Privacy Policy

Last updated: April 21, 2026

1. Introduction

PropDesk is a property management platform operated by Mehrshad Ghasemi, a sole proprietor based in Toronto, Ontario, Canada ("we," "us," "PropDesk"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our mobile app, website, and related services (the "Service").

By accessing or using PropDesk, you agree to the practices described here. If you do not agree, please do not use the Service.

2. Who We Are and How to Reach Us

Operator: Mehrshad Ghasemi, sole proprietor, Toronto, Ontario, Canada.

Privacy contact: [email protected] (subject: "Privacy Inquiry")

For Canadian residents, we act as our own Privacy Officer under the Personal Information Protection and Electronic Documents Act (PIPEDA). Any privacy question or request should be sent to the email above.

3. Information We Collect

Information you give us directly

Account information (name, email, hashed password, profile photo if uploaded), workspace content (property addresses, unit details, tenant and vendor contact information, lease records, rent payments, maintenance orders, inspection notes, tasks, documents, calendar events), and any information you submit through support requests.

Tenant and vendor data (third-party information)

When you use PropDesk, you input personal information about people who may not be users of the Service — tenants, vendors, contractors, and other contacts. You are responsible for having a lawful basis to collect and upload that information. See Section 6 for how your role and ours are divided for this data.

Information collected automatically

A server-generated device identifier stored in an httpOnly cookie (pd_device_id) used for session security and fraud detection; session timestamps; security event logs; IP address; application, browser, and device metadata; login and authentication attempts.

Information from third parties

If you sign in with Google, we receive your name, email, and profile image from Google. From Stripe we receive subscription and billing status (we do not receive full card numbers). From Twilio and Resend we receive delivery status of verification messages. From Sentry we receive crash and error reports from the app. Public marketing and auth pages may also load illustrative images from Unsplash.

Biometric data

Face ID / Touch ID data is processed locally on your device by your operating system. It is never transmitted to or stored on our servers.

4. How We Use Your Information

  • Provide, maintain, and improve the Service
  • Authenticate users and secure access (sessions, 2FA, device checks)
  • Process payments and manage subscriptions via Stripe
  • Send transactional messages (verification codes, password resets, security alerts, billing receipts)
  • Investigate abuse, fraud, and violations of these Terms
  • Analyze aggregate usage to improve reliability and performance
  • Comply with legal obligations and respond to lawful requests
  • Provide customer support

5. Legal Bases for Processing (EU / UK Residents)

Where the General Data Protection Regulation (GDPR) or the UK GDPR applies, we rely on the following legal bases:

  • Contract performance — to deliver the Service you have signed up for
  • Legitimate interests — to secure the Service, prevent fraud, and improve reliability
  • Consent — where required, for example for optional communications; you can withdraw consent at any time
  • Legal obligation — to retain billing records, respond to lawful government requests, or meet tax obligations

6. Your Role vs. Ours — Tenant and Vendor Data

For the personal information you enter about tenants, vendors, contractors, and other third parties, you are the data controller and PropDesk is the data processor. This means:

  • You decide what third-party data to collect and why
  • You must have a lawful basis to collect it (for example, your lease contract, a legitimate interest, or consent)
  • You must comply with landlord-tenant, privacy, and fair-housing laws that apply to you
  • We process that data according to your instructions and as needed to deliver the Service
  • If a tenant or vendor contacts us directly about their data, we will refer them to you
  • You must respond to data subject requests (access, correction, deletion) from those individuals. We provide tools within the Service to help

7. How We Share Information

We do not sell, trade, or rent your personal information to third parties.

We share information only:

  • With authorized members of your workspace, based on the permission level you assign them
  • With service providers bound by confidentiality obligations (listed in Section 8)
  • When required by law, court order, regulator request, or to defend legal claims
  • In connection with a merger, acquisition, or sale of assets (with reasonable notice)
  • With your consent for any other purpose

8. Service Providers We Use

  • Railway — backend and database hosting (primarily US)
  • Cloudflare R2 — file and media storage (global edge network)
  • Stripe — subscription billing and payment processing (Ireland / US)
  • Twilio — SMS delivery for verification codes (US)
  • Resend — transactional email delivery (US / EU)
  • Expo — mobile push notification delivery (US)
  • Google — sign-in with Google, if you choose to use it
  • Sentry — crash and error monitoring (US)
  • Unsplash — hosted marketing/auth imagery shown on public web pages
  • Apple App Store / Google Play — mobile app distribution

Each provider is bound by its own privacy policy and data processing terms.

9. International Data Transfers

Our service providers are primarily located in the United States and European Union. Your information may be transferred to, stored in, and processed outside Canada (including in the US or EU). Where cross-border transfers apply, we use contractual, technical, and organizational safeguards designed to protect personal information in line with applicable privacy law.

By using the Service, you understand that your data may be processed in countries that may have different data-protection rules than your country of residence.

10. Data Retention

  • Account data — retained while your account is active; deleted or anonymized within 90 days of account deletion
  • Workspace and tenant data — retained until you delete it; purged within 90 days of account deletion
  • Audit logs and authentication logs — 12 months, for security investigations
  • Billing records — 7 years, as required by Canadian tax law
  • Support correspondence — up to 24 months
  • Legal holds — retained as long as needed for specific legal matters

Encrypted backups may persist for up to 30 days after deletion as part of standard disaster-recovery rotation and are then overwritten.

11. Data Security

  • All data encrypted in transit (TLS) and at rest
  • Passwords hashed with bcrypt; never stored in plain text
  • Two-factor authentication (TOTP, SMS, or email) available and required for sensitive actions
  • Passkey / biometric app lock on supported devices
  • Rate limiting, input sanitization, and device fingerprint checks
  • Per-session revocation and audit logging
  • Least-privilege access for any person working on the Service

No method of transmission or storage is completely secure. While we use commercially reasonable measures, we cannot guarantee absolute security. If a breach occurs that affects your personal information, we will notify you as described in Section 15.

12. Your Rights

Subject to applicable law, you generally have the right to:

  • Access — request a copy of the personal information we hold about you
  • Correction — correct inaccurate or incomplete information
  • Deletion — request deletion of your account and related information
  • Portability — request your data in a structured, portable format
  • Objection / restriction — object to or restrict certain processing
  • Withdraw consent — where processing is based on consent

Canadian residents (PIPEDA)

You may complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca if you believe we are not handling your information properly.

Quebec residents (Law 25)

You have the right to an explanation of any automated decision that significantly affects you (we do not currently make such decisions), the right to have your data erased, and the right to receive your data in a structured format.

EU / UK residents (GDPR / UK GDPR)

You may lodge a complaint with your national supervisory authority. In the UK this is the Information Commissioner's Office (ico.org.uk).

California residents (CCPA / CPRA)

You have the right to know, delete, correct, opt out of the sale or sharing of personal information (we do not sell or share for targeted advertising), and not face discrimination for exercising your rights.

To exercise any right, email [email protected]. We respond within the timeframe required by applicable law.

13. Cookies and Similar Technologies

We use cookies only for authentication and security. Specifically:

  • pd_device_id — httpOnly, secure, SameSite=Lax; a server-generated device identifier used for session security and fraud detection. Persistent until cleared.
  • Standard session cookies set by your browser to maintain login state.

We do not use advertising cookies, third-party tracking pixels, or analytics cookies at this time. If we add any, we will update this policy and obtain consent where required.

14. Children's Privacy

PropDesk is not intended for users under 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided information to us, please email us and we will delete it.

15. Data Breach Notification

If a breach affects your personal information and poses a real risk to your rights, we will notify you and the relevant regulator (in Canada: the Office of the Privacy Commissioner; in the EU / UK: your supervisory authority) within the timeframes required by law. Our notice will describe what happened, what data was involved, the steps we are taking, and what you can do to protect yourself.

16. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this policy shows when it was last revised. For material changes we will provide in-app or email notice. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

17. Contact Us

For any question, concern, or request about this Privacy Policy or our data practices:

[email protected] — subject line: "Privacy Policy Inquiry"

A formal mailing address is available on request for legal notices (Toronto, Ontario, Canada).
