Proppi
Log in Start a job

Privacy Policy

Last updated: 20 May 2026

Proppi Limited (NZBN 9429053332912), trading as Proppi (“Proppi”, “we”, “us”, “our”), operates the Proppi platform at members.proppi.ai. This policy explains what personal information we collect, why we collect it, how we use and protect it, and your rights regarding that information.

We are committed to complying with the New Zealand Privacy Act 2020 and the Australian Privacy Principles under the Privacy Act 1988 (Cth).

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address
  • First and last name
  • Password (hashed, never stored in plain text)

If you sign in using a third-party provider (Google, Apple, Microsoft, or Facebook), we receive your name and email address from that provider. We do not receive or store your third-party password.

1.2 Property Information

You may enter property details such as addresses, property type, occupancy status, and other metadata. This information is provided voluntarily and used to organise your documents.

1.3 Documents

You upload property documents (leases, invoices, inspection reports, insurance policies, and similar). These documents may contain personal information about you, your tenants, or other parties.

1.4 Conversations

When you ask questions through our search feature, we store your questions and the responses generated by our AI to provide conversation history and improve the service.

1.5 Usage Data

We collect anonymised usage analytics (page views and performance metrics) through a privacy-respecting analytics provider. This data does not identify you personally and is used to improve site performance.

1.6 Email Forwarding

If you use our email forwarding feature, we receive and process emails you send to your Proppi inbox. Attachments are extracted and processed as documents. The raw email content is stored temporarily and then deleted.

1.7 Sensitive Information

Some documents you upload may contain sensitive information about you, your tenants, or other parties — including (depending on the document type) information about health, disability, family violence-related tenancy matters, criminal history references, or membership of relevant associations. We do not actively solicit sensitive information; any such information is collected only by virtue of being contained in documents you have voluntarily uploaded.

By uploading documents that may contain sensitive information about you, you consent to our collection of that information for the purpose of providing the Service to you. Where documents contain sensitive information about other individuals (such as tenants), you confirm that you have authority to provide that information to us in connection with your property management or investment activities. Our handling of sensitive information is subject to the same security controls described elsewhere in this Policy.

2. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Proppi service
  • Process and analyse your documents using AI (classification, entity extraction, search indexing)
  • Generate search results and answers to your questions
  • Send you account-related emails (verification, password reset, security alerts)
  • Process payments and manage your subscription (if applicable)
  • Track property events and deadlines extracted from your documents
  • Comply with legal obligations

We do not sell your personal information. We do not use your documents to train AI models.

2.7 Direct Marketing

We may, from time to time, send you marketing communications about Proppi features, product updates, research publications, or industry insights that we believe may be relevant to your use of the Service. We do this only where:

  • You have provided your email address to us in the course of using the Service, and you would reasonably expect us to use it for these purposes; or
  • You have separately consented to receive marketing communications.

Every marketing email we send includes a simple unsubscribe mechanism. You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, or by emailing us at the address in the Contact section below. We will action opt-out requests within a reasonable period and will not charge you for opting out.

Opting out of marketing communications does not affect transactional or service-related emails (such as account verification, password reset, security alerts, and billing) which we send as part of providing the Service to you.

3. Document Processing — How AI Handles Your Data

This is the most important section of this policy. When you upload a document, it goes through the following processing steps, each of which may involve sending data to a third-party AI service operating under a data-processing agreement with us:

3.1 Optical Character Recognition (OCR)

Your document is sent to a document-intelligence provider to extract text and layout information. The provider processes the document and returns the extracted text. We do not enable any data-retention features — documents are processed and not stored by the provider beyond the processing request.

3.2 Classification and Entity Extraction

The extracted text is sent to a generative AI provider to classify the document type (e.g., lease agreement, insurance policy) and extract key entities (dates, amounts, parties, terms). The provider processes this data under a data-processing agreement that prohibits using your data to train models.

3.3 Conversational Search

When you ask a question, your question and relevant document excerpts are sent to a generative AI provider to generate an answer. Conversation context from your current session may also be included. The provider does not use this data to train their models.

3.4 Provider Disclosure

We may change AI providers from time to time as the technology evolves. A current list of the AI sub-processors we rely on is available on request — contact us at privacy@proppi.ai for the latest list.

3.5 Automated Processing of Your Documents

The document processing described in Sections 3.1 through 3.4 is automated. Your documents are automatically classified, key entities (dates, amounts, parties, addresses) are extracted automatically, and deadlines are detected automatically — without manual review by Proppi staff in the ordinary course of providing the Service.

We do not use automated processing to make decisions that have legal or similarly significant effects on you. Outputs of automated processing are provided to you as information to support your own decision-making, and you remain responsible for verifying the accuracy of AI Output before acting on it (as described in Section 5 of our Terms of Service).

3.6 Tax File Numbers and IRD Numbers

Property tax documents commonly contain Australian Tax File Numbers (TFNs) or New Zealand Inland Revenue (IRD) numbers. Proppi does not actively extract, index, or store TFNs or IRD numbers as separately searchable structured fields. Such identifiers remain in the underlying source documents you upload and are subject to the same security controls described in Section 5.

Where the Privacy (Tax File Number) Rule 2015 (issued under section 17 of the Australian Privacy Act 1988) applies, we treat TFN information in accordance with that Rule: we do not request TFN information from you separately; we restrict access to documents containing TFN information to staff who need to handle them for service support purposes; and we will not disclose TFN information except in accordance with that Rule or as otherwise required by law.

4. Other Third-Party Services

4.1 Infrastructure & Hosting

  • Cloud database and storage — Your documents and account data are stored on managed cloud infrastructure with encryption at rest.
  • Application hosting — Our web platform is served from a managed hosting provider. The host processes web requests but does not have access to your documents or personal data beyond what is required to serve the request.

4.2 Email

  • Transactional email provider — A third-party email service sends account-related emails on our behalf (verification, password resets, notifications). The provider processes your email address for delivery only.

4.3 Payments

  • Payment processor — Payments and subscriptions are handled by a PCI-DSS-compliant third-party payment processor. We do not store your credit card details — the processor handles all payment information under its own privacy policy.

4.4 Address Lookup

  • Address autocomplete — A third-party address service provides autocomplete suggestions when you add properties. The address you type is sent to the provider for suggestions only.

4.5 Calendar Integration (Optional)

  • If you connect a third-party calendar service, we access your calendar with your explicit permission to sync property-related events. We only read and write events related to Proppi — we do not access your other calendar entries.

A current list of these sub-processors is available on request — contact us at privacy@proppi.ai.

5. Data Storage and Security

  • All data is encrypted in transit (TLS/HTTPS) and at rest
  • Sensitive credentials (MFA secrets, recovery tokens) are encrypted with rotating keys
  • Passwords are hashed using industry-standard, salted one-way hashing algorithms — we never store passwords in plain text
  • Access to your documents requires authentication — only you (and team members you invite) can view them
  • We use role-based access control: property owners, editors, and viewers have different permissions
  • Our infrastructure relies on managed services that maintain SOC 2 or equivalent independent security certifications

6. Notifiable Data Breaches

If we become aware of a data breach involving your personal information, we will assess the breach as soon as practicable and follow the response procedures required by the laws of the jurisdictions we operate in.

6.1 When we will notify you

We will notify you directly (typically by email to the address on your account) if the breach is reasonably likely to result in serious harm to you. In assessing whether serious harm is likely, we consider the kinds of personal information involved, the sensitivity of that information, the security protections that were in place, the persons who have or could have obtained the information, the nature of the potential harm, and any remedial steps we have taken.

6.2 What the notification will include

A description of the breach; the kinds of personal information involved; the steps we have taken to respond; and the steps we recommend you take to protect yourself.

6.3 Regulator notification

Where required by law, we will notify the relevant regulator as soon as practicable after becoming aware of a notifiable breach:

6.4 Records

We maintain internal records of breach assessments and our responses for at least 24 months following the assessment.

7. Cookies and Local Storage

We use a small number of strictly necessary cookies to keep you signed in. Your authentication session is stored in an HttpOnly, Secure, SameSite=Lax cookie set by our servers — this cookie cannot be read by JavaScript running in your browser, which protects it from cross-site scripting attacks. The cookie is transmitted only to Proppi’s own servers when you make requests to the platform. We do not use cookies for advertising, cross-site tracking, or sharing your activity with third parties.

We use your browser’s local storage and session storage to remember interface preferences (such as sidebar state) and to cache short-lived information about in-progress operations (such as document upload status). This data stays on your device and is not transmitted to third parties.

8. Data Retention

  • Account data — Retained for as long as your account is active.
  • Documents — Retained until you delete them or close your account.
  • Conversation history — Retained for as long as your account is active.
  • Inbound emails — Raw email content is processed and then deleted. Extracted documents are retained as above.
  • Usage analytics — Anonymised and aggregated. Not linked to your account.

When you delete a document, it is removed from our database and file storage. Search index entries for that document are also removed.

9. Your Rights

Under the New Zealand Privacy Act 2020 and Australian Privacy Principles, you have the right to:

  • Access — Request a copy of the personal information we hold about you.
  • Correction — Ask us to correct any inaccurate information.
  • Deletion — Request deletion of your account and all associated data. You can delete individual documents at any time from the app, or contact us to delete your entire account.
  • Export — Download your original uploaded documents at any time through the app.
  • Complaint — Lodge a complaint with the Office of the Privacy Commissioner (NZ) or the Office of the Australian Information Commissioner (AU).

To exercise any of these rights, contact us at privacy@proppi.ai.

How to make a privacy complaint

If you have a privacy complaint, or believe we have not complied with our obligations under this Privacy Policy or applicable privacy law, please contact us first at privacy@proppi.ai so we have the opportunity to address your concern. We will acknowledge your complaint within 5 business days and aim to provide a substantive response within 30 days.

If you are not satisfied with our response, or if 30 days have passed without a response, you may then lodge a complaint with the relevant regulator: the Office of the Privacy Commissioner (New Zealand) or the Office of the Australian Information Commissioner (Australia).

10. International Data Transfers

Your data may be processed in countries outside New Zealand and Australia, including the United States and the European Union, where our infrastructure and AI providers operate data centres.

Before any such transfer, we take reasonable steps to ensure that the overseas recipient does not breach the New Zealand Privacy Act 2020 and the Australian Privacy Principles in relation to your personal information. Specifically:

  • We enter into written contractual arrangements (Data Processing Agreements or equivalent) with each overseas processor, requiring the processor to handle your data to standards consistent with the New Zealand Privacy Act 2020 and the Australian Privacy Principles.
  • We restrict each processor’s use of your data to the specific purpose of providing services to Proppi.
  • We prohibit processors from using your data to train artificial intelligence models for their own purposes.
  • We periodically review our processors’ security and privacy practices.

A current list of our overseas sub-processors and the countries in which they operate is available on request — contact us at privacy@proppi.ai.

Where Australian Privacy Principle 8 applies and we rely on contractual safeguards, we remain accountable for the acts and omissions of our processors as if they were our own acts (in accordance with section 16C of the Australian Privacy Act 1988).

11. Children’s Privacy

Proppi is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

12. Changes to This Policy

We may update this policy from time to time. When we make material changes — for example, changes to the categories of personal information we collect, the purposes for which we use it, or the third-party recipients with whom we share it — we will give you at least 30 days’ advance notice by email or through an in-app notification before the changes take effect. The “last updated” date at the top of this page indicates when the policy was last revised.

Non-material changes (such as clarifying language, correcting typos, or updating contact details) may take effect on shorter notice or immediately, but the “last updated” date will always reflect the most recent revision.

13. Contact Us

If you have questions about this privacy policy or how we handle your data, contact us at:

The Privacy Officer is the designated contact for the management of personal information held by Proppi in accordance with this Privacy Policy, the New Zealand Privacy Act 2020, and the Australian Privacy Principles (where applicable). The privacy email address above routes directly to the Privacy Officer.