Privacy Policy

1. Who We Are

Reni AI Ltd ("Reni", "we", "us", "our") is a company registered in England and Wales. We operate the Reni AI platform at reniailab.com, which provides AI-powered agent building tools for property management professionals.

We are the data controller for personal data processed through our platform. For any questions about this policy, contact us at privacy@reniailab.com.

2. What Data We Collect

2.1 Account Data

When you create a Reni account, we collect your name, email address, company name, and role. This is necessary to provide you with access to the platform and manage your subscription.

2.2 Property and Business Data

You upload property details, tenant records, contractor information, and other business data to the platform. This data is stored to enable your AI agents to provide accurate, contextual responses.

2.3 Conversation Data

Messages exchanged between your tenants, guests, or applicants and your AI agents are processed and stored. This includes messages received via email, WhatsApp, and web forms. Conversation data is retained to maintain context across interactions and to enable multi-turn conversations.

2.4 Connected Service Data

When you connect third-party services (Google Workspace, Microsoft 365, WhatsApp, Airbnb), we access calendar availability, email content, and file metadata through OAuth tokens. We only access data within the scopes you explicitly authorise during the connection process. OAuth tokens are encrypted at rest using AES-256-GCM.

2.5 Usage Data

We collect analytics about how you use the platform: pages visited, features used, agent performance metrics, and session duration. This data is used to improve the product and is not shared with third parties.

3. How We Use Your Data

We process your personal data for the following purposes:

• Service delivery — Running your AI agents, processing conversations, checking calendars, searching property records, and executing tool calls on your behalf.
• AI processing — Your conversation data and business context are sent to our AI infrastructure (AWS Bedrock with Anthropic Claude models) to generate responses. We do not use your data to train AI models.
• Account management — Authenticating your login, managing your subscription, and communicating service updates.
• Product improvement — Analysing anonymised usage patterns to improve platform features and reliability.
• Security and compliance — Detecting and preventing fraud, abuse, or security threats.

4. Legal Basis for Processing

Under UK GDPR, we process your data on the following bases:

• Contract performance (Article 6(1)(b)) — Processing necessary to provide the Reni platform as described in our Terms of Service.
• Legitimate interests (Article 6(1)(f)) — Product improvement, fraud prevention, and security monitoring, where these interests are not overridden by your rights.
• Consent (Article 6(1)(a)) — Where you explicitly consent, such as connecting third-party services via OAuth or subscribing to marketing communications.
• Legal obligation (Article 6(1)(c)) — Where processing is required to comply with UK law.

5. AI Processing and Automated Decisions

Your AI agents make automated decisions when responding to tenant and guest messages. These decisions include routing messages to the correct agent, composing responses using your business data, and escalating complex situations to human team members.

AI-generated responses are based on your property data, tenant records, calendar availability, and the instructions you provide when building each agent. The AI does not make decisions about tenancy agreements, legal matters, or financial transactions without human oversight.

You can review, modify, or override any AI agent behaviour through the platform dashboard. Agents are configured to escalate to a human team member when they encounter situations outside their defined scope.

6. Data Sharing

We share personal data only with the following categories of recipients:

• Cloud infrastructure providers — Amazon Web Services (AWS) hosts our platform, databases, and AI processing infrastructure. Data is processed in the EU/UK region.
• AI model provider — Anthropic (via AWS Bedrock) processes conversation data to generate AI responses. Anthropic does not retain or train on your data.
• Connected services — When you connect Google, Microsoft, WhatsApp, or Airbnb, data flows between Reni and those services as directed by your AI agents.
• Payment processor — Stripe processes subscription payments. We do not store card details.

We do not sell your personal data. We do not share data with advertisers or data brokers.

7. Data Retention

• Account data — Retained for the duration of your subscription plus 30 days after account deletion.
• Conversation data — Retained for the duration of your subscription. Deleted within 30 days of account closure.
• Property and business data — Retained for the duration of your subscription. Exported on request before deletion.
• OAuth tokens — Encrypted tokens are retained while the connection is active. Deleted immediately when you disconnect a service.
• Usage analytics — Anonymised data retained for up to 24 months.

8. Your Rights

Under UK GDPR, you have the right to:

• Access — Request a copy of all personal data we hold about you.
• Rectification — Correct inaccurate or incomplete data.
• Erasure — Request deletion of your personal data ("right to be forgotten").
• Restriction — Restrict processing in certain circumstances.
• Data portability — Receive your data in a structured, machine-readable format.
• Object — Object to processing based on legitimate interests.
• Withdraw consent — Where processing is based on consent, withdraw at any time by disconnecting services or contacting us.

To exercise any of these rights, email privacy@reniailab.com. We will respond within 30 days.

9. Data Security

We implement the following security measures:

• All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
• OAuth tokens are encrypted with AES-256-GCM before storage in our database.
• Infrastructure is hosted on AWS with VPC isolation, security groups, and IAM least-privilege access.
• Application access is protected by JWT authentication and tenant isolation.
• We conduct regular security reviews and follow OWASP guidelines for application security.

10. International Transfers

Your data is primarily processed within the UK and EU (AWS London and Ireland regions). Where data is processed outside the UK (for example, AI model inference via AWS US regions), we ensure adequate safeguards are in place through AWS's Data Processing Addendum and Standard Contractual Clauses.

11. Children's Data

Reni is a business-to-business service. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided data to us, please contact privacy@reniailab.com.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email or an in-app notification at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Telephone: 0303 123 1113

14. Contact

For any questions about this privacy policy or your personal data:

• Email: privacy@reniailab.com
• Postal: Reni AI Ltd, London, United Kingdom