TenantTrailTenantTrail
Legal

Privacy Policy

Last updated: 18 June 2026

Who we are

TenantTrail is an Australian-based service that helps tenants organise tenancy documents, capture evidence, and prepare for tribunal disputes. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website and services. We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

What information we collect

We only collect what we genuinely need to provide the service:

  • Account information. your email, hashed password, and display name.
  • Case content you upload. documents, photographs, voice notes, inspection reports, contacts, and any text you write into cases.
  • Embedded metadata. EXIF data preserved on uploaded photographs (capture date, device, GPS where present). This is the same metadata your camera already stored in the file; we preserve it rather than strip it, because it is forensically valuable.
  • Email audit data. when you send a letter through TenantTrail we record the recipient, send time, content hash, and the delivery / open / bounce events Resend reports back to us.
  • Payment information. we use Stripe for payments. We never see or store your full card number; Stripe handles that under their PCI-DSS Level 1 certification. We retain your subscription tier, transaction IDs, and amounts.
  • Lead capture. when you use our public “Check a rental” tool we record the address you searched and (if you supply one) your email. We use this to follow up about your rental and to improve the tool.
  • Standard server logs. IP, browser user-agent, and timestamps of requests, retained for 30 days for security.

How we use your information

  • To deliver the core service: storing your evidence, drafting letters, generating AI guidance, and preparing tribunal-ready bundles.
  • To process payments and manage your subscription via Stripe.
  • To send transactional emails (receipts, password resets, security alerts) via Resend.
  • To improve the AI: anonymised, aggregated patterns may be used to refine prompts and detect issues. We do not train third-party AI models on your case content.
  • To comply with our legal obligations (for example, responding to a lawful subpoena).

Third parties we use

To run the service we share necessary data with these vetted processors:

  • Anthropic (Claude). your AI questions and the relevant case context are sent to Anthropic to generate the response. Anthropic does not train on this data per their commercial terms.
  • OpenAI. used only for voice transcription (Whisper) when you record voice notes. Voice data is sent for transcription and not retained by OpenAI under their API terms.
  • Stripe. payment processing.
  • Resend. outbound email delivery and inbound email reception.
  • MongoDB Atlas. encrypted database storage.
  • Cloud hosting. our application runs on cloud infrastructure with industry-standard security controls.

We do not sell your personal information. We do not share it with advertisers.

Where your data is stored

Your data is stored on cloud infrastructure that may be located inside or outside Australia. When data is transferred internationally we ensure the receiving party is bound by privacy obligations consistent with Australian Privacy Principle 8.

How long we keep your data

We retain your case data for as long as your account is active, plus a sensible window after deletion in case you need to restore it. You can request immediate deletion at any time by emailing the address below. We will respond to deletion requests within 30 days.

We recommend you export your tribunal evidence bundle PDF when you no longer need an active account, so your evidence remains useful to you even after deletion.

Security

We use TLS encryption in transit, encrypted database storage at rest, and hashed passwords. Sensitive integrations (Stripe, Resend, Anthropic) are accessed via API keys held only in our server-side environment, never in the browser.

No system is perfect. If a breach occurred we would notify you and the Office of the Australian Information Commissioner in accordance with the Notifiable Data Breaches scheme.

Your rights

Under the Australian Privacy Principles you have the right to:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate, incomplete, or out of date.
  • Request deletion of your account and data.
  • Withdraw consent for non-essential processing.
  • Make a complaint to the Office of the Australian Information Commissioner (oaic.gov.au) if you believe we have mishandled your data.

Cookies

We use a small number of strictly necessary cookies for authentication (your login session) and security (CSRF protection). We do not use third-party advertising or tracking cookies.

Children

TenantTrail is intended for adults entering into tenancy agreements. We do not knowingly collect data from people under 18.

Contact us

Questions, access requests, or deletion requests can be sent to support@tenanttrail.net. We aim to respond within five business days.

Changes to this policy

If we make material changes we will email registered users at least 14 days before they take effect. Continued use after that date constitutes acceptance.

This policy is provided in plain English to be understandable. Where it conflicts with the Privacy Act 1988 (Cth), the Act prevails.

See also: Terms of Service