RentFolder.com
GuidesLog inSign up

Privacy Policy

Effective Date: 7 March 2026
Last Updated: 7 March 2026

This Privacy Policy explains how Elm & Co. Limited, a company incorporated in the Isle of Man (Company Number: 136494C) (“Company”, “we”, “us”, or “our”), collects, uses, stores, and protects information in connection with the RentFolder web application (“Service”). This Policy applies to all users of the Service, including Landlords and Tenants.

By using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. This Policy should be read alongside our Terms of Service.

1. Definitions & Data Roles

1.1 Data Controller vs. Data Processor

This distinction is critical to understanding each party’s responsibilities:

  • Landlord as Data Controller. When a Landlord uploads or inputs tenant information into RentFolder—including but not limited to names, phone numbers, email addresses, lease documents, inspection photographs, and maintenance records—the Landlord is the Data Controller for that data. The Landlord determines the purposes and means of processing their tenants’ personal data.
  • RentFolder as Data Processor. Elm & Co. Limited acts as a Data Processor with respect to tenant personal data. We process tenant data solely on the Landlord’s instructions and for the purpose of providing the Service. The terms of our processing are set out in our Data Processing Agreement.
  • RentFolder as Data Controller. We act as a Data Controller for data we collect directly from users for our own purposes, such as account registration data, billing information, usage analytics, and support communications.

1.2 Landlord Responsibility for Tenant Data

The Landlord is solely and fully responsible for:

  • Obtaining all necessary legal consents, authorisations, and lawful bases required under applicable data protection laws before uploading any tenant Personally Identifiable Information (“PII”) to the Service;
  • Providing tenants with appropriate privacy notices regarding how their data will be processed via the Service;
  • Responding to tenant data subject access requests, correction requests, or deletion requests in accordance with applicable law;
  • Ensuring that tenant data is accurate, up to date, and not retained beyond what is necessary for its original purpose.

Elm & Co. Limited accepts no liability for a Landlord’s failure to comply with applicable data protection legislation.

2. Information We Collect

2.1 Information You Provide Directly

CategoryExamplesPurpose
Account DataName, email address, password (hashed)Account creation and authentication
Property DataProperty addresses, unit detailsProperty management features
Tenant Data (uploaded by Landlord)Tenant names, phone numbers, email addresses, lease documents, inspection photosTenancy management, maintenance requests
Financial DataRent amounts, payment dates, ledger entriesRent tracking and reporting
Maintenance RequestsIssue descriptions, photographsMaintenance tracking and resolution
Support CommunicationsEmails, messagesCustomer support

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, timestamps, and interaction patterns to help us improve the Service.
  • Device & Browser Information: IP address, browser type, operating system, and device identifiers.
  • Cookies & Similar Technologies: We use strictly necessary cookies for authentication and session management. We do not use advertising or tracking cookies.

3. How We Use Your Information

We use the information we collect to:

  1. Provide, maintain, and improve the Service;
  2. Authenticate users and manage accounts;
  3. Process transactions via our Merchant of Record (Paddle);
  4. Send transactional communications (e.g., password resets, billing receipts);
  5. Respond to support requests and communicate about your account;
  6. Detect, prevent, and address technical issues, fraud, and security incidents;
  7. Comply with legal obligations and enforce our Terms.

4. Legal Bases for Processing

Where applicable (including under the UK GDPR, Isle of Man GDPR, and EU GDPR), we rely on the following legal bases:

  • Performance of a Contract: Processing necessary to provide the Service in accordance with our Terms.
  • Legitimate Interests: Improving the Service, ensuring security, preventing fraud, and conducting analytics, provided these interests are not overridden by your rights.
  • Legal Obligation: Processing required to comply with applicable laws, such as tax and financial record-keeping.
  • Consent: Where required by law, such as for optional marketing communications (which you may withdraw at any time).

5. Data Sharing & Third Parties

We do not sell your personal data. We may share data with:

  • Paddle.com Market Limited (Merchant of Record) — for payment processing, invoicing, and tax compliance;
  • Cloudflare, Inc. — for hosting, content delivery, data storage, and security services;
  • Service Providers — carefully selected third parties who assist with email delivery, analytics, or support, bound by contractual data protection obligations;
  • Law Enforcement & Regulators — where required by law, regulation, legal process, or governmental request;
  • Corporate Transactions — in connection with a merger, acquisition, or sale of assets, subject to the acquirer agreeing to honour these privacy commitments.

6. International Data Transfers

RentFolder serves users in multiple jurisdictions (USA, UK, Canada, Australia, New Zealand, Isle of Man, Jersey, and Guernsey). As a result, your data may be processed in, and transferred to, countries other than your country of residence.

Data is stored and processed on Cloudflare’s global network, which means it may reside in multiple geographic regions. Cloudflare does not guarantee storage in any single country; however, all data is encrypted at rest and in transit regardless of location.

Where personal data is transferred internationally, we ensure that appropriate legal safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms approved by the relevant data protection authority;
  • Adequacy decisions, where the receiving country has been assessed as providing an adequate level of data protection;
  • Binding contractual obligations with our sub-processors requiring them to protect data in accordance with applicable law.

6.1 Users in the EU/EEA

The Service is not specifically targeted at users in the European Union or European Economic Area. However, we do not restrict access from those regions. If you are an EU/EEA resident who chooses to use the Service, the legal basis for international transfers of your data is the Standard Contractual Clauses in place between Elm & Co. Limited and our sub-processors (primarily Cloudflare, Inc.), combined with our legitimate interest in providing the Service as described in Section 4.

7. Data Storage & Security

We take the security of your data seriously and implement industry-standard technical and organisational measures, including:

  • Encryption at rest for all stored data;
  • Encryption in transit using TLS (HTTPS) for all data transmissions;
  • Modern cloud infrastructure provided by Cloudflare, including edge security, DDoS protection, and geographically distributed storage;
  • Access controls limiting data access to authorised personnel on a need-to-know basis;
  • Secure password hashing and token-based authentication.

While we implement robust security measures, no method of electronic transmission or storage is 100% secure. To the maximum extent permitted by applicable law, Elm & Co. Limited disclaims liability for any unauthorised access to, or breach of, your data resulting from circumstances beyond our reasonable control, including but not limited to sophisticated cyber-attacks, zero-day vulnerabilities, or acts of third parties.

8. Data Retention & Deletion

8.1 General Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. When data is no longer needed, it is securely deleted or anonymised.

8.2 Financial & Ledger Data

Certain financial records and transaction data (rent payments, ledger entries) may be retained for up to seven (7) years after account closure to comply with legitimate business, tax, and legal record-keeping obligations.

8.3 Account Deletion

You may request deletion of your account by:

  1. Using the account deletion feature within the Service; or
  2. Contacting us at privacy@rentfolder.com.

Upon receiving a valid deletion request, we will:

  • Delete your account and associated personal data within 30 days;
  • Retain only the minimum data required by law (e.g., financial ledger data for tax purposes as noted in Section 8.2);
  • Permanently and irreversibly delete or anonymise all remaining data once the retention period has expired.

Note for Landlords: Deleting your account will permanently remove tenant data stored in connection with your account. You are responsible for complying with any data retention obligations you may have under applicable tenancy or data protection laws before requesting deletion.

9. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights in relation to your personal data:

9.1 Rights Under UK/IOM GDPR

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your data (subject to legal retention obligations).
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Portability: Request a machine-readable copy of data you have provided to us.
  • Objection: Object to processing based on legitimate interests.
  • Automated Decisions: We do not make decisions based solely on automated processing that produce legal effects concerning you.

9.2 Rights Under Canadian Law (PIPEDA)

Canadian residents have the right to access, correct, and challenge compliance with PIPEDA through our Privacy Officer. You may also file a complaint with the Office of the Privacy Commissioner of Canada.

9.3 Rights Under Australian Privacy Principles (APPs)

Australian residents may access and correct personal information held by us and may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if they believe we have breached the APPs.

9.4 Rights Under US State Privacy Laws

Residents of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with applicable privacy laws may exercise rights including:

  • The right to know what personal information we collect and why;
  • The right to delete personal information;
  • The right to opt out of the sale of personal information (we do not sell personal data);
  • The right to non-discrimination for exercising your privacy rights.

9.5 Exercising Your Rights

To exercise any of your rights, please contact us at privacy@rentfolder.com. We will respond within the timeframe required by applicable law (typically 30 days).

10. Children’s Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice within the Service. The “Last Updated” date at the top of this page indicates when this Policy was last revised. Your continued use of the Service after changes constitutes acceptance of the updated Policy.

12. Governing Law & Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of the Isle of Man. Any disputes arising under or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of the Isle of Man.

13. Contact

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us at:

Elm & Co. Limited
Isle of Man
Email: privacy@rentfolder.com

You also have the right to lodge a complaint with your local data protection supervisory authority, including but not limited to:

  • Isle of Man: Isle of Man Information Commissioner
  • UK: Information Commissioner’s Office (ICO)
  • Australia: Office of the Australian Information Commissioner (OAIC)
  • Canada: Office of the Privacy Commissioner of Canada (OPC)
  • New Zealand: Office of the Privacy Commissioner