Kestrel RMS Privacy Policy

Version 1 · Effective 2026-04-22

Effective Date: 22 April 2026

This Privacy Policy describes how Kestrel RMS ("Kestrel", "we", "us", or "our") collects, uses, discloses, and protects personal information when you use the Kestrel real estate management platform (the "Service"). It applies to visitors to our marketing site, registered users of the Service, and their teammates.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Information We Collect

1.1 Information you provide

  • Account details: your name, email address, password (stored hashed), and any profile information you choose to add.
  • Workspace and team data: the workspaces you create, the teammates you invite, and the roles you assign.
  • Property and entity records: addresses, ownership details, tax identifiers, purchase prices, and any documents or images you upload.
  • Lease and loan records: tenant names and contact details, rent amounts, lease dates, loan terms, payment schedules, and any supporting documents.
  • Support and feedback: the contents of messages you send us, including attachments.

1.2 Information from linked financial accounts

If you connect a bank, credit card, or loan account to the Service, our payments-data partner retrieves, on your instruction, account metadata, balances, and transactions. That data is delivered to Kestrel and stored so that we can present it to you in the Service. We never see or store your banking credentials — they are handled exclusively by our partner under your authorisation.

1.3 Information collected automatically

  • Usage data: pages viewed, actions taken, timestamps, referrer, device type, browser, and approximate location derived from IP address.
  • Device and log data: IP address, user-agent string, crash reports, and diagnostic information.
  • Cookies and similar technologies: we use strictly-necessary cookies to keep you signed in and to remember preferences, and we use first- and third-party analytics cookies (where permitted) to understand product usage.

2. How We Use Personal Information

We use personal information to:

  • provide, operate, and secure the Service, including authenticating you and maintaining workspace access controls;
  • surface your financial transactions, balances, property records, and lease and loan data;
  • send operational messages (verification, security, billing, product updates you cannot opt out of while using the Service);
  • monitor for fraud, abuse, and violations of our Terms of Service;
  • analyse usage to improve the Service, fix bugs, and plan new features; and
  • comply with legal obligations and respond to lawful requests.

We do not sell personal information, and we do not use personal information to show you third-party advertising.

3. Legal Bases (where applicable)

Where EU or UK data-protection law applies, we rely on the following legal bases:

  • Contract: to provide the Service you have requested.
  • Legitimate interests: to secure the Service, prevent abuse, and improve our product, balanced against your interests and rights.
  • Consent: for optional analytics cookies and for marketing communications where consent is required.
  • Legal obligation: to meet tax, accounting, and compliance requirements.

4. How We Share Personal Information

We share personal information only in the circumstances below.

  • Service providers and sub-processors. We use trusted vendors to run the Service. These include our cloud database and authentication provider, our payments-data provider, our model-inference provider for AI-assisted features, our product analytics provider, our email delivery provider, and our hosting and edge-compute provider. Each is bound by a written data-processing agreement that restricts their use of personal information to what is necessary to serve us.
  • Within your workspace. Data you create or link inside a workspace is visible to the other members of that workspace, according to the role they have been granted by the workspace administrator.
  • Business transfers. If Kestrel is involved in a merger, acquisition, reorganisation, or sale of assets, personal information may be transferred as part of that transaction, subject to standard protections.
  • Legal and safety. We may disclose personal information where we believe in good faith that disclosure is required by law, necessary to enforce our Terms, or needed to protect the rights, safety, or property of Kestrel, our users, or others.

5. International Transfers

Kestrel and several of its sub-processors are located in the United States and other jurisdictions. Where personal information is transferred from the EU, UK, or other jurisdictions with data-transfer restrictions, we rely on Standard Contractual Clauses or an equivalent lawful transfer mechanism.

6. Data Retention

We retain personal information for as long as needed to provide the Service and for the following additional periods:

  • Account profile data: retained for the lifetime of your account and up to 30 days after deletion, except where a longer retention is required by law.
  • Linked-account transaction history: retained for up to seven years to support your financial reporting, unless you delete the connection earlier.
  • Operational logs and security telemetry: retained for up to 12 months.
  • Legal-acceptance records: retained for seven years as evidence that you agreed to a specific version of our Terms and this Privacy Policy.
  • Backups: retained for up to 35 days and then overwritten.

Anonymised or aggregated data that can no longer be used to identify you may be retained indefinitely.

7. Your Rights

Subject to applicable law, you may have the right to:

  • access the personal information we hold about you;
  • correct inaccurate information;
  • delete your account and associated personal information;
  • export your data in a portable format;
  • object to or restrict certain processing; and
  • withdraw consent where processing is based on consent.

Most of these actions can be performed from within the Service. For anything else, contact us at privacy@kestrel.example. We will respond within the timeframes required by applicable law (typically 30 days). You also have the right to lodge a complaint with your local data-protection authority.

8. Security

We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit and at rest, row-level access controls in our database, least-privilege access for our engineers, mandatory code review, and regular dependency and vulnerability scanning. No system is completely secure; if we become aware of a breach affecting your personal information, we will notify you and the relevant authorities as required by law.

9. Children's Privacy

The Service is not directed to anyone under 18 and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@kestrel.example and we will delete it.

10. Automated Decision-Making and AI Features

The Service offers AI-assisted features such as transaction categorisation suggestions, lease extraction from uploaded documents, and a conversational assistant. These features are decision-support tools only: a human (you) makes the final decision. We do not use your personal information to make decisions that produce legal or similarly significant effects on you without human involvement.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will publish the new version and increment the version number. If the change is material, you will be required to review and re-accept before continuing to use the Service. The "Effective Date" at the top of this document reflects the current version.

12. Contact

For questions about this Privacy Policy or to exercise your rights, contact privacy@kestrel.example.