Privacy Policy

Rental App · Last updated: May 2, 2026

This Privacy Policy describes how Rental App ("the App", "we", "us") collects, uses, and protects information when you use this application. The App is a private tool for managing rental properties, tracking utility bills, and sending payment notifications to tenants.

1. Data Controller

The App is operated by Tomasz Bekas. For privacy-related questions, contact: tomasz.bekas@gmail.com.

2. Information We Collect

Account information — when you sign in with Google we receive your name, email address, and profile photo from Google. This is used solely to identify you within the App.

Property data — addresses of rental properties you add to the App.

Utility portal credentials — usernames, passwords, and portal URLs for utility providers. These are stored encrypted at rest using Google Cloud KMS and are used exclusively to retrieve your bills automatically.

Bill data — billing records (amounts, dates, descriptions) and associated PDF documents scraped from utility portals on your behalf. Documents are stored in Google Cloud Storage in the EU (europe-central2 region).

Tenant data — first name, last name, email address, and tenancy dates that you enter for tenants of your properties. This data is used to populate payment notification emails.

Notification recipient data — email addresses you provide when sending bill notifications.

Push notification tokens — browser push notification registration tokens (FCM tokens) used to deliver alerts about newly scraped bills to your devices. These are stored per-device and removed automatically when a token becomes invalid.

3. Gmail Integration

If you connect your Gmail account, the App stores an OAuth 2.0 refresh token — encrypted with Google Cloud KMS — in a private, client-inaccessible Firestore document. This token is used exclusively to:

Send bill notification emails from your Gmail account to recipients you choose.
Create draft emails in your Gmail Drafts folder.
Check the delivery status of previously sent notification drafts.

The App does not read, index, store, analyse, or share the contents of your Gmail inbox or any Gmail messages other than those it creates itself. Gmail access is never used for advertising, profiling, or any purpose beyond the notification features described above.

You can revoke Gmail access at any time from the Profile Settings page or directly from your Google Account permissions.

4. How We Use Your Data

To authenticate you and control access to the App (email allowlist).
To automatically retrieve and display utility bills from your configured portals.
To send or draft payment notification emails to tenants on your instruction.
To deliver browser push notifications about newly scraped bills.
To share property access with collaborators you explicitly invite.

We do not use your data for advertising, marketing, or automated profiling.

5. Legal Basis for Processing (GDPR)

Processing is based on:

Contract performance — processing your property, bill, and tenant data to provide the core App functionality you requested.
Legitimate interests — security logging and token revocation to protect account integrity.
Consent — Gmail integration and push notifications, both of which you opt into explicitly and can withdraw at any time.

6. Data Sharing

We do not sell, rent, or share your personal data with third parties for their own purposes. Data is shared only with the following sub-processors to operate the App:

Google LLC — Firebase Authentication, Firestore, Cloud Storage, Cloud Functions, Cloud Run (all in the EU, europe-central2 region where supported), and Gmail API for the email integration.

When you send a notification, recipient email addresses are transmitted to the Gmail API to deliver the message. No recipient data is stored beyond what you entered.

7. Data Retention

Account data — retained while your account is active.
Property, bill, and tenant data — retained until you delete the property (which triggers a full cascade deletion of all associated data).
Gmail refresh token — deleted immediately when you disconnect Gmail from Profile Settings, or when you delete your account.
Push tokens — removed automatically when reported invalid by Firebase Cloud Messaging.

8. Data Security

Sensitive credentials (utility portal passwords, Gmail OAuth tokens) are encrypted at rest using Google Cloud KMS with automatic key rotation. Firestore security rules enforce that each user can only access their own data and properties they have been explicitly invited to. The Gmail token document is marked inaccessible to client-side code at the database rules level.

9. Your Rights

Under GDPR you have the right to:

Access — request a copy of your personal data.
Rectification — correct inaccurate data directly in the App.
Erasure — delete your properties (and all associated data) via the Danger Zone in property settings. To delete your account entirely, contact us.
Portability — request an export of your data.
Objection / restriction — object to or restrict processing.
Withdraw consent — disconnect Gmail or push notifications at any time in Profile Settings.

To exercise any of these rights, contact tomasz.bekas@gmail.com.

10. Cookies and Tracking

The App uses Firebase Authentication session cookies to keep you signed in. No third-party advertising or analytics cookies are used. No cross-site tracking occurs.

11. Children's Privacy

The App is not directed at children under 16. We do not knowingly collect data from children.

12. Changes to This Policy

We may update this policy as the App evolves. The "Last updated" date at the top of this page reflects when changes were last made. Continued use of the App after changes constitutes acceptance of the updated policy.

13. Contact

Questions or requests regarding this Privacy Policy: tomasz.bekas@gmail.com