GDPR Compliance
Last updated: 21 March 2026
Our Commitment
Reni AI Ltd is committed to protecting personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page explains how we meet our obligations as both a data controller and a data processor.
Data Controller vs Data Processor
Reni as Data Controller
We act as the data controller for personal data we collect directly: your account information, usage analytics, and payment details. We determine the purposes and means of processing this data.
Reni as Data Processor
When your AI agents process tenant, guest, or applicant data on your behalf, we act as a data processor. You (the property manager or letting agent) are the data controller for that data. We process it only on your instructions and in accordance with our Data Processing Agreement.
Lawful Bases for Processing
We rely on the following lawful bases under Article 6 of UK GDPR:
| Data Type | Lawful Basis | Purpose |
|---|---|---|
| Account details | Contract performance | Providing Platform access |
| Conversation data | Contract performance | Running AI agents on your behalf |
| Connected services (OAuth) | Consent | Accessing calendar, email, files |
| Usage analytics | Legitimate interests | Product improvement |
| Payment information | Contract performance | Processing subscriptions |
| Security logs | Legitimate interests | Fraud prevention and security |
Data Subject Rights
Under UK GDPR, individuals have the following rights. We honour all requests within 30 days:
| Right | How to Exercise |
|---|---|
| Right of access | Email privacy@reniailab.com with "Data Access Request" |
| Right to rectification | Update directly in the Platform or email us |
| Right to erasure | Email privacy@reniailab.com with "Erasure Request" |
| Right to restrict processing | Email privacy@reniailab.com |
| Right to data portability | Export from Platform dashboard or email us |
| Right to object | Email privacy@reniailab.com |
| Rights related to automated decisions | Review AI agent actions in dashboard; request human review via email |
For tenants and guests: If a tenant or guest contacts us about data processed by your AI agents, we will direct them to you as the data controller. We will assist you in fulfilling data subject requests as your processor.
AI and Automated Decision-Making
Under Article 22 of UK GDPR, individuals have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
Our AI agents:
- Do not make legally binding decisions — Agents respond to messages, check calendars, and create tickets. They do not decide tenancy agreements, evictions, rent amounts, or legal matters.
- Escalate when uncertain — Agents are designed to hand off to human team members when they encounter complex, sensitive, or ambiguous situations.
- Are transparent — The property manager can review all agent decisions, conversation history, and tool calls via the dashboard.
- Can be overridden — Human operators can intervene in any conversation at any time.
Data Processing Agreement
When you use Reni to process personal data on behalf of your tenants, guests, or applicants, we enter into a Data Processing Agreement (DPA) with you. The DPA covers:
- The nature and purpose of processing
- Categories of data subjects and personal data
- Our obligations as processor (security, confidentiality, deletion)
- Sub-processor list and notification of changes
- Assistance with data subject requests and breach notification
- Data return and deletion upon termination
To request a copy of our DPA, email legal@reniailab.com.
Sub-Processors
We use the following sub-processors to deliver the Service:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, database hosting, AI processing (Bedrock) | UK / EU / US |
| Anthropic (via AWS Bedrock) | AI model inference for agent responses | US |
| Stripe | Payment processing | US / EU |
| SendGrid (Twilio) | Transactional email delivery | US |
We will notify you at least 30 days before adding a new sub-processor. You may object to a new sub-processor by contacting us within the notice period.
International Transfers
Where personal data is transferred outside the UK (for example, to AWS US regions for AI processing), we ensure adequate safeguards are in place:
- AWS — UK Addendum to the EU Standard Contractual Clauses, plus additional technical measures.
- Anthropic — Data processed via AWS Bedrock under AWS's DPA. Anthropic does not retain or train on customer data.
- Stripe — Certified under the UK Extension to the EU-US Data Privacy Framework.
Data Security Measures
We implement technical and organisational measures as required by Article 32 of UK GDPR:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- OAuth tokens encrypted with AES-256-GCM before database storage
- Multi-tenant data isolation at the database query level
- AWS VPC with private subnets, security groups, and IAM least-privilege
- JWT-based authentication with session management
- Regular dependency audits and security reviews
- Automated monitoring and alerting for anomalous activity
Data Breach Notification
In the event of a personal data breach:
- We will notify the ICO within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms.
- We will notify affected customers without undue delay, providing details of the breach, the data involved, and remedial actions taken.
- We maintain an internal breach register and conduct post-incident reviews.
Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals. This includes our AI agent processing, where automated decision-making processes personal data at scale.
Your Obligations as a Controller
When using Reni to communicate with your tenants and guests, you are the data controller. You should:
- Inform your tenants and guests that AI may be used to process their communications, as required by your own privacy notices.
- Ensure you have a lawful basis for processing tenant and guest data through the Platform.
- Respond to data subject access requests from your tenants and guests (we will assist as your processor).
- Configure your AI agents to handle personal data appropriately — avoiding unnecessary data collection and ensuring sensitive topics are escalated.
Supervisory Authority
Our lead supervisory authority is the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
Contact
For GDPR inquiries or data protection matters:
- Email: privacy@reniailab.com
- Postal: Reni AI Ltd, London, United Kingdom