Privacy Policy
Last updated: 12 April 2026
PMFlow Pty Ltd (ABN 18 695 363 841)
Last updated: 12 April 2026
1. Introduction
PMFlow Pty Ltd ("PMFlow", "we", "us", "our") operates the PMFlow property management operations platform at pmflow.com.au (the "Platform"). We are committed to protecting the privacy of all individuals whose personal information we collect and handle.
This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
By using the Platform, you consent to the collection and use of your personal information as described in this policy.
2. Information We Collect
2.1 Information You Provide
We collect personal information that you provide directly to us, including:
- Account information: name, email address, phone number, job title, agency name
- Agency information: business name, ABN, office address, licensing details
- Tenancy data: tenant names, email addresses, phone numbers, property addresses, lease terms, rental amounts, payment history
- Owner data: property owner names, email addresses, phone numbers, bank details (for rent disbursement references only)
- Communication content: emails, SMS messages, notes, and correspondence sent through or stored in the Platform
- Documents: lease agreements, inspection reports, maintenance records, legal notices, condition reports, and other property management documents uploaded to or generated by the Platform
- Payment information: billing details processed through our payment provider (Stripe). We do not store credit card numbers on our servers.
2.2 Information Collected Automatically
When you use the Platform, we automatically collect:
- Usage data: pages visited, features used, actions taken, timestamps
- Device information: browser type, operating system, screen resolution
- Log data: IP address, access times, referring URLs
- Cookies and similar technologies: session cookies for authentication and preferences (see Section 9)
2.3 Information from Third Parties
We may receive information from:
- Supabase (database and authentication provider): authentication tokens and session data
- Resend (email delivery): email delivery status, bounce notifications, inbound email content
- Twilio (SMS delivery): SMS delivery status, inbound SMS content
- Stripe (payment processing): subscription status, payment confirmations
3. How We Use Your Information
We use personal information for the following purposes:
- Platform operations: providing, maintaining, and improving the Platform's property management features
- Arrears management: tracking rental arrears, calculating risk scores, generating staged communications, and managing legal notice workflows
- Communication delivery: sending emails and SMS messages on behalf of property managers to tenants, owners, and vendors
- AI-assisted drafting: generating draft communications, risk assessments, and recommendations using artificial intelligence (see Section 5)
- Document generation: creating legal notices, inspection reports, lease agreements, and other prescribed forms under Western Australian legislation
- Compliance monitoring: tracking compliance deadlines, generating reminders, and maintaining audit trails
- Account management: processing subscriptions, managing billing, and providing customer support
- Security: detecting and preventing fraud, unauthorised access, and other security threats
- Legal obligations: complying with applicable laws, regulations, and legal processes
- Platform improvement: analysing usage patterns to improve features and user experience (aggregated and de-identified where possible)
4. Legal Basis for Processing
We process personal information on the following bases:
- Consent: you have consented to the collection and use of your information (e.g., by creating an account)
- Contractual necessity: processing is necessary to provide the Platform services under our Terms of Service
- Legal obligation: processing is required to comply with Australian law
- Legitimate interests: processing is necessary for our legitimate business interests, provided these do not override your privacy rights
5. Artificial Intelligence and Automated Processing
5.1 How We Use AI
PMFlow uses artificial intelligence (powered by Anthropic's Claude API) to:
- Draft email and SMS communications for property manager review
- Generate risk assessments and risk explanations for arrears cases
- Classify inbound messages by intent, urgency, and suggested action
- Triage maintenance requests by urgency and trade category
- Generate renewal recommendations and owner reports
- Summarise communication history per tenancy
5.2 Human Review Requirement
All AI-generated content is presented as a draft for review. No AI-generated communication is sent to any recipient without explicit property manager approval. Property managers can edit, reject, or regenerate any AI draft before sending.
5.3 AI Data Handling
- Tenancy data sent to the AI provider (Anthropic) is used solely to generate the requested output
- We do not use your data to train AI models
- Anthropic's data handling is governed by their privacy policy and data processing agreements
- AI-generated content is labeled as such within the Platform
5.4 Automated Decision-Making
PMFlow's automated systems (risk scoring, stage progression, SLA calculations, compliance deadline tracking) make operational recommendations but do not make legally binding decisions. Property managers retain full control over all actions taken within the Platform.
6. How We Share Your Information
We share personal information only in the following circumstances:
6.1 Service Providers
We use trusted third-party service providers to operate the Platform:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All platform data | Australia (Sydney region) |
| Anthropic | AI drafting and classification | Tenancy context for draft generation | United States |
| Resend | Email delivery | Email addresses, email content | United States |
| Twilio | SMS delivery | Phone numbers, SMS content | United States |
| Stripe | Payment processing | Billing details, subscription data | United States |
| Netlify | Platform hosting | Application code, static assets | Global CDN |
6.2 Within Your Agency
Property managers within the same agency can access tenancy data, communications, and documents for properties managed by that agency.
6.3 As Required by Law
We may disclose personal information if required by law, regulation, legal process, or governmental request, including to comply with the Western Australian Residential Tenancies Act 1987 or related legislation.
6.4 Business Transfers
If PMFlow is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected users before personal information becomes subject to a different privacy policy.
7. Cross-Border Data Transfers
Some of our service providers are located outside Australia (see Section 6.1). Before transferring personal information overseas, we take reasonable steps to ensure the recipient handles information consistently with the Australian Privacy Principles, including through:
- Contractual data processing agreements
- Provider privacy policies and security certifications
- Assessment of the recipient country's data protection laws
8. Data Security
We implement appropriate technical and organisational measures to protect personal information, including:
- Encryption: data encrypted in transit (TLS 1.2+) and at rest
- Authentication: secure session management via Supabase Auth with JWT verification
- Row-Level Security: database-level access controls ensuring agencies can only access their own data
- Access controls: role-based permissions within each agency
- Audit trails: comprehensive logging of data access and modifications
- Secure storage: documents stored in private Supabase Storage buckets with signed URL access
- Infrastructure: hosted on SOC 2 certified infrastructure (Supabase, Netlify)
No method of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
9. Cookies and Tracking
9.1 Cookies We Use
| Cookie | Purpose | Duration |
|---|---|---|
| pmflow-session | Authentication session management | Session |
| sb-*-auth-token | Supabase authentication tokens | Session |
| theme-preference | Light/dark mode preference | Persistent |
9.2 No Third-Party Tracking
PMFlow does not use third-party advertising cookies, analytics trackers, or social media pixels. We do not sell your data to advertisers or data brokers.
10. Your Rights
Under the Australian Privacy Principles, you have the right to:
- Access: request access to the personal information we hold about you
- Correction: request correction of inaccurate, incomplete, or outdated information
- Complaint: lodge a complaint about our handling of your personal information
10.1 For Property Managers (Account Holders)
You can access, update, or delete your account information through the Platform's Settings page. To request data export or account deletion, contact us at privacy@pmflow.com.au.
10.2 For Tenants and Property Owners
Your personal information is managed by your property management agency through the Platform. To exercise your privacy rights, contact your property manager in the first instance. You may also contact us directly at privacy@pmflow.com.au.
10.3 Complaints
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
11. Data Retention
We retain personal information for as long as necessary to:
- Provide the Platform services under an active subscription
- Comply with legal obligations (including record-keeping requirements under the Residential Tenancies Act 1987)
- Resolve disputes and enforce agreements
- Maintain audit trails required for legal proceedings
When an agency cancels their subscription, we retain data for 90 days to allow for reactivation, after which it is scheduled for deletion. Tenancy records that are subject to ongoing legal proceedings or statutory retention requirements may be retained longer.
12. Children's Privacy
The Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or through the Platform. The "Last updated" date at the top of this policy indicates when it was last revised.
Continued use of the Platform after changes are posted constitutes acceptance of the updated policy.
14. Contact Us
For privacy inquiries, data access requests, or complaints:
PMFlow Pty Ltd Email: privacy@pmflow.com.au Website: pmflow.com.au
You may also contact the Office of the Australian Information Commissioner: Website: www.oaic.gov.au Phone: 1300 363 992