Privacy Policy

1. Who we are

The Service is operated by TQDM Inc., a corporation incorporated under the laws of the State of Delaware, United States of America. For the purposes of POPIA, TQDM acts as the Responsible Party in respect of the personal information processed through the Service. Our registered address, representative and contact particulars are:

• Company: TQDM Inc.
• Address: 1111B S Governors Ave, STE 23256, Dover, DE 19904, United States of America
• Authorised representative / Information Officer: Emil Suleymanov
• Email: [email protected]
• Telephone: +1 (814) 524-5685

In POPIA terms, our nominated Information Officer is Emil Suleymanov. Data Subject requests, complaints and enquiries may be directed to the email address above with the subject line "RentRight privacy request".

2. Scope of this Policy

This Policy applies to any personal information that you provide to us, that we collect automatically, or that we receive from third parties in the course of your access to or use of: (a) the website at rentright.co.za and any associated sub-domains; (b) the lease-audit service and any reports, emails, or documents generated in connection with it; (c) any communications, support interactions, or marketing we send you; and (d) any future RentRight-branded products, features, or communications offered by TQDM.

By accessing or using the Service, you acknowledge that you have read and understood this Policy and consent to the processing of your personal information described in it. If you do not agree, please do not use the Service.

3. Personal information we collect

We process the following categories of personal information.

3.1 Information you provide directly

• Identity and contact data — first name, surname, email address, telephone number, and any other identifiers you supply through forms.
• Lease documents and attachments — the full text of any residential lease, annexures, photographs of paper leases and related materials that you upload or otherwise submit for analysis. These documents may contain personal information about you, landlords, agents, co-tenants, minors, beneficiaries and other third parties.
• Payment data — where the Service includes paid features, payment card and billing information supplied via our payment processor (currently Stripe, Inc.).
• Communications — the contents of your messages to us and our replies, including support tickets and feedback.

3.2 Information we collect automatically

• Device and connection data — IP address, approximate geolocation derived from IP, device type, operating system, browser type and version, language preferences, screen resolution, user-agent string, and similar technical identifiers.
• Usage data — pages viewed, features used, upload timestamps, access-token activity, report views, email opens and link clicks, session duration, referral source, and similar telemetry.
• Cookies and similar technologies — strictly necessary cookies used for sessions and security, functional cookies used to remember your choices, and (where enabled) analytics and product-improvement cookies. See section 12.
• Server and request logs — request headers, response codes, latency, error traces, and diagnostic information retained for security and operational reasons.

3.3 Information from third parties

• Payment and anti-fraud providers (for example Stripe), who may confirm the validity of your payment method and flag suspected fraud.
• Email deliverability and verification services (for example Resend).
• Authentication, analytics, marketing, and advertising providers where integrated, subject to their own notices.
• Information from publicly available sources, regulators, or law enforcement where lawfully disclosed to us.

4. Why we process your personal information

We process personal information for the specific purposes below. Some purposes are required to provide the lease analysis, and others apply only if you choose the relevant optional consent.

• Lease analysis. To ingest your lease, extract text or images, send raw lease content to external AI processors through our model gateway where necessary, produce the report, deliver access tokens, and email you the resulting report.
• Additional uses. Only where you tick the optional consent box, to use your lease data and contact details for: product improvement (quality assurance, debugging, evaluation, model accuracy work, prompts, scoring rules, and statistical methods); marketing (RentRight updates and offers); and partner offers (sharing your contact details and a lease-derived profile with selected tenant-service partners for relevant offers). You may opt out at any time.
• Anonymized insights. To produce aggregated or anonymized insights, benchmarks, and research outputs relating to the South African residential lease market, which we may publish, share, license, or sell where they no longer identify a Data Subject.
• To detect, prevent, investigate, and respond to fraud, abuse, misuse, security incidents, and other unlawful activity.
• To comply with legal, regulatory and tax obligations; to establish, exercise, or defend legal claims; to respond to lawful requests from public authorities; and to enforce our Terms of Service.

5. Legal basis for processing (POPIA s.11)

We process personal information on one or more of the following legal grounds set out in POPIA s.11 and, where applicable, analogous provisions of other laws:

• Consent (s.11(1)(a)) — provided by you when you submit information, tick a consent box, or continue to use the Service after being given notice of this Policy.
• Performance of a contract (s.11(1)(b)) — necessary to provide the Service you have requested and to operate your account.
• Legal obligation (s.11(1)(c)) — where processing is necessary to comply with South African or foreign law binding on us.
• Protection of a legitimate interest of the Data Subject (s.11(1)(d)).
• Public-body function (s.11(1)(e)) — typically not applicable, but included for completeness.
• Legitimate interests (s.11(1)(f)) — our legitimate interests, including operating and improving the Service, developing new features, securing our systems and the Service, and responsibly commercialising the Service. Where we rely on legitimate interests, we take the rights and freedoms of Data Subjects into account and you may object to such processing as described in section 11.

6. Automated decision-making (POPIA s.71)

The Service includes components that use machine learning and rule-based scoring to review your lease and to produce a structured report. These include ensemble reviewers (third-party large language models), a combiner that merges their outputs into structured findings, and a deterministic scoring algorithm that maps the findings to a traffic-light verdict.

These outputs are informational only. They are not a legal decision, and they do not have any legal effect on your rights, obligations, or legitimate interests. They do not constitute legal advice, and no lawyer-client relationship is created by your use of the Service. You remain free at all times to disregard the report, to seek advice from a qualified legal practitioner, and to make your own decisions.

Notwithstanding the above, if you would like a human review of the findings you may contact us at [email protected] and we will consider your request in accordance with POPIA s.71.

7. Sharing of personal information

We share personal information with the following categories of recipients, in each case subject to appropriate safeguards and, where required, contractual terms requiring them to protect it in a manner consistent with this Policy.

• Service providers and sub-processors engaged to provide cloud hosting, object storage, payment processing (for example Stripe), email delivery (for example Resend), large-language- model inference (for example OpenAI, Anthropic, Google, z.ai, OpenRouter or other model providers), analytics, customer support, security monitoring, backup, audit, legal, insurance and similar operational services.
• Affiliates and related entities of TQDM Inc., where the receiving entity has committed to protect the information consistently with this Policy.
• Professional advisers, including lawyers, bankers, auditors, insurers and consultants acting as professional advisers to TQDM.
• Successors in interest — any third party to whom we sell, assign, or transfer all or part of our business or assets (including in the event of a reorganisation, dissolution, or liquidation), in which case personal information will be among the assets transferred.
• Courts, regulators, and law-enforcement authorities, where we are required or permitted to do so by law, or where we reasonably believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• With your consent — any other recipient to whom you direct or authorise us to disclose personal information.

We do not sell identifiable personal information about Data Subjects in South Africa. We do, however, reserve the right to share, license, sell, publish, or otherwise commercialise aggregated, anonymised, statistical, or de-identified information derived from personal information, which, once so treated, no longer identifies a Data Subject and is not regulated as personal information under POPIA s.6(1)(b). You may not re-identify, or attempt to re-identify, any such information.

8. Cross-border transfers (POPIA s.72)

Because TQDM is incorporated in the United States and because many of our service providers operate globally, your personal information may be processed outside the Republic of South Africa, including in the United States, the European Union, the United Kingdom, Singapore and elsewhere. These jurisdictions may not have data-protection laws equivalent to POPIA.

Where personal information is transferred out of South Africa, we rely on one or more of the mechanisms permitted by POPIA s.72, including: (a) your consent, which you give by using the Service after being informed of the transfer through this Policy; (b) transfers made in performance of a contract with you or in furtherance of pre-contractual steps taken at your request; (c) contractual safeguards, including standard contractual clauses and data-processing addenda with our sub-processors; and/or (d) the country or recipient being subject to a law, binding corporate rules, or binding agreement which provides an adequate level of protection of personal information.

9. Retention

We retain personal information for as long as is reasonably necessary to achieve the purposes set out in this Policy, or for as long as we are required or permitted by applicable law, whichever is longer. Where information has been aggregated, anonymised, or de-identified, we may retain it indefinitely.

Raw uploaded lease files are deleted after processing where you do not give the optional additional consent, with a hard maximum of 24 hours. Where you do give that consent, raw or lightly redacted copies are retained for up to 30 days and then deleted. Generated reports and structured extracted data are retained for a limited service and support period. Payment records, consent records, security logs, and audit records may be retained where required for legal, tax, security, or dispute purposes. Aggregated or anonymized information may be retained indefinitely.

10. Information quality and security

We take reasonable technical and organisational measures to keep personal information accurate, complete, up to date, secure, and free from unlawful access, loss, or alteration. These measures include encryption in transit, encryption at rest where practicable, access controls, audit logging, least-privilege access for personnel, and regular reviews of our processing activities.

No electronic system is entirely secure. We do not warrant the absolute security of personal information and you acknowledge that you transmit information to us at your own risk.

11. Your rights as a Data Subject (POPIA s.23–25)

Subject to the conditions set out in POPIA, you have the following rights in respect of your personal information:

• Right of access — to request confirmation of whether we hold personal information about you and to request a record or description of it.
• Right to correction and deletion — to request that we correct inaccurate or misleading personal information, or destroy or delete personal information that we are no longer authorised to retain.
• Right to object to processing — on reasonable grounds relating to your particular situation, where processing is based on legitimate interest or public-body function.
• Right to object to direct marketing — at any time and without charge, by following the unsubscribe link in our emails or emailing us at the address in section 1.
• Right to complain — to the South African Information Regulator if you believe your rights under POPIA have been infringed. Contact details are:
  • Information Regulator (South Africa), JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001.
  • Email: [email protected] or [email protected] .

To exercise any of these rights with us, please email [email protected] with "RentRight privacy request" in the subject line. We may ask you to verify your identity before we action your request. We will respond within the time period required by applicable law.

12. Cookies and similar technologies

The Service uses cookies, localStorage and similar technologies. These fall broadly into three categories:

• Strictly necessary — required to authenticate you, keep the Service functional, and protect against abuse. These cannot be disabled.
• Functional — used to remember your choices and improve your experience (for example, persisting a session on the report page).
• Analytics and measurement — used to understand aggregate usage of the Service and to improve it. We may enable privacy-respecting analytics tooling (for example Umami) and/or third-party pixels.

You can control cookies through your browser settings. Disabling cookies may affect functionality.

13. Children

The Service is not directed at persons under the age of 18. We do not knowingly collect personal information from persons under 18. By using the Service you represent that you are at least 18 years old. If we become aware that we have collected personal information from a minor without appropriate consent, we will take steps to delete it.

14. Visitors outside South Africa

If you visit the Service from outside South Africa, you acknowledge that this Policy is primarily designed to comply with POPIA and that your personal information may be processed in jurisdictions other than your own. Where the General Data Protection Regulation (EU 2016/679) or the California Consumer Privacy Act applies to you, the rights described in sections 4, 5, 7, 8, 9, and 11 approximate the rights conferred by those laws; you may contact us at the address in section 1 to exercise them.

15. Changes to this Policy

We may update this Policy from time to time. Where we do, we will update the effective date at the top. If the change is material, we will take reasonable steps to notify you, such as by email or an in-product notice. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

16. Contact

Questions, comments, or requests relating to this Policy or to your personal information should be directed to our Information Officer at:

• TQDM Inc., Attn: Information Officer (RentRight)
• 1111B S Governors Ave, STE 23256, Dover, DE 19904, USA
• [email protected]
• +1 (814) 524-5685