Privacy Policy

Last updated: 13 May 2026

1. Who We Are

RentFig ("we", "us", "our") is a property management platform designed for landlords in England. We act as a data controller for the personal data we collect through our service at rentfig.com.

2. What Data We Collect

We collect and process the following categories of personal data:

Account Data

  • Full name, email address, and phone number
  • Organisation name and billing address
  • Password (stored as a secure hash — we never store plaintext passwords)

Property & Tenancy Data

  • Property addresses, EPC ratings, and compliance certificates
  • Tenant names, contact details, and tenancy agreement information
  • Rent amounts, payment records, and deposit details
  • Documents you upload (tenancy agreements, certificates, invoices)

Financial Data

  • Bank transaction data imported via bank feed sync or CSV upload
  • Invoice and payment records
  • Subscription and billing information (processed by Stripe)

Usage Data

  • Log data (IP address, browser type, pages visited)
  • Activity logs within the application

3. How We Use Your Data

We use your personal data to:

  • Provide and maintain the RentFig service
  • Process rent payments and generate financial statements
  • Track compliance certificates and send expiry reminders
  • Send service notifications (e.g. payment confirmations, renewal alerts)
  • Improve our platform and develop new features
  • Comply with legal and regulatory obligations

4. Legal Basis for Processing

We process your data under the following legal bases (UK GDPR):

  • Contract: Processing necessary to provide the service you have subscribed to
  • Legal obligation: Retention of financial records as required by HMRC and UK tax law
  • Legitimate interest: Improving our service, preventing fraud, and ensuring platform security
  • Consent: Where you opt in to marketing communications

5. Data Retention

We retain your data for as long as your account is active, plus a mandatory retention period of 6 years after account closure or tenancy end. This retention period is required to comply with UK tax and financial record-keeping obligations.

After the 6-year retention period, your data is automatically archived and then permanently deleted. You may request early deletion of non-financial data at any time, but we are legally required to retain financial records for the full 6-year period.

6. Tenant Data

RentFig operates a one-directional communication model for tenants. Tenants receive messages, invoices, and PDF statements from landlords but do not have accounts on RentFig and cannot log in or interact with the platform directly.

Landlords are responsible for informing their tenants that their data is stored in RentFig and providing them with a copy of this privacy policy upon request.

7. Data Sharing

We share your data only with the following third parties:

  • Supabase: Database hosting and authentication (EU/UK data centres)
  • Vercel: Application hosting and serverless functions (EU/UK edge network)
  • Resend: Transactional and broadcast email delivery (EU)
  • Twilio: SMS, WhatsApp, and voice/voicemail processing (UK/EU data centres). All inbound voicemails are recorded, transcribed, and processed as described in Section 7a below.
  • Stripe: Subscription billing and payment processing (EU)
  • QuickFile: Accounting and bank feed sync (with your explicit consent) (UK)
  • HMRC: If you use the Making Tax Digital submission feature, your rental income and expense figures and your National Insurance number are transmitted directly to HMRC. See Section 8 below for full details.

We do not sell your personal data to third parties. We do not share your data with advertisers.

7a. AI Processing of Voicemails

When a tenant leaves a voicemail on your RentFig number, the recording is automatically transcribed by Twilio and the transcript is then sent to Anthropic (Claude AI) — based in the USA — for further processing. Claude generates a one-sentence summary, an urgency rating (emergency, high, medium, or low), and a category (maintenance, payment, complaint, or general) to help you triage messages quickly.

This AI processing constitutes automated processing of personal data under Article 22 UK GDPR. The output is advisory only and does not produce legal or similarly significant effects for tenants. You retain full visibility of the original recording and transcript alongside any AI-generated summary.

Transcript data is transferred to Anthropic in the USA under Standard Contractual Clauses. Anthropic processes transcripts transiently and does not retain them for model training. The full list of sub-processors used by RentFig is set out in our Data Processing Agreement.

8. Connecting to HMRC (Making Tax Digital)

RentFig supports direct submission of rental income and expenses to HMRC under the Making Tax Digital for Income Tax Self Assessment (MTD ITSA) scheme. This feature is optional and only active if you choose to connect your HMRC account.

What we collect and why

When you connect your HMRC account, we store:

  • Your National Insurance number (NINO) — to identify your tax record with HMRC
  • OAuth access and refresh tokens issued by HMRC — to submit data on your behalf without storing your Government Gateway password

We never store your Government Gateway username or password.

Data sent to HMRC

Each time you submit a quarterly update, we send HMRC:

  • Your rental income and expense figures for the period
  • Fraud prevention data required by HMRC under their Fraud Prevention specification. This includes technical identifiers about the device and browser used to initiate the submission (screen resolution, timezone, window size, and a randomly generated device ID). This data is mandatory for all MTD software providers and is collected by HMRC to protect taxpayers from fraudulent submissions.

Retention

OAuth tokens are retained until you disconnect your HMRC account via the RentFig dashboard, at which point they are permanently deleted. Submission records (amounts, dates, HMRC confirmation IDs) are retained as part of your accounting records for the standard 6-year financial retention period.

Your rights

You can disconnect your HMRC account at any time from the MTD settings page. This revokes RentFig's access and deletes your stored tokens. It does not affect any submissions already made to HMRC.

9. Your Rights

Under UK GDPR, you have the right to:

  • Access:Request a copy of your personal data (available via Settings > Data Export)
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your data (subject to the 6-year financial retention requirement)
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interest
  • Withdrawal of consent: Withdraw consent for marketing at any time

To exercise any of these rights, use the Data Export feature in your account settings or contact us at privacy@rentfig.com.

10. Cookies

We use essential cookies required for authentication and session management. We do not use advertising or tracking cookies. Analytics cookies (if enabled) are anonymised and do not track individual users.

11. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest, row-level security policies, and regular security reviews.

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes via email or an in-app notification. The "last updated" date at the top of this page indicates when this policy was last revised.

13. Contact

If you have questions about this privacy policy or our data practices, contact us at:

Email: privacy@rentfig.com