Landlord X

Privacy Policy

Last updated: November 2026

This Privacy Policy describes how SDG Group Inc. ("SDG," "we," "our") collects, uses, shares, and protects personal information in connection with the Landlord X web application (the "Service"). By using the Service you acknowledge the practices described here.

1. Who We Are

Landlord X is operated by SDG Group Inc. We act as the data controller for landlords (account holders) who use the Service, and as a data processor for tenant information that landlords enter into the Service while using it as a property-management tool.

2. Information We Collect

2.1 From landlords (account holders)

  • username, email address, full name, phone number, password (stored as a BCrypt hash);
  • profile signature image (drawn or uploaded for use on generated leases);
  • account activity such as last-login timestamp and welcome-onboarding state;
  • Gmail SMTP credentials you choose to provide so the Service can send email on your behalf (stored in our database; we recommend a Gmail App Password rather than your primary password).

2.2 From or about tenants (entered by landlords)

  • full name, email address, phone number;
  • lease records linking the tenant to a property (start/end dates, monthly rent, security deposit, co-tenant names, notes);
  • when a tenant signs a lease electronically: the typed signer name, the signature image drawn on the signing page, the timestamp of signing, the IP address used to sign, and an acknowledgment that the tenant accepted the ESIGN/UETA consent and these Terms.

2.3 Property & financial records

  • property addresses, descriptions, type, HOA fees, home insurance, property tax;
  • optional mortgage details (monthly payment, escrow, lender name, loan number);
  • maintenance entries and uploaded receipts.

2.4 Documents

  • lease PDFs you upload, lease PDFs generated by the Service, signed lease PDFs, and any other documents you store via the Service. These are kept in Amazon S3 under your account's namespace.

2.5 Cookies & session data

The Service uses only the following strictly necessary cookies:

Cookie | Purpose | Lifetime
JSESSIONID | Maintains your authenticated session. | Session (cleared when you sign out or close the browser).
XSRF-TOKEN | Protects against cross-site request forgery (CSRF). | Session.

We do not use advertising or third-party analytics tracking cookies.

3. How We Use Your Information

  • to provide and operate the Service (authentication, generating leases, sending emails, storing documents);
  • to send transactional emails such as account invitations, signing links, expiry reminders, and signed-lease confirmations;
  • to extract structured fields from lease PDFs you upload (via AI sub-processing);
  • to investigate and prevent abuse, fraud, or security incidents;
  • to comply with legal obligations and respond to lawful requests.

We do not sell, rent, or trade personal information. We do not use your data to train third-party AI models for purposes unrelated to operating the Service.

4. Sub-processors & International Transfers

We share personal information with the following sub-processors strictly as needed to deliver the Service. All sub-processors are bound by their own privacy commitments.

Sub-processor | Purpose | Location
Anthropic PBC | AI-assisted text extraction from uploaded lease PDFs (Claude API). Text content of uploaded leases is transmitted for processing. | United States
Amazon Web Services, Inc. | Encrypted storage of lease documents, signatures, and related files (Amazon S3). | United States (US region)
Google LLC | Outbound email delivery via Gmail SMTP using the credentials you provide in System Settings. | United States

If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have different data-protection rules than your country of residence.

5. Data Retention

  • Landlord account data is retained for as long as your account is active.
  • After account termination, you have a thirty (30) day window to export your data; thereafter, we delete or de-identify your account data, subject to the retention exceptions below.
  • Signed lease PDFs and associated signing-event metadata (signer name, IP, timestamp, consent record) are retained for up to seven (7) years after the lease's end date for legal-record purposes, or for the period required by applicable law.
  • Backups and logs may persist for up to ninety (90) days after deletion.

6. Security

  • All traffic between your browser and the Service is encrypted in transit using TLS.
  • Account passwords are stored as one-way BCrypt hashes; we cannot recover your plaintext password.
  • Documents in Amazon S3 are encrypted at rest using AWS server-side encryption.
  • CSRF protection is enforced on all authenticated state-changing requests.
  • Sensitive credentials you provide (e.g. Gmail SMTP password) are stored in our database; we recommend using a Gmail App Password limited to mail-send scope rather than your main account password.

No system is perfectly secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords and enable two-factor authentication on linked services like Gmail.

7. Your Rights

7.1 All users

  • Access & correction — view and edit most of your information directly inside the Service; for anything not editable in-product, email us.
  • Deletion — request deletion of your account and personal information, subject to the retention exceptions above.
  • Export — request a copy of the data we hold about you in a machine-readable format.

7.2 California residents (CCPA / CPRA)

If you reside in California, you have the right to know what personal information we collect, the categories of sources and third parties with whom we share it, and the purposes for which we use it; to request deletion of your personal information; to correct inaccurate information; and to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA. To exercise these rights, contact us using the details below.

7.3 European / UK residents (GDPR / UK GDPR)

If you reside in the European Economic Area, the United Kingdom, or Switzerland, you have the right to access, rectify, erase, restrict, or object to processing of your personal data, the right to data portability, and the right to withdraw consent at any time without affecting prior processing. You also have the right to lodge a complaint with your local data-protection authority.

7.4 How to exercise these rights

Email [email protected] from the address associated with your account. We will respond within the timeframe required by applicable law (generally within 30–45 days).

8. Tenant-Specific Notice

If you are a tenant whose information was entered into the Service by your landlord, your landlord is the controller of that information. SDG processes it on the landlord's behalf. To exercise rights over your tenant record (correction, deletion, export), please contact your landlord first; you may also contact us directly at the address above and we will assist where we are able.

9. Children

The Service is not directed at children under 18, and we do not knowingly collect personal information from children. If you believe a child has provided information to the Service, contact us so we can delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, the "Last updated" date above will change. Material changes will be announced via email to the address associated with your account or through a prominent in-app notice.

11. Contact

Privacy inquiries: [email protected]
Mailing address: SDG Group Inc., [Address line to be filled by attorney]
