Privacy Policy & Data Protection
This Privacy Policy explains how Xponentshift Limited collects, uses, stores, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Irish data protection law.
Last Updated: April 17, 2026
1. Data Controller
The Data Controller for personal data collected through Avaaso.com is:
- Company Name: Xponentshift Limited
- Registered Address: 1 McElwain Terrace, Newbridge, Co. Kildare, W12 C434, Ireland
- Contact Email: info@avaaso.com
2. Why We Hold Your Data
We hold personal data because it is necessary to operate the Avaaso rental marketplace. This includes creating user accounts, matching tenants with suitable properties, processing rental applications, scheduling property viewings, and facilitating payments between landlords and tenants.
3. How We Obtain Your Data
All personal data is provided directly and voluntarily by you through the following means:
- During account registration and profile setup (as a tenant or landlord)
- When submitting rental applications
- When booking or managing property viewings
- Through analytics cookies, but only after your explicit consent
4. What Data We Collect & Why
| Data | Purpose | Legal Basis |
|---|---|---|
| Name, email, phone number | Account creation and communication | Contract |
| Date of birth, gender, employment status, income, savings | Tenant rental application processing | Contract / Consent |
| Current address / Eircode | Property matching and geocoding | Contract |
| Payment details (via Stripe) | Listing purchases and subscriptions | Contract |
| Property details (landlord) | Listing creation and management | Contract |
| AI chat messages | Providing the in-app AI assistant | Contract |
| Analytics data (PostHog) | Platform performance and improvement | Consent |
5. Data Retention
- Account and profile data: Retained for as long as your account remains active. Upon an account deletion request, all data is permanently and immediately deleted from our systems.
- PostHog analytics: Stored on PostHog's EU servers. Retention is set to a maximum of 7 years in accordance with PostHog's data retention policy.
- Stripe payment records: Retained for approximately 7 years as required by financial regulations.
- AI chat logs: Stored in our database and deleted when your account is deleted.
6. Third-Party Data Sharing
We share data with third parties solely to deliver our core services. We do not sell your personal data to any third party.
| Third Party | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Payment details, billing info |
| Supabase | Database and authentication | All user and profile data |
| Google (Maps, Geocoding) | Property location display | Property addresses |
| Google (OAuth) | Social sign-in | Name, email |
| Google (Calendar) | Viewing appointment sync | Viewing dates, names |
| Google (Gemini AI) | AI chatbot responses | Chat messages |
| PostHog | Analytics (consent required) | Anonymised usage data |
| Sentry | Error monitoring | Anonymised error traces |
| Resend | Transactional emails | Email address, message content |
7. International Data Transfers
Some of our third-party service providers may process data outside the European Union. Where this occurs, we ensure appropriate safeguards are in place:
| Service | Storage Location |
|---|---|
| PostHog | European Union |
| Supabase | European Union — Ireland (eu-west-1) |
| Vercel (hosting) | Serverless functions: Dublin, Ireland (eu-west-1). Static assets via global CDN — no personal data stored. |
| Google services | Global; transfers covered by Google's Standard Contractual Clauses (SCCs) |
| Stripe | US-based; covered by SCCs and Stripe's Data Processing Agreement (DPA) |
8. How We Keep Your Data Secure
- Database (Supabase/PostgreSQL): Row Level Security (RLS) is enabled on all tables, ensuring each user can only access their own data.
- Admin access: Protected by email, password, and TOTP two-factor authentication (2FA).
- Encryption: All data in transit is encrypted via HTTPS/TLS. Supabase also encrypts data at rest.
- Payments: Processed entirely through Stripe. No raw card data is stored on Avaaso's servers.
- Session recordings: PostHog is configured with input masking enabled, preventing capture of sensitive form field data.
9. Your Rights Under GDPR
Under GDPR, you have the following rights regarding your personal data:
- Right of Access (Article 15): You may request a copy of all personal data we hold about you.
- Right to Rectification (Article 16): You may request correction of inaccurate or incomplete data.
- Right to Erasure (Article 17): You may request deletion of your personal data. Both tenants and landlords can delete their account directly within the platform.
- Right to Data Portability (Article 20): You may request your data in a structured, commonly used, machine-readable format.
- Right to Object (Article 21): You may object to processing of your data for marketing or analytics purposes at any time.
- Right to Restrict Processing (Article 18): You may request that we limit how we use your data in certain circumstances.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please email us at info@avaaso.com. We will respond within 30 days. You also have the right to lodge a complaint with the Irish Data Protection Commission (DPC) at www.dataprotection.ie.
10. Account Deletion
Both tenants and landlords can delete their account directly within the platform. Upon deletion, the following data is immediately and permanently removed:
- Profile and all personal information
- All rental applications (individual and joint)
- Saved properties and preferences
- Viewing appointments and calendar events
- Messages and conversation history
- (Landlords only) Property listings, received applications, organisation memberships, and billing history
11. Data Breach Notification
In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we are legally required under GDPR Article 33 to notify the Irish Data Protection Commission (DPC) within 72 hours of becoming aware of the breach. Where the breach poses a high risk to individuals, affected users will also be notified without undue delay.
12. Cookies
We use cookies on Avaaso.com. Analytics and marketing cookies are only placed with your explicit consent. Strictly necessary cookies are always active as they are required for the platform to function. Please see our Cookie Policy for full details.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Any material changes will be posted on this page with an updated “Last Updated” date. Continued use of Avaaso after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have any questions or concerns about this Privacy Policy or how we handle your data, please contact us at:
Xponentshift Limited
1 McElwain Terrace, Newbridge, Co. Kildare, W12 C434, Ireland
Email: info@avaaso.com