Privacy Policy
Effective date: April 16, 2026
1. Introduction and Scope
Nest Mate ("Nest Mate," "we," "us," or "our") operates the Nest Mate web application and mobile application (collectively, the "Platform") — a property management service designed to facilitate landlord–tenant relationships in Ontario, Canada.
This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), S.C. 2000, c. 5, and its associated regulations.
By creating an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein. If you do not agree, you must discontinue use of the Platform.
This Policy applies to all personal information we collect from landlords, tenants, prospective tenants, references, employers, and any other individuals who interact with the Platform.
2. Accountability
Nest Mate is the "organization" responsible for personal information under its control within the meaning of PIPEDA. We have designated a Privacy Officer who is accountable for our compliance with this Policy and with PIPEDA.
You may contact our Privacy Officer at any time:
Privacy Officer, Nest Mate
Email: privacy@nestmateapp.ca
Response time: within 30 calendar days of receipt, as required by PIPEDA.
3. Personal Information We Collect
We collect personal information only to the extent necessary to provide the Platform's features. The categories of information we collect depend on whether you are a landlord, a tenant, a prospective tenant, or an employment or personal reference.
3.1 Landlords
- Full name and email address (account registration)
- Telephone number (optional, profile)
- Property addresses, unit configurations, and listed rental amounts
- Lease terms, rent amounts, and security deposit information
- Uploaded documents (LTB notices, lease agreements)
- Messages sent through the Platform's messaging system
- Audit log entries for actions you perform
3.2 Tenants and Prospective Tenants
- Full name and email address (account registration)
- Telephone number (optional, profile)
- Current address, monthly income, and income source
- Employment details (employer name, employer email, employer telephone, employment start date)
- Rental history (number of years as a tenant)
- Pet information (as declared in applications)
- Government-issued photo identification (front and back) and a selfie image (identity verification)
- Rent receipts and payment records
- Maintenance requests and supporting attachments
- Messages sent through the Platform's messaging system
- Inspection records and photographs
- Audit log entries for actions you perform
3.3 References and Employers
If a prospective tenant lists you as a personal or professional reference, we collect:
- Your name, telephone number, email address, and relationship to the applicant
- Your written reference response (if submitted via the Platform)
- Employment verification confirmation (if you are an employer)
We obtain this information because the applicant has disclosed it as part of their rental application and, where applicable, because you have voluntarily submitted a reference or clicked an employment confirmation link sent to you by email.
3.4 Automatically Collected Information
- Session authentication tokens (stored as HTTP-only cookies)
- IP addresses (used solely for rate-limiting and security purposes; not linked to your profile)
- Basic usage logs retained by our infrastructure provider for up to 30 days
We do not use tracking pixels, advertising identifiers, or behavioural analytics tools.
4. Purposes for Collection, Use, and Disclosure
We collect and use personal information for the following identified purposes only:
| Purpose | Legal Basis (PIPEDA) |
|---|---|
| Create and manage your account | Consent; performance of contract |
| Facilitate landlord–tenant communications and document exchange | Consent; performance of contract |
| Generate legally formatted Ontario LTB notices (N4, N12, N9, etc.) | Performance of contract; legal obligation |
| Process and manage rental applications | Consent; performance of contract |
| Verify tenant identity | Consent; legitimate interest (fraud prevention) |
| Send transactional emails (invitations, notices, receipts) | Performance of contract |
| Generate and deliver rent receipts | Legal obligation (Residential Tenancies Act); performance of contract |
| Manage maintenance requests and inspection records | Performance of contract |
| Maintain a tamper-evident audit log of legally significant actions | Legal obligation; legitimate interest |
| Rate-limit requests and detect abuse or fraud | Legitimate interest (security) |
| Comply with applicable law and respond to legal process | Legal obligation |
We will not use your personal information for any purpose other than those listed above without first obtaining your explicit consent.
5. Disclosure to Third Parties
We do not sell, rent, or trade your personal information. We disclose personal information only to the following service providers, who process data on our behalf under contractual data-processing obligations:
| Provider | Purpose | Data Location |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication, and file storage | United States (AWS) |
| Resend, Inc. | Transactional email delivery | United States |
| Anthropic, PBC | AI-assisted document analysis (where opted in) | United States |
| OpenStreetMap / Nominatim | Address geocoding (property lookup only) | Distributed (open data) |
Because some of our service providers are located in the United States, your personal information may be subject to the laws of that jurisdiction, including lawful access by U.S. government authorities. By using the Platform, you consent to the cross-border transfer of your personal information for the purposes described in this Policy. You may withdraw this consent by deleting your account (see Section 8), which will result in the termination of your access to the Platform.
We may also disclose personal information where required or authorized by law, including in response to a valid court order, subpoena, or request from a law enforcement authority.
Personal information is shared between landlords and tenants only to the extent necessary to administer the tenancy — for example, a landlord sees the profile and lease information of their tenant, and a tenant sees the property address and landlord's name. Tenants do not see the personal information of other tenants at the same property.
6. Data Retention Schedule
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following schedule applies:
| Category | Retention Period | Basis |
|---|---|---|
| Account profile (name, email, phone) | Deleted within 30 days of account deletion request | Consent withdrawn |
| Active lease records and LTB notices | 7 years from lease end date | Ontario Residential Tenancies Act; Income Tax Act (tax records) |
| Rent receipts | 7 years from date of issue | Income Tax Act, R.S.C. 1985, c. 1 (5th Supp.) |
| Identity verification documents (gov. ID, selfie) | Deleted within 30 days of verification decision (approved or rejected) | Proportionality principle (PIPEDA s. 5, Sched. 1, cl. 4.5) |
| Rental applications (approved) | Anonymized 2 years after lease end | Legitimate interest (dispute resolution) |
| Rental applications (rejected / withdrawn) | Deleted 1 year after decision | Proportionality principle |
| Messages between landlord and tenant | Deleted 2 years after lease termination | Legitimate interest (dispute resolution) |
| Maintenance requests | Deleted 2 years after lease termination | Legitimate interest (dispute resolution) |
| Inspection records | Deleted 2 years after lease termination | Legitimate interest (dispute resolution) |
| Audit logs | Retained 2 years from the date of the logged action | Legitimate interest (accountability) |
| Property inquiry messages | Deleted 1 year from submission | Proportionality principle |
| Push notification tokens | Deleted upon account deletion or app uninstall | Consent withdrawn |
When retention periods expire, personal information is either securely deleted or irreversibly anonymized (where deletion would destroy a legally required record). Anonymized data is no longer personal information and is not subject to this Policy.
7. Safeguards
We use security safeguards appropriate to the sensitivity of the information to protect against loss, theft, unauthorized access, disclosure, copying, use, and modification. These safeguards include:
- Transport Layer Security (TLS/HTTPS) for all data in transit
- Row-Level Security (RLS) policies on all database tables, ensuring each user can only access records they are authorized to see
- Private storage buckets for identity documents (no public URLs; access via signed, time-limited URLs only)
- Separation of service-role credentials (used only in server-side API routes, never exposed to clients)
- Rate limiting on all mutation endpoints to mitigate brute-force and denial-of-service attempts
- Security response headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options)
- UUID-format application identifiers (non-sequential, not guessable)
No method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we will promptly notify affected individuals and the Office of the Privacy Commissioner of Canada in the event of a privacy breach that creates a real risk of significant harm, as required under PIPEDA.
8. Your Rights Under PIPEDA
Subject to certain exceptions permitted by law, you have the following rights with respect to your personal information:
8.1 Right of Access
You may request access to the personal information we hold about you. We will respond within 30 calendar days and provide you with a copy of that information in a readily understandable format, along with an account of how it has been used and to whom it has been disclosed.
8.2 Right to Correction
If you believe that personal information we hold about you is inaccurate or incomplete, you may request correction through your account settings or by contacting our Privacy Officer. Where we are unable to make a correction, we will annotate the record with the correction you have requested.
8.3 Right to Withdraw Consent / Delete Your Account
You may withdraw your consent to the collection, use, and disclosure of your personal information at any time by deleting your account. Account deletion is available in Settings → Account → Delete Account within the Platform.
Upon deletion, we will, within 30 days:
- Delete your profile information (name, email, phone, preferences)
- Delete your identity verification documents from storage
- Delete your messages, notifications, and application data
- Anonymize (rather than delete) any lease records, rent receipts, and audit logs where we are legally required to retain a record of the underlying transaction
- Permanently deactivate your login credentials
Note that withdrawal of consent may mean we are unable to provide the Platform's services. Where you are a landlord with active leases, we recommend transferring or closing those tenancy records before requesting account deletion.
8.4 Right to Complain
If you believe we have handled your personal information in a manner contrary to PIPEDA, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada. We encourage you to first contact our Privacy Officer so we may attempt to resolve the concern directly.
10. Minors
The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact our Privacy Officer immediately and we will delete it without undue delay.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify registered users of material changes by email (to the address on file) at least 30 days before the change takes effect, and we will post the updated Policy on this page with a revised effective date. Continued use of the Platform after the effective date of a material change constitutes acceptance of the revised Policy.
Non-material changes (such as formatting corrections or clarifications that do not alter the substance of the Policy) may be made without prior notice.
12. Contact Us
For any privacy-related questions, access or correction requests, or complaints, please contact our Privacy Officer:
Privacy Officer, Nest Mate
Email: privacy@nestmateapp.ca
We will acknowledge your request within 5 business days and provide a substantive response within 30 calendar days.
If you are not satisfied with our response, you may escalate your complaint to the Office of the Privacy Commissioner of Canada at 1-800-282-1376 or online at priv.gc.ca.
Nest Mate is not a law firm. Nothing in this Privacy Policy or on this Platform constitutes legal advice. For advice regarding your rights under the Residential Tenancies Act or other legislation, consult a licensed paralegal or lawyer.
Last updated: April 16, 2026