Privacy & Compliance

A plain-English summary of how we handle data, what we certify, and what we explicitly don't. Verbose legal text lives in Terms of Service below.

Australian Privacy Principles

PMFriend operates under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Summary:

  • APP 1 (Open management): this documentation page, our FAQ, and inline UI notices cover our practices.
  • APP 3 (Collection): we collect only what's needed for the service we provide — property + owner + tenant + contractor contact info, maintenance history, compliance records.
  • APP 6 (Use & disclosure): data is used only for PM workflows inside your agency. Cross-agency isolation is enforced at the database level (row-level security).
  • APP 8 (Cross-border disclosure): tenant report text is sent to Anthropic (US-based). See AI Fallbacks & Privacy.
  • APP 11 (Security): encrypted at rest (RDS), encrypted in transit (TLS 1.2+), database-enforced multi-tenant isolation.
  • APP 12 (Access): an agency admin can export their full agency data via the Settings page (planned) or by request.
  • APP 13 (Correction): any record in the product can be edited by the agency admin.

Data residency

  • Database (PostgreSQL): AWS RDS in Frankfurt (eu-central-1) today. Migration to Sydney (ap-southeast-2) is on the roadmap.
  • Object storage (S3): same region as DB. Contains compliance documents, invoices, and photos.
  • Anthropic API calls: routed to Anthropic's commercial endpoint, which serves from US + EU regions. Agencies with AU-data-residency requirements can disable Anthropic (ANTHROPIC_ENABLED=false) for heuristic-only operation, or wait for our planned Bedrock (ap-southeast-2) routing.

Full detail: AI Fallbacks & Privacy.

Security controls

  • Auth: email+password (BCrypt with cost 12), Google SSO via OAuth2, HttpOnly + Secure session cookies, 14-day TTL.
  • Magic links: SHA-256 hashed server-side; plaintext tokens delivered once via email/SMS and never stored.
  • Database RLS: every tenant-scoped table carries FORCE ROW LEVEL SECURITY, so application code bugs cannot leak data across agencies.
  • Audit log: append-only 7-year retention on every INSERT / UPDATE / DELETE across watched aggregates.
  • Rate limits: per-IP + per-token on public endpoints.
  • Infrastructure: AWS App Runner, RDS (encrypted), S3 (SSE-KMS), IAM role-based access, GitHub Actions OIDC (no long-lived AWS keys).
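The FORCE ROW LEVEL SECURITY control above, shown as an added Postgres illustration rather than PMFriend's own schema. The role pmfriend_app, the table maintenance_requests, its agency_id column and the per-request setting app.current_agency are assumed names; the pattern is what a reviewer would check for when verifying the isolation claim.

```sql
-- Added illustration of the RLS pattern described above; not PMFriend's schema.
-- Assumed names: role pmfriend_app, table maintenance_requests, column agency_id,
-- per-request session setting app.current_agency.

-- The application connects as a role that is neither superuser nor table owner
-- and has no BYPASSRLS, so policies cannot be skipped by the connecting role.
CREATE ROLE pmfriend_app LOGIN NOSUPERUSER NOBYPASSRLS;

CREATE TABLE maintenance_requests (
  id         bigserial PRIMARY KEY,
  agency_id  uuid NOT NULL,
  property   text NOT NULL,
  summary    text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON maintenance_requests TO pmfriend_app;

-- ENABLE turns RLS on; FORCE additionally applies it to the table owner,
-- so an owner-level connection (e.g. a migration user) is not a bypass.
ALTER TABLE maintenance_requests ENABLE ROW LEVEL SECURITY;
ALTER TABLE maintenance_requests FORCE ROW LEVEL SECURITY;

-- One policy for every command: rows are visible and writable only when
-- agency_id equals the agency bound to the current request.
-- NULLIF(..., '') handles an unset or reset GUC: the comparison becomes
-- NULL (false), so a request that forgot to bind an agency sees nothing
-- rather than everything.
CREATE POLICY agency_isolation ON maintenance_requests
  FOR ALL TO pmfriend_app
  USING (agency_id = NULLIF(current_setting('app.current_agency', true), '')::uuid)
  WITH CHECK (agency_id = NULLIF(current_setting('app.current_agency', true), '')::uuid);

-- Per request, the application binds the authenticated agency (transaction-local).
BEGIN;
SET LOCAL app.current_agency = '11111111-1111-1111-1111-111111111111';
-- A buggy query with no WHERE clause still returns only this agency's rows.
SELECT id, property, summary FROM maintenance_requests;
-- An insert naming another agency is rejected by WITH CHECK.
INSERT INTO maintenance_requests (agency_id, property, summary)
VALUES ('22222222-2222-2222-2222-222222222222', '1 Example St', 'cross-tenant write');
ROLLBACK;

-- Audit check: every tenant-scoped table should report both flags as true.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class
WHERE relname = 'maintenance_requests';
```

The last query is the quick way to confirm the "FORCE" part of the claim across a whole schema: drop the WHERE clause and filter on relforcerowsecurity = false to list any table that only has ENABLE.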

What we certify

  • Cross-agency data isolation via Postgres RLS (demonstrable)
  • Encryption at rest (AWS KMS) and in transit (TLS 1.2+)
  • Only report text is sent to Claude (enforced by unit tests; see AI Fallbacks & Privacy)

What we explicitly do NOT certify

  • Legal compliance of your agency. Our compliance register is a reminder tool. It does not certify you're meeting the current rules in your jurisdiction. The rules are state-specific and change; always verify with your principal.
  • Trust account compliance. We don't touch trust accounting. Audit compliance on your trust account is your PMS's (PropertyMe, PropertyTree, Console) responsibility, not ours.
  • SOC 2 / ISO 27001. Not pursued at pilot scale; roadmap item for post-ARR milestones.
  • Industry body accreditation (REIA, REIV, REIQ etc.). We're a software vendor; we're not authorised to represent your licensed activities.

AI transparency

  • Model: Anthropic Claude Haiku (family) via direct HTTP integration.
  • What we send: see AI Fallbacks & Privacy.
  • Training opt-out: Anthropic's commercial tier contractually doesn't train on our API data.
  • AI output human-reviewed: every outbound communication Claude drafts (owner digest, legal notice, etc.) requires PM approval before it sends. No autonomous delivery.
  • Prompt-versioning: every AI-generated output is stored with its prompt version (e.g. claude-haiku-4-5@prompt-v2) for audit.

Data retention

  Entity                        Retention
  Active agency data            For as long as the agency is active
  Audit log                     7 years
  Sent owner digests            Per-owner log, retained for the life of the property
  Uploaded invoices + photos    7 years
  Cancelled agency data         30 days grace, then deleted

Export on cancellation is supported via CSV (the reverse of the CSV Wizard).

Terms of Service

The full Terms of Service live on our landing page (linked from the footer). Summary:

  • Monthly subscription, cancel any time.
  • Service provided "as-is" with no warranty of fitness beyond the specific commitments in these docs.
  • Limitation of liability capped at 12 months of paid fees.
  • Australian law, Victorian jurisdiction.
  • We retain data for 30 days after cancellation then delete; agencies can export before then.

Privacy Policy

Full Privacy Policy: pmfriend.com/privacy-policy.

Contacting us

Privacy + data access requests: hello@pmfriend.com with subject "APP access request — [your agency name]". We respond within 30 days as required.