Privacy policy
Last updated 2026-05-07. Draft — not yet legal-reviewed.
1. Who we are
Property Journal (working name) is a self-management software service for Australian residential landlords, built and operated by Brayden Currey of Oak Lane Property, Brisbane, Queensland. Contact: hello@propertyjournal.com.au.
We’re bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles. This policy explains what data we collect, how we use it, and what your rights are.
2. What we collect
When you sign up, we collect the data you provide and the data needed to run the service:
- Account data — email address, name, optional phone and business name.
- Property data you enter — addresses, tenancy details, tenant names and contact details (entered by you), rent payment records, expense records, maintenance records, inspection records, notices, documents, photos, communications log entries.
- AI assistant queries — the questions you ask the AI assistant. The full text of each question is sent to Anthropic (see Section 5) for processing; we don’t store the conversation history beyond your session unless you save it.
- Logs and metrics — IP address, user-agent string, basic page-view counts, error reports — used for debugging and capacity planning. We don’t use third-party tracking pixels or advertising cookies.
3. How we use your data
- To provide the service you signed up for — running your account, generating forms, hosting your records.
- To answer your AI queries (by sending the question text to Anthropic for processing).
- To email you about your account — billing receipts, security alerts, and product updates you opt into.
- To monitor and improve the platform — error tracking, performance, feature usage.
We don’t sell your data. We don’t share it with marketers. We don’t use it to train AI models on your behalf.
4. Where your data is stored
All operational data is stored in Supabase (PostgreSQL) hosted in Sydney, Australia (region ap-southeast-2). Files (lease drafts, condition reports, photos, certificates) are stored in the same region in private object storage with row-level security restricting access to your account.
The application itself is hosted by Vercel (edge nodes worldwide, but the database is fixed in Sydney).
5. Third parties we share data with
- Anthropic (USA) — when you use the AI assistant or AI features (lease analyser, email drafter), the relevant text is sent to Anthropic’s Claude API for processing. Anthropic has its own privacy policy and uses the data only to respond to the request, not to train its models. We pass only the data needed to answer the query — typically the property address, tenancy basics, and your question. We don’t pass tenant contact details, financial records, or documents.
- Supabase (USA company, Sydney data centre) — our database, storage and authentication provider. Subject to its privacy policy.
- Vercel (USA) — application hosting. Subject to its privacy policy.
- Stripe (USA) — when paid plans launch, payment processing. Card details are handled directly by Stripe; we never see them.
We don’t engage other processors without updating this policy first.
6. Magic-link tokens (tenant portal + accountant access)
The service includes two magic-link patterns:
- Tenant portal — when you generate a portal link, the tenant opens a URL to see a read-only view of their tenancy. The token is a 32-byte random string. Anyone with the URL can view; revoke from the tenants tile to invalidate.
- Accountant access — same pattern, scoped to a read-only FY rollup of your finances. Revoke from /settings.
Treat these URLs like a password. Anyone with the URL can see what it shows.
7. Cookies and local storage
We use:
- A session cookie set by Supabase Auth so you stay logged in.
- Local storage for: your dismissal of the onboarding wizard, your dismissal of the onboarding tour, sample-data flags, and partial inspection-condition-report autosaves.
We don’t use third-party tracking cookies or advertising pixels.
8. Your rights
- Access — you have full access to all your data via the app. The FY tax-records export at /settings generates a ZIP of your tax-relevant CSV records on demand.
- Correction — every record in the app is editable by you.
- Deletion — email hello@propertyjournal.com.au with the subject “delete my account”. We’ll delete all account data within 14 days. Note that you can also delete individual records (properties, tenancies, etc.) yourself from the app.
- Complaint — if you have a privacy complaint, contact us first. If we don’t resolve it satisfactorily, you can complain to the OAIC at oaic.gov.au.
9. Data retention
We keep account data for as long as you have an active account, plus 30 days after deletion to support disaster recovery. After 30 days post-deletion, all account data is permanently removed from our active systems. Backup retention is up to 90 days (Supabase default).
Tax records you’ve exported as ZIPs are yours — we don’t track downloads or have any way to retrieve them.
10. Security
We use industry-standard security: encrypted connections (HTTPS / TLS), row-level security in the database (each user can only access their own rows), private object storage for files, and secure authentication via Supabase Auth. No system is perfectly secure; if we ever experience a breach affecting your data, we’ll notify you within 72 hours of becoming aware (consistent with the Notifiable Data Breaches scheme under the Privacy Act).
11. Changes to this policy
We’ll update this page and the “last updated” date at the top whenever the policy changes. Material changes will be flagged in-app and via email for active accounts.
12. Contact
Email hello@propertyjournal.com.au for any privacy questions or requests.