Privacy Policy

Effective: May 28, 2026 · Last updated: May 28, 2026

Pre-launch template. This policy was drafted for an initial Jamaica + Canada launch and incorporates Canada's PIPEDA, Quebec Law 25, and Jamaica's Data Protection Act 2020. It should be reviewed by qualified legal counsel in each jurisdiction before going live. Quebec customers also have French-language rights (Charter of the French Language, Bill 96) — a French translation should be made available before serving Quebec residents.

This Privacy Policy explains how Koda Properties ("we", "us", "our") collects, uses, shares, and protects personal information when you use our property management platform at app.koda.properties (the "Service").

On this page

  1. Who this policy applies to
  2. Information we collect
  3. How we use information
  4. Legal bases (GDPR)
  5. How we share information
  6. Sub-processors
  7. International transfers
  8. Data retention
  9. Security
  10. Your rights
  11. Canada (PIPEDA, Quebec Law 25, CASL)
  12. Jamaica (Data Protection Act 2020)
  13. U.S. residents (CCPA/CPRA)
  14. Automated decision-making
  15. Data Protection Officer
  16. Children
  17. Changes to this policy
  18. Contact us

1. Who this policy applies to

Koda Properties is a B2B platform sold to property managers, HOAs, and community administrators ("Customers"). When you use the Service:

For data that belongs to a Customer (e.g. resident records, units, payment history), the Customer is the data controller and we act as the data processor under data protection laws like GDPR. Our Data Processing Addendum governs that relationship.

2. Information we collect

2.1 Information you provide

2.2 Information collected automatically

2.3 Information from third parties

3. How we use information

We use personal information to:

Different jurisdictions use different frameworks for justifying personal data processing. We rely on whichever applies to you:

PurposeCanada (PIPEDA, Quebec Law 25)Jamaica (DPA 2020)EEA/UK (GDPR)
Providing the ServiceImplied or express consent for service deliveryPerformance of a contractPerformance of a contract
Billing & tax recordsLegal obligationLegal obligationLegal obligation
Security & fraud preventionLegitimate business interestLegitimate interestLegitimate interest
Product analyticsImplied consent (opt-out available)Legitimate interest (opt-out available)Legitimate interest (opt-out available)
Marketing emailsExpress consent under CASLExpress consentConsent (Art. 6(1)(a))
Responding to legal requestsLegal obligationLegal obligationLegal obligation

In Quebec, where we use Personal Information for a purpose that was not originally identified at the time of collection, we will obtain a fresh consent before doing so.

5. How we share information

We do not sell personal information. We share it only in these limited cases:

6. Sub-processors

We use trusted third parties to operate the Service. Current sub-processors include:

Sub-processorPurposeLocation
Namecheap (hosting)Application & database hostingUnited States
StripePayment processingUnited States / Ireland
Google (Gmail SMTP)Transactional email deliveryUnited States
Meta (WhatsApp Business)WhatsApp message delivery (optional feature)United States / Ireland
OpenAIAI-assisted features (optional)United States

We will notify Customers in advance before adding a new sub-processor with access to personal data. Customers have the right to object as set out in the DPA.

7. International data transfers

Our servers and many of our sub-processors are located in the United States. If you access the Service from outside the United States, your data may be transferred to, processed, and stored in a country whose data protection laws differ from your own. Where required by law (e.g. EU/UK), we rely on Standard Contractual Clauses or other approved transfer mechanisms.

8. Data retention

We retain personal information for as long as needed to provide the Service, comply with legal obligations (tax records, audit log integrity), resolve disputes, and enforce agreements. Specifically:

9. Security

We use technical and organizational measures designed to protect personal information, including:

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at security@koda.properties. See our Security & Vulnerability Disclosure policy for how to report security issues.

10. Your rights

Depending on where you live, you may have rights to:

To exercise these rights, contact privacy@koda.properties. If your data is held inside a Customer's account (i.e. you are a resident or member, not the account owner), we will pass your request to that Customer and assist them in responding.

We will not discriminate against you for exercising these rights.

11. Canada — PIPEDA, Quebec Law 25, and CASL

If you are located in Canada, your personal information is governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA), applicable provincial laws (including Quebec's Law 25, formerly Bill 64), and Canada's Anti-Spam Legislation (CASL).

11.1 Your rights under PIPEDA

11.2 Additional rights for Quebec residents (Law 25)

If you reside in Quebec, you additionally have the right to:

French language. Quebec residents may request that this policy and communications from us be provided in French. Email privacy@koda.properties with the subject line "Français" to make a request.

11.3 CASL (commercial electronic messages)

We send commercial electronic messages to Canadian recipients only with their express or implied consent as defined by CASL. Every commercial email includes a clear sender identification and a working unsubscribe mechanism. You can opt out of marketing emails at any time by clicking the unsubscribe link in any message or emailing privacy@koda.properties.

Transactional messages (account verification, password reset, billing receipts, system alerts) are not commercial electronic messages under CASL and you cannot opt out of them while you have an active account.

11.4 Mandatory breach reporting

Under PIPEDA's Breach of Security Safeguards Regulations and Quebec Law 25, we will report Personal Information breaches to the relevant regulator and notify affected individuals where the breach creates a real risk of significant harm. Notification occurs as soon as feasible. We maintain breach records for at least 24 months.

12. Jamaica — Data Protection Act 2020

If you are located in Jamaica or your personal data is processed in Jamaica, the Data Protection Act 2020 ("DPA 2020") applies. We commit to processing your personal data in accordance with the eight Standards (Data Protection Principles) set out in the Act.

12.1 Your rights under the Jamaica DPA

12.2 Lawful basis

We process personal data in Jamaica on one or more of the following lawful bases under Section 22 of the Act: necessary for the performance of a contract; compliance with a legal obligation; protection of vital interests; legitimate interests pursued by us (balanced against your rights); or your consent.

12.3 Sensitive personal data

The Service is not designed to process sensitive personal data (as defined in Section 4 of the DPA, including health, biometric, or criminal-record data). Customers must not submit sensitive personal data without our prior written agreement and an additional lawful basis under Section 23.

12.4 Cross-border transfers

Personal data of Jamaican residents may be transferred to and processed in the United States, Canada, or other jurisdictions where our sub-processors operate. We rely on appropriate safeguards, including written contractual commitments equivalent to the protections of the DPA 2020 and, where required, prior authorization from the Information Commissioner.

12.5 Breach notification

Where a Personal Data Breach occurs that is likely to result in risk to the rights and freedoms of data subjects, we will notify the Office of the Information Commissioner without undue delay (and where feasible, within 72 hours of becoming aware) and affected individuals without undue delay.

13. U.S. residents — CCPA / CPRA

California residents have the right to know what categories of personal information we collect, the right to delete personal information, the right to correct inaccurate information, the right to limit the use of sensitive personal information, and the right not to be discriminated against for exercising these rights.

We do not sell personal information and do not share it for cross-context behavioral advertising.

To exercise your CCPA rights, email privacy@koda.properties. We will verify your request using the email address associated with your account. You may also designate an authorized agent to make a request on your behalf.

Similar rights apply to residents of other U.S. states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, etc.). The same contact applies.

14. Automated decision-making

The Service does not currently use solely automated processing (without meaningful human involvement) to make decisions that produce legal or similarly significant effects about individuals. If we introduce such processing in the future, we will disclose:

15. Data Protection Officer

We have designated a Privacy Officer to oversee compliance with applicable privacy laws (including PIPEDA, Quebec Law 25, and the Jamaica DPA 2020):

The Privacy Officer is your point of contact for questions about this policy and for exercising your rights.

16. Children

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, please contact privacy@koda.properties so we can delete it.

17. Changes to this policy

We may update this policy as the Service evolves. We will notify Customers of material changes by email or through the Service at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision.

18. Contact us

Privacy questions or data subject requests:

Regulators: