Privacy Policy

Last updated: May 28, 2026

1. Who We Are

RentAuth ("we", "us", or "our") operates the RentAuth platform at rentauth.ca and rentauth.app. We are based in Toronto, Ontario, Canada. This policy describes how we collect, use, and protect your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA).

2. What We Collect

We collect the following categories of personal information:

  • Account data: name, email address (via Clerk authentication)
  • Profile data: name, phone number (optional), occupation, employer, annual income, credit score — provided voluntarily by renters
  • Rental documents: government-issued ID, proof of income, credit report, rental history, and rental application forms — uploaded voluntarily by renters
  • Student & newcomer documents: if you identify as a student or newcomer, you may also upload immigration status documents (study or work permits), bank statements, school enrollment letters, sponsor support letters, and Canadian employment letters — all uploaded voluntarily
  • Sponsor & guarantor information: you may add a guarantor (a co-signer) to your household and may upload a sponsor's bank statement to demonstrate financial backing. These items contain another person's personal information — by uploading them you confirm you have that person's consent to share their information with RentAuth and with any landlord you choose to share your profile with
  • AI verification data: when you request verification, your uploaded documents and profile data are analyzed by our AI verification agent (Vera) to produce a Verification Report. We store the extracted structured fields (e.g. document type, employment status, income range) and the resulting report. We do not store raw document content beyond what you upload.
  • Anonymous format patterns: after a successful verification we store anonymized structural fingerprints of your documents (e.g. pay frequency, whether an HR contact was present, salary range bracket) to improve future verification accuracy. These patterns contain no names, dates, document numbers, or identifying information.
  • Usage data: pages visited, features used, timestamps — collected via PostHog analytics (only with your consent)

3. Why We Collect It

  • To provide the RentAuth verification service
  • To allow renters to share a verified profile with landlords and agents
  • To run AI-powered verification analysis when you request it (Vera)
  • To improve the accuracy of our verification system over time using anonymized structural patterns
  • To improve the platform and fix bugs
  • To send transactional emails (viewing confirmations, notifications)

We do not sell your personal information to third parties.

4. AI Verification Processing

When you click "Get Verified by Vera," your uploaded documents and self-reported profile data are sent to Anthropic's API for automated analysis. This processing is:

  • Explicit and opt-in: verification only runs when you press the button — documents are never sent to an AI automatically
  • Temporary: documents are transmitted to Anthropic's API solely to generate the verification report and are not stored by Anthropic beyond the duration of the API call
  • Not used for AI training: under Anthropic's API terms, data submitted via the API is not used to train their models
  • Structured output only: Vera extracts structured fields (e.g. employer name, income range, document type) and a verification score. The raw document images/PDFs remain in your Supabase storage under your account

By clicking "Get Verified by Vera," you consent to your documents being processed by Anthropic's API for the sole purpose of generating your RentAuth Verification Report. You may re-run verification at any time; previous reports are replaced, not accumulated.

5. Document Access and Consent

Your uploaded documents are private by default. You control who can download them by using the "Unlock documents" toggle on your dashboard. When unlocked, anyone with your profile link can download your documents. You can re-lock access at any time.

Signed download links expire after 2 hours. After re-locking, previously issued links will stop working at their next expiry.

6. Data Retention

We retain your data for as long as your account is active. You may request deletion of your account and all associated data at any time from your dashboard settings. Upon deletion, your documents are removed from storage and your profile is permanently erased within 30 days.

7. How We Protect Your Information

We apply layered safeguards appropriate to the sensitivity of the information we hold:

  • Private document storage: uploaded documents are kept in a private storage bucket and are never publicly accessible. Access is granted only through short-lived signed links (expiring after 2 hours) that you control with the document lock/unlock toggle.
  • Encryption in transit: all traffic to and from RentAuth is encrypted over HTTPS.
  • Database access controls: row-level security is enabled on all data tables, and your data is reachable only through our authenticated server — never directly from the browser.
  • Abuse protection: sensitive endpoints are rate-limited to guard against automated abuse and scraping.
  • Authentication: sign-in is handled by Clerk; RentAuth never stores your password.

No system is perfectly secure, but we protect your information using industry-standard measures and review our safeguards as the platform grows.

8. Third-Party Service Providers

We use the following sub-processors to operate the platform:

  • Clerk — authentication and identity (SOC 2 Type II certified)
  • Supabase — database and file storage (SOC 2 Type II certified, data hosted in US-East)
  • Vercel — hosting and edge compute (SOC 2 Type II certified)
  • Anthropic — AI document analysis for Vera verification (documents are transmitted transiently for processing only; not retained or used for training)
  • Resend — transactional email delivery
  • PostHog — product analytics (only activated with your consent)

9. Your Rights Under PIPEDA

You have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Withdraw consent for the collection or use of your information
  • Request deletion of your account and data

To exercise these rights, use the account deletion feature in your dashboard, or contact us at privacy@rentauth.app.

10. Cookies and Analytics

We use PostHog to understand how users interact with the platform. Analytics cookies are only set after you consent via the cookie banner. You may withdraw consent at any time by clearing your browser cookies.

Analytics events never include your documents, document contents, or financial details. Page addresses are stripped of profile, household, and application identifiers before any analytics event is recorded, so your shareable profile link is never sent to our analytics provider.

11. Contact

Questions about this policy or your data? Email us at privacy@rentauth.app.