
Privacy Policy

Last updated: April 2026

This policy explains how Rentoutbase processes personal data when you use the web platform and the tenant app. It is written to meet the requirements of the EU General Data Protection Regulation (GDPR) and Norwegian privacy law (personopplysningsloven).

1. Data controller

Rentoutbase is operated by Embrik Skrindo (sole proprietor), Norway. For any questions about this policy or your rights, contact emb.skrindo@gmail.com.

When you use the platform as a landlord, you are the data controller for any personal data you enter about your tenants, co-tenants or others, and Rentoutbase acts as your data processor for that information under these terms.

2. Categories of personal data

  • Account data: name, email address, phone, address, password hash, role.
  • Property data: addresses, rent amount, lease dates, images, meter numbers, bank account number.
  • Tenant data: name, email, phone, access code.
  • Contract data: lease agreements, signatures, signing timestamps.
  • Communications: messages exchanged in the platform; damage reports and photos.
  • Billing data: subscription status, plan and Stripe customer ID. Card details are processed by Stripe; we never store them.
  • Usage and security data: IP address (for rate-limiting and abuse prevention), session tokens, audit logs of admin actions.
  • Device data (tenant app only): photos captured or selected by the tenant, push notification token.

3. Purposes and legal basis (GDPR art. 6)

| Purpose | Legal basis |
| --- | --- |
| Creating and running your account, giving you access to the platform | Contract (art. 6(1)(b)) |
| Processing payments and managing your subscription | Contract (art. 6(1)(b)) |
| Sending transactional emails (access codes, contract links, reminders) | Contract (art. 6(1)(b)) |
| Security, rate limiting, fraud prevention, audit logging | Legitimate interest (art. 6(1)(f)) |
| Bookkeeping, tax records (invoices, rent payments) | Legal obligation (art. 6(1)(c)) |
| Product improvements based on aggregated usage | Legitimate interest (art. 6(1)(f)) |

We do not rely on consent for the processing described above (except for optional marketing, which we currently do not send). We do not sell your data. We do not use it for advertising or profiling, and we do not perform automated decision-making with legal effect on you (art. 22).

4. Sub-processors

We share personal data with the following processors, each under a data processing agreement (DPA):

  • Supabase (database, authentication, storage) — hosted in the EU. DPA in place.
  • Vercel (application hosting) — EU region. DPA in place. Transfers to the US are covered by Standard Contractual Clauses.
  • Stripe Payments Europe Ltd. (payments) — Dublin, Ireland. Some processing reaches the US; Stripe maintains SCCs and supplementary safeguards.
  • Resend (transactional email) — US. SCCs in place.
  • Apple / Google (push notifications, only if tenant app used) — standard platform terms apply.

Transfers outside the EU/EEA are based on EU Standard Contractual Clauses (SCCs) and, where applicable, additional technical safeguards such as encryption in transit and at rest. You can request a copy of the relevant safeguards at the contact address above.

If we engage a new sub-processor or replace an existing one, we will update this list and notify registered users at least 30 days before the change takes effect, so you have an opportunity to object.

4a. What we don't do

  • We do not sell your personal data.
  • We do not share your data with advertising networks, data brokers or profiling services.
  • We do not use your content to train AI or machine-learning models.
  • We do not send marketing emails unless you separately opt in. You can opt out at any time.

5. Device permissions (tenant app)

  • Camera: used only when you capture a photo for a damage report.
  • Photo library: used only when you attach an existing photo to a damage report.
  • Push notifications: used to deliver messages and reminders from your landlord, with your permission.

These permissions are never used for any other purpose. You can revoke them at any time in your device settings.

6. Retention

  • Active accounts: kept for as long as you have a paid or trial account.
  • Deleted accounts: personal data is erased immediately from the primary database when you delete your account. Encrypted backups are overwritten within 30 days.
  • Billing and tax records: invoices, receipts and payment records are kept for 5 years as required by Norwegian bookkeeping law (bokføringsloven §13).
  • Security logs and admin audit logs: up to 12 months.
  • Contract history: lease agreements are kept for as long as both parties have access to the platform, then deleted on account closure.

7. Your rights

Under the GDPR you have the following rights:

  • Access (art. 15): receive a copy of the data we hold about you. Available via Settings → Download your data in the app.
  • Rectification (art. 16): correct inaccurate or incomplete data. Most fields are editable in Settings, otherwise contact us.
  • Erasure (art. 17): delete your account and all personal data. Available via Settings → Delete account. Some records may be retained to meet the legal obligations listed in section 6.
  • Portability (art. 20): export your data in machine-readable format (JSON). Available via Settings → Download your data.
  • Restriction (art. 18) and Objection (art. 21): limit or object to processing. Contact us.
  • Withdraw consent at any time, where processing is based on consent.

You also have the right to lodge a complaint with the Norwegian Data Protection Authority, Datatilsynet, or with the supervisory authority in the EU/EEA country where you live.

8. Security

We apply industry-standard technical and organisational measures: TLS in transit, password hashing (bcrypt), row-level access controls, rate limiting on authentication, admin audit logging, and restricted access to production data. No system is completely secure, but we work hard to protect your data. If we discover a personal data breach affecting you, we will notify you and Datatilsynet within 72 hours as required by art. 33 and 34.

9. Children

Rentoutbase is intended for users who are 18 or older. We do not knowingly collect data about minors.

10. Cookies

We use essential cookies required to keep you signed in and to protect the service from abuse. We do not use advertising, tracking or analytics cookies that require consent under the ePrivacy rules.

11. Changes

We may update this policy. If we make material changes, we will notify registered users by email or in-app notice at least 14 days before the change takes effect.

12. Jurisdiction-specific rights

United Kingdom: the UK GDPR and the Data Protection Act 2018 give you rights equivalent to those described in section 7. Complaints can be directed to the UK Information Commissioner's Office (ICO).

Switzerland: the revised Federal Act on Data Protection (FADP) gives you rights equivalent to those described in section 7. Complaints can be directed to the Federal Data Protection and Information Commissioner (FDPIC).

Other EU/EEA countries: you may lodge a complaint with the supervisory authority in your country of residence instead of Datatilsynet.

13. Data protection contact

We are not legally required to appoint a Data Protection Officer, but Embrik Skrindo is the designated point of contact for all data protection matters and can be reached at emb.skrindo@gmail.com. We aim to respond to requests within 30 days as required by art. 12 GDPR.