amounts, deposit details)
• Financial records (invoices, payments, rent statements)
• Identity documents (copies uploaded for Right to Rent checks)
• Right to Rent check records and status
• Communications content (SMS messages, WhatsApp messages, email content, voicemail recordings and automated transcripts and summaries)
• Referencing and credit check results (where the landlord uses the tenant referencing feature)
• Emergency contact details (where provided)

5. Categories of Data Subjects

The Data Subjects are tenants and prospective tenants of the Controller, together with any additional occupants or guarantors whose Personal Data the Controller enters into RentFig.

6. Processor Obligations

RentFig agrees to:

1. Process only on instructions. Process Personal Data only on documented instructions from the Controller, unless required to do so by UK law.
2. Confidentiality. Ensure that all persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
3. Security. Implement appropriate technical and organisational measures under Article 32 UK GDPR, including encryption in transit (TLS), encryption at rest, row-level security policies, and access controls.
4. Sub-processors. Only engage Sub-processors in accordance with Section 7 below, and remain liable for their acts and omissions to the same extent as its own.
5. Data Subject rights.Assist the Controller in fulfilling obligations to respond to Data Subject rights requests under UK GDPR. Data Export requests can be made via Settings > Data Export; all other requests should be sent to privacy@rentfig.com.
6. Controller obligations.Assist the Controller in ensuring compliance with Articles 32–36 UK GDPR (security, breach notification, data protection impact assessments, and prior consultation).
7. Deletion or return.At the Controller's election, delete or return all Personal Data on termination of the Services, unless UK law requires retention. Financial records are retained for the statutory six-year period and then permanently deleted.
8. Audit and information. Make available all information necessary to demonstrate compliance with Article 28 UK GDPR, and allow audits by the Controller or its mandated auditor, subject to reasonable advance notice.

7. Sub-processors

The Controller hereby grants RentFig general written authorisation to engage the following Sub-processors. RentFig will inform the Controller of any intended changes with reasonable notice before the change takes effect.

8. International Transfers

Most Personal Data is stored and processed within the UK and EU. Where Personal Data is transferred to the USA (currently only for AI voicemail processing by Anthropic), RentFig relies on Standard Contractual Clauses as the transfer mechanism.

9. Security Incident Notification

RentFig will notify the Controller without undue delay, and where feasible within 72 hours, of becoming aware of a Personal Data breach involving the Controller's data. Notification will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed.

10. Controller Responsibilities

The Controller is responsible for:

• Establishing a lawful basis for processing tenant Personal Data (typically contractual necessity under Article 6(1)(b) and legal obligation under Article 6(1)(c))
• Providing tenants with a privacy notice — RentFig provides a template via the Communications Hub
• Registering with the Information Commissioner's Office (ICO) where required under the Data Protection (Charges and Information) Regulations 2018
• Ensuring Personal Data entered into RentFig is accurate and lawfully obtained
• Responding to Data Subject rights requests from tenants in a timely manner

11. Governing Law

This DPA is governed by the laws of England and Wales and incorporates the requirements of the UK GDPR and the Data Protection Act 2018.

12. Contact

For questions about this DPA, contact us at: privacy@rentfig.com