PropZy — Property Portfolio Management

Privacy Policy

Last updated: 3 May 2026

PROPZY PTY LTD (ACN 697 418 134) is committed to protecting your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains how we collect, use, store, and share your data.

What Personal Data Is Collected

  • Name and email address (via Cognito registration)
  • Google account information if using Google Sign-In (name, email, profile picture)
  • WhatsApp phone number (if you link your account for WhatsApp messaging)
  • Property addresses and financial data (user-entered)
  • Uploaded documents (receipts, contracts, etc.)
  • Forwarded email content and attachments (via Smart Email Inbox)
  • Chat messages (web chat and WhatsApp conversations with the AI assistant)
  • Support ticket content
  • Payment information (processed by Stripe — PropZy does not store card details)
  • Referral codes and referral relationships (referrer and referred user IDs, referral status)
  • Usage logs (API Gateway access logs and Lambda execution logs)

Why Data Is Collected (APP 3)

We collect personal data for the following purposes:

  • To provide the portfolio management service
  • To process subscription payments
  • To operate the referral program (tracking referral codes, referral relationships, and credit eligibility)
  • To provide AI-powered features (portfolio health analysis, property evaluation)
  • To respond to support requests
  • To maintain platform security and prevent abuse

How Data Is Stored (APP 11)

  • All data is stored in AWS Sydney (ap-southeast-2)
  • Encrypted at rest using AES-256 and in transit using TLS 1.2/1.3
  • Authentication is managed via AWS Cognito with JWT tokens
  • Per-user data isolation is enforced via partition keys

Third-Party Data Sharing

  • Stripe — Payment processing (PCI DSS Level 1 certified). PropZy does not store your card details.
  • Amazon Bedrock (Claude) — AI features including the Riyun portfolio agent, document extraction, and loan review. Data is processed in the AWS Sydney region and does not leave Australia.
  • Groq — AI tax mode chat. User portfolio data is sent to Groq's US-based API for AI analysis. Groq does not retain user data beyond the request.
  • Meta WhatsApp Business Platform — WhatsApp messaging (if you link your phone number). Messages are delivered via Meta's infrastructure. Meta's data practices are governed by their own privacy policy.
  • Brevo — Transactional email delivery (welcome emails, portfolio reviews, notifications). Recipient email addresses are shared with Brevo for delivery purposes only.
  • Google Maps — Address autocomplete. Address queries are sent to Google for location suggestions.

We do not sell your data to third parties. We do not share your data for advertising or marketing purposes.

AI Data Processing Disclosure

PropZy uses AI for portfolio analysis, document extraction, loan review, and the Riyun chat assistant. AI processing is handled by two providers:

Amazon Bedrock (Primary)

  • Used for: Riyun portfolio agent (web and WhatsApp), document extraction, loan review, portfolio reviews.
  • Data is processed in the AWS Sydney region (ap-southeast-2) and does not leave Australia.
  • Amazon does not use your data to train or improve their models.

Groq (Tax Mode Only)

  • Used for: Tax mode chat only.
  • Data sent to Groq includes property summaries, financial figures, and user questions.
  • Groq does not retain your data beyond the API response.
  • During AI processing, your data temporarily leaves Australia.

You can opt out of AI data processing by simply not using the AI-powered features.

Smart Email Inbox Data Processing

PropZy's Smart Email Inbox allows you to forward property documents — receipts, leases, insurance policies, rate change letters, and more — to a unique inbound email address for automatic classification and filing. This feature involves cross-region data processing:

  • Inbound emails are received and temporarily processed via AWS infrastructure in the US (us-east-1) using Amazon Simple Email Service (SES).
  • Raw email files are stored temporarily in an encrypted S3 bucket in us-east-1 and are automatically deleted after 7 days.
  • Processed data (extracted details, document attachments) is stored permanently in AWS Sydney (ap-southeast-2) alongside your other PropZy data.
  • AI-powered document classification and extraction uses Amazon Bedrock (Claude) in the Sydney region to analyse attachments.
  • All data is encrypted at rest (AES-256) and in transit (TLS 1.2/1.3) across both regions.
  • PropZy's data processing is covered by the AWS Data Processing Addendum.

If you do not use the Smart Email Inbox, no email data is processed. You can regenerate your inbound email address at any time from Settings to invalidate the previous address.

WhatsApp Integration Data Processing

PropZy allows you to interact with the Riyun portfolio assistant via WhatsApp by linking your phone number. This feature involves the following data processing:

  • Your WhatsApp phone number is stored in E.164 format on your user settings record in AWS Sydney.
  • Messages you send via WhatsApp are received by PropZy through Meta's WhatsApp Business Platform webhook.
  • Message content is processed by the Riyun AI agent (Amazon Bedrock, Sydney region) and temporarily stored for conversation context (up to 30 days, then auto-deleted).
  • Replies are sent back to you via Meta's WhatsApp Cloud API.
  • Phone numbers are masked in internal logs (only last 4 digits visible) to protect your privacy.
  • A rate limit of 30 messages per hour is enforced per user.

You can unlink your WhatsApp number at any time from Settings. Unlinking takes immediate effect — subsequent messages from your number will not be processed. If you do not link your WhatsApp number, no WhatsApp data is collected or processed.

Data Retention

  • Account data is retained while your account is active.
  • After account deletion, data is deleted within 30 days.
  • Uploaded documents follow a lifecycle policy: Standard storage → Glacier → deleted after 2 years.
  • AWS service logs are retained for 90 days.
  • Stripe payment records are retained per Stripe's own data retention policies.

Your Rights (APP 12 & 13)

Under the Australian Privacy Principles, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and all associated data

To exercise these rights, submit a request via the in-app Support page or email us at admin@propzy.com.au. We will respond within 30 days.

Cookies and Local Storage

  • PropZy does not use third-party cookies.
  • JWT authentication tokens are stored in your browser's localStorage.
  • No tracking cookies or analytics cookies are used.

Children's Privacy

PropZy is not intended for users under the age of 18. We do not knowingly collect personal information from children.

Changes to Privacy Policy

We may update this Privacy Policy from time to time. Users will be notified of material changes via email or in-app notification. Continued use of the platform after notification constitutes acceptance of the updated policy.

← Back to Home