RateMyFlat Privacy Policy
Version: 2.2
Effective Date: 14 February 2026
Last Updated: 14 February 2026
Document Notes
This Privacy Policy is drafted to comply with the New Zealand Privacy Act 2020 and addresses the unique operational requirements of RateMyFlat, including:
- Extended retention periods for verification documents
- AI-powered document processing and data extraction
- Mutual progressive disclosure between platform participants
- Commercialisation of anonymised and aggregated data
- Government and regulatory data sharing arrangements
Legal Review Required: This document must be reviewed by a qualified New Zealand legal professional before publication.
1. Introduction
Welcome to RateMyFlat ("we," "us," or "our"). We are committed to protecting your personal information and respecting your privacy rights under the Privacy Act 2020 (the "Act").
This Privacy Policy explains how we collect, use, disclose, and store your personal information when you use our website, mobile application, and services (collectively, the "Platform"). By accessing or using RateMyFlat, you consent to the practices described in this policy.
This Policy should be read together with our Terms of Use, which govern your use of the Platform.
2. Eligibility and Age Restriction
Our Platform is intended solely for users who are 18 years of age or older. We do not knowingly collect personal information from individuals under the age of 18.
2.1 Age Verification
We do not proactively verify age at registration. However, if during the verification process or through user reports we become aware that a user is under 18, we will:
- Immediately suspend the account;
- Delete all personal information associated with the account within 30 days, including uploaded documents;
- Retain only fully anonymised data that cannot be linked to the individual;
- If we have contact details for a parent or guardian, notify them of the account suspension.
2.2 Minors Referenced in Documents
If a Property Manager or other user uploads documentation that references a minor (e.g., as a listed occupant on a tenancy agreement), we will not create any record or profile for that individual and will exclude their information from data extraction.
3. Collection of Personal Information
We collect personal information directly from you, from third parties acting on your behalf or with your consent, and through automated means.
3.1 Information You Provide
| Data Type | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, phone number, password | Account creation and authentication |
| Profile Data | Current and past rental history, demographic information | Platform functionality and verification |
| Tenancy Documents | Residential Tenancy Agreements, bond lodgement forms, rent records, utility bills | Verification of property relationships |
| Certification Documents | Electrical certificates, plumbing compliance, building consents, Healthy Homes assessments | Property attribute verification |
| Communications | Feedback, support queries, reviews, dispute submissions | Platform operation and improvement |
| Photographs | Property condition photos, chattel images, certification evidence | Verification and complaint resolution |
3.2 Information Provided by Third Parties
#### Property Managers and Landlords
If you are a Property Manager, Landlord, or lead tenant uploading information about third parties (e.g., co-tenants, tenants in properties you manage, or tradespeople who performed work):
- Warranty of Consent: You warrant and represent that you have obtained the express consent of the individuals whose data you are uploading, or that you have provided them notice that their information may be shared with RateMyFlat.
- Authority: You confirm you have the legal authority to share this data with RateMyFlat for the purposes of verification and platform administration.
- Indemnity: You agree to indemnify RateMyFlat against any claims arising from a lack of consent or authority regarding the data you provide.
#### Verified Partners
We have commercial agreements with property assessors, installers, and other service providers ("Verified Partners") who provide data directly to the Platform regarding work performed on properties. Data received from Verified Partners is governed by separate B2B agreements and is used to create verification records and proof-of-work documentation.
#### Licensed Data Sources
We collect property ownership and attribute information from licensed data sources, including the LINZ Property API and other authorised providers. This data is used for internal verification purposes.
3.3 Pending Verification Data (Draft Relationships)
Where a Property Manager or Landlord uploads documentation that references individuals who are not yet registered on the Platform ("Unregistered Individuals"):
- Limited Extraction: We extract only the minimum information necessary to enable future verification (name, property address, tenancy dates).
- No Profile Creation: We do not create a user profile or public record for Unregistered Individuals.
- Retention Limit: Pending Verification Data is retained for a maximum of 7 years from the date of upload. If the individual does not register and verify within this period, the data is deleted.
- Verification Prompt: If an individual later registers with matching details, we will prompt them to verify the relationship. They may confirm the relationship, dispute it, or decline to verify.
3.4 Tradesperson and Service Provider Data
We collect information about tradespeople and service providers from multiple sources:
| Source | Data Collected | Use |
|---|---|---|
| User-Submitted Documentation | Tradesperson name, license number, company, work performed | Property attribute verification |
| Verified Partner Data | Work records, certifications, assessment reports | Proof-of-work and compliance verification |
| Tradesperson Registration | Profile information, qualifications, service areas | Discoverability and review receipt |
Visibility Rules:
- Extracted tradesperson data is held internally and is NOT publicly associated with properties unless the tradesperson has registered and claimed the work.
- Registered tradespeople may choose to make their profile and work history publicly discoverable.
- Tradespeople may dispute associations with work and request review.
3.5 Photographs and Visual Media
We collect photographs in two categories with different handling rules:
#### Certification and Complaint Evidence
Photos uploaded to support verification claims, certifications, or complaints are:
- Visible only to the uploading user and RateMyFlat administrators
- Used solely to assess the validity of claims
- NOT published or shared with other users
- Subject to long-term retention as part of the verification record
#### Property Profile Images
Photos uploaded to property profiles are:
- Visible to verified users according to the visibility rules in our Terms of Use
- Subject to our content guidelines (no identifiable individuals without consent)
Image Metadata: We extract and retain metadata from uploaded images (including timestamps, device information, and geolocation data) to verify authenticity. Metadata may be used in aggregated form but individual image metadata is not published.
Incidental Capture: If you upload images that incidentally capture identifiable individuals (e.g., flatmates, neighbours, tradespeople), you warrant that you have their consent OR that their faces are obscured. We reserve the right to reject or require modification of images containing identifiable individuals without apparent consent.
3.6 Automated Collection
When you visit our Platform, we automatically collect:
| Data Type | Collection Method | Purpose |
|---|---|---|
| IP Address | Server logs | Security, fraud prevention, analytics |
| Browser and Device Information | Browser headers | Platform optimisation |
| Usage Statistics | Analytics tools | Feature improvement |
| Session Data | Cookies | Authentication, preferences |
4. Use of Artificial Intelligence and Automated Processing
We utilise Artificial Intelligence (AI) and Machine Learning (ML) technologies to process documents and data you provide to the Platform.
4.1 What AI Processes
By uploading documents, you explicitly consent to automated processing for:
| Processing Type | Data Extracted | Purpose |
|---|---|---|
| Document Parsing | Property address, rent amounts, bond amounts, tenancy dates, party names | Verification and entity creation |
| Relationship Analysis | Landlord-tenant-property connections, property manager associations | Trust network mapping |
| Attribute Extraction | Chattels, property conditions, materials, certifications | Property profile enrichment |
| Compliance Analysis | RTA-relevant terms, bond handling, notice periods | Verification weighting |
| Fraud Detection | Document authenticity markers, cross-reference validation | Platform integrity |
4.2 Automated Decisions
Our AI systems assist with verification and content analysis but do not make final determinations that significantly affect your rights without human oversight.
Automated systems may:
- Flag content for human review
- Assign preliminary verification status (subject to human confirmation)
- Detect potential policy violations
- Suggest relationship matches for user confirmation
4.3 Human Review Rights
If you believe our automated systems have made an error regarding your verification status, content flagged as potentially violating our policies, or relationships attributed to you, you may request human review by contacting our Privacy Officer. We will respond within 20 working days with the outcome of that review.
5. Purposes of Collection and Use
We use your personal information for the following purposes:
5.1 Core Platform Functions
| Purpose | Description | Legal Basis |
|---|---|---|
| Verification | Validating tenancy, ownership, or management relationships with properties | Consent, legitimate interest |
| Platform Operation | Displaying reviews, ratings, property data, and facilitating user interactions | Contract performance |
| Safety and Security | Detecting fraud, preventing spam, ensuring rating system integrity | Legitimate interest |
| Communications | Administrative notifications, verification updates, marketing (where opted in) | Consent, contract performance |
5.2 Mutual Disclosure Between Users
Where users engage in the mutual progressive disclosure process described in our Terms of Use:
- Your name and verified tenancy/ownership period may be shared with a counterparty who has a verified relationship with the same property
- Your review content is shared with the counterparty ONLY after they have submitted a counter-review
- You control whether your reviews are made more broadly visible through opt-in settings
This mutual disclosure is a core function of the Platform and is necessary to enable trust and accountability between rental market participants.
5.3 Commercialisation of Aggregated Data
We process personal information to create anonymised and aggregated datasets. Once data is anonymised so that specific individuals cannot be identified, it is no longer "Personal Information" under the Act.
We reserve the right to sell, license, or share aggregated insights data to third parties (e.g., market researchers, government bodies, commercial entities) for commercial purposes. This may include:
- Rental market trend analysis
- Property condition benchmarking
- Regional tenancy pattern insights
- Anonymised landlord/property manager performance metrics
6. Anonymisation, Aggregation, and Property Data Standards
6.1 Personal Anonymisation
When we create anonymised datasets for commercial or research purposes, we remove or irreversibly transform all identifiers that could link data to a specific individual, including names, contact details, user identifiers, and unique demographic combinations.
6.2 Property Ownership Data
We collect property ownership information from licensed data sources (including the LINZ Property API) and by inference from documents uploaded to the Platform. This data is used for internal verification purposes, including:
- Confirming a user's relationship to a property
- Identifying common ownership across multiple properties
- Detecting potential fraud or misrepresentation
Internal Use Only: Property ownership data linking specific individuals to specific addresses is not included in anonymised datasets available to commercial customers or the general public.
6.3 Government and Regulatory Access
We may provide property-level ownership data (including links between specific addresses and their owners) to New Zealand government agencies and regulatory bodies under the following conditions:
- A formal B2B or data-sharing agreement is in place
- The agency has a lawful purpose for the data (e.g., tenancy compliance, tax investigation, housing policy research)
- Access is logged and auditable
- The agency is bound by confidentiality and use restrictions
This may include responding to lawful information requests, court orders, or providing API/portal access for ongoing compliance monitoring.
6.4 Aggregation Thresholds
Where releasing aggregated data could enable re-identification of individuals through combination of attributes (e.g., a property with only one tenancy record in a specific time period), we apply a minimum threshold of 5 records before releasing aggregated statistics.
6.5 No Re-identification
Recipients of anonymised data are contractually prohibited from attempting to re-identify individuals. This prohibition does not apply to government agencies receiving identified data under Section 6.3 for lawful purposes.
7. Disclosure of Information
7.1 Categories of Recipients
We may disclose your information to:
| Recipient | Data Shared | Purpose | Safeguards |
|---|---|---|---|
| Service Providers | As required for service delivery | Hosting, AI processing, data storage, IT support | Confidentiality agreements, data processing agreements |
| Other Users | Name, tenancy period, review content (per visibility rules) | Mutual disclosure, public profiles | User consent and control |
| Government Agencies | As permitted under Section 6.3 | Regulatory compliance, lawful requests | B2B agreements, audit trails |
| Law Enforcement | As required by law | Legal compliance | Court orders, statutory requirements |
| Acquirers | All data (in event of sale/merger) | Business continuity | Equivalent privacy protections required |
7.2 Public vs. Verified User Access
| Data Type | Public Access | Verified User Access | Mutual Disclosure Only |
|---|---|---|---|
| Property address and attributes | ✓ | ✓ | |
| Aggregated ratings | ✓ | ✓ | |
| Anonymised review summaries | ✓ | ✓ | |
| Detailed review content | ✓ (per visibility rules) | ||
| Reviewer identity | ✓ | ||
| Private Homeowner identity | ✓ |
7.3 What We Never Disclose Publicly
- Uploaded tenancy documents (PDFs, images of agreements)
- Bank account or financial details
- Contact information without consent
- Private Homeowner names (without their consent or mutual disclosure)
8. Data Retention
8.1 Retention Periods
| Data Type | Retention Period | Justification |
|---|---|---|
| Tenancy Documents (verified) | 12 years from upload OR 7 years from last platform activity, whichever is longer | Aligns with lease retention standards and provides long-term verification capability |
| Pending Verification Data | 7 years from upload | Business records standard; allows reasonable time for registration |
| Certification Documents | 12 years from upload | Building compliance and proof-of-work requirements |
| Extracted Metadata (anonymised) | Indefinite | No longer personal information once anonymised |
| Account Information | Duration of account + 7 years | Tax and audit requirements |
| Reviews and Ratings | Indefinite (may be anonymised) | Public interest in rental market transparency |
| Photographs (certification) | 12 years from upload | Evidence retention aligned with document retention |
| Photographs (profile) | Duration of association with property | User-controlled content |
8.2 Justification for Extended Retention
RateMyFlat's core value proposition requires long-term historical analysis of the rental market. Extended retention enables:
- Permanent verification records for the lifetime of the Platform
- Re-processing as AI extraction capabilities improve
- Long-term analysis of property attributes, market trends, and tenancy patterns
- Dispute resolution with access to original documentation
8.3 Security of Retained Data
All retained documents are stored in secure, encrypted environments (encryption at rest and in transit) and are accessible only to authorised personnel and automated processing systems.
9. Your Rights
Under the Privacy Act 2020, you have the following rights:
9.1 Access
You may request confirmation of whether we hold personal information about you and access that information. We will respond within 20 working days.
9.2 Correction
You may request correction of your personal information if you believe it is inaccurate, incomplete, or misleading. We will respond within 20 working days.
9.3 Deletion
You may request deletion of your personal information. Upon receiving a valid request, we will:
- Delete raw uploaded documents within 30 days, UNLESS we have a lawful basis to retain them (e.g., ongoing dispute, legal hold, regulatory requirement, or the retention period has not expired);
- Retain anonymised metadata extracted from those documents (this is no longer personal information);
- Anonymise (rather than delete) verified reviews, so the review content remains but is no longer linked to your identity;
- Notify you of the outcome within 20 working days.
9.4 Exceptions to Deletion
We may refuse or limit deletion where:
- The information is subject to a legal hold or active dispute
- Deletion would prejudice our legitimate interests in fraud prevention
- We are required by law to retain the information
- The information has been fully anonymised
- The retention period has not yet expired and we have ongoing lawful purpose
9.5 Withdrawal of Offers
If you have offered to share a review through mutual disclosure, you may withdraw that offer at any time before the counterparty submits their counter-review.
9.6 How to Exercise Your Rights
To exercise any of these rights, contact our Privacy Officer at: privacy [at] ratemyflat [dot] co [dot] nz
10. Cookies and Tracking Technologies
10.1 Types of Cookies We Use
| Cookie Type | Purpose | Duration | Third Party |
|---|---|---|---|
| Essential | Session management, security, authentication | Session | No |
| Functional | Language preferences, display settings | 12 months | No |
| Analytics | Usage patterns, feature engagement, error tracking | 24 months | Yes |
10.2 Third-Party Analytics
We use analytics services to understand how users interact with our Platform. These services may set their own cookies and collect information including your IP address, browser type, and pages visited.
Current analytics providers:
- Sentry (error and performance monitoring): https://sentry.io/privacy/
10.3 Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain Platform features, including authentication.
10.4 Do Not Track
We do not currently respond to "Do Not Track" browser signals. We will update this policy if this changes.
11. Storage and International Data Transfers
11.1 Data Location
Your data may be stored and processed in:
| Location | Provider | Purpose |
|---|---|---|
| United States | Render.com | Primary hosting and web application infrastructure |
| United States | Amazon Web Services (S3, us-east-1) | Document and file storage |
| United States | Sentry | Error monitoring and diagnostics |
| United States | Not currently configured | AI document processing (if enabled in future) |
11.2 Cross-Border Safeguards
Before transferring personal information overseas, we ensure the recipient is subject to privacy laws providing comparable protection to the Privacy Act 2020, or we implement contractual safeguards (such as standard contractual clauses) requiring the recipient to protect your information to an equivalent standard.
11.3 Security Measures
We implement robust security measures including:
- Encryption at rest and in transit (TLS 1.2+, AES-256)
- Access controls and authentication
- Regular security assessments
- Incident response procedures
No transmission over the internet is completely secure. You upload documents at your own risk. We recommend redacting highly sensitive financial information (such as bank account numbers) from documents before uploading, provided the name and address remain visible for verification purposes.
12. Privacy Breach Notification
12.1 Our Commitment
If we experience a privacy breach that we reasonably believe has caused, or is likely to cause, serious harm to any individual, we will:
- Notify the Office of the Privacy Commissioner as soon as practicable (targeting within 72 hours of becoming aware);
- Notify affected individuals as soon as practicable, providing:
  - A description of the breach
  - Steps we are taking in response
  - Steps you can take to protect yourself
  - Confirmation the Commissioner has been notified
  - Your right to make a complaint to the Commissioner
  - Contact details for our Privacy Officer
12.2 Assessing Serious Harm
In determining whether a breach is likely to cause serious harm, we consider:
- The sensitivity of the information involved (tenancy documents are considered highly sensitive)
- Who has or may obtain the information
- The nature of potential harm (financial, reputational, emotional)
- Mitigating actions we have taken
12.3 Exceptions
We may delay or limit notification if:
- Required by law enforcement in connection with an investigation
- Notification would prejudice the security or defence of New Zealand
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- Minor changes: Updated policy posted on the Platform with new "Last Updated" date
- Significant changes: Notification via email and prominent notice on the Platform at least 14 days before changes take effect
Your continued use of RateMyFlat after changes take effect constitutes acceptance of the updated policy. If you do not agree with changes, you should stop using the Platform and may request deletion of your data.
14. Contact Us
Privacy Officer
RateMyFlat
Email: privacy [at] ratemyflat [dot] co [dot] nz

Office of the Privacy Commissioner
Website: https://www.privacy.org.nz
Phone: 0800 803 909
*This document does not constitute legal advice. It must be reviewed by a qualified New Zealand legal professional before publication.*