Privacy Policy
Last updated June 25, 2026
1. Scope & Roles
This Privacy Policy describes how RQ200 ("we", "us", or "our") collects, uses, and protects information when you use the RQ200 property-management platform ("Service").
RQ200 is a data processor, not a data controller, for most personal data in the Service. When your organization (property managers, admins, brokers) enters personal information about tenants, applicants, contractors, or other individuals, your organization acts as the data controller — it decides what to collect and why. RQ200 processes that data on your instructions, solely to provide the Service.
This policy applies to all users of the Service: organization admins, managers, contractors, brokers, and the individuals whose data is entered by those users. It does not apply to third-party websites or services we may link to.
2. What We Collect
Account information. When you create an account or are invited to an organization, we collect your name, email address, phone number (optional), username, and a securely hashed password. We store the date and version of your consent to our Terms of Service.
Content you create. We store the data you and your organization enter into the Service: buildings and addresses, maintenance tasks and jobs, contractor assignments, unit records, notes, photos and videos uploaded as documentation, and any other content submitted through the platform.
Tenant and applicant personal data. Organization admins and managers may enter personal information about tenants and rental applicants, including: full name, email, phone number, current and prior addresses, and employment and income details. The rental application does not request Social Security numbers or driver's license numbers. Any such identifiers collected before July 2026 were field-encrypted at the application layer and are no longer displayed or exported by the Service. We do not store raw payment card numbers (billing is handled by a third-party payment processor).
Usage and diagnostic data. We collect server-side logs of API requests (endpoint, HTTP status, approximate response time) and client-side error reports to identify and fix bugs. We do not use third-party analytics SDKs. Logs are retained for a short period and are not tied to individual user identities beyond what is needed to diagnose a specific issue.
Communications. If you contact us at support@rq200.com, we retain those communications to respond to your inquiry and improve the Service.
3. How We Use It
We use the information we collect to:
- Provide and operate the Service — authenticate users, store and retrieve your data, generate notifications, process rental applications, and power all Service features.
- Send transactional notifications — task assignments, job updates, due-date reminders, completion confirmations, and other operational emails and (when enabled) SMS messages related to your account activity.
- Secure the Service — detect and prevent unauthorized access, abuse, and security incidents; enforce rate limits; maintain audit logs.
- Support you — respond to help requests, diagnose issues, and communicate material changes to the Service or these policies.
- Improve the Service — analyze aggregate, anonymized usage patterns to prioritize development. We do not build individual user profiles for marketing purposes.
We do not use your data for advertising. We do not sell your data to any third party. We do not share your data with third parties except as described in Section 4 (Sub-processors) and Section 5 (Data sharing).
4. Sub-processors
To provide the Service, we use the following third-party sub-processors. Each receives only the data necessary to perform its function.
- Amazon Web Services (AWS) — cloud hosting and transactional email delivery. Data processed: Service data hosted on our servers; email content and recipient addresses for notifications. Region: United States.
- Cloudflare — media file storage, edge network services (content delivery, DNS, and protection against malicious traffic), and Turnstile bot protection on our public tenant-request form. Data processed: uploaded media files; HTTP request metadata at the edge; and, for Turnstile, client signals such as IP address, TLS fingerprint, user-agent header, and the widget site key, processed solely to tell human visitors from bots (the check runs invisibly, with no challenge shown). Cloudflare's handling of those Turnstile signals is described in its Turnstile Privacy Addendum. Region: United States (storage); edge nodes globally.
- Twilio (when SMS is enabled by the organization) — SMS delivery for operational notifications (task assignments, reminders). Data processed: recipient phone numbers, message body. Enabled only when your organization activates SMS and a user verifies their phone number. Not active by default.
- Geocoding services — third-party services used to convert building addresses into map coordinates. Data processed: building street addresses only; no tenant or applicant personal information is sent.
- Tenant-screening / consumer-report provider — when your organization initiates a background or credit check on a rental applicant, the applicant's information (name, address history) is transmitted to the screening provider pursuant to the applicant's FCRA consent captured on the application form. The specific provider is designated per organization. RQ200 transmits the data on your instruction as the controller; the screening provider is an independent controller for purposes of the consumer report.
We will update this list when we add or replace sub-processors. Material changes to sub-processors will be communicated via the Section 12 change process.
5. Data Sharing
We do not sell your data — not to data brokers, advertisers, or any third party. Period.
We share data only in the following limited circumstances:
- Sub-processors listed in Section 4, under data processing agreements that restrict their use to providing the designated service.
- Legal compliance — if required by law, regulation, court order, or lawful request from a government authority with jurisdiction. We will attempt to notify the affected organization before complying unless we are legally prohibited from doing so.
- Business transfers — if RQ200 is acquired, merges, or transfers substantially all of its assets, your data may be transferred to the successor entity under the same privacy protections described in this policy. We will notify affected organizations of any such transfer.
- With your explicit consent — for any other purpose, with your prior written consent.
6. Retention
We retain your data for as long as your organization's account is active or as needed to provide the Service. Specifically:
- Account and content data — retained while the account is active. Inactive (soft-deleted) records may be retained for a short recovery window before permanent deletion.
- Media files — retained while referenced by at least one task, job, update, or application record in the Service. When the last record referencing a file is deleted, the underlying file is removed from storage.
- On cancellation or request: upon account termination (at your request or ours), you may request an export of your Customer Data within 30 days. After that window, we will delete your data from active systems. Backups may retain data for a short additional period consistent with our backup rotation schedule.
- Diagnostic logs — retained for a short period (typically 30–90 days) and not linked to individual identities beyond what is needed to diagnose a specific incident.
- Legal holds — we may retain specific data longer if required by law or in connection with a legitimate legal dispute.
To request data export or deletion, email support@rq200.com.
7. Security
We take reasonable technical and organizational measures to protect data against unauthorized access, disclosure, alteration, and destruction:
- Encryption in transit — all traffic between your browser and our servers is encrypted using industry-standard transport encryption (HTTPS/TLS). Media uploads travel directly from your browser to our storage provider over encrypted connections using short-lived, single-use upload links.
- Encryption at rest — data stored on our infrastructure, including media files, is encrypted at rest.
- Additional protection for sensitive identifiers — certain sensitive values (such as building access codes, and any Social Security or driver's license numbers collected before July 2026) receive an additional layer of application-level encryption before being stored, so they are not readable from the database alone.
- Org-scoped access control — all data is partitioned by organization. A user in one organization cannot access data from another organization. Within an organization, role-based access (admin, manager, contractor, broker) restricts what each user can read or modify.
- Authentication — passwords are stored using industry-standard one-way hashing and are never stored in plain text. Sessions use short-lived access tokens with server-side revocation, and an optional "remember me" sign-in uses a secure, browser-protected cookie.
- Abuse protection — sign-in and registration are rate-limited to resist automated credential-guessing attacks.
No security measure is perfect. We do not guarantee that the Service is immune to all security threats. We encourage organizations to use strong, unique passwords and to promptly report suspected security incidents to support@rq200.com.
8. Data Location
All data is stored and processed in the United States. Our servers and media storage are hosted in US-based data centers. Our content-delivery network may cache non-sensitive request metadata at edge locations outside the US, but Customer Data — your organizational content, tenant records, and media — resides in US data centers.
We do not currently offer data residency options in other geographic regions. If that changes, we will update this policy and notify affected organizations.
9. Your Rights & Choices
Organization administrators have the following controls within the Service:
- Access and correction — view and edit all data within your organization via the admin dashboard. Tenant and applicant records can be viewed, corrected, or deleted by your organization admins.
- Data export — request a machine-readable export of your organization's data by emailing support@rq200.com.
- Account deletion — close your organization's account and request data deletion by emailing support@rq200.com.
- Notification preferences — each user can configure which email (and, when enabled, SMS and push) notifications they receive via the Settings section of the dashboard.
Individual users (managers, contractors, brokers) may update their own name, email, and notification preferences from their account settings. To close their account or correct data they cannot edit themselves, they should contact their organization admin or email support@rq200.com.
Tenants and applicants whose data has been entered by an organization should contact that organization (the data controller) directly to exercise access, correction, or deletion rights with respect to their personal information. RQ200 will cooperate with organizations in honoring such requests. Applicants who have questions about their consumer report should contact the screening provider directly.
We will respond to verifiable requests within a reasonable time. We may ask you to verify your identity before acting on a request.
10. Breach Posture
In the event of a confirmed security incident that results in unauthorized access to or disclosure of personal data, RQ200 will:
- Investigate promptly and take immediate steps to contain the incident and mitigate harm.
- Notify affected organizations without undue delay — and in no case later than 72 hours after confirming the breach where feasible — providing a description of what happened, what data was involved, and what steps we are taking.
- Cooperate with affected organizations in any notifications they are required to make to individuals or regulatory authorities under applicable law.
To report a suspected security vulnerability or incident, contact us immediately at support@rq200.com. We take security reports seriously and will acknowledge receipt promptly.
11. Children
The Service is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. The Service is designed for property management professionals and is intended for use by adults. If we learn that we have inadvertently collected personal information from a child under 13, we will delete it promptly. If you believe we have collected such information, please contact us at support@rq200.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time as the Service evolves or as legal requirements change. When we make material changes, we will update the "Last updated" date at the top of this page and notify affected organization admins by email at least 7 days before the changes take effect where practicable.
Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the revised policy. If you do not agree to the revised policy, you should stop using the Service and request account closure.
13. Contact
For questions about this Privacy Policy, to exercise data rights, or to report a security concern, contact us at:
RQ200
Email: support@rq200.com
We will do our best to respond to privacy inquiries within a reasonable time.