Privacy Policy

Data Protection & Privacy Rights

Effective Date: June 2025

Last Updated: June 2025

Version: 2.0

Overview

Oberlin24 maintains enterprise-grade data protection standards to safeguard your personal and financial information. We integrate with third-party services to provide comprehensive rental property management while ensuring your data remains secure and private.

This privacy policy explains how we collect, use, store, and protect your data through our integrations with Gmail (Google) for document processing and Plaid for secure bank account connections. Your privacy is paramount, and you maintain full control over your data.

1. Data Collection and Processing

Gmail Integration

Data We Access

  • Email Messages: Read-only access to identify rental-related communications
  • Attachments: Invoice PDFs, receipts, and rental documents for automated processing
  • Email Metadata: Sender information, subject lines, and timestamps for categorization
  • Account Information: Email address for account identification and communication

How We Use Gmail Data

  • AI-Powered Document Processing: Automated extraction of financial data from invoices and receipts
  • Expense Categorization: Intelligent classification of rental-related expenses for tax reporting
  • Transaction Matching: Linking email receipts with bank transactions for comprehensive tracking
  • Read-Only Access: We never send emails, modify your account, or access non-rental related content

Data Retention and Security

  • Processed Data Only: Email content is processed but not permanently stored
  • Extracted Information: Financial data retained for tax and accounting purposes (7 years)
  • OAuth 2.0 Security: Secure authorization with limited scope permissions
  • Token Encryption: Access tokens encrypted using AES-256-GCM

Google's Privacy Policy: https://policies.google.com/privacy

Bank Account Integration (Plaid)

We use Plaid Inc. ("Plaid") to securely connect your financial institutions. By using our service, you grant our application and Plaid the right to access and transmit your financial information from your bank accounts.

Financial Data We Access

  • Transaction Data: Bank transactions for rental income and expense tracking
  • Account Information: Account names, types, and balances for portfolio management
  • Institution Details: Bank names and account identifiers for connection management
  • Transaction Metadata: Dates, amounts, merchant information, and categories

Data Processing and Security

  • Banking-Grade Security: All data protected by Plaid's SOC 2 Type II compliant infrastructure
  • AES-256-GCM Encryption: Financial data encrypted at rest with automatic key rotation
  • No Credential Storage: We never store your bank login credentials
  • Webhook Verification: Cryptographic signature verification for all data updates

Your Rights and Controls

  • Plaid Portal Access: View all data we access at my.plaid.com
  • Real-time Control: Disconnect bank accounts instantly through settings
  • Data Deletion: Request complete removal of financial data
  • Consent Withdrawal: Revoke data access permissions at any time

Plaid's Privacy Policy: https://plaid.com/legal/#end-user-privacy-policy

2. Enterprise-Grade Security Implementation

Data Encryption and Protection

  • AES-256-GCM Encryption: Industry-standard authenticated encryption for all sensitive data at rest
  • PBKDF2 Key Derivation: 100,000 iterations with SHA-256 for OWASP-compliant key generation
  • Automatic Key Rotation: 30-day default rotation schedule with configurable intervals
  • TLS 1.2+ Encryption: All data transmission protected by enterprise-grade encryption
  • Master Key Management: Environment variable-based security with base64 encoding
  • Encrypted Database Fields: User emails, access tokens, and financial data encrypted individually

Authentication and Access Control

  • Multi-Factor Authentication (MFA): TOTP-based MFA with backup codes and recovery mechanisms
  • Role-Based Access Control (RBAC): Database-backed permission management with real-time verification
  • Device Trust Management: Device fingerprinting and trusted device recognition
  • Zero Trust Architecture: No implicit trust with continuous verification for all access
  • JWT Security: All API endpoints protected with industry-standard JSON Web Tokens
  • Session Management: Secure session handling with automatic expiration and renewal

Security Monitoring and Compliance

  • Vulnerability Management: Daily automated scanning with defined SLA timelines
  • Real-time Monitoring: Continuous security event monitoring with automated alerting
  • Audit Logging: Comprehensive event tracking in 5 permanent database tables
  • Identity Management: Centralized session control with OAuth/SAML provider support
  • Compliance Monitoring: SLA breach detection and violation alerts
  • Security Metrics: 95%+ SLA compliance with vulnerability remediation

3. Your Privacy Rights

Data Subject Rights

  • Right to Access: View all data we have collected about you through our data export feature
  • Right to Rectification: Correct any inaccurate or incomplete data
  • Right to Erasure: Request complete deletion of your data with secure removal
  • Right to Data Portability: Export your data in machine-readable formats (JSON, CSV)
  • Right to Withdraw Consent: Revoke data access permissions with immediate effect
  • Right to Object: Object to certain types of data processing
  • Right to Restriction: Request limitation of data processing activities

Privacy Controls

  • Integrated Dashboard: Manage all privacy settings through your account
  • One-Click Actions: Withdraw consent or delete data without complex workflows
  • Real-time Updates: Interface immediately reflects privacy actions
  • Consent Tracking: Permanent audit trails with IP addresses and timestamps
  • Transparent Processing: Clear visibility into all data processing activities

4. Data Retention and Deletion

Retention Policies

  • Financial Data: Retained for tax and accounting purposes (typically 7 years as legally required)
  • Account Data: Retained while your account is active and for legitimate business purposes
  • Consent Records: Retained for legal compliance and audit purposes
  • Security Logs: Permanent audit storage for security compliance and investigation
  • Session Data: Automatically purged after expiration with configurable retention

Deletion Procedures

  • Request Processing: Deletion requests processed within 30 days
  • Secure Removal: Data permanently deleted using secure deletion methods
  • Account Closure: Complete data removal within 90 days of account closure
  • Legal Compliance: Some records retained as required by law
  • Verification: Deletion confirmation provided upon completion

5. Third-Party Services and Data Sharing

Service Providers

  • Google (Gmail): Email access and AI-powered document processing
  • Plaid: Secure bank account connections and transaction data access
  • Railway: Cloud hosting and database services with enterprise security
  • Data Processing Agreements: All providers bound by strict data protection contracts

Data Sharing Principles

  • No Sale of Data: We never sell, rent, or trade your personal information
  • Limited Processing: Data shared only for specific, consented purposes
  • Security Requirements: All processors must meet our security standards
  • Legal Obligations: Data may be disclosed only as required by law

6. Legal Basis and International Transfers

Data Processing Legal Basis

  • Consent: Explicit consent for Gmail and bank account integrations
  • Contract Performance: Processing necessary to provide rental management services
  • Legitimate Interest: Service improvement, security, and fraud prevention
  • Legal Obligation: Compliance with tax, financial, and regulatory requirements

International Data Transfers

  • Adequate Safeguards: Standard contractual clauses and adequacy decisions
  • Data Protection Agreements: Binding agreements with all international processors
  • Security Standards: Equivalent protection regardless of processing location
  • Compliance Monitoring: Regular audits of international data handling

7. Privacy Policy Updates and Contact

Policy Updates

  • Change Notification: Email alerts for significant policy changes
  • In-App Notifications: Prominent notices for important updates
  • Version Control: Clear version tracking with effective dates
  • Continued Consent: Continued use constitutes acceptance of updates

Privacy Contact Information

Privacy Officer: Saurabh Zope

Email: oberlin24info@gmail.com

Response Time: Privacy inquiries acknowledged within 72 hours

Data Rights: Exercise your privacy rights through account settings or contact us directly

Security Policy: View our Security Policy

Back to Dashboard

This privacy policy reflects our current enterprise-grade data protection implementation and is reviewed quarterly to ensure alignment with evolving privacy standards and regulatory requirements.

Last updated: June 2025 | Version 2.0 | GDPR Compliant