Privacy Policy
Effective: May 28, 2026 · Last updated: May 28, 2026
This Privacy Policy explains how Koda Properties ("we", "us", "our") collects, uses, shares, and protects personal information when you use our property management platform at app.koda.properties (the "Service").
On this page
- Who this policy applies to
- Information we collect
- How we use information
- Legal bases (GDPR)
- How we share information
- Sub-processors
- International transfers
- Data retention
- Security
- Your rights
- Canada (PIPEDA, Quebec Law 25, CASL)
- Jamaica (Data Protection Act 2020)
- U.S. residents (CCPA/CPRA)
- Automated decision-making
- Data Protection Officer
- Children
- Changes to this policy
- Contact us
1. Who this policy applies to
Koda Properties is a B2B platform sold to property managers, HOAs, and community administrators ("Customers"). When you use the Service:
- If you signed up your organization, you are likely an account administrator — your organization is our Customer and we are its service provider.
- If you log in because your property manager granted you access (e.g. you are a homeowner, resident, board member, security guard, or vendor), your organization controls how your data is used inside the Service. We process your data on its behalf.
- If you only visit our marketing website, this policy applies to the limited information we collect for marketing and product analytics.
For data that belongs to a Customer (e.g. resident records, units, payment history), the Customer is the data controller and we act as the data processor under data protection laws like GDPR. Our Data Processing Addendum governs that relationship.
2. Information we collect
2.1 Information you provide
- Account & profile: name, email address, phone number, role, password (stored as a bcrypt hash, never in plaintext), profile photo.
- Organization & community data: company name, address, community name, units, lots, residents, member relationships, vehicle and visitor records, amenity bookings, violations, payments, service tickets, documents you upload.
- Billing: if you subscribe to a paid plan, billing contact information. Payment card details are collected and stored by our payment processor (Stripe) — we do not see or store full card numbers on our servers.
- Support communication: contents of emails, tickets, or chats you send us.
2.2 Information collected automatically
- Usage data: pages visited, features used, timestamps, IP address, browser type, device type, referring URL.
- Cookies and similar technologies: see our Cookie Policy.
- Log data: server logs (HTTP requests, error traces) used for security monitoring and debugging.
- Audit log: we record significant actions inside the Service (creates, edits, deletions) including who performed them and when. This log is immutable by design.
2.3 Information from third parties
- Authentication providers if you sign in via a third-party identity provider (where available).
- Payment processor Stripe sends us transaction status, last 4 card digits, and billing country.
- Communication providers (email/SMS/WhatsApp) report delivery status of messages we send on your behalf.
3. How we use information
We use personal information to:
- Provide, maintain, and improve the Service.
- Authenticate you and protect against unauthorized access.
- Process payments and manage subscriptions.
- Send transactional messages (account verification, password reset, billing receipts, system alerts) and, where you've opted in, marketing messages.
- Generate aggregated, non-identifying analytics for product improvement.
- Detect, investigate, and prevent fraud, abuse, or security incidents.
- Comply with legal obligations, respond to lawful requests, and enforce our agreements.
4. Legal bases for processing
Different jurisdictions use different frameworks for justifying personal data processing. We rely on whichever applies to you:
| Purpose | Canada (PIPEDA, Quebec Law 25) | Jamaica (DPA 2020) | EEA/UK (GDPR) |
|---|---|---|---|
| Providing the Service | Implied or express consent for service delivery | Performance of a contract | Performance of a contract |
| Billing & tax records | Legal obligation | Legal obligation | Legal obligation |
| Security & fraud prevention | Legitimate business interest | Legitimate interest | Legitimate interest |
| Product analytics | Implied consent (opt-out available) | Legitimate interest (opt-out available) | Legitimate interest (opt-out available) |
| Marketing emails | Express consent under CASL | Express consent | Consent (Art. 6(1)(a)) |
| Responding to legal requests | Legal obligation | Legal obligation | Legal obligation |
In Quebec, where we use Personal Information for a purpose that was not originally identified at the time of collection, we will obtain a fresh consent before doing so.
5. How we share information
We do not sell personal information. We share it only in these limited cases:
- Within your organization. Information you put into the Service is visible to other authorized users within your Customer organization, subject to the access controls your administrators configure.
- Sub-processors who run infrastructure or process data on our behalf — see section 6.
- Professional advisors (lawyers, auditors) under confidentiality.
- Legal compliance. If required by a valid legal request, subpoena, or court order — we will push back on overbroad requests and will notify you unless legally prohibited.
- Business transfers. If we are acquired or reorganized, your data may transfer to the acquirer subject to the same protections.
- With your consent. Any other sharing requires your explicit consent.
6. Sub-processors
We use trusted third parties to operate the Service. Current sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Namecheap (hosting) | Application & database hosting | United States |
| Stripe | Payment processing | United States / Ireland |
| Google (Gmail SMTP) | Transactional email delivery | United States |
| Meta (WhatsApp Business) | WhatsApp message delivery (optional feature) | United States / Ireland |
| OpenAI | AI-assisted features (optional) | United States |
We will notify Customers in advance before adding a new sub-processor with access to personal data. Customers have the right to object as set out in the DPA.
7. International data transfers
Our servers and many of our sub-processors are located in the United States. If you access the Service from outside the United States, your data may be transferred to, processed, and stored in a country whose data protection laws differ from your own. Where required by law (e.g. EU/UK), we rely on Standard Contractual Clauses or other approved transfer mechanisms.
8. Data retention
We retain personal information for as long as needed to provide the Service, comply with legal obligations (tax records, audit log integrity), resolve disputes, and enforce agreements. Specifically:
- Active customer data: retained while the account is active.
- Account data after termination: retained for 90 days to allow recovery, then deleted or anonymized unless legally required to keep longer.
- Audit log records: retained for at least 7 years for compliance and forensic purposes.
- Backups: rotated regularly; deleted data may persist in backups for up to 30 days.
- Marketing contact data: retained until you unsubscribe.
9. Security
We use technical and organizational measures designed to protect personal information, including:
- Encryption of traffic in transit (HTTPS/TLS).
- Passwords stored only as bcrypt hashes with a work factor of 12.
- Per-tenant data isolation: every record is scoped to the owning organization and enforced at the application layer.
- Immutable audit log of significant actions.
- Role-based access controls inside the Service.
- Rate limiting on authentication endpoints.
- Restricted production access on a need-to-know basis.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at security@koda.properties. See our Security & Vulnerability Disclosure policy for how to report security issues.
10. Your rights
Depending on where you live, you may have rights to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your personal information (subject to legal retention requirements).
- Restrict or object to processing in certain cases.
- Data portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with a supervisory authority.
To exercise these rights, contact privacy@koda.properties. If your data is held inside a Customer's account (i.e. you are a resident or member, not the account owner), we will pass your request to that Customer and assist them in responding.
We will not discriminate against you for exercising these rights.
11. Canada — PIPEDA, Quebec Law 25, and CASL
If you are located in Canada, your personal information is governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA), applicable provincial laws (including Quebec's Law 25, formerly Bill 64), and Canada's Anti-Spam Legislation (CASL).
11.1 Your rights under PIPEDA
- Access the personal information we hold about you.
- Correct inaccurate personal information.
- Withdraw consent at any time, subject to legal or contractual restrictions.
- Challenge our compliance and file a complaint with the Office of the Privacy Commissioner of Canada.
11.2 Additional rights for Quebec residents (Law 25)
If you reside in Quebec, you additionally have the right to:
- Data portability — receive your personal information in a structured, commonly-used technological format and request that we transmit it to another organization (effective Sept 2024).
- Be informed about automated decision-making — see section 14.
- De-indexing or cessation of dissemination in certain circumstances.
- Receive privacy notices in clear and plain language, including in French where you have requested service in French.
- Be informed of cross-border data transfers and that we have conducted a Privacy Impact Assessment for transfers outside Quebec where required.
- File a complaint with the Commission d'accès à l'information du Québec (CAI).
French language. Quebec residents may request that this policy and communications from us be provided in French. Email privacy@koda.properties with the subject line "Français" to make a request.
11.3 CASL (commercial electronic messages)
We send commercial electronic messages to Canadian recipients only with their express or implied consent as defined by CASL. Every commercial email includes a clear sender identification and a working unsubscribe mechanism. You can opt out of marketing emails at any time by clicking the unsubscribe link in any message or emailing privacy@koda.properties.
Transactional messages (account verification, password reset, billing receipts, system alerts) are not commercial electronic messages under CASL and you cannot opt out of them while you have an active account.
11.4 Mandatory breach reporting
Under PIPEDA's Breach of Security Safeguards Regulations and Quebec Law 25, we will report Personal Information breaches to the relevant regulator and notify affected individuals where the breach creates a real risk of significant harm. Notification occurs as soon as feasible. We maintain breach records for at least 24 months.
12. Jamaica — Data Protection Act 2020
If you are located in Jamaica or your personal data is processed in Jamaica, the Data Protection Act 2020 ("DPA 2020") applies. We commit to processing your personal data in accordance with the eight Standards (Data Protection Principles) set out in the Act.
12.1 Your rights under the Jamaica DPA
- Access to a copy of personal data we hold about you (subject to permitted exemptions).
- Rectification of inaccurate or incomplete personal data.
- Erasure of personal data where its retention is no longer necessary.
- Restriction of processing in certain circumstances.
- Object to processing, including direct marketing and decisions based solely on automated processing.
- Data portability where processing is by automated means and based on consent or contract.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with the Office of the Information Commissioner of Jamaica.
12.2 Lawful basis
We process personal data in Jamaica on one or more of the following lawful bases under Section 22 of the Act: necessary for the performance of a contract; compliance with a legal obligation; protection of vital interests; legitimate interests pursued by us (balanced against your rights); or your consent.
12.3 Sensitive personal data
The Service is not designed to process sensitive personal data (as defined in Section 4 of the DPA, including health, biometric, or criminal-record data). Customers must not submit sensitive personal data without our prior written agreement and an additional lawful basis under Section 23.
12.4 Cross-border transfers
Personal data of Jamaican residents may be transferred to and processed in the United States, Canada, or other jurisdictions where our sub-processors operate. We rely on appropriate safeguards, including written contractual commitments equivalent to the protections of the DPA 2020 and, where required, prior authorization from the Information Commissioner.
12.5 Breach notification
Where a Personal Data Breach occurs that is likely to result in risk to the rights and freedoms of data subjects, we will notify the Office of the Information Commissioner without undue delay (and where feasible, within 72 hours of becoming aware) and affected individuals without undue delay.
13. U.S. residents — CCPA / CPRA
California residents have the right to know what categories of personal information we collect, the right to delete personal information, the right to correct inaccurate information, the right to limit the use of sensitive personal information, and the right not to be discriminated against for exercising these rights.
We do not sell personal information and do not share it for cross-context behavioral advertising.
To exercise your CCPA rights, email privacy@koda.properties. We will verify your request using the email address associated with your account. You may also designate an authorized agent to make a request on your behalf.
Similar rights apply to residents of other U.S. states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, etc.). The same contact applies.
14. Automated decision-making
The Service does not currently use solely automated processing (without meaningful human involvement) to make decisions that produce legal or similarly significant effects about individuals. If we introduce such processing in the future, we will disclose:
- That automated decision-making is used.
- The personal information used to render the decision.
- The principal factors and parameters that led to the decision.
- Your right to request human review and contest the decision (under Quebec Law 25, Jamaica DPA, and GDPR Art. 22).
15. Data Protection Officer
We have designated a Privacy Officer to oversee compliance with applicable privacy laws (including PIPEDA, Quebec Law 25, and the Jamaica DPA 2020):
- Email: privacy@koda.properties
- Mailing address: [Add registered business address before launch]
The Privacy Officer is your point of contact for questions about this policy and for exercising your rights.
16. Children
The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, please contact privacy@koda.properties so we can delete it.
17. Changes to this policy
We may update this policy as the Service evolves. We will notify Customers of material changes by email or through the Service at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision.
18. Contact us
Privacy questions or data subject requests:
- Email: privacy@koda.properties
- General legal: legal@koda.properties
- Mailing address: [Add registered business address before launch]
Regulators:
- Canada: Office of the Privacy Commissioner of Canada (federal) — priv.gc.ca. Quebec residents: Commission d'accès à l'information du Québec — cai.gouv.qc.ca.
- Jamaica: Office of the Information Commissioner — opi.gov.jm.
- EU/UK (if applicable): your local data protection authority. Our EU/UK representative (if appointed): [To be added if we appoint one].