DealDesk Privacy Policy
Last updated: April 3, 2026
DealDesk (“we”, “us”, “our”) is a real estate communication and management platform. This Privacy Policy describes how we collect, use, store, and protect your information when you use our service.
1. Information We Collect
Account Information
When you sign in through Google or Microsoft, we receive your name and email address from the authentication provider. We also store your account role and organization membership.
Property Listing Data
Information you enter about rental properties, including address, apartment number, city, state, postal code, monthly rent, security deposit, bedroom and bathroom count, square footage, amenities (pets allowed, dishwasher, laundry, doorman), available date, application links, deadlines, and scheduling times.
Inquirer & Prospect Data
Information about prospective tenants, including first and last name, phone number, email address, annual income, employer, employment status, desired move-in date, number of occupants, pet details (name, size, type), concession requests, and guarantor information (name, relationship, income).
Communication Data
Email templates you create (subject lines, message bodies, sender/recipient addresses, CC/BCC recipients). We also store email thread identifiers to maintain conversation continuity, but we do not store the content of emails sent or received through your connected accounts — that content remains in your Gmail or Outlook account and is fetched on demand.
Workflow & Automation Data
Workflow configurations you create, including block definitions, node settings, and connection rules used to automate your communication processes.
2. Google Account Permissions
When you connect a Google account, we request the following OAuth scopes:
- gmail.readonly — Read your email messages and metadata. Used to display incoming inquiries and conversation threads within DealDesk.
- gmail.send — Send emails on your behalf. Used to send replies and outreach emails to prospective tenants from your Gmail address.
- calendar.readonly — Read your calendar events. Used to display your availability for property showings and scheduling.
We store encrypted OAuth access and refresh tokens to maintain your connection. You can revoke these permissions at any time through your Google Account settings.
3. Microsoft Account Permissions
When you connect a Microsoft account, we request the following permissions via Microsoft Graph API:
- Mail.Read — Read your Outlook messages. Used to display incoming inquiries and conversation threads within DealDesk.
- Mail.Send — Send emails on your behalf. Used to send replies and outreach emails to prospective tenants from your Outlook address.
- Calendars.Read — Read your calendar events. Used to display your availability for property showings and scheduling.
- offline_access — Maintain your connection without requiring you to sign in each time you use DealDesk.
You can revoke these permissions at any time through your Microsoft Account privacy settings.
4. How We Use Your Information
We use the information we collect to:
- Provide and operate the DealDesk platform
- Send and read emails through your connected Gmail or Outlook account
- Display your calendar availability for scheduling
- Manage property listings and track prospective tenant communications
- Run workflow automations you have configured
- Provide address autocomplete when entering property addresses (via Google Maps/Places API)
- Communicate with you about your account and service updates
5. Data Storage & Security
- All account data is stored in a PostgreSQL database hosted by Supabase with enterprise-grade security controls.
- OAuth access and refresh tokens are encrypted at rest using AES-256-GCM authenticated encryption.
- Access tokens are temporarily cached in Redis (up to 55 minutes) for performance and are automatically cleared on expiration.
- All data in transit is protected by HTTPS/TLS encryption.
- Email content is not stored in our database. Messages are fetched directly from Gmail or Outlook APIs when you view them in DealDesk.
6. Third-Party Services
We use the following third-party services to operate DealDesk:
- Supabase — user authentication and PostgreSQL database hosting
- Google APIs — Gmail (email read/send), Google Calendar (event read), and Google Maps/Places (address autocomplete)
- Microsoft Graph API — Outlook email (read/send) and calendar (event read)
- Vercel — frontend application hosting
- Railway — backend API server and Redis hosting
Each third-party service has its own privacy policy. We encourage you to review them.
7. Data Retention & Deletion
- Your data is retained for as long as your account is active.
- When your account is deleted, all associated data is permanently removed, including property listings, inquirer records, workflows, email templates, and OAuth tokens.
- If you revoke OAuth access through Google or Microsoft, your stored tokens are automatically invalidated and deleted.
- Only email thread identifiers are stored for conversation threading — email message content is never persisted in our systems.
- To request deletion of your account and all associated data, contact us at the email address listed below.
8. Your Rights
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request deletion of your account and all associated data
- Disconnect your Google or Microsoft account at any time, either within DealDesk or through your provider's account settings
- Request a copy of your data in a portable format
- Withdraw consent for data processing at any time
To exercise any of these rights, contact us at the email address below.
9. Children's Privacy
DealDesk is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the “Last updated” date at the top of this page. Continued use of DealDesk after changes are posted constitutes acceptance of the revised policy.
11. Contact
For questions about this Privacy Policy or your data, or to exercise your rights, contact us at nathanieltsung@gmail.com.