Privacy Policy

1. Introduction

Tenant Griffin™ ("we", "us", or "our") operates the tenant screening platform at https://tenantgriffin.com/ (the "Service"). We are committed to protecting your personal data and respecting your privacy rights.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service. This policy applies to users in Singapore 🇸🇬, Malaysia 🇲🇾, Thailand 🇹🇭, Indonesia 🇮🇩, and Vietnam 🇻🇳.

By using our Service, you consent to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

2. Who We Are

Service Name: Tenant Griffin™
Service Type: Tenant Screening Platform
Operating Countries: Singapore, Malaysia, Thailand, Indonesia, Vietnam
Data Protection Officer: privacy@tenantgriffin.com

For privacy-related inquiries, please contact our Data Protection Officer at privacy@tenantgriffin.com

3. Information We Collect

3.1 User Account Information

When you create an account, we collect:

• Full name
• Email address
• User type (landlord, property manager, real estate agent)
• Country of residence
• IP address (for geo-location and fraud prevention)
• Preferred language
• Age confirmation (that you are 18 years or older)

3.2 Third-Party Data (Tenant Reports)

When you submit a report about a tenant, we collect:

• Tenant's full name
• Tenant's national ID or passport number
• Tenant's contact information
• Property address
• Tenancy issues and details
• Supporting documents (tenancy agreements, payment records, correspondence)
• Amount owed (if applicable)

3.3 Payment Information

Payment processing is handled by our payment processor, Stripe, Inc. We do not store credit card information on our servers. Stripe collects payment card details, billing address, and transaction history.

Transaction records are retained by Stripe according to financial and tax regulations, typically for 7 years or longer, even after account deletion. For more information, see Stripe's Privacy Policy.

3.4 Usage Data

We automatically collect:

• Search queries and results
• Pages visited and features used
• Browser type and version
• Device information
• Log data (IP address, timestamps, error logs)

3.5 Analytics and User Behavior Data

We use Microsoft Clarity to understand how users interact with our Service. Clarity collects:

• Session recordings (visual recordings of how you interact with pages)
• Heatmaps (click and scroll patterns)
• Page views and navigation patterns
• Mouse movements, clicks, and scrolling behavior
• Device and browser information
• General location (country-level, not precise GPS)

Important Notes:

• Clarity does NOT record your keystrokes or sensitive form inputs (passwords, credit cards)
• Clarity is NOT enabled on our admin panel (/tg-internal pages)
• Session recordings are automatically deleted after 30 days
• Data is stored on Microsoft servers in the United States

This data helps us improve user experience, identify bugs, and optimize our Service. You can opt out of Clarity by using browser privacy extensions or Do Not Track settings.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

4.1 Consent

You provide explicit consent when you create an account and agree to this Privacy Policy. You may withdraw consent at any time through your Account Settings.

4.2 Contract Performance

Processing is necessary to provide our tenant screening services as outlined in our Terms of Use.

4.3 Legitimate Interests (Third-Party Data Collection)

For tenant reports submitted by landlords, we rely on legitimate interests as the legal basis:

• Singapore: PDPA Section 17(1)(a) + First Schedule - Evaluative purposes
• Malaysia: PDPA General Principle - Necessary for legitimate interests
• Thailand: PDPA Section 24(5) - Legitimate interests of data controller
• Indonesia: UU PDP Article 20(2)(f) - Legitimate interests
• Vietnam: Decree 13/2023 Article 17.4 - Lawful purposes without consent

5. How We Use Your Information

We use your personal data for the following purposes:

• Provide tenant screening services
• Process search queries and display results
• Verify and approve tenant reports
• Manage your account and subscription
• Process payments and credit transactions
• Send service-related notifications and updates
• Prevent fraud and ensure platform security
• Comply with legal obligations
• Improve our Service and user experience
• Respond to customer support inquiries

6. Third-Party Service Providers

We share your data with the following trusted third parties:

All third-party processors are bound by data processing agreements and are required to protect your data in accordance with applicable privacy laws.

7. Cross-Border Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including the United States, European Union, and Singapore. These countries may have different data protection laws than your home country.

We ensure appropriate safeguards are in place for all cross-border transfers, including:

• Standard Contractual Clauses (SCCs) with all processors
• Data Processing Agreements (DPAs) ensuring GDPR-level protection
• Certification schemes (ISO 27001, SOC 2) for all major processors
• Your explicit consent provided during account creation

8. Your Data Rights

You have the following rights regarding your personal data. These rights apply across all 5 countries we operate in (Vietnam provides the most comprehensive set of rights):

9. Data Retention

We retain your personal data for the following periods:

• User accounts: While active + 1 year grace period after inactivity
• Tenant reports: 7 years (tenancy reference validity period)
• Search logs: 2 years (analytics and fraud prevention)
• Email logs: 1 year (customer support and audit trail)
• Credit transactions: 7 years (accounting and tax requirements)
• Payment records: Retained by Stripe for 7+ years per financial and tax regulations, even after account deletion

After the retention period, we securely delete or anonymize your data. You can request earlier deletion using the "Delete Account" feature.

10. Data Security

We implement industry-standard security measures to protect your data:

• Encryption in transit (TLS/SSL) and at rest (AES-256)
• Row Level Security (RLS) in database to prevent unauthorized access
• Multi-factor authentication for administrative access
• Regular security audits and penetration testing
• Secure file storage with access controls
• Automated backup and disaster recovery systems
• Security monitoring and incident response procedures

While we take every precaution, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security but continuously work to improve our security measures.

11. Data Breach Notification

In the event of a data breach that may affect your personal information, we will:

• Notify affected users via email within 72 hours of discovery
• Notify relevant regulators within 72 hours (required by Thailand, Indonesia, Vietnam)
• Provide details of the breach, affected data, and mitigation steps
• Offer assistance and guidance on protecting your information

Breaches will be reported to the following regulators as required:

• Singapore: Personal Data Protection Commission (PDPC)
• Malaysia: Personal Data Protection Department (JPDP)
• Thailand: Personal Data Protection Committee (PDPC)
• Indonesia: Ministry of Communication and Informatics (Kominfo)
• Vietnam: Ministry of Public Security - Department of Cybersecurity

12. Country-Specific Information

🇸🇬 Singapore

Governing Law: Personal Data Protection Act 2012 (PDPA)

Regulator: Personal Data Protection Commission (PDPC)

Website: www.pdpc.gov.sg

Singapore users have rights to access, correct, and withdraw consent. Complaints can be filed with PDPC.

🇲🇾 Malaysia

Governing Law: Personal Data Protection Act 2010 (PDPA) + 2024 Amendment

Regulator: Personal Data Protection Department (JPDP)

Website: www.pdp.gov.my

Registration: We are registered as a Data Controller under Malaysia PDPA.

Malaysian users have rights to access, correct, limit processing, and withdraw consent.

🇹🇭 Thailand

Governing Law: Personal Data Protection Act B.E. 2562 (2019)

Regulator: Personal Data Protection Committee (PDPC)

Website: www.pdpc.or.th

Thai users have comprehensive GDPR-like rights including access, rectification, erasure, restriction, portability, and objection.

🇮🇩 Indonesia

Governing Law: UU No. 27 Tahun 2022 tentang Pelindungan Data Pribadi (UU PDP)

Regulator: Ministry of Communication and Informatics (Kominfo)

Website: www.kominfo.go.id

Indonesian users have rights to access (72 hours), correct (72 hours), and delete data. Data breaches must be reported to Kominfo within 72 hours.

🇻🇳 Vietnam

Governing Law: Decree 13/2023/ND-CP on Personal Data Protection

Regulator: Ministry of Public Security - Department of Cybersecurity

Website: mps.gov.vn

Vietnamese users have 11 comprehensive rights including all rights listed in Section 8. We respond to data requests within 72 hours and report breaches to MPS within 72 hours.

13. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. By using our Service, you confirm that you are 18 years or older.

If we discover that a child under 18 has provided us with personal information, we will delete such information immediately. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@tenantgriffin.com

14. Cookies and Tracking

We use cookies and similar tracking technologies to:

• Maintain your login session
• Remember your language preference
• Analyze site usage and improve performance
• Prevent fraud and enhance security

You can control cookies through your browser settings. However, disabling cookies may limit your ability to use certain features of our Service.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

• Posting the updated policy on this page with a new "Last Updated" date
• Sending an email notification to your registered email address
• Displaying a prominent notice on our Service

Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

This Privacy Policy is compliant with the privacy laws of Singapore (PDPA 2012), Malaysia (PDPA 2010 + 2024 Amendment), Thailand (PDPA B.E. 2562), Indonesia (UU PDP 2022), and Vietnam (Decree 13/2023).