This Privacy Policy explains what personal data Rentr collects, why we collect it, how we use it, who we share it with, and what choices you have. It is written to comply with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) (PDPL) and to be readable in plain English.
If anything is unclear, write to our Data Protection Officer at info@rentr.ae and ask us to explain.
1. Who we are
The data controller for the personal data described in this policy is Rentr (the company operating rentr.ae).
- Registered office: to be inserted post-incorporation
- Trade Licence No.: to be inserted
- Data Protection Officer (DPO): info@rentr.ae, subject line “DPO request”
- Supervisory authority: UAE Data Office (dataoffice.gov.ae)
2. What personal data we collect
We collect only what we need to run the Service.
2.1 Account data (all users)
- Full name
- Email address
- Mobile phone number
- Role (tenant, landlord, or contractor)
- Password (stored as a one-way hash; we never see the plaintext)
- Profile photo (optional)
- Sign-in identifier from Google or Apple if you use OAuth (limited to profile and email scopes)
2.2 Identity verification data
- Emirates ID: we store the last 4 digits in plaintext for convenience display, and the full number encrypted at rest with AES-256-GCM for verification when required. We do not store the Emirates ID image. Where verification is required, we rely on Ejari upload as the primary verification artefact.
- Date of birth (optional)
2.3 Property data (landlords + tenants)
- Building name and community
- Unit number, type, floor
- Ejari number, Makani code
- DEWA premise number
- DLD property number
- Rental terms (rent amount, start/end dates) where provided
2.4 Maintenance request data
- Request category, description, urgency
- Photos of the issue you upload
- Communications between tenant, landlord, contractor, and Rentr admin about the request
- Status updates, completion photos, ratings
2.5 Payment metadata
Amount, currency, date, status, a Stripe customer/account reference, the last 4 digits and brand of the card or bank reference used. We never see or store your full card number, CVV, or full bank-account number; Stripe handles that and is the responsible processor.
2.6 Contractor onboarding data
- Trade licence (number + uploaded copy)
- Trade-specific permits (Dubai Municipality, DCD, etc., where applicable)
- Trade categories applied for
- Bank account details, held by our payment partner (see Section 4), not by us
2.7 Technical data (all users)
- IP address (truncated for analytics; retained full for fraud / security investigation only)
- Browser and device fingerprint
- Approximate location derived from IP
- Pages visited, clicks, time on page
- Authentication session cookie (essential, no third-party trackers at launch)
2.8 Communications data
- Emails we send and receive about your account (through Resend)
- SMS / WhatsApp messages once that integration is live (via Unifonic)
- AI-support chatbot transcripts once that feature is live (with redaction)
3. How we use your data and on what legal basis
Under PDPL Article 6, every use of personal data must have a lawful basis. Our uses and bases are:
| What we use the data for | PDPL lawful basis |
|---|---|
| Creating and operating your account | Contract performance (Art. 6(1)(a)) |
| Matching tenants and contractors, coordinating requests | Contract performance |
| Processing payments, paying out | Contract performance + legal obligation (VAT, AML) |
| Verifying contractor licences, Emirates IDs, Ejari documents | Contract + legitimate interest in fraud prevention |
| Transactional emails (confirmations, request updates) | Contract performance |
| Marketing emails about Rentr features | Your consent, opt-in only, opt-out any time |
| Detecting fraud, abuse, account takeover | Legitimate interest in platform integrity |
| Aggregated, anonymised analytics | Legitimate interest in improving the Service |
| Complying with UAE tax, AML, other legal obligations | Legal obligation |
| Defending Rentr in legal claims | Legitimate interest |
You can withdraw consent for consent-based uses (e.g., marketing) at any time from your account settings or by emailing info@rentr.ae.
4. Who we share your data with
We share data only with the parties below, and only for the purposes shown. We bind each party by a written data processing agreement (DPA) in line with PDPL Article 8.
| Party | What they receive | Purpose | Country |
|---|---|---|---|
| Stripe | Payment metadata; for contractor payouts, identity + bank-account data | Payments + payouts | Ireland + US |
| Resend | Email content + recipient address | Transactional email delivery | US |
| Cloudflare (R2 + Workers) | Uploaded photos, request attachments | Object storage + edge delivery | EU primary, UAE PoP |
| Vercel | Application requests + logs | Application hosting | Frankfurt primary, global edge |
| Neon (Postgres) | All structured database content | Primary database | Frankfurt (eu-central-1) |
| Google | Email + profile name (if you sign in with Google) | OAuth authentication | Global |
| Apple | Email + profile name (if you sign in with Apple) | OAuth authentication | Global |
| Unifonic (when live) | Phone number + SMS / WhatsApp content | Messaging | UAE / GCC |
| Anthropic (Claude) (when AI support is live) | Redacted chat content, no full names, no IDs | AI customer support | US |
| Rentr’s professional advisers | Only what they need to advise us | Professional services | UAE |
| Law enforcement and regulators | What is lawfully required | Legal obligation | UAE |
We do not sell your personal data. We do not share it with advertising networks or data brokers. At launch we do not use third-party analytics or marketing cookies.
The current sub-processor list is published at /legal/sub-processors. We give at least 30 days’ notice before adding or changing a sub-processor.
5. International data transfers
Some of the parties listed in Section 4 are located outside the UAE. Under PDPL Articles 22–23, transfers outside the UAE require an appropriate legal basis. Rentr relies on:
- Adequacy, for countries the UAE Data Office has determined provide an adequate level of protection
- Contractual safeguards, for all other destinations, our DPAs contain protections substantially equivalent to EU Standard Contractual Clauses
- Contract performance, many transfers are necessary to deliver the Service you signed up for
- Your consent, where the transfer is not strictly necessary, we ask for your specific opt-in
You can ask the DPO for a copy of the contractual safeguards we have in place with any sub-processor.
Cross-border-transfer disclosure wording will be confirmed against final PDPL executive regulations.
6. How long we keep your data
| Data category | Retention period | Reason |
|---|---|---|
| Account profile | Until account closure, then 30 days, then deleted | Right to erasure |
| Verification artefacts (encrypted EID, Ejari) | 5 years after account closure | UAE e-transactions + AML |
| Maintenance request photos | 6 months after request completion | Minimisation; dispute window |
| Payment metadata | 5 years from transaction date | VAT + e-transactions |
| Email + message content | 12 months | Operations + dispute resolution |
| Technical logs (IP, device) | 12 months | Fraud + security |
| AI chatbot transcripts | 90 days | Operational improvement |
| Cookies (auth session) | Until logout or 30 days, whichever first | Authentication |
If a longer period is required by UAE law (for example, tax records), the longer period applies.
7. Your rights under the PDPL
PDPL Articles 13–19 give you the following rights, free of charge:
- Access, ask what personal data we hold about you
- Correction, ask us to fix data that is wrong
- Erasure, ask us to delete your data (subject to legal exceptions like tax retention)
- Restriction, ask us to stop using your data while we investigate a concern
- Portability, get a copy in a structured, machine-readable format
- Objection, to processing based on legitimate interest
- Withdraw consent, for any use we rely on consent for
- Not be subject to a wholly automated decision that significantly affects you
- Lodge a complaint with the UAE Data Office
Exercise any right from your in-app Manage your data page: pick access, correction, deletion, or withdraw consent, and the request reaches our Data Protection Officer with your account context attached. If you prefer email, write to info@rentr.ae with subject “DPO request”. We respond within 30 days as required by UAE PDPL.
If we need to verify your identity before responding, we may ask for additional verification, using the minimum data needed.
8. How we keep your data secure
- Encryption in transit: TLS 1.3 for every connection
- Encryption at rest: sensitive fields (full Emirates ID number, tokens) encrypted with AES-256-GCM. Database storage encrypted by Neon; object storage encrypted by Cloudflare R2
- Signed URLs: upload and download URLs short-lived (≤ 15 minutes) and signed
- Authentication: strong password rules + OAuth via Google / Apple; MFA available via your OAuth provider
- Access control: Rentr staff access role-restricted and audit-logged; code review on changes that touch personal data
- Backups: encrypted daily backups, retained 30 days
- Vulnerability management: dependency scanning, periodic penetration testing
No security is perfect. If a breach occurs and is likely to result in risk to you, we will notify you and the UAE Data Office without undue delay in line with PDPL Article 9.
9. Children
Rentr is not for children under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have collected data from a child, please contact info@rentr.ae and we will delete it.
10. Cookies and tracking
At launch we use a minimal cookie set:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| rentr_session | Keep you signed in | Strictly necessary | Until logout / 30 days |
| rentr_csrf | Protect form submissions | Strictly necessary | Session |
| rentr_locale | Remember language | Functional | 1 year |
We do not use third-party analytics, advertising, or social-media trackers at launch.
11. Changes to this policy
If we make a material change to this policy we will give at least 30 days’ notice by email or in-app message and update the “Last updated” date at the top.
12. Complaints and contacting the regulator
If you have a complaint about how we handle your data:
- First, email our DPO at info@rentr.ae, subject line “DPO complaint”. We will respond within 30 days
- If you are not satisfied, you can lodge a complaint with the UAE Data Office (dataoffice.gov.ae)
We will not penalise you for making a complaint.
13. Contact
Rentr, Data Protection Officer
Registered office address, to be inserted post-incorporation
Email: info@rentr.ae (subject: “DPO request”)