AI safety and fallbacks
The most common question we get from agency principals: "What happens when the AI is wrong?" Followed by "What happens when it's down?" And then "What about my tenants' data?"
Here's the honest answer to each.
What happens when the AI is wrong
The AI suggests; your PM decides. So when the AI gets something wrong:
- For triage: the suggestion is editable. Wrong category? Click the dropdown, pick the right one. Wrong urgency? Same.
- For drafted notices / digests / reports: every text field is a text editor. Read the draft, edit anything that's wrong, send.
- For ranked contractor picker: ignore the ranking. Pick anyone in your list, in any order.
- For case packs: the prominent disclaimer says "verify before submitting". You sign off, not the AI.
There's no AI output in PMFriend that goes anywhere autonomously. The human-in-the-loop is the safety mechanism. We don't pretend it's optional.
What happens when the AI is down
PMFriend uses a commercial AI provider (with AU data-residency). They have ~99.9% uptime, but outages happen. When they do:
Every AI feature has a deterministic fallback — a non-AI version that still works:
| Feature | AI fallback |
|---|---|
| Maintenance triage | Keyword-match against AU rental issue patterns. Same category + urgency suggestions, less polish. |
| Inspection report | Template-based recital. Same room order, same safety flags + follow-ups extraction, less prose flow. |
| Owner digest | Bullet-point summary of the period's events. PM has to write the warm framing themselves. |
| Legal notices | Static state-specific templates with the right form references. |
| Case pack | Chronology + numbered exhibit list with template prose. The structure is unchanged, the writing is just less nuanced. |
| Contractor matching | Score-based ranking on trade match + insurance status + past rating. No AI weighting on top. |
Every time a fallback runs, the response shows modelVersion: heuristic-v0
in the output. So if you see that and the prose seems a bit stiff,
that's why — and the AI provider will be back online shortly.
How the circuit breaker works
If the AI provider fails 3 times in a row, PMFriend stops calling them for 60 seconds and uses the fallback. After 60 seconds, it tries again. If it succeeds, full AI features resume; if not, another 60 seconds of fallback.
This protects your dashboard from feeling slow during an outage — every AI call has an 8-15 second timeout, but with the circuit breaker open, calls return instantly using the fallback.
What the AI sees
Here's exactly what data each AI feature has access to:
Maintenance triage
- Tenant's report text
- Property address (street + suburb + state — for context, e.g. NSW pool rules vs VIC)
- Issue category history at this property (e.g. "this is the third plumbing report at this address in 6 months" → AI may suggest inspection)
Does NOT see: Tenant name, contact details, owner identity, rent amount, lease details, other tenants' history.
Owner digest
- The period's maintenance + work orders + inspection reports + costs at the owner's properties
- Owner's first name (for the salutation)
- Property addresses
Does NOT see: Owner's other agency arrangements, owner's contact preferences for non-PMFriend systems, owner's bank or trust account details (we don't have access to those at all).
Inspection report
- The room-by-room checklist data (item descriptions, conditions, notes)
- Property address
- Tenant first name (for the report) + PM name (for sign-off)
Does NOT see: Tenant contact details, lease specifics, rent amount, photographs (until photos are wired — even then, only what you upload to that specific report).
Tribunal case pack
- Maintenance requests + work orders at the property in the date window
- The PM's free-text background paragraph
- Property + tenant first name (for the chronology)
Does NOT see: Bond amount, rent amount, owner identity, tenant financial information, statutory citations beyond what's in the chronology.
In every case, the AI sees just enough text to do its job, and nothing more. We don't send personally identifying information that isn't necessary for the task.
Where data is processed
- All your data lives in Sydney (
ap-southeast-2AWS region). - AI requests go to a commercial AI provider. We use providers that offer AU/Asia-Pacific endpoints where available so the request data stays close to home.
- AI providers do not train on your data. Our agreements with them contractually exclude your inputs from any training set. Your inspection reports aren't going into anyone else's model.
- Logs of AI requests (for debugging) are retained for 30 days then deleted. They show timestamps + which tenant the request was for, not the request body.
What if the AI is hallucinating
Two things can happen — both within bounds:
- The AI invents a fact. The most dangerous case. Always read AI-drafted text before sending. If the AI says "the tenant has been 3 weeks behind on rent" but you know it's 2 weeks, edit it. If the AI cites a statute section number, double-check it before sending.
- The AI uses a clunky phrase. Annoying, not dangerous. Edit it like you would any draft.
Both are edited in plain-text form fields. No special "fix the AI" button — just edit the text and submit.