Last Updated: July 19, 2025

Tentunit exists to simplify and secure the student housing experience by connecting individuals through trust, technology, and transparency. In short, to create a world where every student can confidently find a place to call home. We are a community built on integrity. A fundamental part of earning that trust is being clear about how we use your information and protecting your right to privacy.

This Privacy Policy describes how Tentunit, Inc. (“we,” “us,” or “Tentunit”) processes personal information in relation to your use of the Tentunit platform. Depending on where you live and how you interact with our services, additional privacy supplements may apply. We encourage you to review any applicable supplemental documents for details on how we handle your data in those regions and contexts.

Tentunit Privacy Policy – Table of Contents

Introduction
1.1. Purpose of This Policy
1.2. Scope of Application
1.3. Definitions
Who Controls Your Personal Information
2.1. Data Controller (Tentunit, Inc.)
2.2. Payments Controller
2.3. Insurance Controller
2.4. Regional Controllers and Supplements
Information We Collect
3.1. Information You Provide to Us
3.1.1. Contact, Account, and Profile Details
3.1.2. Identity and Verification Information
3.1.3. Payment and Transaction Information
3.1.4. Insurance and Coverage Data
3.1.5. Communication & Support Records
3.1.6. User-Generated Content
3.1.7. Biometric Data (Where Applicable)
3.1.8. Optional Submissions (Surveys, Research, Promotions)
3.2. Information We Automatically Collect
3.2.1. Device and Usage Data
3.2.2. Cookies and Similar Technologies
3.2.3. Log and Geolocation Data
3.3. Information We Collect from Third Parties
3.3.1. Linked Third-Party Accounts
3.3.2. Background and Identity Verification Services
3.3.3. Payment and Insurance Partners
3.3.4. Referrals and Co-Leasers
3.3.5. Complaints and Reports
How We Use Your Information
4.1. Core Service Delivery
4.2. Platform Safety and Trust
4.3. Communications and Support
4.4. Payments, Insurance, and Legal Compliance
4.5. Marketing and Promotional Purposes
4.6. Research, Analytics, and Product Development
4.7. User Personalization
4.8. Legal and Regulatory Obligations
How We Share Your Information
5.1. With Other Users
5.2. With Verified Landlords or Students
5.3. With Service Providers (e.g., payment processors, analytics tools)
5.4. With Insurance and Legal Partners
5.5. With Government, Law Enforcement, and Legal Authorities
5.6. In Corporate Transactions (e.g., mergers, acquisitions)
Your Choices and Privacy Rights
6.1. Accessing and Updating Your Information
6.2. Data Portability
6.3. Marketing Opt-Outs
6.4. Cookie Preferences
6.5. Account Deletion
6.6. Rights by Region (e.g., GDPR, CCPA)
Data Security and Retention
7.1. How We Protect Your Information
7.2. Data Storage and Retention Periods
7.3. Incident Reporting and Breach Notification
Children’s Privacy
8.1. Minimum Age Requirements
8.2. Parental Consent and Reporting
International Data Transfers
9.1. Cross-Border Transfers
9.2. Legal Safeguards (e.g., SCCs, Privacy Shield Alternatives)
Third-Party Links and Features
10.1. External Sites
10.2. Embedded Tools (e.g., Maps, Calendars)
Policy Updates and Notifications
11.1. When and How We Update This Policy
11.2. User Notification Procedures
How to Contact Us
12.1. Privacy Questions or Requests
12.2. Designated Data Protection Officer (DPO) Contact
12.3. Appeals and Complaint Resolution
Jurisdiction-Specific Disclosures
13.1. United States – CCPA
13.2. European Union – GDPR
13.3. Canada – PIPEDA
13.4. Other Regional Policies

Schedule 1: Entity-Specific Controllers and Contact Information

Introduction

Tentunit (“Tentunit,” “we,” or “us”) is committed to protecting the privacy and personal information of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard the data you provide when using our platform, which connects students and property owners for housing opportunities.

We understand that trust is fundamental to your use of our services. That trust depends on transparency, accountability, and a clear understanding of how your data is handled. Tentunit is therefore dedicated to ensuring that our data practices comply with applicable privacy laws and meet the highest standards of clarity and security.

This Privacy Policy is designed to help you understand:

What information we collect;
How and why we use it;
With whom we share it;
Your rights and choices regarding your data;
How long we retain your information; and
How we protect your data throughout its lifecycle.

We aim to present all of this in plain and accessible language so you can make informed decisions when using Tentunit. By accessing or using our services, you acknowledge and agree to the practices described in this Policy.

If you have any questions or requests related to privacy, please contact us at [email protected].

Scope of this Policy: This Policy applies to all users of the Tentunit platform and services. Whether you are a student searching for housing, a landlord listing a property, or any other visitor or account holder, if you use Tentunit’s website, mobile application, or related services, this Privacy Policy governs how your information is collected, used, and disclosed. It covers all personal data processed through your interactions with Tentunit. For example, when you create an account, browse or post property listings, submit rental applications, or communicate with others via our platform, this Policy will apply to the information involved. Our goal is to make sure that every individual and organization using Tentunit knows their data will be handled with the same care, no matter which Tentunit service or feature they use.

Compliance and Legal Basis: Tentunit is a U.S.-based technology platform, and we comply with all applicable privacy laws and regulations, including U.S. federal and state data protection rules and (where applicable) international laws such as the European Union’s General Data Protection Regulation (GDPR). We only process personal data when we have a valid legal basis to do so. For instance, when it is necessary to provide our services and fulfill our contract with you, when you have given consent for a particular use of your data, when we have a legal obligation, or when we have a legitimate business interest that is not overridden by your rights. In addition, we recognize that privacy requirements can vary by jurisdiction, so this Privacy Policy may be supplemented by region specific disclosures to address local laws. This approach ensures that no matter where you are located, Tentunit will handle your personal information lawfully, fairly, and transparently, in accordance with all applicable law and the high standards set by leading industry practices.

Transparency and User Trust: In summary, the purpose of this Privacy Policy is to clearly inform you of our privacy practices and reassure you that your personal data is in responsible hands. Tentunit values transparency and user trust above all. By reading this Policy, you will see our commitment to safeguarding your information at every step from collection and use, to sharing and storage, to your rights and choices. We want you to feel confident that your privacy is protected when you use Tentunit, and we will continue to uphold the strict privacy standards that users have come to expect from trusted technology platforms.

2. Who Controls Your Personal Information

2.1 Tentunit, Inc. (Sole Data Controller). All personal information collected through the Tentunit platform is controlled by Tentunit, Inc., a Delaware C-Corporation. In privacy terms, Tentunit, Inc. acts as the data controller of your personal information, meaning it is the entity that determines the purposes and means of processing your personal information. Tentunit, Inc. is responsible for deciding how your data is collected, used, and protected in accordance with this Privacy Policy and applicable U.S. law. For example, under California law Tentunit, Inc. qualifies as the “business” that collects and uses consumers’ personal information (analogous to a data controller) and thus bears the corresponding compliance obligations (such as providing notices and honoring California Consumer Privacy Act (CCPA) rights). All references to “Tentunit,” “we,” or “us” in this Privacy Policy refer to Tentunit, Inc. in its capacity as the sole data controller of your personal information.

2.2 Stripe (Payments Controller (Third-Party Processor)). For all payment transactions on the Tentunit platform, we partner with Stripe, Inc. (“Stripe”) as our designated payment processing provider. Stripe will collect and process your payment related information (e.g. credit card details, billing information) for the purpose of completing transactions, and in doing so Stripe acts as an independent controller of that personal information. This means that any personal data you provide for payments is handled under Stripe’s responsibility and is subject to Stripe’s own privacy policy and practices. Tentunit shares only the information necessary for payment processing with Stripe, and Stripe in turn controls and safeguards that data in compliance with its legal obligations. In practical terms, when you make a payment on our platform, Stripe is the party directly processing your payment data, and you may refer to Stripe’s Privacy Policy for details on how it uses and protects such information. (For a list of authorized third-party processors and partners, including Stripe, please see Schedule 1 of this Privacy Policy.)

2.3 Insurance Partners (Future Integration). Tentunit does not currently offer insurance services directly. However, if and when Tentunit integrates insurance offerings into the platform, we will do so in collaboration with properly licensed insurance partners in the United States. In such an event, Tentunit will share relevant personal information with these licensed U.S. insurance partners solely for the purposes of providing and servicing the insurance products or services requested by our users. Any insurance partner we engage will be required to handle your personal information in accordance with this Privacy Policy and all applicable privacy laws and regulations. These partners would likely act as independent data controllers for the personal information necessary to quote, issue, or administer insurance (for example, they may determine eligibility and pricing using your data), while Tentunit remains a controller for the personal data in our possession. We will ensure that any such data sharing arrangement is made transparent to you including updating this Privacy Policy (and relevant sections such as Schedule 1) to identify the insurance partner and describe the scope of information sharing before any personal information is shared for insurance purposes. Please note that until any insurance integration occurs and is announced, Tentunit will not share your data with insurance companies.

2.4 United States (Only Operations and CCPA Compliance). Tentunit’s services and data practices are currently limited to the United States, and this Privacy Policy is accordingly focused on U.S. privacy requirements. We do not presently operate in or target any other countries or regions, which means international privacy laws (such as the GDPR or other non-U.S. data protection laws) are not within the scope of this Policy. Instead, Tentunit adheres to applicable federal and state privacy laws within the U.S. In particular, we comply with the California Consumer Privacy Act (CCPA) (as amended by the California Privacy Rights Act) for eligible California residents. Tentunit, Inc. meets the definition of a “business” under the CCPA, and we have implemented practices to honor the rights of California consumers and provide required privacy disclosures (see Schedule 1 for a summary of CCPA categories of personal information collected and shared). No regional supplements outside the United States are provided at this time, since our operations do not extend beyond U.S. jurisdictions. If Tentunit expands its services to other jurisdictions in the future, we will update our Privacy Policy to include any additional region-specific privacy disclosures or comply with any new legal requirements as needed.

3. Information We Collect

We collect various types of information to provide and improve our services. This includes information you directly provide to us, data we collect automatically through your use of our platform, and information we obtain from third parties. Below is a detailed breakdown of these categories:

3.1. Information You Provide to Us

This category includes personal data that you voluntarily share with us through your interactions (e.g. creating an account, filling out forms, or communicating with support).

3.1.1. Contact, Account, and Profile Details

When you register an account or fill out your profile, we collect basic contact and identity details. This includes information such as your full name, email address, phone number, postal address, date of birth, username, and profile photograph. These details help identify you on our platform and enable us to contact you as needed.

3.1.2. Identity and Verification Information

For certain services, we may require additional identity verification data to ensure security and trust. This can include government issued identification details or documents (e.g. passport, driver’s license, national ID) and related information. For example, we might ask for a scanned ID or an image of your government-issued ID document, along with other verifying info like your date of birth, address, or even a selfie for facial verification. We only request and collect this information where appropriate (such as to verify your identity in compliance with law or platform safety requirements).

3.1.3. Payment and Transaction Information

If you make payments or transactions through our service, we collect the information necessary to process and record those transactions. This includes your payment details (such as credit or debit card numbers, bank account information, PayPal or other payment account identifiers) and transaction data like the date, time, and amount of each payment. We may also capture billing information (e.g. billing address or ZIP code) and other related financial details to facilitate payments and provide receipts or invoices.

3.1.4. Insurance and Coverage Data

In cases where our services involve insurance or coverage (either now or in the future), we collect relevant insurance related information. For example, if you opt to purchase an insurance plan or are required to show proof of insurance, we will gather details needed for that process. This may include personal details (name, contact information) and specific policy information such as your insurance provider’s name, policy number, coverage limits, and related details. We obtain and use this information to verify coverage or facilitate insurance services (e.g. confirming you have required insurance for a rental or enrolling you in an insurance program associated with our platform).

3.1.5. Communication & Support Records

We maintain records of your communications with us and through our platform. If you contact customer support or otherwise correspond with us (by email, phone, chat, etc.), we will collect and store those communications, including any information you choose to provide in those interactions. For example, we may keep copies of support emails, chat logs, or call recordings when you speak with our support team for quality assurance and to address your inquiries. Additionally, if our platform enables communication between users (such as in-app messaging or calls), we may log details of those communications (like timestamps, participant info, and message content) as permitted, in order to investigate issues, enforce our policies, and improve user safety.

3.1.6. User-Generated Content

Any content you create or submit on our platform is collected as part of providing the service. This refers to the information and media you generate, such as listings, posts, reviews, comments, photos, videos, or other materials you choose to upload or share. For instance, if you post a listing or submit a review, all the details in that content (text descriptions, images, etc.) are collected and stored. This also includes information you provide to be displayed publicly or shared with other users on the platform. We collect user generated content to display it to others as intended, to moderate it for compliance with our guidelines, and to make improvements based on user feedback.

3.1.7. Biometric Data (Where Applicable)

If enabled for our services, we may collect biometric identifiers or information for verification purposes where applicable. For example, to enhance security, we might allow you to provide facial recognition data or a selfie alongside your ID document to verify your identity. In such cases, the biometric data (e.g. facial geometry or other biometric identifiers, potentially fingerprint or voiceprint in future) would be collected only with your knowledge and consent and as permitted by law. We will use any biometric data solely for the stated verification purpose and protect it in accordance with applicable privacy regulations.

3.1.8. Optional Submissions (Surveys, Research, Promotions)

We also collect information that you choose to submit optionally in the context of surveys, research programs, or promotional activities. If you volunteer to participate in a user research study or fill out a survey, we will collect your responses and any data you provide in that process (which might include feedback, opinions, or demographic information). Likewise, if you take part in promotions such as contests, sweepstakes, or referral programs, we gather the information you submit for those (for example, contest entries, referral contact info, or survey answers). These submissions are entirely voluntary; if you opt in, we use the information to administer the program (e.g. to analyze survey results or to deliver promotion rewards).

3.2. Information We Automatically Collect

When you use our website or application, certain data gets collected automatically through technological means. This information helps us understand how our services are used and enables us to secure and improve our platform. The automatically collected data includes:

3.2.1. Device and Usage Data

We collect details about the device you use to access our services and how you interact with our platform, without you having to explicitly provide this data. This includes technical information about your device and network, such as your IP address, operating system, browser type, hardware model, unique device identifiers, and crash or error logs. We also gather usage information, for example: the pages or screens you view and the actions you take on our site/app, the features or services you use, your search queries, click paths, time spent on pages, and timestamps of your visits or transactions. This device and usage data is collected through server logs and analytics tools and helps us troubleshoot issues, analyze trends, prevent fraud, and improve the functionality and user experience of our platform.

3.2.2. Cookies and Similar Technologies

We use cookies and similar tracking technologies to collect information about your browsing activities on our platform. Cookies are small text files placed on your device that allow us to recognize you on subsequent visits and store certain preferences. Along with cookies, we may use tools like web beacons, pixels, and local storage objects to gather data about how you navigate and use our services. These technologies collect information such as the pages you visit, links or features you click, your IP address and browser type, and other usage statistics and preferences. We utilize this data for purposes like remembering your settings, personalizing content, helping you stay logged in, and analyzing site traffic and user behavior to improve our services. (For more details on our use of cookies, please refer to our Cookie Policy.)

3.2.3. Log and Geolocation Data

Our systems automatically generate logs that record certain events and information whenever you interact with our platform. These log files can include data such as your IP address (and thereby your general location), the dates and times of access, pages visited or actions performed, and device information, among other usage details. We collect details of visits to our site for example, the volume of traffic, which resources or endpoints were accessed, and any system errors or messages in order to monitor the service and ensure stability. In addition, we may collect geolocation data to the extent you allow or it’s implied by the service. Approximate location can sometimes be determined from your IP address or network signals, and if you grant permission (for instance, via a mobile app), we might also collect more precise location information from your device’s GPS or from nearby Wi-Fi and cell tower data. This geolocation information can be used for location-based features of our service (for example, showing local content or offerings) or for security and fraud prevention. You can typically control or disable precise location sharing through your device settings if you do not want to share GPS-level data.

3.3. Information We Collect from Third Parties

In addition to data you give us directly or that we collect via your use of our service, we may also obtain information about you from external sources. This happens when you connect third-party services to our platform or when our partners and service providers share data with us to help run our services. Such third-party sources and the information they provide include:

3.3.1. Linked Third-Party Accounts

If you choose to link or log into our platform using a third-party account (for example, Google, Facebook, Apple, or another service), we receive certain information from that third party as authorized by you. When you connect these accounts, the third-party service sends us data such as your profile information (e.g. your name, email address, profile photo) and potentially your friend list or contacts, depending on the permissions you grant. For instance, using Facebook Login might share with us your public Facebook profile and friend network as allowed by your Facebook privacy settings. We use this information to streamline account creation, verify your identity, and help you find people you may know on our platform. (The exact data we receive varies by provider and is governed by the third-party account’s privacy policies and your settings there.)

3.3.2. Background and Identity Verification Services

To support trust and safety on our platform, we may obtain personal information about you from background check providers or identity verification services. In cases where our service involves screening users (for example, for tenant screening or to ensure community safety), we will request reports or confirmations from third-party services that specialize in background information. This might include, as allowed by law, retrieving criminal record checks, sex offender registry status, creditworthiness, or other publicly available background information. For example, we might use your full name and date of birth to request a background check report from an authorized agency, which could tell us if there are any relevant criminal records on file. Any such screening is done in accordance with applicable laws, and often with your knowledge or consent. The information we receive from these third-party checks is used strictly to determine eligibility, enhance security, and comply with legal or contractual requirements.

3.3.3. Payment and Insurance Partners

We may receive information from our payment processing partners and (where applicable) insurance partners in the course of providing you services. For example, if you make a payment through an integrated third-party payment provider or choose a financing plan, the financial institution or payment processor might share some details with us to complete the transaction. This can include confirmation of payment, your account details or status, or a payment schedule for installment plans. Similarly, if our service works with an insurance company (for instance, to offer renter’s insurance or validate an insurance policy for a rental), we could receive data confirming your coverage or policy details from that third-party. Such information may encompass your policy status, coverage amounts, or claims information needed to verify that you meet our requirements or to administer an insurance product. We only obtain what is necessary from these partners to facilitate the service you’ve opted into (e.g. confirming a successful payment or that you have active insurance coverage), and any information shared with us from these third party sources is handled under the same privacy protections as the data you provide directly.

3.3.4. Referrals and Co-Leasers

If someone else provides your information to us through referral features or as a co-party to a transaction, we will collect that information. For instance, our platform may allow users to refer friends or add co-leasers/co-tenants to a lease or reservation. If you are invited or referred by another user, that person might give us personal information about you such as your name, email address, or phone number in order to send you an invitation or to include you on a lease agreement. Likewise, if an existing user adds you as a roommate or co-signer, the details they input (your contact info or other required details) are collected into our system. We use this information to contact you with referral invitations or to associate you with the relevant rental/lease account. If you receive such an invitation or referral, you will have the chance to confirm your information and may be asked to accept our terms before fully joining the platform.

3.3.5. Complaints and Reports

We also collect information that others provide about you in the form of complaints, reports, or feedback. If a third party (for example, another user, a neighbor, or an external entity) submits a complaint or incident report regarding your activities or behavior in relation to our services, we will receive whatever information they include in that report. This could range from the nature of an issue (e.g. a noise complaint or violation of terms) to evidence or details about the incident. For example, a co-leaser or landlord might report a problem and provide documents or messages relevant to the complaint. We collect and retain these complaints and reports as part of maintaining a safe and responsible platform. The information is used to investigate and address the issue, to take appropriate action (if needed), and to comply with any legal or regulatory reporting obligations. We treat complaint information sensitively and only share it with those who need to know (such as relevant support or compliance personnel), unless disclosure is required as part of resolving the matter.

Each of the above categories of information is collected in accordance with our Privacy Policy and applicable law. We only gather what is necessary for the purposes described, and we implement safeguards to protect your personal information. If a certain type of data is not needed or not yet utilized (for example, biometric data or certain insurance details might not be collected until a future feature is introduced), we will not collect it. We are committed to transparency about our data practices, and this Information We Collect section outlines the full scope of personal information that you may encounter when using our services. All of this data enables us to provide you with a secure, reliable, and personalized experience.

4. How We Use Your Information

We use the personal information we collect for a range of purposes necessary to operate our platform and provide services to you. In this section, we outline the key ways in which your information is utilized. Our practices are aligned with industry standards and similar to how major companies use customer data for service delivery, safety, communication, and improvement. Below, we break down the uses of your information into several categories for clarity.

4.1. Core Service Delivery

Your information is fundamental to delivering our core services. We primarily use personal data to provide and maintain the services you expect from us. This includes:

Account Setup and Management: Using your details to create, maintain, and secure your user account and profile (e.g. account credentials and identity verification for login).
Service Provision: Enabling the main functionalities of our platform for example, facilitating transactions or bookings, matching you with relevant services or other users, and ensuring the service operates as intended. We use your information to process any requests or orders you place through our platform and to carry out the services you sign up for. As an illustration, Amazon notes that it uses customers’ personal information to take and handle orders, deliver products and services, process payments, and communicate with customers about their orders.
Service-Related Communications: Using your contact information to send confirmations, receipts, updates, and notifications that are necessary for delivering the service. This covers things like sending booking confirmations, reminders, or alerts about changes or issues affecting your use of the service.
Customer Support in Service Delivery: Accessing relevant data about your account or transactions to resolve any issues you encounter. For instance, if you experience a problem, we will use your information to troubleshoot and provide assistance as part of delivering the core service. (We discuss communications and support in more detail in Section 4.3 below.)

In short, we use your information wherever needed to operate the platform and fulfill the services you have requested. This core usage is essential for us to meet our contractual obligations to you as a user of our services.

4.2. Platform Safety and Trust

Maintaining a safe, secure, and trustworthy environment is a top priority. We use personal information to protect our community and prevent misuse of the platform. This involves:

Identity Verification and Background Checks: Confirming your identity and eligibility to use certain features. We may use identity documents or perform background screening (where lawful) to verify user credentials and build trust. This is similar to practices on other platforms – for example, Airbnb processes personal data to verify information provided by users (including identity info) and even conduct background checks for safety.
Fraud Detection and Prevention: Monitoring for suspicious or fraudulent activities. Your usage patterns and device information may be analyzed to detect fraud, spam, or any abuse of our services. If flags are raised, we use the data to investigate and take action (such as blocking fraudulent transactions or accounts). According to Airbnb’s policies, companies use personal information to detect, prevent, and address fraud and security risks on their platforms.
Security Monitoring: Using technical data (like device identifiers, IP addresses, login history) to safeguard the platform. This helps us identify and block unauthorized access attempts, secure user accounts, and prevent security incidents such as hacking or data breaches.
Policy Enforcement: We use information (including reports from users or automated analysis) to ensure compliance with our Terms of Service and community guidelines. For example, if we receive complaints or detect content that violates our policies, we will review the relevant user information or communications to investigate. This may result in warnings or, if necessary, suspension of accounts to uphold platform standards.
User Ratings and Trust Signals: On platforms that involve user interactions (such as marketplaces or sharing economy services), we may utilize ratings, reviews, and feedback data. This helps encourage good behavior and allows us to intervene when trust metrics (like consistently low ratings) indicate a problem.

Overall, your information is used to keep the platform safe and reliable for all. By verifying identities, preventing fraud, and enforcing rules, we aim to foster trust among users. These measures reflect common practices of large platforms to protect their user community.

4.3. Communications and Support

We also use your information to communicate with you and provide support when needed. This covers both automated service messages and direct interactions through our support channels:

Transactional and Service Announcements: We will send you communications that are necessary for using the service. For example, we might email or text you to verify your email address or phone number when you sign up, to confirm a booking or purchase, to notify you of changes to our terms or policies, or to alert you about service outages or security issues. These are not marketing messages but essential notices to keep you informed about your account and usage.
User Inquiries and Customer Support: If you contact us with questions, feedback, or problems, we will use your information to assist you and resolve issues. This may involve reviewing your account details, past orders/transactions, or relevant communications to troubleshoot the problem. We might ask for additional info to clarify the situation and will use your contact info to reach out with a solution or follow-up. While we may not record calls, we similarly keep records of support interactions (like emails or chat logs) to ensure quality service.
Direct Communication Between Users: In some cases, our platform may facilitate communications between users (for example, allowing a service provider and a customer to arrange details of a service). We may use information to enable these communications in a safe way. This could mean masking contact details (for privacy) while still allowing necessary coordination. (For example, a rideshare driver might call a rider through an anonymized number). Any such user-to-user communication using our platform may be monitored or recorded for safety and support purposes, in accordance with applicable law.
Customer Service Improvements: We analyze our support interactions to improve our customer service. Details like response times, frequently asked questions, and common issues can help us train our support team better and update our help resources. Our goal is to make sure you receive timely, helpful assistance.

In summary, we use your information to stay in touch with you about important service matters and to help you when you reach out. We strive to keep these communications useful and respect your preferences (for example, you may choose how we contact you in your notification settings).

4.4. Payments, Insurance, and Legal Compliance

Some of your information is used to process financial transactions, manage insurance or related services, and ensure legal compliance in these areas:

Payment Processing: When you make or receive payments through our platform, we use the relevant personal and financial information (such as your payment card details or bank information) to facilitate those transactions. This includes charging your chosen payment method for services, issuing payouts (if you are earning money on the platform), and keeping records of transactions. We must share data with our payment processors (like credit card companies or payment gateways) to complete transactions, and we use your information to send you invoices or receipts. All payment data is handled securely and in accordance with industry standards (such as encryption and PCI DSS compliance).
Insurance and Claims: If our services include any insurance programs, guarantees, or claims processes (for instance, insurance for events, rentals, or other activities on the platform), we will use relevant information to administer these programs. This could involve sharing certain data with insurance partners or underwriters, and using details of an incident to process a claim. If an incident occurs that is covered by an insurance or protection plan we offer, we will use the information you provide (and information from any investigation of the incident) to determine coverage, facilitate the claims process, and comply with any legal requirements tied to insurance.
Financial and Legal Compliance: We use and retain transaction data as needed to comply with legal obligations related to payments and finances. This includes obligations like tax reporting, accounting, record-keeping, and audits. We maintain appropriate records of payments and payouts, which may include invoice details, transaction dates and amounts, and associated user information, to meet requirements under applicable law. Additionally, we may use personal identifiers and financial information to comply with anti-fraud and anti-money laundering rules (for example, verifying your identity or checking that you are not on government sanction lists, where legally required).
Regulatory and Contractual Requirements: In certain industries, there may be regulations or contractual requirements that compel us to use your information in specific ways. For example, if we are facilitating housing rentals, we might be required by law to collect and share occupancy information or tax information with government authorities. If such rules apply, we will use your data strictly for those compliance purposes. We also ensure any insurance requirements are met, such as retaining proof of coverage or incident reports for a legally prescribed period.

In essence, whenever you engage in a paid transaction on our platform or benefit from an insurance/guarantee service, we use your data to make sure it all happens smoothly and lawfully. This covers charging and paying funds, handling any claims, and adhering to the laws that regulate payments and insurance. We take care to limit the information used to only what is truly needed for these processes and to protect it according to industry best practices.

4.5. Marketing and Promotional Purposes

With your consent or as permitted by law, we may use your information for marketing, advertising, and promotional communications. Our goal is to inform you about opportunities and updates in ways that are relevant and respect your preferences. This includes:

Promotional Communications: Using your contact information (such as your email address) to send you news about new features, services, or special offers that we think you might find valuable. For example, we might announce a new partnership, a discount on services, or a user referral program via email newsletters. We will only send you promotional emails or texts if you have agreed to receive them, and you can opt out at any time. (We do not share your contact information with third-party marketers without your explicit consent.)
Personalized Advertising: We may utilize data about your use of the platform – such as your searches, location, or service history – to show you targeted ads or suggestions. This could be on our own platform or, in some cases, on external advertising channels (e.g., showing you an ad on a social media platform for a service available on our app). Any such advertising will follow applicable privacy laws and industry guidelines (for instance, if we ever engage in interest-based advertising, we will provide the appropriate notices and opt-out options)

Offers, Contests, and Surveys: If we run a special promotion, contest, or survey, we will use the information necessary to administer those programs. For example, if you enter a sweepstakes, we might use your contact info to notify you if you win, or if we offer referral bonuses, we’ll track referrals to credit the appropriate accounts. We might also send out user surveys and use your responses to improve our services or marketing strategies (aggregating results so that individual feedback is not publicly tied to your identity).

Future Promotional Programs: While our current operations are focused only in the United States and we are not yet running extensive promotional campaigns, we want you to be aware that we may introduce new marketing programs in the future. This could include loyalty rewards, partnership offers, or expanded advertising initiatives as our business grows. If and when we launch such programs, we will update our privacy disclosures and provide you with any required choices (such as opting in or out). For now, you will only receive marketing messages directly from us and only if you are an inaugural US user who has agreed to such communications. We do not currently engage in international marketing outreach, given that our service is only available in the USA at this time.

Rest assured, you remain in control of your marketing preferences. If you receive promotional emails, each message will contain an unsubscribe link. You can also adjust your notification settings in your account at any time to limit or stop marketing messages. Our use of your data for marketing is designed to be transparent and permission-based.

4.6. Research, Analytics, and Product Development

We are continuously improving our platform, and your information helps us innovate. We use collected data for internal research, analytics, and to develop new products or features. This use of data is quite common across tech companies as it allows services to evolve and better meet user needs. Here’s how we leverage your data for improvement:

Usage Analytics: We analyze how users interact with our app/website. For example, we look at which features are most used, how often certain actions are taken, and where users might encounter errors. This usage data (often aggregated and anonymized) helps us understand what’s working well and what can be improved. It can inform decisions like simplifying a frequently confusing interface element or adding resources where users tend to ask for help.
Performance and Debugging: Technical information (such as logs of errors or crashes, device types, load times) is utilized to debug issues and improve performance. By examining error reports or crash diagnostics, our engineers can identify and fix problems to make the platform more reliable.
Feature Testing and Development: We might use a subset of user data to test new features (for example, through beta programs or A/B testing). By observing how a new feature performs with real usage, we can refine it before a full release. Your feedback, either provided directly or inferred from how you use the service, is crucial in guiding our development roadmap.
Improving Safety and Security: Analytics are also applied to enhance safety measures. For instance, by analyzing data on incidents or close calls on the platform, we can implement better safeguards or detection algorithms.

Research and Insights: We may compile information to generate insights about trends and preferences. This could involve user surveys, studying market trends, or collaborating in academic or industry research (always under strict privacy protections, e.g., using anonymized data). Such research helps us understand broader impacts and how people use our service in context, which in turn fuels innovation.

In all cases, we take care to protect your privacy when using data for analytics and development. Typically, this work is done on aggregated or de-identified data sets that look at overall patterns rather than focusing on individuals. The improvements and new features that result from this analysis ultimately benefit you and all our users, as they make the platform more useful, efficient, and secure.

4.7. User Personalization

To make your experience more convenient and relevant, we use your information for personalization. Instead of a one-size-fits-all service, personalization allows us to tailor what you see and how the service works for you, based on your preferences and behavior. Here are ways we personalize our service:

Content and Recommendation Personalization: We might suggest things to you based on your activity. For instance, if our platform is a marketplace or listing service, we could recommend listings or providers similar to ones you’ve interacted with. If it’s a content or social platform, we might personalize which posts or profiles are shown to you. These recommendations are driven by your past behavior (e.g., categories you’ve shown interest in, your location, or items you’ve marked as favorites). The aim is to help you discover services or content that are relevant to you.

Interface Customization: We use your settings and usage patterns to customize the app/website interface for you. This can be simple things like remembering your language preference, display settings, or the last page you visited. It can also involve showing certain UI elements by default because you use them often (for example, if you frequently use a specific filter or tool, the system might surface it prominently for easier access).
Personalized Offers and Content: In conjunction with our marketing efforts (see Section 4.5), personalization means that any offers or updates you see are more likely to be relevant to you. For example, we might feature a promotion on the home screen that aligns with services you’ve used before, or send you a notification about a new feature that fits your usage profile. If you never use a certain part of our service, we will generally avoid cluttering your experience with information about it.
Location-Based Personalization: If you’ve permitted location access, we may tailor the content to your region. This could mean showing nearby options first, or providing information specific to your city or state. Since we currently operate in the USA only, location personalization mostly involves regional differences (for instance, city-specific offerings or compliance with state laws that may require showing certain info to users in that state).

All these personalization efforts are intended to make the service more useful to you. We want to save you time and present you with what you’re likely looking for. Importantly, personalization does not mean making decisions that could negatively affect you without your knowledge; it’s about enhancing convenience. You always have the option to adjust personalization features (where applicable). For example, if recommendation feeds are provided, you can usually influence them by adjusting your profile or preferences. We follow best practices to ensure personalized experiences are transparent and beneficial.

4.8. Legal and Regulatory Obligations

Finally, we use personal information to fulfill our legal duties and respond to regulatory requirements. Various laws may require that we collect, retain, or disclose certain data about our users, and we take these obligations seriously. Here’s how we handle data in such contexts:

Compliance with Laws: We may process and retain your information as needed to comply with applicable laws and regulations. This can include consumer protection laws, privacy laws, financial regulations, and any other legal requirements that apply to our operations. For example, Amazon explicitly states that it uses personal information to comply with legal obligations in certain cases. This could mean retaining transaction records for a mandated period, or collecting specific information to meet regulatory standards (such as age verification for age-restricted services).
Responding to Legal Requests: If we receive a legal request or order (for instance, a subpoena, court order, or request from law enforcement agencies), we may need to use and possibly share certain personal information to respond. We will only do so after verifying the request is legitimate and as required by law. If necessary, we might use your data to cooperate with investigations (e.g., providing information to law enforcement when required for criminal cases or to regulatory bodies for compliance audits).
Enforcing Our Rights and Agreements: We use personal information to enforce our Terms of Service and other agreements (such as user agreements or partner contracts). If there is a dispute or if we suspect violations (fraud, harassment, intellectual property theft, etc.), we will use relevant data to investigate and address the issue. This may involve reviewing communications sent over the platform or usage logs to gather facts. In the event that we need to pursue legal action (or defend ourselves against a claim), we will use and possibly present necessary information as evidence, in accordance with privacy laws. This also ties into protecting our rights and the safety of others – we will use data to detect and prevent harm to our company, our users, or the public (for example, analyzing threats or misuse).
Regulatory Reporting and Cooperation: If our industry is subject to specific regulatory oversight (for example, transportation, housing, finance, etc.), we might be obligated to collect and sometimes report data to regulators. We will use your information strictly for these purposes when required. This could include statistical reporting on platform usage, safety incident reports, or compliance reports on privacy and security practices to authorities. Any such reporting is done under confidentiality and only as mandated.
Other Legal Uses: There may be scenarios like mergers or acquisitions where using or disclosing data is necessary for legal reasons (e.g., during due diligence). In such cases, we ensure any involved parties are under strict obligations to keep information confidential and use it only for the legal purpose at hand. Additionally, we adhere to any data retention laws that dictate how long we must keep certain information, even if you request deletion (we will inform you when this is the case, such as keeping transaction data for tax requirements).

In summary, we use your information to meet our legal responsibilities and to protect our legal interests. We will always strive to limit the information we disclose or use to what is strictly necessary and will inform you where possible (for example, we may notify users about information requests, unless prohibited by law). Your privacy is important, but we must balance that with legal requirements and the safety of our community, using your data in a responsible and lawful manner.

5. How We Share Your Information

Tentunit operates exclusively in the United States, and we share personal data only with the U.S.-based recipients and in compliance with applicable U.S. laws. Below we describe the limited circumstances in which we may share your information.

5.1. With Other Users

Landlords and students on Tentunit can see only the profile and listing details needed to connect. For example, our platform displays a rental listing’s basic information along with the landlord’s contact details so that an interested student can inquire about the property. Likewise, when a student expresses interest in a listing, the student’s name and contact information (such as email) are provided to the landlord so that each party can follow up on the rental opportunity. This sharing is strictly limited to non-sensitive data (name, photo, listing description, availability, etc.) and is intended solely to facilitate communication and bookings between users.

5.2. With Verified Landlords or Students

When you apply to rent a property or otherwise enter a housing agreement, we share certain details with the other party to complete the transaction. For instance, if a student schedules a viewing or submits a rental application, we will provide the student’s profile information (name, background-checked status, etc.) and contact details to the landlord, and vice versa, so each side can verify identities and finalize the lease. We only share verification status or rental history if you have supplied it on your profile. In all cases, such sharing is done with your consent and is limited to the minimum information needed to process the application or agreement.

5.3. With Service Providers

Tentunit uses third-party service providers only to support core platform operations – primarily payment processing and legal compliance. Our sole payment processor is Stripe (a U.S. company), and we share only the data necessary for Stripe to process your payments (for example, transaction details and any identity information required by law). Stripe is contractually bound to keep this information secure and to use it only to provide the requested services. We do not share your payment or personal data with any other payment companies. Crucially, we never sell or rent your personal information to unaffiliated marketers. Consistent with industry best practices (and as exemplified by Stripe’s privacy commitments), we do not share user data with third parties for their marketing purposes.

5.4. With Insurance and Legal Partners

In limited cases you may opt in to additional services (such as renters insurance) or require legal services in connection with your tenancy. If we offer a renters-insurance option and you opt in, we will share only the information needed to arrange coverage – for example, your name, contact, rental address, and lease dates – with the insurance provider. Any such sharing is done only with your explicit consent and is limited to the specific details the insurer requires. Similarly, if we engage attorneys or claims administrators on your behalf (for example, to handle an insurance claim or legal dispute), we will provide them only the necessary information (such as your personal and lease data) under strict confidentiality. In all cases, these partners are required to protect your data and use it solely for the intended insurance or legal purpose.

5.5. With Government, Law Enforcement, and Legal Authorities

We will disclose personal information to government or law enforcement agencies only when required by U.S. law or legal process. For example, Tentunit may provide your data in response to a valid subpoena, court order, or other lawful request by a governmental or public authority. We also cooperate with law enforcement or regulatory investigations of illegal activity when required, or disclose information to prevent harm or protect the safety of Tentunit users and the public. In each case, we disclose only the minimum information necessary to comply with the legal requirement, and we do so in accordance with U.S. legal standards.

5.6. In Corporate Transactions

If Tentunit is involved in a merger, acquisition, reorganization, or sale of assets, your personal information may be treated as one of the company’s business assets. In such a transaction, your data may be transferred to the new owner or successor organization. We will make reasonable efforts to notify you before any such transfer occurs. Any successor entity would be required to honor the terms of this Privacy Policy with respect to your information.

6. Your Choices and Privacy Rights

Access and Updates. You may access and update your profile or account information at any time by logging into your Tentunit account. If any of your information is out of date or incorrect, you can edit it in your account settings or contact us for assistance.
Data Download and Portability. You may request a copy of the personal data we hold about you. We will provide your data in a structured, commonly used, machine-readable format when possible. Where technically feasible, you may also request that we transmit your data to another service provider.
Marketing and Communication Preferences. You can opt out of promotional marketing communications at any time. To stop promotional emails, simply click the “unsubscribe” link included in any marketing message or visit your account’s notification or communication settings. We will promptly process all unsubscribe requests. (Note: you may still receive important service-related messages, such as account notices or transactional emails, even after opting out of marketing.) In addition, you may control push notifications or in-app messages through your device and account settings.
Account Deletion and Data Retention. You may delete your account at any time. Upon receiving a verifiable request, we will deactivate and then permanently delete your account and associated personal data, except for any information we are legally required or permitted to retain (for example, to comply with law or resolve disputes). Once your account is deleted, you will no longer have access to it or any data in it; you would need to create a new account to use our services again. We may retain de-identified or aggregate information for internal purposes, but no identifying personal data will be kept beyond legal requirements.
State Privacy Rights. Because Tentunit operates in the United States, you have additional rights under applicable U.S. state privacy laws. For example, California residents have rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to request access to or deletion of personal information and the right to opt out of the “sale” or sharing of their data. (Note that Tentunit does not sell personal information for money. California and other state residents can exercise their rights (such as access, deletion, and opt-out of sharing) by contacting us or using the tools provided in their account. We will verify any such requests to protect your privacy. We do not discriminate against users exercising these rights. We will comply with all applicable state privacy regulations in processing your requests.

Each of the above choices is subject to applicable law. If you need assistance or wish to exercise any of these rights, you can contact our Privacy Team at [[email protected]] or follow the instructions in our Help Center. We are committed to honoring your privacy rights and will respond to all valid requests in accordance with U.S. law and the practices described above.

7. Data Security and Retention

7.1 How We Protect Your Information

Tentunit implements multiple layers of technical and organizational safeguards to protect your data. All data in transit is secured using industry-standard TLS encryption (TLS 1.2 or 1.3), and all data at rest is encrypted with AES-256 on our servers. We use Cloudflare’s security services to filter and monitor traffic: a Web Application Firewall (WAF) inspects incoming requests and blocks malicious attacks, while Cloudflare’s global network absorbs and mitigates Distributed Denial-of-Service (DDoS) attacks (with over 388 Tbps capacity) without affecting performance. Access to our systems is restricted by strong access controls (e.g. multi-factor authentication and least-privilege policies), and we conduct regular security audits and employee training to ensure ongoing compliance with best practices.

Encryption in Transit: All communications with Tentunit use HTTPS (TLS 1.2 or 1.3) to protect data in transit.
Encryption at Rest: Sensitive data stored on Kodhosting servers is encrypted at rest using AES-256, a widely recognized industry-standard algorithm.
Firewalls and Traffic Filtering: Cloudflare’s WAF and firewall rules inspect and filter web traffic in real-time, blocking OWASP Top 10 threats, bots, and other attacks.
DDoS Mitigation: Cloudflare provides network-layer DDoS protection with massive capacity (388 Tbps), ensuring Tentunit remains available even under large-scale attacks.
Organizational Measures: We enforce strict administrative controls (access controls, audits, incident response training) and regularly update our systems to patch vulnerabilities in accordance with industry standards.

7.2 Data Storage and Retention Periods

Tentunit stores personal data on secure Kodhosting servers. In line with our data minimization principles, we retain your personal information only as long as necessary. Personal data is generally deleted or irreversibly anonymized six (6) months after your account is deleted or last active, whichever comes later. After this retention period we securely dispose of the data unless a longer retention period is mandated by law or a legitimate business need. All data storage and processing occurs on Kodhosting’s infrastructure, which employs enterprise-grade physical security, encryption, and network protection (including backup and DDoS defenses) to safeguard data.

Retention Period: We retain personal data for at most six (6) months following account deletion or last activity.
Deletion/Anonymization: After the retention period expires (and absent any legal requirement to retain data), we promptly delete or permanently anonymize personal data from our active and backup systems.
Hosting: All data is hosted on Kodhosting’s secure servers. Kodhosting maintains industry-standard security controls (secure data centers, encrypted storage, access restrictions, etc.) to protect stored data.

7.3 Incident Reporting and Breach Notification

Tentunit has a formal incident response and breach notification policy. In the event of a confirmed data breach involving personal information, we will act swiftly to contain and investigate the incident. If personal data is compromised, we will notify affected users and relevant authorities without undue delay, and no later than seventy-two (72) hours after confirming the breach. Notifications will include information about the nature of the breach, the data involved, and recommended steps users can take to protect themselves. We will also cooperate with law enforcement and regulatory bodies as required, and update affected users on any corrective actions or available remedies.

Incident Response: We promptly activate our security incident team to contain the breach, assess its scope, and remediate vulnerabilities.
72-Hour Notification: We will inform regulatory authorities and affected individuals as soon as practicable, but in all cases within 72 hours of confirming the breach.
Communication: Notifications to users will clearly describe what happened, what data may have been involved, and how we are responding. We will provide guidance on how affected users can protect their information.
Cooperation: Tentunit will work with law enforcement and regulators, comply with all applicable breach reporting laws, and keep users apprised of any new developments or preventative measures.

8. Children’s Privacy

8.1. Minimum Age Requirements

Tentunit is designed for use by adults. Individuals must be at least 18 years of age to create an account and independently engage in activities such as applying for housing, signing leases, or posting listings. We do not permit individuals under the age of 18 to use Tentunit’s services without verified parental or legal guardian involvement.

For general access to our website (not involving housing transactions), we comply with the U.S. Children’s Online Privacy Protection Act (COPPA), which restricts the collection of personal information from users under the age of 13. In jurisdictions that establish a higher age threshold (e.g., 16 under certain data protection laws), we comply with those local requirements as well.

Age Verification:
Users must confirm their date of birth during account creation. Tentunit may use identity verification tools (such as government-issued ID or third-party identity checks) to enforce the minimum age rule.

8.2. Parental Consent and Reporting

No Independent Use by Minors:
Tentunit does not knowingly collect, solicit, or store personal information from individuals under 18 without verified parental or guardian consent. Any accounts found to be associated with underage users acting independently will be promptly suspended and reviewed for deletion.

Parent or Guardian Supervision Required:
If a minor (under 18) is to participate in any part of the housing process, it must be under the active oversight and account ownership of a parent or legal guardian. All responsibilities, communications, and financial transactions must be handled or approved by the responsible adult.

Removal of Minor Data:
If Tentunit becomes aware that we have collected personal information from a user under the required age without verified guardian consent, we will immediately delete the data and deactivate the account.

Contacting Tentunit:
Parents or legal guardians may reach out to our privacy team at [[email protected]] to:

Request deletion of a minor’s personal data,
Report a violation of this policy,
Or inquire about our children’s data protection practices.

9. International Data Transfers

We may transfer personal data (including international students’ payment and credit card information) across borders in order to operate globally. Under laws like the EU’s General Data Protection Regulation (GDPR), any transfer of personal data outside the European Economic Area (EEA) must preserve the same level of privacy protection as within the EEA. In practice, this means we will comply with Chapter V of the GDPR, which requires that transfers to non-EEA countries only occur on the basis of an adequacy decision or appropriate safeguards. For example, if we send data (such as payment processing records) to a country recognized as providing “adequate” protection, no additional legal measures are needed. In other cases, we will only transfer data under approved mechanisms (described below) or very limited legal exceptions.

Adequacy Decisions: Before transferring data, we will check if the destination country has an EU (or UK) adequacy ruling. Countries like the United Kingdom, Switzerland, Japan, Canada, and the United States (through the EU–US Data Privacy Framework) have such decisions. Data may flow freely to these jurisdictions without extra safeguards, although we will still enforce GDPR principles (such as data minimization and security) at all times.
Appropriate Safeguards (Art. 46 GDPR): If no adequacy decision applies, we will use legally prescribed safeguards. For instance, any overseas service provider that processes EU-originating data (as a processor) will be bound by a written contract incorporating EU-approved terms, just as if the processor were inside the EEA. These contracts (see below) obligate the third party to meet GDPR standards.
Derogations (Art. 49 GDPR): In rare situations (e.g. the student explicitly consents to a specific transfer, or the transfer is strictly necessary for a contract), GDPR allows certain exceptions. Such derogations are intended only as a last resort for isolated cases (not for routine data flows) and would be used only if no other lawful transfer mechanism is available.

9.1 Cross-Border Transfers

Because we may accept payment (including credit card processing) from students around the world, our systems and third-party processors might handle data in multiple countries. For example, if a student in the EU pays via credit card on our US-based platform, the payment processor may receive personal data abroad. We will ensure that any such cross-border transfers comply with GDPR requirements. This means confirming an adequacy decision or putting in place an approved safeguard before transferring the personal data internationally.

Transfer Basis: In each case, we will identify the legal basis for the transfer. Transfers to countries with an EU adequacy decision may proceed under that decision. Otherwise, we will use one of the “appropriate safeguards” listed in GDPR Art. 46 (see below). Our contracts with overseas processors (e.g. payment gateways) will include EU-standard clauses to ensure protection.
Security Measures: In addition to legal safeguards, we will implement technical and organizational measures (such as end-to-end encryption of payment data) to maintain security during transfer and storage. This complements the GDPR requirement that we also enforce data security and confidentiality when processing information abroad.
Documentation: We will document each transfer, including the destination, legal mechanism used, and any special conditions, as part of our compliance procedures. For transfers governed by SCCs (see below), we will perform a Transfer Impact Assessment to record the laws of the receiving country and any supplemental protections we apply.

9.2 Legal Safeguards (e.g., SCCs, Privacy Shield Alternatives)

To legally transfer data internationally, we will rely on recognized mechanisms:

Standard Contractual Clauses (SCCs): We will use the EU’s approved model clauses in contracts with non-EEA recipients. These clauses are pre-authorized by the European Commission and require all parties to meet GDPR-level obligations. In June 2021 the EU updated its SCCs for various scenarios (e.g. controller→controller or controller→processor). Under SCCs, we will conduct a formal transfer impact assessment documenting the nature of the data, the receiving country’s laws, and any additional measures we implement. This helps ensure that transferred data remains protected even if the foreign country’s rules change.
EU–US Data Privacy Framework (DPF): For transfers to the United States, we intend to use the new EU–US Data Privacy Framework. This framework, effective July 10, 2023, provides an “adequacy” decision covering certified US organizations. It replaces the former Privacy Shield (invalidated in 2020) and allows compliant U.S. companies to receive EU data with legal certainty. If we use any US-based service providers, we will seek those that are DPF-certified or otherwise compliant with EU requirements.
Binding Corporate Rules (BCRs): If we transfer data within our corporate group across borders, we may adopt Binding Corporate Rules. BCRs are internal policies approved by EU data authorities that permit unlimited intra-group transfers while ensuring GDPR-level protection. They are often considered the “gold standard” of transfer mechanisms. However, BCRs require lengthy approval and are typically used by large multinational organizations. We would pursue BCRs if our group’s global activities warrant it.
Other Approved Mechanisms: Depending on future needs, we may explore other GDPR-approved tools. These include certified Codes of Conduct or international certification schemes (per GDPR Arts. 40–42), or even case-specific contractual clauses authorized by a DPA. We also will ensure that our payment providers comply with industry standards (e.g. PCI DSS) and incorporate GDPR-aligned obligations for data protection in their service agreements.
Supplementary Measures: In line with EU guidance (following the Schrems II decision), we will add extra safeguards as needed. For example, if data must be sent to a country where foreign government access laws could conflict with EU privacy rights, we may use encryption, anonymization, or other technical protections. These supplementary measures help ensure that even if local laws allow government data access, the transferred personal data remains shielded.

Note: We will decide which specific mechanisms to implement (such as self-certification under the Data Privacy Framework, detailed SCC templates, or development of BCRs) once our compliance strategy is finalized. We will update this section with the chosen approaches to ensure full global compliance.

10. Third-Party Links and Features

TentUnit’s platform may include links to third-party websites and embedded features to enhance functionality. These links and features are provided for your convenience; however, Tentunit does not control the content or practices of any external sites. The following subsections explain how we handle third‑party links and tools:

10.1 External Sites

Links to Third-Party Websites: For user convenience, Tentunit may provide links or references to external websites and services (for example, social media platforms, payment processors, or partner sites). These third-party sites are not under Tentunit’s control. Tentunit does not own, manage, or endorse any content or services on those sites.
No Responsibility for Third-Party Practices: We are not responsible for the privacy practices or content of external websites. Any personal data you share with a third-party site through Tentunit’s platform is governed by that site’s own privacy policy and terms of use. In other words, your use of a linked website is subject to the provider’s policies, not ours.
Review Their Policies: We encourage you to read the privacy policy and terms of any third-party site before providing any personal information or interacting with its content. Tentunit’s Privacy Policy applies only to our platform – it does not extend to external websites. We explicitly disclaim any liability for the practices of third-party sites.

10.2 Embedded Tools (e.g., Maps, Calendars)

Tentunit uses embedded third-party tools to improve the user experience. These features may include interactive maps, calendar widgets, and other embedded content. Because they are provided by external companies, they may collect information about your device or usage. Any data collected by these tools is handled according to the third-party provider’s terms and privacy policies. Notably, Tentunit’s Privacy Policy does not apply to embedded content from third parties, and we are not responsible for how these providers use data. You should review the privacy notices of each provider when using their tools. In particular:

Map Services (placeholder): We plan to integrate an interactive mapping service (for example, Google Maps, Mapbox, or another provider) to display property locations. The specific map provider is not yet selected; this section will be updated with the chosen provider’s name and details in future versions of this Policy. The embedded map may collect information such as your IP address, approximate location, and interactions with the map. The map service’s own Privacy Policy and Terms of Use will govern that data collection. Any use of map features on Tentunit is subject to the provider’s policies.
Calendar Widgets: We may use third-party calendar tools (such as Google Calendar or similar services) for scheduling or event features. These calendar widgets may collect technical information (for example, date/time stamps, device and browser information, and how you interact with the calendar). The embedded calendar operates under the calendar provider’s terms and privacy policy. Tentunit does not control the data collection of the calendar provider, and you should consult the provider’s privacy policy for details on how your information is used.
Other Embedded Content: Tentunit’s site may include other embedded third-party content (for example, video players, social media feeds, or third-party forms). Such content is hosted and served by the respective providers. Because we did not create or manage these features, Tentunit disclaims responsibility for their data practices. Each provider’s terms and privacy policy apply to the data collected through their embedded content. We encourage you to review those policies before using any embedded feature.

In summary, any third-party links or embedded tools on Tentunit are subject to the privacy practices of the providers. We do not warrant or assume any responsibility for those practices. For more information, you should refer directly to the privacy policy of each external site or service you use.

11. Policy Updates and Notifications

11.1 When and How We Update This Policy

Tentunit may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or operational practices. We reserve the right to modify or revise the policy as needed, in accordance with applicable law. Whenever we make changes, we will post the revised Privacy Policy on our website (and in our app, if applicable) and update the “Last Updated” date or effective date at the top of the policy. We also maintain version control for this Policy – each update will be identified by its effective date or version number, and in some cases we may provide a short summary of changes or a change log for transparency in line with industry best practices. Unless we state otherwise in a notice, any changes to this Privacy Policy will become effective on the date we post the updated version (as indicated by the effective date).

We encourage you to periodically review this Privacy Policy so that you remain informed about any updates or changes. Your continued use of Tentunit’s services after an updated Privacy Policy has been posted (and becomes effective) signifies your acceptance of the revised terms, except where otherwise required by law or expressly stated. If you do not agree to the changes, you should discontinue use of our services and/or contact us regarding your data rights.

11.2 User Notification Procedures

For any significant or material changes to this Privacy Policy, Tentunit will proactively notify you through prominent channels, in advance of the changes taking effect. In particular, we will use one or more of the following notification methods to inform you of important updates to our privacy practices:

Email Alerts: We may send a notice to the email address associated with your Tentunit account detailing the upcoming changes. For major changes, we aim to provide such email notice at least 30 days before the new policy becomes effective, whenever feasible.
Website Notices: We will post clear update notices on our website, such as a banner, pop-up, or announcement on the homepage or privacy policy page, to inform all users of the revised policy. This notice will often include the effective date of the change and a link to the updated Privacy Policy.
In-App Notifications: If you use a Tentunit mobile or web application, we may deliver an in-app message or alert about the Privacy Policy update. This could be a notification in your account dashboard or a modal pop-up that directs you to review the changes.

These notification procedures are designed to ensure you are aware of material changes in how we handle your information. All update notices will indicate the effective date of the revised policy, and we may ask for your acknowledgment or consent to the new terms if required by law. Please note that minor updates (such as clarifications or grammatical changes that do not affect your rights or our obligations) may not trigger a direct notification; such changes will be indicated by the updated “Last Updated” date, and we still encourage you to review the Privacy Policy periodically for any such updates.

By keeping you informed through these channels, Tentunit strives to be transparent and to give you an opportunity to understand the changes. If you have any questions about an update or if you wish to object to certain changes, you can contact us using the information provided in this Privacy Policy. Your continued use of our services after the effective date of a revised Privacy Policy will be deemed acceptance of the changes, to the extent permitted by law.

12. How to Contact Us

12.1 Privacy Questions or Requests

If you have questions about how we handle your personal information or wish to make a data request (for example, accessing, correcting, or deleting your data), you may contact us via email at [email protected]. We will review and respond to your privacy inquiries promptly and in accordance with applicable laws. This dedicated channel ensures your request is handled securely and efficiently.

12.2 Designated Data Protection Officer (DPO) Contact

Tentunit will designate a Data Protection Officer (DPO) when necessary. In the meantime, you may direct any data protection–related questions to our general privacy email above. We will update this section once the DPO is appointed, as is common practice in leading privacy policies.

12.3 Appeals and Complaint Resolution

If you are dissatisfied with a privacy-related decision or wish to file a complaint regarding our handling of your personal data, you may appeal by contacting [email protected] (please include “Appeal” or “Complaint” in the subject line). We will review your appeal or complaint in accordance with applicable laws and our internal policies. Our team is committed to addressing concerns fairly and will respond as promptly as possible.

13. Jurisdiction-Specific Disclosures

13.1 United States (California – CCPA/CPRA)

California residents have specific rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act). These include the right to know what personal information we collect and how it is used, the right to delete the personal information we have collected about you (subject to certain exceptions), the right to opt-out of the sale or sharing of your personal information, the right to correct inaccurate personal information, the right to limit use of sensitive personal data, and the right to be free from discrimination for exercising these rights. For example, consumers can request a list of the categories of data collected and disclosed, request deletion of their data, or request that we cease any sales or sharing of their personal data. Tentunit does not sell personal information (as “sale” is defined under CCPA) and is not a data broker; we will honor any CCPA opt-out requests as required by law. We will not discriminate against consumers for exercising their CCPA rights.

How to exercise California rights: California residents may submit verifiable requests by contacting Tentunit at [[email protected]] (or via our web form). We will take steps to verify your identity and respond to requests within the 45‑day timeframe required by law (which can be extended by 45 days if notified).
Our compliance: In addition to honoring opt-out requests, Tentunit provides a clear “Do Not Sell or Share My Personal Information” link on our website if applicable. We will not require consumers to pay a fee or create an account to submit a CCPA request, and we will use any personal information collected for verification only. We provide the means for California residents to appeal refusals by contacting our Privacy Officer.

13.2 European Union (GDPR)

For individuals in the European Union, Tentunit respects the General Data Protection Regulation (GDPR). The GDPR grants data subjects numerous rights, including the right to be informed about data processing, the right of access to their personal data, the right to rectification (correction) of inaccurate data, the right to erasure (the “right to be forgotten”), the right to restrict processing, the right to data portability, the right to object to processing (including for direct marketing), and the right not to be subject to automated decision-making. We also recognize the right to withdraw consent at any time when processing is based on consent. Tentunit will facilitate these rights and provide information in clear language on how to exercise them.

How to exercise GDPR rights: EU data subjects may contact our Data Protection Officer (DPO) at [[email protected]] or use our online rights request form to submit requests. We will respond to data subject requests within one month of receipt (extendable by two additional months if needed), at no cost to the individual. If requests are made electronically, we will provide data in a commonly used electronic format.
Our compliance: Tentunit processes EU personal data only on lawful grounds and provides transparent notice of data use. We implement appropriate safeguards (such as Standard Contractual Clauses) when transferring personal data outside the EU. We do not charge fees for access requests (except potentially a nominal fee for repetitive requests). If we deny a request, we will explain the reasons and inform the individual of their right to lodge a complaint with an EU data protection authority.

Canada (PIPEDA)

Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Canadian users have the right to access their personal information held by Tentunit and to request correction of any inaccurate or incomplete information. Specifically, if you make a written request, we will inform you whether we have collected data about you, what types of data, the purposes of collection, and any third parties with whom the data has been shared, all within 30 days. We will also correct or update your information if it is inaccurate, as required by law. PIPEDA also requires that individuals be informed of how to challenge compliance; we will respond to complaints and advise you of any further recourse.

How to exercise PIPEDA rights: Canadian individuals may contact our Privacy Officer at [[email protected]] to submit access or correction requests, or any inquiries about our privacy practices. We will reply promptly (within 30 days) and free of charge whenever possible. In addition, Tentunit’s privacy policy will include the name and contact information of our Privacy Officer as mandated by PIPEDA.
Our compliance: Tentunit adheres to PIPEDA’s ten fair information principles (accountability, purpose, consent, limited use, accuracy, safeguards, openness, access, and challenge) in our handling of Canadian personal data. We will protect data with appropriate security measures and only retain it as long as necessary. If you have a complaint about our compliance, you may contact our Privacy Officer or the Office of the Privacy Commissioner of Canada as noted in our policy.

13.3 Other Regions

Tentunit anticipates expanding into other regions and will comply with applicable local privacy laws as we do so. While we currently operate primarily under U.S., EU, and Canadian requirements, we include the following general placeholders for future jurisdictions:

Asia-Pacific and elsewhere: We will observe regional frameworks (for example, the APEC Privacy Framework promotes baseline data protection standards across member economies) and local laws (such as Singapore’s PDPA or similar laws in APEC countries) when applicable. This may include providing data subject rights (access, correction, deletion, etc.) and notices consistent with local legal requirements.
Latin America and other regions: For example, Brazilian and other Latin American privacy laws (such as Brazil’s LGPD) require that privacy policies list the controller’s contact information and the rights of data subjects. Tentunit will update this policy to incorporate any new obligations (such as appointing a local representative or adopting specific consent rules) as required by local law.

Tentunit will update this section as needed to reflect new or changing laws. Users should review the relevant regional subsections for the specific rights and contact methods that apply to them.

Schedule 1: Entity-Specific Controllers and Contact Information

This Privacy Policy identifies Tentunit as the sole Data Controller for all processing activities covered by the policy. In compliance with applicable data protection laws, the controller’s identity and contact details are disclosed below. For example, the GDPR explicitly requires a privacy notice to include the “identity and the contact details of the controller”, and industry guidance similarly emphasizes listing the controller’s name, address, and contact information. The information for Tentunit is provided in the table below, with placeholders for the email and physical address to be updated when available:

*Legal Entity Name (Controller)*	*Role*	*Jurisdiction*	*Contact Email*	*Physical Address*
Tentunit	Data Controller	United States	[email protected]	47906