Skip to main content

Privacy Policy

Last updated: 15 April 2026

1. Who We Are

Kiri is a property rental management platform operated from Malta. For GDPR purposes, we are the data controller for the personal data you provide when using our Service. Contact: labrint@gmail.com.

2. Data We Collect

Account data: Full name, email address, phone number, hashed password.

Property data: Addresses, descriptions, photos, MTA licence numbers, amenities.

Financial data: Rent amounts, expense records, deposit tracking, meter readings. We do not collect or store bank details, credit card numbers, or payment credentials.

Tenant data: Names, email addresses, and phone numbers of tenants you add to leases.

Documents: Files you upload (leases, insurance, bills) stored in encrypted cloud storage.

Usage data: Page views and feature usage for improving the Service (no third-party analytics).

3. How We Use Your Data

We use your data to: provide and improve the Service; send transactional emails (verification, password reset, notifications); generate tax reports; display public property listings (only if you choose to publish); and communicate service updates.

4. Legal Basis (GDPR)

Contract: Processing your data is necessary to provide the Service you signed up for.

Legitimate interest: Security (2FA, rate limiting), fraud prevention, and Service improvement.

Consent: Marketing emails (if any) — you can withdraw consent at any time.

Legal obligation: Retaining financial records as required by Maltese tax law.

5. Data Storage & Security

All data is stored on Cloudflare infrastructure:

  • Database (D1): Western Europe region (WEUR)
  • File storage (R2): Encrypted at rest
  • Passwords: Hashed with PBKDF2-SHA256 (100,000 iterations)
  • Sessions: JWT tokens in httpOnly secure cookies
  • Connections: HTTPS/TLS encrypted in transit

6. Third-Party Services

We use the following third-party services:

We do not use third-party analytics, advertising networks, or tracking pixels.

7. Data Sharing

We do not sell your data. We share data only when: you choose to publish a property listing (locality and property details become public — never your full address or personal contact); sending emails via Resend (your email address); or required by Maltese law or court order.

8. Data Retention

Active accounts: data retained for the lifetime of the account. Archived properties: retained for 10 years for tax compliance. Closed accounts: data deleted after 30 days (except where legal retention applies). Enquiries from public listings: retained for 12 months.

9. Your Rights (GDPR)

As a data subject under GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data (via Settings)
  • Erase your account and data ("right to be forgotten")
  • Port your data (CSV export available)
  • Restrict or object to processing
  • Withdraw consent at any time

To exercise these rights, email labrint@gmail.com. We respond within 30 days.

10. Cookies

We use a single httpOnly session cookie (kiri_session) for authentication. It is strictly necessary for the Service to function. We do not use tracking cookies, analytics cookies, or advertising cookies.

11. Changes

We may update this policy. Material changes will be communicated via email at least 14 days in advance.

12. Complaints

If you believe your data rights have been violated, you may lodge a complaint with the Malta Information and Data Protection Commissioner (IDPC) at idpc.org.mt.

© 2026 Kiri. Property management for Malta.