Trust

What we promise. What we verify.

Maintenance platforms see a lot. Tenant addresses, access windows, invoice amounts, builder licences. We treat that as a privilege, not data exhaust.

Privacy Act 2020

Per-user data export and account delete from day one.

We're a NZ-registered controller of personal information. Tenants and providers can export every byte we hold on them, and request hard-delete. We honour delete inside the statutory window. Breach response runbook tested and on-call.

RTA s.48 entry notice

Access windows captured on the ticket. Tradie arrives inside consented hours.

The Residential Tenancies Act requires reasonable notice for entry to a tenancy for maintenance. RentMate captures the tenant's consented access window on every ticket. Tradies see the window and schedule inside it. Anything outside the window goes back to the tenant for re-consent.

Trade registration verified

PGDB, EWRB, and LBP scopes checked. Expiry tracked.

Every tradie's registration class is verified against the relevant NZ board on signup. Cert expiry dates are stored in Postgres and the platform notifies the tradie at 30 / 7 / 1 days before expiry. Jobs requiring regulated work only surface to tradies with the matching active certification.

Security posture

The boring details.

The unglamorous list that matters when something goes wrong.

Hosting: AWS Sydney (ap-southeast-2). All data resident in Australia.
Encryption at rest: AES-256 on RDS Postgres, S3 attachments, and EBS volumes.
Encryption in transit: TLS 1.2+ everywhere, including DB connections (sslmode=require).
Authentication: Argon2id-hashed passwords during pilot. Better Auth (magic link + email verification) in flight.
Authorisation: Row-level security on every tenant-scoped table. App role is NOBYPASSRLS. Cross-tenant tests in CI.
Audit: Append-only ticket_activity + audit_log tables. Privacy Act actions logged with redaction.
Backups: RDS automated daily backups, 7-day retention during pilot. PITR available.
Disclosure: security@rentmate.scalioni.com · 24-hour ack, working fix within 14 days for high-severity.
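
What the Authorisation entry describes can be sketched in PostgreSQL as follows. This is an added example, not RentMate's schema or test suite: the role app_rw, the tickets table, the app.tenant_id setting and the UUIDs are assumptions constructed for illustration, and it is meant to be run as a superuser in a scratch database.

```sql
-- Added example. All names and UUIDs are constructed, not RentMate's own.
BEGIN;

-- NOBYPASSRLS is the default for new roles; stating it makes the intent auditable.
CREATE ROLE app_rw NOBYPASSRLS;

CREATE TABLE tickets (
    tenant_id uuid NOT NULL,
    summary   text NOT NULL
);
-- Seed one row per tenant before policies are switched on.
INSERT INTO tickets VALUES
    ('11111111-1111-1111-1111-111111111111', 'tenant A: leaking tap'),
    ('22222222-2222-2222-2222-222222222222', 'tenant B: broken heater');
GRANT SELECT, INSERT, UPDATE, DELETE ON tickets TO app_rw;

ALTER TABLE tickets ENABLE ROW LEVEL SECURITY;
ALTER TABLE tickets FORCE ROW LEVEL SECURITY;  -- table owner is bound by policies too

-- With missing_ok = true an unset setting yields NULL, so no row matches (fail closed).
CREATE POLICY tenant_isolation ON tickets
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Cross-tenant test: act as the app role, scoped to tenant A.
SET LOCAL ROLE app_rw;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);

DO $$
BEGIN
    -- Read: only tenant A's row may be visible.
    IF (SELECT count(*) FROM tickets) <> 1 THEN
        RAISE EXCEPTION 'cross-tenant read leak';
    END IF;
    -- Update: tenant B's row is invisible, so nothing may change.
    UPDATE tickets SET summary = 'tampered'
     WHERE tenant_id = '22222222-2222-2222-2222-222222222222';
    IF FOUND THEN
        RAISE EXCEPTION 'cross-tenant write leak';
    END IF;
    -- Insert: a row for tenant B must be rejected by WITH CHECK (SQLSTATE 42501).
    BEGIN
        INSERT INTO tickets VALUES ('22222222-2222-2222-2222-222222222222', 'planted');
        RAISE EXCEPTION 'cross-tenant insert accepted';
    EXCEPTION WHEN insufficient_privilege THEN
        NULL;  -- expected: policy violation
    END;
END $$;

ROLLBACK;  -- removes the role and table, and reverts SET LOCAL ROLE
```

Any failed check raises an exception and aborts the script with a non-zero exit under `psql -v ON_ERROR_STOP=1`, which is what lets it gate a CI run.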

Frequently asked

Where is my data stored?
AWS Sydney (ap-southeast-2). Closer to NZ than any US-region SaaS. We don't replicate to other regions.

Can I get a copy of everything you hold on me?
Yes. Export is a one-click action inside the app for tenants and tradies. Landlords can request via privacy@rentmate.scalioni.com. We respond inside 20 working days per the NZ Privacy Act.

Can you delete my account?
Yes. Soft-delete is instant. Hard-purge runs daily for accounts past their 30-day reflection window. Reviews and audit log are anonymised but kept (regulatory). Messages are redacted.

Do you sell or share data?
No. We never sell. We share only with the tradie a PM has accepted (their name, suburb, phone), and only after acceptance. No data brokers, no ad networks.

What about SOC 2 / ISO 27001?
Not certified at the pilot stage. The security posture above describes what we operate to; formal certification is a Series A item.